Over the past few years, there has been a steady evolution in Rowhammer, the once largely theoretical attack that exploits physical defects in memory chips to tamper with the security of the devices they run on. On Thursday, researchers are unveiling the most practical demonstration yet of Rowhammer’s power and reach: an exploit that remotely executes malicious code on Android phones by harnessing their graphical processors.
GLitch gets its name and idiosyncratic capitalization because it uses the WebGL programming interface for rendering graphics to trigger a known glitch in DDR3 and DDR4 dual in-line memory modules, or DIMMs. The term Rowhammer was coined because the exploit class accesses—or “hammers”—specific memory blocks known as rows inside a DIMM thousands of times per second. Attackers use it to alter crucial pieces of data by changing zeros to ones and vice versa. The physical weakness is the result of ever smaller dimensions of the silicon. With less space between each DRAM cell, it becomes increasingly hard to prevent one cell from interacting electrically with its neighbors.
Like all of the Rowhammer attacks that have preceded it, the GLitch proof-of-concept exploit isn’t mature enough to pose an immediate threat to most end users. Because of the significant amount of reverse engineering required and the advent of Rowhammer mitigations in some newer phones, the PoC currently works only on a Nexus 5 phone, which Google discontinued in 2015. With refinements, however, the novel attack vector could one day provide a more robust way to compromise a serious vulnerability in both computers and phones that can be mitigated but never actually patched.
As a result, I think its implications are very significant—GPUs are employed in all interesting mobile systems, and if the DRAM is vulnerable to Rowhammer, one can exploit that GPU to take over the system. The fact that the attack is end-to-end and does not require the user to install a new app to be performed makes it even more significant since the barrier to attack is low. So, I think this paper presents a significant and very clever demonstration of how the Rowhammer vulnerability can lead to another attack.
A farewell to CPUs
The breakthrough of the GLitch research is its discovery of a new way to exploit the Rowhammer vulnerability. To hammer rows, exploits must repeatedly access specific chunks of data stored in DRAM in rapid succession. This hammering can be hampered by the data caches that sit between the CPUs and the main memory chips, because the caches store recently accessed data.
The GPUs integrated into most smartphones, by contrast, usually employ smaller caches. What’s more, the GLitch researchers found, mobile GPU caches have deterministic behaviors that contrast sharply with the random policies implemented in mobile CPUs. These GPU features make cache eviction efficient and fast enough to trigger bit flips in entire classes of devices once considered off limits.
In a research paper titled Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU, the researchers wrote:
Unlike CPU caches that are large and optimize for a general-purpose workload by implementing either random or nondeterministic replacement policies, we show that GPU caches are small and follow a deterministic replacement policy. This allows an attacker to reason about cache hits or misses with great precision, paving the way for fast and reliable side-channel attacks with little noise.
Rowhammer attacks rely on side channels to map out large chunks of memory stored inside vulnerable chips. To surgically hammer only the rows storing targeted bits, the attacks carefully measure the time certain accesses take. To surgically hammer the rows storing targeted bits, Rowhammer attacks carefully measure the time certain DRAM access take. The timing side channels allow the attacks to deduce information about the bits’ location in the module. The speed and clarity of GPU-based side channels are key to the success of GLitch.
The researchers gleaned GPUs’ superior Rowhammer capabilities using a novel technique to reverse engineer the Snapdragon 800/801 system on a chip, which integrates a CPU and GPU onto the same piece of silicon. The researchers then used the insights to develop an exploit for the Nexus 5, which uses the Snapdragon SoC. The researchers said their exploit works on other mobile devices that use the same Snapdragon SoC. They also believe other SoC models can be exploited by subjecting them to the same intensive reverse engineering.
Pietro Frigo, one of the four researchers in Vrije University Amsterdam Systems and Network Security Group who authored the paper, told Ars that most of the GLitch research was done using the Chrome browser, which is much more popular on Android than Firefox.
“If you’re wondering if we can trigger bit flips on Chrome, the answer is yes, we can,” Frigo wrote in an email. Eventually, he and his fellow researchers switched to Firefox when developing the exploit.
“The reason we attacked Firefox is we already had some prior knowledge about its internals and there was more documentation around, so it was easier for us to build a full exploit there,” Frigo explained. “On different browsers, you would have different techniques to build the exploit which would make it faster/slower more/less practical. But, theoretically, you could exploit any target.”
Both Chrome and Firefox are in the process of being updated to shut down some of the functions that make GPU-based Rowhammer exploits possible. Both Chrome version 65 and Firefox version 59, which were released in March, disabled a WebGL extension called EXT_DISJOIN_TIMER_QUERY, which gave attackers a key tool for building a GPU-based side channel. Both updates also partially redesigned some WebGL functions to make it harder for attackers to build custom timers used in side-channel attacks.
Despite the mitigations put into Firefox 59, however, Frigo said the update has failed to stop his proof-of-concept exploit from working in version 59.0.2. He did say the changes make GLitch less reliable because the exploit now must guess if the targeted memory is contiguous or not.
In a statement, Google officials wrote:
We have worked with the team from Vrije Universiteit for months, and while this vulnerability isn’t a practical concern for the overwhelming majority of users, we appreciate any effort to protect them and advance the field of security research, overall. We are not aware of an exploit, but the researchers’ proof-of-concept does show that WWeb browsers can be a vector for this Rowhammer-style attack. We mitigated this remote vector in Chrome on March 13, and we are working with other browsers so they can implement similar protections.
Mozilla officials issued the following statement:
The Dutch National Cybersecurity Center did alert us to this issue. Like Chrome m65, Firefox also disabled EXT_DISJOINT_TIMER_QUERY in our March release of Firefox 59. We worked with the Chrome team to change the WebGL specification to make it harder for attackers to construct custom timers. These changes will be released with Firefox 60 on May 9. We will continue to monitor for any updates from hardware manufacturers to address the underlying issue and make changes accordingly.
Google researchers, speaking on the condition they not be named or quoted, also said that many Android phones ship with DDR chips that contain mitigations designed to prevent bits from flipping. One mitigation known as target row refresh recharges memory rows that show signs of being abused. Another, known as error correcting code, is designed to monitor chips for signs of bit flips and, when detected, quickly correct them. It’s not clear what Android models have one or both of these protections deployed, but it’s known that the Nexus 5 exploited by GLitch doesn’t implement either one.
Frigo said his teammates haven’t yet studied the mitigations, but he expects they would make Rowhammer attacks much harder. Still, he said his team has proof of bit flips produced on a Google Pixel phone, which may include some of the mitigations (the flips weren’t the result of GLitch). The researcher also said the mitigations aren’t likely to be included in lower-end phones.
For the time being, GLitch, as with most other Rowhammer exploits, poses little immediate threat to most phone and computer users. Compared with more mundane attacks that use malicious spam or compromised websites to spread malware, Rowhammer exploits are extremely expensive to develop and unreliable to use. With the exception of the most high-value marks targeted in exotic nation-sponsored hacks, there’s little chance of GLitch exploits being used in the wild.
At the same time, the GLitch research is immensely important because it demonstrates a never-before-seen vector for exploiting a hardware weakness that can never be patched. Not only is the GPU method almost completely overlooked, it’s also more effective than better-known methods that use CPUs.
Most important of all, GLitch illuminates the previously unknown susceptibility of smartphones and potentially other types of devices used by billions of people around the world. And for these reasons, Thursday’s paper and accompanying blog post should be required reading for anyone who develops hardware or software, particularly those who dismiss it as too esoteric an issue to warrant serious concern.
“Rowhammer in many ways has been ignored by vendors hiding behind [the claim] that it’s difficult and usually requires local execution or deduplication which has been removed from Windows by now,” said Anders Fogh, a principal security researcher with GDATA Advanced Analytics who spoke about Rowhammer at the 2015 Black Hat security conference. “This [research] should put some much needed focus on the fact that what is often seen only as a reliability issue is often a severe security issue.”