
Drive-by Rowhammer attack uses GPU to compromise an Android phone - markdog12
https://arstechnica.com/information-technology/2018/05/drive-by-rowhammer-attack-uses-gpu-to-compromise-an-android-phone/
======
someperson
So fundamentally, due to mitigatable-but-impossible-to-fully-patch hardware
exploits like Rowhammer and Spectre, client-based sandboxing cannot be relied
upon.

Seems that a good approach for the average HN user is to disable JavaScript
for _all_ sites, but whitelist trusted sources (of course with HTTP MITM
over compromised routers, never execute any code with questionable integrity,
so anything delivered over a non-TLS connection)

Goes without saying one should only use the minimal possible amount of native
applications too: ideally none except perhaps the smartphone OS-vendor's
trusted applications (your OS-vendor can already arbitrarily execute code and
read memory). Using the OS-vendor's web browser with Javascript disabled
shouldn't be too much of a security risk.

~~~
nradov
Even seemingly trusted web sites are often pulling in JavaScript libraries
from third party CDNs, analytics services, and advertising networks. It's
almost impossible to be certain that none of those are compromised.

~~~
pietroglyph
Decentraleyes[0] is a great plugin that intercepts many popular 3rd party CDN
requests and replaces them with local copies. It's not a silver bullet, but it
reduces CDN-based tracking and the chance of the attack described in the
parent comment.

Subresource integrity[1] is a technology that's been available for a while
that also mitigates this attack, if used properly by website owners.

[0]: [https://decentraleyes.org/](https://decentraleyes.org/) and
[https://github.com/Synzvato/decentraleyes](https://github.com/Synzvato/decentraleyes)
[1]: [https://www.w3.org/TR/SRI/](https://www.w3.org/TR/SRI/)

------
baybal2
I will be joining a long line of people with "I told you..." said in address
of dotcom browser devs shoveling OpenGL with effectively raw GPU memory access
into browsers.

~~~
fulafel
It's a hardware flaw in this case though, and apps are another vector. Android
even has drive by ("instant") apps these days.

(And WebGL is far from raw GPU access)

~~~
djrogers
But that’s exactly the point - the more hardware you expose to web browsers,
the bigger the attack surface for web-based attacks.

~~~
fulafel
Yeah, it's a valid position to want to limit the web platform's capabilities
so that implementations are simpler and have fewer places where bugs can
happen. The other position is that walled garden platforms (like Apple/Google
app stores) could then make the web irrelevant as an app platform.

It would be nice if there were 2 "profiles" that web pages could conform to,
browsers would only enable "simple content" profile by default...

------
ams6110
Pretty much ready to ditch my smartphone. iPhones are too expensive and
affordable Android phones are a security mess since they never get updated.

~~~
slededit
Apple is using the same commodity DRAM chips as everyone else. I doubt they
are immune.

~~~
bilbo0s
No need to "doubt". Just try Rowhammer via GLitch on a test iOS device. It
will either work, or it will not. We need more people trying this out,
informing vendors, and reporting their results in a REPLICABLE fashion.

~~~
gruez
>Just try Rowhammer via GLitch on a test iOS device

from TFA:

>the PoC currently works only on a Nexus 5 phone

~~~
bigiain
This makes me _more_ certain iOS will end up being _more_ vulnerable to this
type of attack.

It's almost certainly quite hardware specific, and if you were weaponising
this there's way more homogeneous hardware on iOS than Android. Get this
working on iPhone 7/8/X and you've probably got 75% of the "high value" iOS
device fleet covered.

------
sengork
It is interesting to note that DDR and DDR2 are more immune to this kind of
attack. Older computers with a decently patched OS/browser would be safer to use
for those who want to avoid Rowhammer.

[https://en.wikipedia.org/wiki/Row_hammer](https://en.wikipedia.org/wiki/Row_hammer)

------
textmode
Question: How would this type of attack be implemented without using
Javascript?

------
_o_
Well, the WebGL, canvas and audio functionality of JavaScript is nice to have
disabled anyway because of browser fingerprinting; now there is just another good
reason to disable WebGL. But this is getting crazy. I think that today's CPUs need
a serious step back and rethinking.

------
ouid
rowhammer is the best name yet for a security vulnerability.

~~~
inetknght
Rowhammer has been around for a while

