
Rowhammer.js: Root privileges for web apps? - mparramon
https://media.ccc.de/v/32c3-7197-rowhammer_js_root_privileges_for_web_apps
======
zwegner
Hmm, it seems that all the pieces aren't in place yet. If I'm understanding
correctly, the exploit technique they use relies on cross-page errors (causing
errors in one page with accesses to another page), because the page with
errors needs to get freed to the operating system to potentially reuse as
PTEs, while still having the ability to cause the errors. There's a line on
one of the slides that says you can use timing information to get cross-page
information, but I'm really not sure what that means, and how feasible it is.

In addition, they need to find a double-bit error, one that would change both
the writable bit and an address bit, if a PTE was in that place in memory.
They mentioned that they tested their laptop for these errors, and they're
possible, but much rarer--how rare? This point was kind of just glossed over.

I'd guess that these two combined would make an exploitable error much more
unlikely.

~~~
creshal
> how rare? This point was kind of just glossed over.

It varies widely between memory chips, memory controllers, and a variety of
other factors.

Not to mention, Rowhammer was first disclosed early last year, and many
vendors started shipping BIOS updates to prevent Rowhammer on the memory
controller level _months_ ago; additionally the problem has been fixed from
the start on DDR4 RAM (the bug had been known to memory vendors before, but
had not been deemed a security problem, so the fix wasn't applied retroactively to
DDR3).

So finding actually exploitable devices _now_ is going to be difficult.

~~~
revelation
Who has ever updated their BIOS? Unless Windows now does this silently.

~~~
TazeTSchnitzel
Apple machines handle firmware updates like any other software update.

~~~
yuhong
Yea, I think they even started bundling them with Mac OS X updates now.

------
_Codemonkeyism
Nice work, but didn't show an exploit or have one.

The "?" in the end of the talk title should tip you off, same click bait as
everyone else uses, sad.

~~~
fabulist
There's nothing wrong with presenting work at an intermediate stage. For
instance, Chris Valasek and Charlie Miller presented their automotive research
a year before they could control cars remotely[0].

They cobbled together the primitives you'd need to build an exploit, thus
proving it to be exploitable. That seems like a reasonable time to share your
work to me. The title is provocative, but not to the extent which makes it
clickbait.

[0]
[https://www.youtube.com/watch?v=tnYO4U0h_wY](https://www.youtube.com/watch?v=tnYO4U0h_wY)

~~~
_Codemonkeyism
Then I didn't make myself understood. I didn't say that it is. The title
of Chris's talk is modestly worded as "A Survey of Remote Automotive Attack
Surfaces", not "A root exploit of the car bus system and engine management?".

I wanted to express that the title of the talk suggests that there exists
something that is called Rowhammer.js that gives root access through the
browser. And there isn't.

~~~
fabulist
It takes more than an attention-grabbing headline to make something clickbait.
There is no real financial incentive here; they gave their talk a provocative
title so people would show up. They are not misrepresenting the facts; you
can get root from JavaScript using Rowhammer, and they'll tell you how.

Additionally, there is something called Rowhammer.js:

[https://github.com/IAIK/rowhammerjs](https://github.com/IAIK/rowhammerjs)

~~~
_Codemonkeyism
Again, I feel the need to represent the facts from the video for people
stumbling over this thread (as of 2016/01):

1.) Rowhammer.js does not (yet) give root access through JS on a website; this
is work in progress. The current Rowhammer JS script can create bit flips in
DRAM lines.

2.) They do not show how to get root access with Rowhammer.js, they describe a
scenario they are working on and that might work in the future, which involves
getting access to memory pages with memory cached versions of scripts that
someone might execute as root.

------
th0br0
Slides:
[https://events.ccc.de/congress/2015/Fahrplan/system/event_at...](https://events.ccc.de/congress/2015/Fahrplan/system/event_attachments/attachments/000/002/815/original/slides.pdf)

------
wazoox
The paper is available here:
[http://arxiv.org/abs/1507.06955](http://arxiv.org/abs/1507.06955)

------
Robadob
Interestingly, in response to the first question they state that allegedly
some brands of ECC memory are also vulnerable (by also hammering the checksum
rows).

~~~
dogma1138
SECDED ECC will be vulnerable to hammer attacks that flip more than 2 bits in
a row.
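
A toy model of the SECDED point above, as an added example (not code from the thread or from the IAIK project): an extended Hamming(8,4) code of the kind used for SECDED DRAM ECC, showing that one flipped bit is corrected, two are flagged as uncorrectable, and three or more in the same word can be silently miscorrected into wrong data.

```python
"""Extended Hamming(8,4) SECDED model: one word, all k-bit flip patterns.

Position 0 holds the overall parity bit, positions 1,2,4 the Hamming check
bits and positions 3,5,6,7 the four data bits. Added example, not from the
thread or the IAIK rowhammerjs project.
"""
from itertools import combinations

DATA_POS = (3, 5, 6, 7)   # data bit positions in the Hamming(7,4) part
PARITY_POS = (1, 2, 4)    # Hamming check bits; each covers positions i with i & p


def encode(nibble: int) -> list[int]:
    """Return the 8-bit codeword for a 4-bit value."""
    word = [0] * 8
    for pos, shift in zip(DATA_POS, range(4)):
        word[pos] = (nibble >> shift) & 1
    for p in PARITY_POS:
        word[p] = sum(word[i] for i in range(1, 8) if i & p and i != p) & 1
    word[0] = sum(word) & 1          # overall even parity over the word
    return word


def decode(word: list[int]) -> tuple[str, int]:
    """Return (status, data); status is 'ok', 'corrected' or 'uncorrectable'."""
    word = list(word)
    syndrome = 0                     # equals the position of a single flip
    for p in PARITY_POS:
        syndrome |= p * (sum(word[i] for i in range(1, 8) if i & p) & 1)
    overall = sum(word) & 1
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1:               # odd flip count: assume exactly one
        if syndrome:
            word[syndrome] ^= 1
        status = "corrected"
    else:                            # even flip count, nonzero syndrome: two flips
        status = "uncorrectable"
    data = sum(word[pos] << shift for pos, shift in zip(DATA_POS, range(4)))
    return status, data


def flip_outcomes(nibble: int, nflips: int) -> dict[str, int]:
    """Tally decoder verdicts over every pattern of nflips flipped bits.

    'silent' counts cases where the decoder reports ok/corrected but the
    data it returns is wrong, i.e. the ECC did not notice the damage.
    """
    counts = {"ok": 0, "corrected": 0, "uncorrectable": 0, "silent": 0}
    clean = encode(nibble)
    for positions in combinations(range(8), nflips):
        damaged = clean[:]
        for pos in positions:
            damaged[pos] ^= 1
        status, data = decode(damaged)
        counts[status] += 1
        if status != "uncorrectable" and data != nibble:
            counts["silent"] += 1
    return counts
```

With three flips every one of the 56 patterns comes back as "corrected" with wrong data, which is what makes a hammer that flips several bits in one ECC word worse than one that flips two.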

------
mehrdada
The speaker makes fun of Intel for calling a relatively trivial mapping of CPU
physical address to DRAM addresses in the memory controller a "hash function".
I'd like to point out that it is actually a hash function mathematically. The
term "hash function" has a much looser definition and does not necessarily
have any of the cryptographic properties that are common in
_cryptographically-secure_ hash functions. It's a clash of terminology, not a
poor design decision by Intel. Intel probably has no interest in obfuscating
that mapping, and the fact that they leave it undocumented is probably just
because they don't want to make compatibility guarantees if you somehow rely
on the mapping for some reason.

------
antouank
Video :
[https://www.youtube.com/watch?v=LT54Jq_0kJk](https://www.youtube.com/watch?v=LT54Jq_0kJk)

------
MasterScrat
I can't load the page: "Secure Connection Failed".

edit: video file is here [http://c3media.vsos.ethz.ch/congress/2015/webm-hd/32c3-7197-...](http://c3media.vsos.ethz.ch/congress/2015/webm-hd/32c3-7197-en-de-Rowhammerjs_Root_privileges_for_web_apps_webm-hd.webm)

