Slashdot Mirror


Rowhammer Attack Can Now Root Android Devices (softpedia.com)

An anonymous reader writes from a report via Softpedia: Researchers have discovered a method to use the Rowhammer RAM attack for rooting Android devices. For their research paper, called Drammer: Deterministic Rowhammer Attacks on Mobile Platforms, researchers tested and found multiple smartphone models to be vulnerable to their attack. The list includes LG Nexus (4, 5, 5X), LG G4, Motorola Moto G (2013 and 2014), One Plus One, HTC Desire 510, Lenovo K3 Note, Xiaomi Mi 4i, and Samsung Galaxy (S4, S5, and S6) devices. Researchers estimate that millions of Android users might be vulnerable. The research team says the Drammer attack has far more wide-reaching implications than just Android, being able to exploit any device running on ARM chips. In the past, researchers have tested the Rowhammer attack against DDR3 and DDR4 memory cards, weaponized it via JavaScript, took over PCs via Microsoft Edge, and hijacked Linux virtual machines. There's an app to test if your phone is vulnerable to this attack. "Rowhammer is an unintended side effect in dynamic random-access memory (DRAM) that causes memory cells to leak their charges and interact electrically between themselves, possibly altering the contents of nearby memory rows that were not addressed in the original memory access," according to Wikipedia. "This circumvention of the isolation between DRAM memory cells results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly activate the same memory rows numerous times."

100 comments

  1. epic fail by Anonymous Coward · · Score: 0

    Rowhammer is far worse than the infamous Pentium FDIV bug, but RAM makers have no incentive to fix it.
    This is why we can't have nice things.

    p.s. Future AIs will probably evolve to make use of hardware bugs like Rowhammer in ways that humans can't even understand.

    1. Re: epic fail by Anonymous Coward · · Score: 0

      By the time AI is that advanced we will have a completely different kind of RAM. Or an AI guard to replace anti-virus/malware/exploit software.

    2. Re:epic fail by Anonymous Coward · · Score: 0

      For the common user, it means that accessing certain websites could root their phones?

    3. Re:epic fail by Daetrin · · Score: 1

      If the AIs are created in any kind of evolutionary manner, then almost certainly yes. It's happened with hardware design before.

      --
      This Space Intentionally Left Blank
  2. I don't understand by TheRaven64 · · Score: 5, Interesting

    One of the simplest existing known attacks involves creating an 8MB TypedArray object in JavaScript. This gives you a contiguous virtual address range, which allows you to generate 9 addresses that will be aliased to the same cache line and therefore where 9 sequential writes will trigger an eviction and a write back to RAM. What made this attack now work on mobile devices?

    --
    I am TheRaven on Soylent News
    1. Re:I don't understand by 110010001000 · · Score: 1

      They made an app that did it.

    2. Re:I don't understand by Anonymous Coward · · Score: 0

      Well damn at least they aren't luddites, right?

      Apps!

    3. Re:I don't understand by Gravis+Zero · · Score: 4, Informative

      One of the simplest existing known attacks involves [...]. What made this attack now work on mobile devices?

      Surprise, they didn't do it that way!

      It was previously "speculated that Rowhammer on ARM could be impossible, one of the main reasons being that the ARM memory controller might be too slow to trigger the Rowhammer bug" which is true in most cases like the one you listed. However, one thing they figured out is that they could use "DMA buffers bypass the CPU and its caches" using Android's DMA Buffer Management API.

      They did several other things like figure out how to determine the size of the DRAM rows (not uniform on ARM) and create a deterministic way to force security-sensitive data into vulnerable rows in a deterministic fashion.

      You can read the paper that describes it here: https://vvdveen.com/publications/drammer.pdf

      TL;DR: They are smart and if your Android phone isn't getting the latest patches then you are vulnerable to total pwn4g3 from anything in the Google Play Store until Google figures out how to scan for apps that will perform this attack.

      --
      Anons need not reply. Questions end with a question mark.
    4. Re:I don't understand by Anonymous Coward · · Score: 0

      News flash. You are ALREADY vulnerable to total ownage from anything in the Google play store. Google wants it that way, Google likes it that way. Fixing rowhammer does not fix that fact.

      I don't bother with latest patches for android. I have about a dozen apps that need upgrading but every one of them wants more permissions than I'm willing to give them. Weather App needs contact list? F*ck off, I don't want to be owned!

    5. Re:I don't understand by frovingslosh · · Score: 2

      What I don't understand is if this attack is able to root so many different Android systems, why is it still so hard for the device's owner who wants to root his device to actually root it?

      --
      I'm an American. I love this country and the freedoms that we used to have.
    6. Re:I don't understand by Anonymous Coward · · Score: 0

      FYI, Android 6 has:
      * Post-install/run-time permission requests
      * App permissions now granted individually at run-time, not all-or-nothing at install time.

      Source: https://en.wikipedia.org/wiki/Android_version_history#Android_6.0_Marshmallow_.28API_level_23.29

    7. Re:I don't understand by blivit42 · · Score: 1

      TL;DR: They are smart and if your Android phone isn't getting the latest patches then you are vulnerable to total pwn4g3 from anything in the Google Play Store until Google figures out how to scan for apps that will perform this attack.

      I thought I'd add a potentially interesting anecdote to this. The app is not available on the US Google Play Store, as the github readme said may be the case. I downloaded the app directly to my Motorola Droid 2 Turbo (last OS update July 1st, 2016) and installed it. I was surprised to see a warning message pop up "Installation blocked. This app contains code that attempts to bypass Android's security protections." Something in my phone is detecting the potentially malicious code, and I don't think it is the Play Store, since I didn't use the Play Store, and installed the app directly from my download directory.

      Once installed, it looked like it tried to download 100 files (progress meter showed 0 out of 100). This hung, since I have the NetGuard firewall installed, set to block all wifi / mobile data access by default.

      I canceled out of the download and tried to run the hammertime attack, but got an extremely long error message that took up the whole screen.

      So, for at least this proof of concept attack app, it failed on several levels:

      1) Something on my phone detected it as potentially malicious and asked me if I really wanted to install it (I have not installed any virus/malware scanners that I am aware of, so I don't know what this was).
      2) It failed to download some files, potentially necessary for the attack, due to my firewall
      3) It failed to work, maybe due to missing the files it couldn't download.

      I'm sure that a more robust attack app could be developed, but, at least as far as the proof of concept app is concerned, I'm not overly worried -- for the moment.

    8. Re: I don't understand by Anonymous Coward · · Score: 0

      So they added a feature that iOS had even in the earlier versions? How cool...

    9. Re:I don't understand by Altrag · · Score: 1

      It's not that hard. A quick Google will find you dozens of pages and Youtube videos showing you how to do it.

      The hard part is trusting any of those rooting programs to not be malware themselves. Any time you're doing something that's against the rules (even if not actually illegal,) you'll find a boatload of shady people offering questionable solutions since most "legitimate" sources tend to avoid breaking the rules.

    10. Re:I don't understand by Anonymous Coward · · Score: 0

      So...instead of apps getting more and more snoopy, the alternative is to just throw in the towel and get an updated OS that is more snoopy than the current one? Can't even update a single built-in app without updating the entire OS? Mixing feature updates (more snooping!) with bug fixes? NO THANKS.

    11. Re: I don't understand by Anonymous Coward · · Score: 0

      Settings > Google > Security > scan for potentially harmful apps

  3. Bug of feature? by sciengin · · Score: 1, Interesting

    Of course this is a terrible bug for most.
    On the other hand it would be awesome if one could incorporate this attack into an app that roots the device without needing to connect it to a PC first.

    1. Re:Bug of feature? by peragrin · · Score: 5, Funny

      don't worry they are working on a java script version.

      That way they can root your device on the web and load the advertising directly to all of your contacts.

      oh wait that's called facebook.

      --
      i thought once I was found, but it was only a dream.
    2. Re:Bug of feature? by TheRaven64 · · Score: 5, Informative

      Rowhammer has been usable from JavaScript for ages. As I said above (in the post currently at 0 overrated), one of the published ways of exploiting it is to use TypedArray objects to get a large chunk of contiguous memory, which then gives you a load of addresses in the same cache associativity set. You then hammer those addresses, which forces repeated cache evictions and eventually flips some adjacent bits. You can then use this to escape from the JavaScript sandbox. I don't know why this attack wouldn't work on mobile devices, so I don't really see what's new here.

      --
      I am TheRaven on Soylent News
    3. Re:Bug of feature? by ausekilis · · Score: 1

      What's new is this is an exploit that uses a hardware vulnerability, not a software vulnerability. While Ars is lacking specific details, the article reads as though it's a vulnerability in a common type of memory chip (or controller thereof) and doesn't depend on a specific version of Android or Dalvik. That sounds different to me, but I'm no expert.

    4. Re:Bug of feature? by TheRaven64 · · Score: 2

      Uh, no. All RowHammer attacks use a hardware vulnerability. That's the definition. The JavaScript attack allows you to exploit this vulnerability from a bug-free JavaScript VM, with the only requirement being that it implements TypedArray objects as contiguous (virtual) memory arrays (which is the obvious way of implementing them, and it would be difficult to implement them usefully any other way if you want to use them with WebGL). The only variation is which bits you choose to try to flip with the RowHammer attack. This is the equivalent of running a different program with a known attack, not a new attack.

      --
      I am TheRaven on Soylent News
    5. Re:Bug of feature? by ausekilis · · Score: 1

      I learned something today. Time to ask the boss if I can go home ;-).

    6. Re:Bug of feature? by Gravis+Zero · · Score: 1

      Rowhammer has been usable from JavaScript for ages. [...] I don't know why this attack wouldn't work on mobile devices

      Your javascript attack works on x86 systems but not on ARM systems because of how and how fast the memory is accessed. ARM memory controllers just aren't fast enough to trigger the DRAM bug.

      I don't really see what's new here.

      you should consider reading the research paper before spouting ignorant and misleading comments. :)

      --
      Anons need not reply. Questions end with a question mark.
    7. Re:Bug of feature? by johanw · · Score: 1

      Try Kingroot for that. Then, run a script to replace Kingroot with SuperSU. For most phones this is the easiest root method.

  4. Bugger! by warewolfsmith · · Score: 1

    Your Android device is ROOTED :-(

    1. Re:Bugger! by Anonymous Coward · · Score: 1

      You think you're being all clever here, but the risk isn't that your phone ends up rooted and you get to enjoy the spoils. The risk is that malicious software roots your phone without your knowledge and they enjoy the spoils.

    2. Re:Bugger! by Anonymous Coward · · Score: 0

      I suspect they're either Australian, or making a joke about the Aussie slang definition of rooted/rooting (fucked/fucking).

      You could try being clever yourself.

    3. Re:Bugger! by TheCarp · · Score: 2

      While you are correct, I must confess.... MY first reaction to this was "Oh good, you mean I can root my phone that I bought with my money now"

      As much as I hate the implications of this.... and I do.... I also hate that I own a device that is functionally crippled and unable to run many of the apps I would like to run.

      Funny ecosystem we have eh?

      --
      "I opened my eyes, and everything went dark again"
    4. Re:Bugger! by johanw · · Score: 1

      My phone is already rooted; if another process installs a new su binary, SuperSU will notice and complain about it.

    5. Re:Bugger! by Yo+Grark · · Score: 1

      Amen. Got a Cat S50 I can't root for the life of me. I need root to remotely help my grandfather who accidentally presses buttons all the time. I got him a great water proof drop proof old age proof phone, but the gas and mileage of physically driving 100 miles to press a stupid button is getting on my nerves!

      Yo Grark

      --
      Canadian Bred with American Buttering
  5. Oh dear, more military terminology by Viol8 · · Score: 2, Insightful

    A bunch of pasty faced sad sack nerds sitting in a basement want to sound cool and tough, like they've just done a tour in 'Nam. So they don't say "enabled" by javascript, no no no, it's "weaponised" with "attack vectors" instead of flaws or holes. It's just so lame and wannabe.

    1. Re:Oh dear, more military terminology by Anonymous Coward · · Score: 1

      Sounds more like marketing speak than anything someone in a basement would find compelling.

    2. Re: Oh dear, more military terminology by Anonymous Coward · · Score: 0

      Careful, you might cut yourself on all that edge.

    3. Re:Oh dear, more military terminology by Anonymous Coward · · Score: 0

      Are the kids on your lawn again grandpa?

      Time to pull your pants up all the way to your armpits and march outside to show them a thing or two!

    4. Re:Oh dear, more military terminology by 110010001000 · · Score: 2

      Also the term "researchers" is dubious. What a waste of time this junk is.

    5. Re:Oh dear, more military terminology by Anonymous Coward · · Score: 0

      I have to ask, why are you on this site? From your posting history, all you do is whine and moan about the articles. Is your life so empty that you crave attention in places you don't like to be? Or are you just some little snowflake who believes his contributions matter to anyone else? Genuinely interested in what drives you to keep coming back here to perform for the uninterested masses.

    6. Re:Oh dear, more military terminology by Maritz · · Score: 1

      He's right though. The language they use to try to make this stuff sound cool is actually just really cringeworthy.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    7. Re: Oh dear, more military terminology by DNS-and-BIND · · Score: 2

      We don't say "'Nam" any more, Grandpa. Moreover it's the marketroids that come up with these names, not the techies. And seriously, nerd-shaming, on Slashdot? Turn in your geek card, it's revoked by unanimous popular consent.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    8. Re:Oh dear, more military terminology by Anonymous Coward · · Score: 0

      Ah but you forget, we apparently now live in an age where every security vulnerability needs a cutesy name and its own website to terrorize anybody who might be vulnerable.

      Truth be told, though, it's the pasty-faced government employees who are really turning these attacks into "weapons" these days, even if I have to agree that the phrase itself is really kind of a pathetic reflection upon the security community. Oh there's plenty of basement-dwellers using 0-day exploits sure, that's where most of them come from in the first place...but the ones who find them are typically collecting money these days, either from bug bounties or from whoever will pay for them on a sketchy TOR site. Why report them to the vendor when the vendor will typically either ignore you at best or file a joke lawsuit at the other end?

      Either way you are right, it's just sprinkling flowery language on something rather than making an effort to understand it; apparently it's more important for people to have heard the word "rowhammer" than to even know how it works. People trying to sound more important and relevant than they really are, obscuring any facts that might be helpful in the process...ugh. I'm glad some posters in the threads below have at least attempted to explain the vulnerability itself.

    9. Re:Oh dear, more military terminology by Anonymous Coward · · Score: 0

      Ha ha, indeed. Same goes for 'software engineers' doing 'engineering' (when they're actually designing some hella slow javascripty website).

    10. Re:Oh dear, more military terminology by Anonymous Coward · · Score: 0

      Dude... we're in the middle of the cyberwar. Why wouldn't we adapt military terminology to describe it?

    11. Re:Oh dear, more military terminology by 110010001000 · · Score: 1

      Waaaah, you mad bro? Sorry I got you so upset.

    12. Re:Oh dear, more military terminology by Viol8 · · Score: 1

      Because it's nothing like real war "dude".

    13. Re:Oh dear, more military terminology by Anonymous Coward · · Score: 0

      hey! there are many kinds of basements!!!

    14. Re: Oh dear, more military terminology by Anonymous Coward · · Score: 0

      Can't tell if you're troller or are you really that fucking stupid?

    15. Re:Oh dear, more military terminology by Anonymous Coward · · Score: 0

      Ah, I see you're a 15 year old child. Well, that explains the "edgy" posts. Have fun popping those zits, kid :)

  6. An app by Anonymous Coward · · Score: 0

    So, how do I test my phone with this uncompiled app?

    1. Re:An app by Anonymous Coward · · Score: 0

      By compiling it. Any more obvious answers I can help you with?

    2. Re:An app by Anonymous Coward · · Score: 0

      So, how do I compile this uncompiled app on my phone?

    3. Re:An app by RavenLrD20k · · Score: 1

      They provided the direct link to the apk file. Scroll down in the README.md displayed on the github link to the heading "Android GUI app" found here. The first line of the paragraph has the phrase "Android app" as a link to the drammer.apk file. You can use this to sideload onto your device and perform the check. They also tried to provide a link to the Google Play page for the app in that section of the doc, however it looks like Google disabled it as against the TOS (link now goes to a 404 page).

      All that said, this is probably one of those apps you'll want to first read the source and see for yourself what it's doing, then install the Android NDK on a PC to compile it; from there sideload the apk you built. This way you can at least be a little more certain of the build to make sure that it only does exactly what the code says it should...instead of trusting someone else's build to not have any added features

    4. Re: An app by Anonymous Coward · · Score: 0

      Wise move! APK's custom HOSTS file will keep you safe from all harm! I applaud your choice of ad/malware blocking, good sir.

      *tips fedora*

    5. Re:An app by Anonymous Coward · · Score: 0

      Oh, ok. Sad they don't have official Play store app.

    6. Re:An app by Anonymous Coward · · Score: 0

      It's literally on the linked GitHub page, step by step instructions.

      'News for Nerds' my ass, this place is full of anything but.

    7. Re: An app by Anonymous Coward · · Score: 0

      Godamnit you just summoned He Who Must Not Be Named.

      Nice going, asshole.

  7. Phew, my Galaxy Note 7 is safe! by Anonymous Coward · · Score: 3, Funny

    Lucky I upgra

    1. Re:Phew, my Galaxy Note 7 is safe! by Anonymous Coward · · Score: 0

      How did you click preview, type a captcha, and click post, if your phone is on fire?

    2. Re:Phew, my Galaxy Note 7 is safe! by mlw4428 · · Score: 2

      He's just joking. Not every Galaxy Note 7 is having these issues, in fact I just plugged mine in and as you can see it hasn't exp

  8. Does this affect Kindle (FireOS) as well? by Danathar · · Score: 1

    Does anybody know if this affects Amazon Kindle devices since they are an Android Fork?

    1. Re:Does this affect Kindle (FireOS) as well? by Anonymous Coward · · Score: 0

      It's software-independent. It would need a hardware fix (ECC and/or increased refresh rate)

  9. hardware fix by sxpert · · Score: 2

    time to implement ECC everywhere, period !
    it's not like ram is expensive anymore

    1. Re:hardware fix by Anonymous Coward · · Score: 0

      If the hammer takes out enough bits in a row, ECC won't fix, but might have good odds of detecting and stopping the machine.

    2. Re:hardware fix by Anonymous Coward · · Score: 0

      There is still no confirmed case of Rowhammer working against ECC.

    3. Re:hardware fix by Anonymous Coward · · Score: 0

      time to implement ECC everywhere, period !
      it's not like ram is expensive anymore

      They're already putting ECC memory into some high-end laptops. See

        http://www.pcworld.com/article/2960799/laptop-computers/the-first-skylake-laptops-are-lenovos-thinkpad-p50-and-p70-graphics-workstations.html

    4. Re:hardware fix by fintux · · Score: 1

      ECC requires more power (more data to store + data integrity checks to be done), and might also have a bit bigger footprint. I don't know how much more exactly, nor how big portion of the power usage comes from RAM, but in any case, cost isn't the only drawback.

    5. Re:hardware fix by sxpert · · Score: 1

      good news !
      hope these are not locked to winblows 10

    6. Re:hardware fix by sxpert · · Score: 1

      the core to do ECC in the memory controller bits of the processor is really small... and doesn't consume much anymore compared to the billions of transistors required for ever bigger cache and logic in those processors... the issue is rather moot

    7. Re:hardware fix by Anonymous Coward · · Score: 0

      It won't fix the data, but it will certainly invalidate the whole ECC region, thus protecting against the attack.
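
Added example (not part of any comment in this thread, and not code from the Drammer authors): a C sketch of the single-error-correct, double-error-detect (SECDED) scheme the ECC replies above are arguing about, showing that one flipped bit is repaired, two are detected, and three can be silently miscorrected. The 72-bit extended Hamming layout and all function names are assumptions chosen for illustration; real memory controllers use their own codes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative layout (assumption): 64 data bits + 7 Hamming parity bits
 * at indices 1,2,4,...,64 + 1 overall parity bit at index 0. */
#define CW_BITS 72

typedef enum { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE } ecc_status;

static int is_pow2(int i) { return (i & (i - 1)) == 0; }

/* XOR of the indices (1..71) of all set bits; 0 for a valid codeword. */
static int syndrome(const uint8_t cw[CW_BITS]) {
    int s = 0;
    for (int i = 1; i < CW_BITS; i++)
        if (cw[i]) s ^= i;
    return s;
}

/* Parity over all 72 bits; 0 for a valid codeword. */
static int overall_parity(const uint8_t cw[CW_BITS]) {
    int p = 0;
    for (int i = 0; i < CW_BITS; i++) p ^= cw[i];
    return p;
}

void ecc_encode(uint64_t data, uint8_t cw[CW_BITS]) {
    memset(cw, 0, CW_BITS);
    int d = 0;
    for (int i = 3; i < CW_BITS; i++)          /* data goes in non-power-of-2 slots */
        if (!is_pow2(i)) cw[i] = (uint8_t)((data >> d++) & 1);
    int s = syndrome(cw);
    for (int k = 0; k < 7; k++)                /* parity bits cancel the syndrome */
        cw[1 << k] = (uint8_t)((s >> k) & 1);
    cw[0] = (uint8_t)overall_parity(cw);       /* make total parity even */
}

ecc_status ecc_decode(uint8_t cw[CW_BITS], uint64_t *out) {
    int s = syndrome(cw);
    int p = overall_parity(cw);
    ecc_status st = ECC_OK;
    if (p) {
        /* Odd number of flips: the decoder ASSUMES exactly one and repairs
         * the bit the syndrome points at (s == 0 is the overall parity bit). */
        if (s >= CW_BITS) return ECC_UNCORRECTABLE;
        cw[s] ^= 1;
        st = ECC_CORRECTED;
    } else if (s) {
        /* Even number of flips with a non-zero syndrome: double error. */
        return ECC_UNCORRECTABLE;
    }
    uint64_t data = 0;
    int d = 0;
    for (int i = 3; i < CW_BITS; i++)
        if (!is_pow2(i)) data |= (uint64_t)cw[i] << d++;
    *out = data;
    return st;
}

/* Encode `data`, flip the listed codeword bit indices, then decode. */
ecc_status flip_and_decode(uint64_t data, const int *flips, int n, uint64_t *out) {
    uint8_t cw[CW_BITS];
    ecc_encode(data, cw);
    for (int i = 0; i < n; i++) cw[flips[i]] ^= 1;
    *out = 0;
    return ecc_decode(cw, out);
}

int main(void) {
    const char *names[] = { "OK", "CORRECTED", "UNCORRECTABLE" };
    uint64_t data = 0x0123456789abcdefULL, out;   /* constructed sample word */
    int one[] = { 37 }, two[] = { 37, 38 }, three[] = { 3, 5, 9 };

    ecc_status st = flip_and_decode(data, one, 1, &out);
    printf("1 flip : %-13s data intact: %s\n", names[st], out == data ? "yes" : "no");

    st = flip_and_decode(data, two, 2, &out);
    printf("2 flips: %-13s (machine check, no data returned)\n", names[st]);

    /* 3 ^ 5 ^ 9 == 15, so the decoder "repairs" bit 15 and reports success
     * while the returned word now differs from the original in four bits. */
    st = flip_and_decode(data, three, 3, &out);
    printf("3 flips: %-13s data intact: %s\n", names[st], out == data ? "yes" : "no");
    return 0;
}
```

The three-flip case is the one to watch for in monitoring: a rising rate of corrected-error reports from the memory controller is the only visible signal, since a miscorrection is reported the same way as a successful repair.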

  10. How Slashdot has fallen by Anonymous Coward · · Score: 0

    The second most insightful post on a security article is about some dude with a chip on his shoulder about the verbiage of the article. Where are all the 1337 hax0rz around here that shout and scream when we're discussing soft security topics like the handling of Clinton's mail server? No input from you boys? Not something here we can debunk like some Hollywood misrepresentation of the computer culture?

    Come on guys... you're all experts, worked in the field since Babbage moved on, right? Where's your insights now?

    I guess you're all saving it for the next article about how "Teh MafiAAAA" wants people to shut off their cellphones before a movie.

  11. Awesome by steveo777 · · Score: 1

    Can't wait until it's up on XDA Developers for the S5 from AT&T, which so far hasn't been able to be rooted, and is the phone my work gave me. Sure it's a free phone and it's a work phone... But I wanna put a different ROM on it, dammit.

    --
    This sig isn't original enough, it's time to come up with something witty...
    1. Re:Awesome by Anonymous Coward · · Score: 0

      root access to OS != boot loader access, which is required to change the ROM. :*(

    2. Re:Awesome by PincushionMan · · Score: 1

      Sorry, those bootloaders are cryptographically signed with keys in either Verizon's or AT&T's possession. These keys preclude the installation of any custom ROMs. Short of an AT&T dev being careless with the crypto-keys, it's not going to happen. In my experience, Samsung phones are pretty beefy. They have to be to run the TouchWiz OS layer on top of Android OS.

      If you have an older Samsung phone - for instance the Galaxy S3 - and you have the ability to install a Custom ROM (Cyanogen, Slim, Oxygen), they will work fairly well. The S3 can even run Marshmallow (6.0), where the Note 3 is stuck on Lollipop (5.0.1). The Note3 didn't even get 5.1.1! The S3's only problem is the stock camera occasionally crashes (and requires reboot to fix). There's some 3rd party cameras out there that work better. Overall, the S3 with Cyanogen is much, much snappier than with TouchWiz.

  12. Intel SoC by Frederic54 · · Score: 1

    No problem with my Asus Zenfone2 with an Intel chip! (I hope)

    --
    "Science will win because it works." - Stephen Hawking
  13. Well... by johnsmithperson123 · · Score: 1

    This is just another reason why we need to migrate away from DRAM. It's simply at a fundamental level too easy to exploit this way. We need to move to non-volatile memory, which is more power efficient anyway. Hopefully within a few more years the tech will be there.... I'm most excited about the carbon nanotubes, myself.

    1. Re:Well... by Anonymous Coward · · Score: 0

      ...what the hell does that have to do with anything?

    2. Re:Well... by Anonymous Coward · · Score: 0

      Or we could just use ECC DRAM.

      Though that said, I would be happy if they started putting static RAM in computers.

  14. Takes over Microsoft Edge, like I'm surprised by Trax3001BBS · · Score: 0

    This weekend I used Win10, every time I wanted to view a PDF; Edge wanted to be the PDF viewer yet has no usable options for that function.

    I was using the computer just to view PDF's, I had to select Open With: select Foxit (which came pre-installed) and 5+ requestor to make it the default PDF viewer, this every time I opened a PDF.

    It's an obtrusive sob that I'm sure threw itself into the hack.

  15. Shouldn't they have called it DRAMP? by tlambert · · Score: 1

    Shouldn't they have called it DRAMP?

  16. I can't even root this phone by phishybongwaters · · Score: 1

    So I have to jump through hoops to try to root my S6 and end up giving up and restoring a backup... but this thing can drive by root it? wtf

  17. This is why we need rust by Anonymous Coward · · Score: 0

    C and Java are not memory safe, so shit like this happens. Rust is memory safe -- memory bugs are impossible! Google needs to drop dalvik and embrace rust. It's the only way to prevent bugs like this.

    1. Re:This is why we need rust by fintux · · Score: 1

      I hope you're just being sarcastic, but in case you're not, ...

      - This is a hardware issue, not a programming language problem
      - Rust helps to prevent programming bugs with memory, like dangling/null pointers, buffer overflows etc. But it has control over the memory layout, which is a crucial requirement in implementing a row hammer attack, so a row hammer attack with Rust would likely be very suitable for implementing such an attack
      - Even if there was a programming language that prevented this by doing some memory layout randomization or similar, it would also lose performance due to non-contiguous memory (prefetching will not work and there will be cache misses), and thus it also would kill the battery life
      - Even if ignoring the points above, it would require a massive amount of work to move away from JavaScript on web pages
      - We would also require the OS, including the kernel, written in such language (which probably would not be possible, since there would be an abstraction of memory, which doesn't play nice with many device drivers etc.)

    2. Re:This is why we need rust by OrangeTide · · Score: 1

      Theoretically you could relocate memory periodically in a system like Rust (or Java). This could be done so that the high level doesn't realize it has happened. It might have a fairly heavy performance cost, depending on how frequently the relocations are done and how you detect when you should do them. (scoreboard vs static analysis)

      I could write a very simple language/environment where rowhammer is essentially impossible. But it would be very slow. Obvious example is that every address is looked up on a hash table to find the physical address. The application cannot see this hidden hash table, it would allow a byte granularity to relocation instead of a page granularity. It would waste a tremendous amount of memory and be very slow. (basically memory layout randomization)

      JavaScript itself doesn't necessarily need to be replaced. Replacing it with a similar implementation of Rust doesn't make rowhammer go away. Working around the issue is possible in JS, Rust, Java, Haskell, and a few others. Not practical to work-around in C, but theoretically possible.

      If you use SRAM instead of DRAM, there is no performance penalty for layout randomization. Of course, SRAM doesn't have the issue with rowhammer either.

      --
      “Common sense is not so common.” — Voltaire
    3. Re:This is why we need rust by Anonymous Coward · · Score: 0

      Right but if you wrote your row hammer exploit in rust it would be memory safe. If you write it in C it could leak memory or have a buffer overflow.

  18. Happy you're pleased as these folks are by Anonymous Coward · · Score: 0

    /.'ers disagree outnumbering you

    his hosts program is actually pretty good by xenotransplant

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon

    take a look at the APK hosts file engine by SuperKendall

    APK is kinda right. I've tried his hosts file generating software. It works by bmo

    APK is totally right on this count. Adblock Plus on Firefox mobile is a dog on older, or lower end, phones. A hostfile based adblocker makes for a much better experience by chihowa

    I like your host file system by Karmashock

    I find your hosts file admirable by vel-ex-tech

    * My code's also recommended & hosted by Malwarebytes' hpHosts - It works doing more for less.

    APK

    P.S.=> See subject & those quoted /.'ers - want more? apk

  19. blackberry probably immune by Anonymous Coward · · Score: 0

    blackberry and qnx aren't looking too bad right now!

  20. Re:Researchers? by wildstoo · · Score: 1

    They are crackers not researchers damn!

    What has their skin colour got to do with it?

    Also, the correct term is "economically-disadvantaged caucasians".

  21. Re:Researchers? by Gravis+Zero · · Score: 3, Funny

    Can we stop calling these fucktards researchers already? They are crackers not researchers damn!

    Yeah, I mean, researchers explain their methodology and publish papers about it! These are just the dumbest criminal hackers that put their names on some paper they published! Can't wait until they go to jail for their criminal deeds which they are obviously waiting to do in the future! -_-

    --
    Anons need not reply. Questions end with a question mark.
  22. From TFA by Jiro · · Score: 1

    Researchers said they don't plan to release the exploit code that weaponizes the Rowhammer attack in order to root Android devices.

    Gee, thanks.

    There are lots of people who are stuck on unrootable devices and could really use this.

  23. Another Day, Another Android Exploit by macs4all · · Score: 0

    Pretty sad, isn't it?

  24. Incentive for RAM-makers by davidwr · · Score: 1

    but RAM makers have no incentive to fix it

    Actually, they do. They can market lower-density, more-expensive-to-manufacture RAM which has spacing or other "rowhammer-protecting design elements" between rows for use in "high-but-not-quite-military-grade-security" applications.

    For example, if off-the-shelf equipment would have been approved for a high-security application but for the vulnerability to rowhammer and similar attacks then the product vendor can substitute the more expensive, lower-density, more-secure RAM and sell his product to the customer rather than lose the sale entirely.

    As for military-grade applications, I'm not going to pretend to know what their requirements are or how to address them.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

  25. The test app by Anonymous Coward · · Score: 0

    I downloaded the app (https://vvdveen.com/drammer/drammer.apk) to check my android devices but it just keeps running and running. Is that a good thing? If there was a problem would it stop and tell me? Thanks

    1. Re:The test app by slashdice · · Score: 1

      LOL, "I asked some crack heads to house sit for me while I'm out of town for a few weeks. I figure if there was a problem they would stop smoking crack and tell me."

      --
      Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.

    2. Re:The test app by Anonymous Coward · · Score: 0

      It's not from a "crack head". This guy (https://vvdveen.com/) wrote the app and he is a part of https://www.vusec.net/

      I couldn't find much documentation on it though, hence my question.

  26. ECC only adds 8 bits.. by Anonymous Coward · · Score: 0

    In the case of 64 bit memory channels it is 72 bits for ECC memory.

    The *LARGER* problem is that ECC doesn't help with rowhammer attacks because in many cases rowhammer can trigger the same effect without causing the ECC checksum to fail. Meaning that it passes ECC checksumming and continues on running with the (un)intentionally corrupted data.

    The core issue here is that DRAM needs to be redesigned to avoid the capability of cacheline flushes causing unexpected behavior in DRAM (as mentioned in previous articles on this, it is specific brands of DRAM from specific manufacturers that fail this way. They need to be redesigned to solve this issue or have their latency specifications changed to take this situation into account and run with reduced performance characteristics that ensure this situation cannot be triggered under even worst case circumstances.)

    Meanwhile: Score one for jailbreakers everywhere. And for a blow against Samsung's KNOX, since this could potentially bypass it if you can trigger this situation over TrustZone controlled memory. (Completely defeating the purpose of a secure machine without using separate and trustworthy batches of DRAM.)
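The limit of 72-bit ECC raised in the comment above can be seen with a toy single-error-correct, double-error-detect (SECDED) code. This is an added example, not part of the thread: it uses a textbook extended Hamming(72,64) layout, which is an assumption (real ECC DIMM controllers use their own code matrices), and the data word and flipped bit positions are constructed.

```python
# Textbook extended Hamming(72,64): bit 0 is overall parity, bits 1..71 hold
# 7 check bits (at powers of two) and 64 data bits. Assumed layout for illustration.
DATA_POS = [p for p in range(1, 72) if p & (p - 1)]   # the 64 non-power-of-two positions

def syndrome(word):
    """XOR of the positions (1..71) of all set bits; 0 for a valid codeword."""
    s = 0
    for p in range(1, 72):
        if word >> p & 1:
            s ^= p
    return s

def encode(data):
    word = 0
    for i, p in enumerate(DATA_POS):
        word |= (data >> i & 1) << p
    s = syndrome(word)
    for k in range(7):                    # set check bits so the syndrome becomes 0
        if s >> k & 1:
            word |= 1 << (1 << k)
    return word | (bin(word).count("1") & 1)   # bit 0 makes total parity even

def decode(word):
    """Return (data, status) as a SECDED decoder would report it."""
    s = syndrome(word)
    if bin(word).count("1") & 1:          # odd parity: decoder assumes ONE flipped bit
        if s > 71:
            return None, "uncorrectable"
        word ^= 1 << s                    # s == 0 means the parity bit itself
        status = "corrected"
    elif s:
        return None, "uncorrectable"      # even parity, bad syndrome: double error
    else:
        status = "clean"
    data = 0
    for i, p in enumerate(DATA_POS):
        data |= (word >> p & 1) << i
    return data, status

def flip(word, *positions):
    for p in positions:
        word ^= 1 << p
    return word

DATA = 0x0123456789ABCDEF                 # constructed sample value
WORD = encode(DATA)

if __name__ == "__main__":
    for flips in [(), (9,), (9, 21), (3, 5, 9)]:
        data, status = decode(flip(WORD, *flips))
        print(flips, status, "data intact" if data == DATA else "data NOT intact")
```

With three flipped bits the decoder reports "corrected" while returning wrong data, so monitoring that only counts uncorrectable ECC errors does not see this case.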

    1. Re:ECC only adds 8 bits.. by Agripa · · Score: 1

      Redesigning the memory controller or DRAM is enough to solve the problem; force out of order refreshes on rows adjacent to continuously accessed rows. This is now called Target Row Refresh.
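The mitigation described in the reply above, refreshing the rows adjacent to a heavily activated row ahead of schedule, can be modelled in a few lines. This is an added example, not from the thread or from any vendor's implementation: the per-row activation counter, the bank size, both thresholds and the access trace are constructed assumptions.

```python
from collections import Counter

ROWS = 16              # constructed toy DRAM bank
FLIP_THRESHOLD = 1000  # assumed: disturbances a row tolerates before a bit flips
TRR_THRESHOLD = 400    # assumed: activations of one row that trigger a targeted refresh

def neighbours(row):
    return [n for n in (row - 1, row + 1) if 0 <= n < ROWS]

def simulate(accesses, trr_enabled):
    """Replay row activations inside one refresh window; return rows that flipped."""
    disturb = [0] * ROWS       # disturbance per row since it was last refreshed
    activations = Counter()    # per-row counter kept by the (hypothetical) controller
    flipped = set()
    for row in accesses:
        disturb[row] = 0                   # activating a row rewrites its own cells
        for n in neighbours(row):
            disturb[n] += 1
            if disturb[n] >= FLIP_THRESHOLD:
                flipped.add(n)
        activations[row] += 1
        if trr_enabled and activations[row] >= TRR_THRESHOLD:
            for n in neighbours(row):      # out-of-order refresh of the adjacent rows
                disturb[n] = 0
            activations[row] = 0
    return flipped

def alternating_pattern(row_a, row_b, count):
    """Constructed access trace: two rows activated alternately."""
    return [row_a if i % 2 == 0 else row_b for i in range(count)]

TRACE = alternating_pattern(4, 6, 1800)    # rows 4 and 6 sandwich row 5

if __name__ == "__main__":
    print("without TRR:", sorted(simulate(TRACE, False)))
    print("with TRR:   ", sorted(simulate(TRACE, True)))
```

In this model the protection holds only while the refresh threshold stays well below the flip threshold, which is the margin a memory vendor has to guarantee.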

  27. Intel patented their fix by gonz · · Score: 1

    Apparently Intel patented their fix on Oct 31, 2013... the exact same day that Nexus 5 shipped in the US:

    https://www.google.com/patents...

    Glad to see the industry came together to protect consumers!

  28. Not accurate - list tested were not all rooted by Anonymous Coward · · Score: 0

    After reading over some of the drammer.pdf paper which others have linked to, I must conclude that the S4 was not tested and the S5 and S6 and many others were not found to be vulnerable. I believe the only ARMv8 they tested and found to be vulnerable was the LG G4.