Rowhammer Attack Can Now Root Android Devices

An anonymous reader writes from a report via Softpedia: Researchers have discovered a method to use the Rowhammer RAM attack for rooting Android devices. For their research paper, called Drammer: Deterministic Rowhammer Attacks on Mobile Platforms, researchers tested and found multiple smartphone models to be vulnerable to their attack. The list includes LG Nexus (4, 5, 5X), LG G4, Motorola Moto G (2013 and 2014), One Plus One, HTC Desire 510, Lenovo K3 Note, Xiaomi Mi 4i, and Samsung Galaxy (S4, S5, and S6) devices. Researchers estimate that millions of Android users might be vulnerable. The research team says the Drammer attack has far more wide-reaching implications than just Android, being able to exploit any device running on ARM chips. In the past, researchers have tested the Rowhammer attack against DDR3 and DDR4 memory cards, weaponized it via JavaScript, took over PCs via Microsoft Edge, and hijacked Linux virtual machines. There's an app to test if your phone is vulnerable to this attack. "Rowhammer is an unintended side effect in dynamic random-access memory (DRAM) that causes memory cells to leak their charges and interact electrically between themselves, possibly altering the contents of nearby memory rows that were not addressed in the original memory access," according to Wikipedia. "This circumvention of the isolation between DRAM memory cells results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly activate the same memory rows numerous times."

I don't understand

[TheRaven64]

One of the simplest existing known attacks involves creating an 8MB TypedArray object in JavaScript. This gives you a contiguous virtual address range, which allows you to generate 9 addresses that will be aliased to the same cache line and therefore where 9 sequential writes will trigger an eviction and a write back to RAM. What made this attack now work on mobile devices?

Re:Bug of feature?

[peragrin]

don't worry they are working on a java script version.

That way they can root your device on the web and load the advertising directly to all of your contacts.

oh wait that's called facebook.

Re:Bug of feature?

[TheRaven64]

Rowhammer has been usable from JavaScript for ages. As I said above (in the post currently at 0 overrated), one of the published ways of exploiting it is to use TypedArray objects to get a large chunk of contiguous memory, which then gives you a load of addresses in the same cache associativity set. You then hammer those addresses, which forces repeated cache evictions and eventually flips some adjacent bits. You can then use this to escape from the JavaScript sandbox. I don't know why this attack wouldn't work on mobile devices, so I don't really see what's new here.