Rowhammer.js Is the Most Ingenious Hack I've Ever Seen
DRAM circuit. Image: Dick Thomas Johnson/Flickr
Software exploits have become routine. People's private data gets stolen, it makes the news for a bit, a company releases a software patch that just barely fixes the problem, rinse, repeat. But every so often one comes along that's so damn cool, you have to sit and marvel at how someone pulled it off.
The bad news is that if your computer is vulnerable, it's a hardware issue, and there's very little you personally can do about it. No software patches are coming to the rescue any time soon. The good news is that this hack is so complicated to pull off, you're probably safe just from its level of difficulty alone.
To understand Rowhammer.js, you have to understand row hammer, the computer phenomenon it takes advantage of. A row hammer exploit is an unfortunate side effect of Dynamic Random Access Memory (DRAM). DRAM is a type of memory that a computer's CPU uses to store data that it needs to access often and quickly. DRAM systems save each bit of data on individual capacitors which are electrically charged. The binary logic that is the heart of all computing comes from this charge: no charge on a bit reads as 0, a charge past a certain threshold reads as 1.
The great thing about DRAM is we can pack millions of these capacitors on the surface of a chip, in a grid pattern of rows and columns. In most cases the more capacitors a chip has, the faster your CPU can process operations, but the density of these capacitors poses a problem. The electrical charge of a single capacitor can leak out and affect the charge of its neighbors, changing the binary value of nearby capacitors and corrupting a computer's memory in the process. To solve this, a dedicated component called a memory controller refreshes the charge on the capacitors thousands of times a second to ensure bit values stay correct.
A row hammer is when a program floods a particular row of bits with data, over and over again. This interrupts a memory controller's refresh process, causing electrical charges to leak to neighboring rows of bits on purpose, manipulating data that an executable program wouldn't normally have access to.
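The charge, threshold, leakage, refresh and neighbor-disturbance relationships described above, as a toy simulation. This is an added example, not code from the article or from the Rowhammer.js researchers; the charge units, leak rates, refresh interval and activation counts are constructed values chosen to make the effect visible, not measurements of any real chip.

```python
"""Toy DRAM cell model (constructed illustration, not real-hardware code).

Each cell holds a charge level. A charge above READ_THRESHOLD reads as 1,
anything at or below reads as 0. Charge leaks slowly on its own, and every
activation of a row costs its two physical neighbors a little extra charge.
The memory controller's refresh rewrites each cell with whatever it currently
reads, so a refresh that arrives in time restores a weakened 1 and a refresh
that arrives too late cements a flip.
"""

FULL_CHARGE = 100         # charge written for a logical 1 (constructed unit)
READ_THRESHOLD = 50       # above this a cell reads as 1, at or below as 0
IDLE_LEAK_PER_TICK = 1    # natural leakage per time step (constructed)
DISTURB_LEAK = 1          # extra charge a neighboring row loses per activation


class DramArray:
    """A grid of rows x cols cells, each holding a charge level."""

    def __init__(self, rows, cols):
        self.charge = [[0] * cols for _ in range(rows)]

    def write(self, row, bits):
        # A 1 is stored as a full charge, a 0 as no charge.
        self.charge[row] = [FULL_CHARGE if b else 0 for b in bits]

    def read(self, row):
        # The sense amplifier compares each cell against the threshold.
        return [1 if c > READ_THRESHOLD else 0 for c in self.charge[row]]

    def refresh(self):
        # Rewrite every row with the value it reads right now.
        for r in range(len(self.charge)):
            self.write(r, self.read(r))

    def tick(self):
        # Natural leakage: every charged cell loses a little charge.
        for row in self.charge:
            for i, c in enumerate(row):
                row[i] = max(0, c - IDLE_LEAK_PER_TICK)

    def activate(self, row):
        # Accessing a row disturbs the rows physically adjacent to it.
        # This toy only models charge loss, so it can only flip 1 -> 0.
        for r in (row - 1, row + 1):
            if 0 <= r < len(self.charge):
                self.charge[r] = [max(0, c - DISTURB_LEAK) for c in self.charge[r]]


VICTIM_PATTERN = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed sample data for row 1


def simulate(activations_per_interval, refresh_interval=32, intervals=4):
    """Write VICTIM_PATTERN to row 1, then run `intervals` refresh periods.

    In each period time advances `refresh_interval` ticks and row 0 (the
    neighbor) is activated `activations_per_interval` times before the
    controller refreshes. Returns the bits row 1 reads at the end.
    """
    dram = DramArray(rows=3, cols=8)
    dram.write(1, VICTIM_PATTERN)
    for _ in range(intervals):
        for _ in range(refresh_interval):
            dram.tick()
        for _ in range(activations_per_interval):
            dram.activate(0)
        dram.refresh()
    return dram.read(1)


if __name__ == "__main__":
    print("idle:               ", simulate(0))
    print("light neighbor use: ", simulate(10))
    print("hammered:           ", simulate(20))
    print("hammered, 2x refresh:", simulate(20, refresh_interval=16))
```

With these constructed numbers an idle row, or one whose neighbor is touched only occasionally, always reads back correctly because the refresh arrives while the weakened 1s are still above the threshold. Hammering the neighbor twenty times per interval drags the 1s below the threshold before the refresh fires, and the refresh then rewrites them as 0s, so the corruption persists. Halving the refresh interval restores the pattern, which is why shortening the DRAM refresh period is a common hardware-level mitigation for this class of disturbance.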
Earlier this year Google security researchers proved it was possible to exploit this corruption to gain access to all of a computer's physical memory—reading, and maybe rewriting, important system files at will. That's scary, but also incredibly cool. It's like breaking into an apartment by repeatedly slamming a neighbor's door until the vibrations force open the door you were after.
However, Google's exploit relied on code that had to run locally, so up until now a computer would have to have been compromised already for a row hammer exploit to work. Rowhammer.js changes all of that. Now the entire exploit, from finding the right bit locations, to hammering them repeatedly, to corrupting their neighbors, can be done within a web browser, using the scripting language that 89.9% of websites use.
Most malware and exploits take advantage of a lack of foresight. Programmers can be especially bad at thinking long-term, and hackers are pretty good at throwing types of data at software that it wasn't expecting, causing all kinds of trouble. But Rowhammer.js is different. It takes advantage of something we all want: speed. DRAM is packed so densely because we want faster chips, faster processors, faster computers. That density is a feature, not a bug. It means the electrical charge between capacitors needs to be managed very carefully if we don't want bits of data being corrupted by other bits nearby.
This hack is such a perfect blend of intricate math, computer architecture knowledge, and sheer computing power that it's probably infeasible for anyone but a nation state actor. Knowing exactly which rows and columns of bits correspond to which locations in memory, and then causing them to flip their charge, takes a level of precision that makes it off limits for most cyber criminals. Ironically, the hack is too good. You're safe from an almost unstoppable attack because it's too difficult for most people to pull off.
As an academic exercise Rowhammer.js is really instructive, and should inform the way we construct memory chips in the future. If it ever becomes feasible in the wild though, it'll be terrifying. Beautiful, but terrifying.