SMASH Attack Exploits Rowhammer Bug
Researchers from the Vrije University in Amsterdam and ETH Zurich have shared their findings of a new Rowhammer exploit. They have called it ‘SMASH’ (Synchronized MAny-Sided Hammering) attack that bypasses existing mitigations for Rowhammer. Thus, this technique can aggressively target the modern DDR4 systems as well
SMASH exploits high-level knowledge of cache replacement policies to generate optimal access patterns for eviction-based many-sided Rowhammer. To lift the requirement for large physically-contiguous memory regions, SMASH decomposes n-sided Rowhammer into multiple double-sided pairs, which we can identify using slice coloring. Finally, to bypass the in-DRAM TRR mitigations, SMASH carefully schedules cache hits and misses to successfully trigger synchronized many-sided Rowhammer bit flips.
In a real-world scenario, executing the SMASH attack only requires a target user to visit a malicious website (set up by the attacker) or visit a site with a malicious ad. It can then let the adversary takeover a user’s browser. In their study, the researchers could easily SMASH Firefox browser within 15 minutes.
The following video demonstrates the attack. Whereas, the researchers have shared the code on GitHub.
Alongside presenting the details of the attack, the researchers have also shared some mitigations. In short, they recommend disabling THP, which SMASH necessarily requires to build self-evicting patterns. Also, the researchers’ exploit heavily relied on browser pointers to break ASLR. Thus, protecting the integrity of pointers can also help in preventing these SMASH attacks.
The researchers have shared the details of the SMASH attack in a white paper scheduled for presentation at the USENIX Security ’21.