SMASH: the new variant of the Rowhammer attack that puts millions of users at risk

A group of cybersecurity researchers has published work describing SMASH, a new variant of the Rowhammer attack that triggers bit flips from JavaScript on the latest DDR4 RAM modules, despite the mitigations manufacturers have been shipping for about 5 years.

According to the report, despite the Target Row Refresh (TRR) protection built into DRAM, some of the latest DDR4 modules remain exposed to bit flips induced by Rowhammer.

The new attack variant exploits detailed knowledge of CPU cache replacement policies to generate optimal access patterns for eviction-based, many-sided Rowhammer. To bypass TRR mitigations, SMASH carefully schedules cache hits and misses so that the many-sided Rowhammer bit flips are still triggered.

Recall that the term Rowhammer refers to a class of exploits that abuse a peculiarity of the hardware design of DDR memory. RAM modules store data in memory cells laid out on the silicon chip as an array of rows and columns.

Because capacitors naturally leak charge, memory cells lose their state over time, so each cell must be periodically read and rewritten (refreshed) to restore the capacitor's charge to its original level. At the same time, the increasing density of DRAM chips raises the rate of electromagnetic interaction between neighbouring cells, and with it the chance that stored data is corrupted.

A few years ago a group of researchers discovered that repeatedly accessing a row of memory at high speed induces electrical disturbance that can flip bits stored in nearby rows. Since then multiple variants of this attack have appeared, and manufacturers have responded with increasingly sophisticated prevention mechanisms.
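To make the TRR gap described above concrete, here is an added toy model (not code from the researchers or the page): a refresh-window simulation in which TRR can only track a limited number of aggressor rows. It shows that a two-slot tracker stops a classic double-sided pattern but leaves untracked aggressors unrefreshed when more rows are hammered than it can follow, while a per-row tracker catches both. All thresholds, window sizes and the "first rows seen" tracker policy are constructed assumptions, not real DDR4 parameters.

```python
# Added toy model, not the researchers' code; all parameters are constructed, not DDR4 values.
from collections import Counter

WINDOW = 200_000        # activations an attacker fits into one refresh window (assumed)
FLIP_THRESHOLD = 8_000  # neighbour activations a victim row tolerates before a bit flips (assumed)
TRR_THRESHOLD = 1_500   # activations of a tracked row before TRR refreshes its neighbours (assumed)

def neighbours(row):
    """Physically adjacent rows disturbed when `row` is activated."""
    return (row - 1, row + 1)

def hammer(pattern, trr_slots):
    """Activate the rows in `pattern` round-robin for one refresh window.

    TRR keeps a counter for at most `trr_slots` rows (the first ones it sees, a
    simplifying assumption). When a tracked row exceeds TRR_THRESHOLD its neighbours
    are refreshed, clearing their disturbance; untracked rows never trigger that.
    Returns the sorted victim rows whose disturbance reached FLIP_THRESHOLD.
    """
    tracked, disturbance, flipped, activations = {}, Counter(), set(), 0
    while activations < WINDOW:
        for row in pattern:
            activations += 1
            for victim in neighbours(row):
                disturbance[victim] += 1
                if disturbance[victim] >= FLIP_THRESHOLD:
                    flipped.add(victim)  # simulated bit flip
            if row in tracked or len(tracked) < trr_slots:
                tracked[row] = tracked.get(row, 0) + 1
                if tracked[row] >= TRR_THRESHOLD:  # target row refresh
                    for victim in neighbours(row):
                        disturbance[victim] = 0
                    tracked[row] = 0
    return sorted(flipped)

DOUBLE_SIDED = [9, 11]              # two aggressors around victim row 10
MANY_SIDED = list(range(1, 20, 2))  # ten aggressors with victims 2, 4, ..., 18 between them

def demo():
    """A two-slot TRR against both patterns, and a per-row tracker for comparison."""
    return {
        "double_sided_2_slots": hammer(DOUBLE_SIDED, trr_slots=2),
        "many_sided_2_slots": hammer(MANY_SIDED, trr_slots=2),
        "many_sided_full_tracking": hammer(MANY_SIDED, trr_slots=len(MANY_SIDED)),
    }

if __name__ == "__main__":
    for name, flips in demo().items():
        print(f"{name}: flipped victim rows {flips}")
```

The lesson for defenders is that a sampling tracker with fixed capacity has a blind spot proportional to how many rows it cannot follow; the full-tracking run shows the same pattern producing no flips once every aggressor is counted.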

While TRRespass demonstrated a TRR bypass from native code, no method existed to trigger such bit flips from JavaScript inside a browser. This is where SMASH comes in: it gives threat actors an arbitrary read/write primitive in the browser. “Specifically, the chain of exploits starts when the target user arrives at a malicious or compromised website, taking advantage of Rowhammer bit changes that are triggered from the JavaScript sandbox to control the compromised browser,” the experts point out.

The researchers released a video demonstrating the attack and announced that their full paper will be published shortly. To learn more about information security risks, malware variants, vulnerabilities and information technologies, visit the International Institute of Cyber Security (IICS) websites.