Rowhammer.js: Root privileges for web apps?

A tale of fault attacks on DRAM and attacks on CPU caches

"Insanity: doing the same thing over and over again and expecting different results."
Albert Einstein - Who did not live long enough to see Rowhammer

Recent studies have found that repeated accesses to DRAM rows can cause random bit flips, resulting in the so-called Rowhammer vulnerability. We present Rowhammer.js, the first remote software-induced hardware-fault attack, mounted from JavaScript. We also extend our presentation with an overview of cache side-channel attacks, which use the same technique to evict data from the cache.

Last year, studies demonstrated Rowhammer, a fault attack that can cause random bit flips by repeatedly accessing DRAM rows. This vulnerability has already been exploited to gain root privileges and to evade a sandbox, showing the severity of faulting single bits for security. However, these exploits are written in native code and use special instructions that flush data from the cache.

In this talk we present Rowhammer.js [1], a JavaScript-based implementation of the Rowhammer attack. After presenting the native attack, we outline the challenges we faced in triggering the vulnerability from JavaScript, without any special instruction. Beyond DRAM, this attack also requires a very fine understanding of CPU cache internals, which are largely undocumented. We detail our findings on these undocumented parts and the different steps that led to the attack from JavaScript. We also give an outlook on possible exploits, including gaining root privileges from JavaScript and performing fault attacks on cryptography.

In the last part, we extend our presentation with an overview of cache attacks, bridging the gap between hardware-fault attacks and side channels. In side-channel attacks, the attacker does not rely on a direct software compromise, but rather on passive observation of hardware characteristics while a victim process runs. In common with Rowhammer.js, these attacks use techniques to evict data from the last-level cache.

[1] Daniel Gruss, Clémentine Maurice, Stefan Mangard. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript.

Speakers: Clémentine Maurice, Daniel Gruss
Hall 1, 6:15 p.m.