A new attack dubbed “GLitch” combines two techniques, a side-channel attack and a rowhammer attack, to compromise a web browser through WebGL.
The attack can be carried out on platforms where the CPU and GPU share the same memory (e.g., smartphones).
The two attack techniques are described in a security advisory published by CERT, a division of the Software Engineering Institute (SEI) at Carnegie Mellon University, as quoted below.
The side-channel attack: “The precise timing capabilities provided by WebGL can allow an attacker to determine the difference between cached DRAM accesses and uncached DRAM accesses. This can allow an attacker to determine contiguous areas of physical DRAM memory. Knowledge of contiguous memory regions are used in a number of microarchitectural attacks, such as rowhammer.
can compromise platform vulnerabilities.”
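The advisory's side-channel point is that a high-resolution timer lets an observer tell a cache hit from a DRAM access. The example below is added here and is not from the CERT advisory or the GLitch paper; it models, with constructed latencies rather than measurements, why the standard browser mitigation of coarsening timer resolution defeats such a distinguisher. The 80 ns and 300 ns latencies, the 1237 ns start spacing and the 100 µs granularity are all assumptions chosen for illustration.

```javascript
// Added illustration (not code from the CERT advisory or the GLitch paper):
// models why clamping a timer's resolution collapses a cached-vs-uncached
// memory access distinguisher. All latencies are constructed, not measured.

const CACHED_NS = 80;     // assumed latency of a cache hit (constructed value)
const UNCACHED_NS = 300;  // assumed latency of a real DRAM access (constructed value)

// Round a raw timestamp (in ns) down to a multiple of `granularityNs`,
// the way a browser that clamps its timer resolution would report it.
function quantize(ns, granularityNs) {
  return Math.floor(ns / granularityNs) * granularityNs;
}

// Elapsed time an observer sees for one access when reading a timer of the
// given granularity immediately before and after it. `startNs` is the absolute
// time at which the access begins.
function observedElapsed(startNs, latencyNs, granularityNs) {
  return quantize(startNs + latencyNs, granularityNs) - quantize(startNs, granularityNs);
}

// Naive classifier: anything measured below the midpoint counts as cached.
function classify(elapsedNs) {
  return elapsedNs < (CACHED_NS + UNCACHED_NS) / 2 ? "cached" : "uncached";
}

// Run `n` cached and `n` uncached accesses at deterministic, spread-out start
// times and return the fraction the classifier labels correctly.
// With a 1 ns timer the distinguisher is perfect; with a 100 µs timer nearly
// every access measures as 0 ns and the result is close to a coin flip.
function distinguisherAccuracy(granularityNs, n = 1000) {
  let correct = 0;
  for (let i = 0; i < n; i++) {
    const start = i * 1237; // constructed start offsets (ns), not aligned to the granularity
    if (classify(observedElapsed(start, CACHED_NS, granularityNs)) === "cached") correct++;
    if (classify(observedElapsed(start, UNCACHED_NS, granularityNs)) === "uncached") correct++;
  }
  return correct / (2 * n);
}

console.log("fine timer (1 ns):      accuracy", distinguisherAccuracy(1));
console.log("coarse timer (100 µs):  accuracy", distinguisherAccuracy(100000));
```

Quantization alone is not a complete defence: repeated measurements can be averaged to recover sub-granularity differences, which is why browsers pair coarsened timers with added jitter and with restrictions on the precise timing features (such as WebGL timer queries) that the advisory refers to. The model above shows only the first-order effect.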
The rowhammer attack: “The rowhammer attack targets the design of DRAM memory. On a system where the DRAM is insufficiently refreshed, targeted operations on a row of DRAM memory may be able to influence the memory values on neighboring rows. Protections against the rowhammer attack include the use of ECC DRAM, as well as increased refresh rates. The LPDDR4 mobile memory standard also has optional hardware support for target row refresh, which can mitigate the rowhammer attack.”
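The advisory lists ECC DRAM as one protection against rowhammer. The following is an added example, not code from the advisory or the GLitch paper, showing why ECC is a partial protection: a single-error-correcting, double-error-detecting (SECDED) code corrects one induced bit flip in a word and only detects two. Real ECC memory protects 64-bit words with 8 check bits; the toy code here protects one byte with a Hamming(12,8) code plus an overall parity bit, and the data byte and flipped positions are constructed for illustration.

```javascript
// Added illustration (not from the CERT advisory): a toy SECDED code over one
// byte, to show what ECC does and does not do against induced bit flips.
// Bit index 0 is the overall parity bit; indices 1..12 form a Hamming(12,8)
// code word with parity bits at the power-of-two positions.

const DATA_POS = [3, 5, 6, 7, 9, 10, 11, 12]; // data bit positions (1-indexed)
const PARITY_POS = [1, 2, 4, 8];              // Hamming parity bit positions

// Encode one byte into a 13-element bit array.
function encode(byte) {
  const bits = new Array(13).fill(0);
  DATA_POS.forEach((p, i) => { bits[p] = (byte >> i) & 1; });
  // Each parity bit covers every position whose index has that bit set,
  // so that the XOR of the indices of all set bits is zero.
  for (const p of PARITY_POS) {
    let x = 0;
    for (let k = 1; k <= 12; k++) if (k & p) x ^= bits[k];
    bits[p] = x;
  }
  bits[0] = bits.slice(1).reduce((a, b) => a ^ b, 0); // overall parity
  return bits;
}

// Return a copy of `bits` with the given positions flipped (models rowhammer
// disturbing cells in a stored word; positions are constructed inputs).
function flipBits(bits, positions) {
  const out = bits.slice();
  for (const p of positions) out[p] ^= 1;
  return out;
}

// Decode a received word. Returns the recovered byte and a status of
// "clean", "corrected" (one flip fixed) or "uncorrectable" (two flips seen).
function decode(received) {
  const bits = received.slice();
  let syndrome = 0;
  for (let k = 1; k <= 12; k++) if (bits[k]) syndrome ^= k;
  const overallOk = bits.reduce((a, b) => a ^ b, 0) === 0;
  let status;
  if (syndrome === 0 && overallOk) {
    status = "clean";
  } else if (syndrome !== 0 && !overallOk) {
    bits[syndrome] ^= 1;        // single error: syndrome names the flipped position
    status = "corrected";
  } else if (syndrome === 0 && !overallOk) {
    bits[0] ^= 1;               // the overall parity bit itself was flipped
    status = "corrected";
  } else {
    status = "uncorrectable";   // syndrome set but parity consistent: two flips
  }
  let byte = 0;
  DATA_POS.forEach((p, i) => { byte |= bits[p] << i; });
  return { byte, status };
}

const word = encode(0xa5);                       // constructed sample byte
console.log(decode(word));                       // { byte: 165, status: 'clean' }
console.log(decode(flipBits(word, [5])));        // one flip: corrected
console.log(decode(flipBits(word, [5, 6])));     // two flips: uncorrectable
```

The practical consequence for defenders is that an ECC machine-check or corrected-error counter climbing on a host is itself a signal worth alerting on, since it indicates the flips ECC is absorbing; a word that takes two flips is detected but not repaired, and three flips can defeat detection entirely.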
An attacker can leverage both attacks in combination to bypass the Firefox sandbox on the Android platform. However, the researchers noted that the GLitch attack was only successfully demonstrated on the Nexus 5 phone, which was released in 2013 and has since been patched.
Some other Android devices were tested, but no vulnerabilities were found. No non-Android devices were tested or found vulnerable.