JavaScript-Based DRAM Attack Allows Covert Data Theft

Anders Fogh and Michael Schwarz at Black Hat Europe

LONDON – BLACK HAT EUROPE – A new dynamic random-access memory (DRAM) attack method disclosed by researchers on Friday allows malicious actors to steal sensitive data from a virtual machine over a covert channel, using JavaScript.

Anders Fogh, principal malware analyst at G DATA Advanced Analytics, and Michael Schwarz, a Ph.D. student at the Graz University of Technology in Austria, detailed the security implications of current DRAM design and demonstrated some practical cross-CPU attacks. The first part of this research was presented in August at the 25th USENIX Security Symposium.

At the 2016 Black Hat Europe conference, Fogh and Schwarz showed how an attacker can steal small amounts of sensitive information, such as a password or a private key, from a virtual machine that has no network access, using JavaScript code running in the web browser on the host. They also demonstrated an improvement to the Rowhammer attack and showed that, contrary to what was previously thought, the method also works against DDR4.

Virtual addresses are what allow multiple processes to run securely on the same CPU. However, when “talking” to the DRAM, the CPU requires a physical address, so every virtual address has to be mapped to a physical one.

The mapping function used by the processor’s memory controller is undocumented, but Fogh and Schwarz’s team managed to reverse engineer it by measuring the time it takes for the CPU to read data from memory banks. A tool that can be used to reverse engineer undocumented DRAM addressing functions has been released by the researchers as open source.

Unlike cache attacks, which have been known for some time and for which experts have created efficient countermeasures, the DRAMA (DRAM addressing) attacks have the advantage of working across CPUs. There are, however, some similarities.

“We found that the buffers used in DRAM show a very similar behavior as CPU caches. We exploit the timing differences of the DRAM buffers to mount attacks. Using timing differences is already known from cache-based attacks,” researchers explained in their paper. “The big advantage of DRAM attacks is that they do not require any shared memory. Moreover, in most setups, the main memory is shared between CPUs as well, meaning we can mount these attacks even in a cross-CPU scenario.”

Fogh and Schwarz showed that, without running any binaries on the host system and without leveraging any software vulnerabilities, they can open a covert channel between the VM and the host. The sender, which runs inside the VM, and the receiver, which runs in the browser on the host, agree on a memory bank, which can be hardcoded. The receiver measures memory access times: a fast access is read as a “0” bit and a slow access as a “1” bit.

The researchers also showed how an attacker could steal keystrokes from the VM using this technique. In this scenario, the attacker needs to profile the system to identify the event they want to spy on. They can trick the victim into accessing a webpage containing the malicious JavaScript code or they can use malvertising attacks.

The experts said there is a chance that the memory used to exfiltrate data is also used by another application, which would corrupt the data, but the chances are fairly small and the attack they implemented includes error-detection code to catch such corruption. To make exfiltration even more efficient, data is transmitted in packets, each of which includes a sequence bit that specifies whether the packet is new or a retransmission.
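To make the framing concrete, here is an added simulation of the packet scheme described above; it is not the researchers' code. The access-time samples, the 300 ns threshold and the even-parity check are constructed assumptions standing in for real DRAM measurements and the undisclosed error-detection code.

```python
# Added simulation of the packet framing described in the article; it is not
# the researchers' code. Access-time samples are constructed, not measured.
THRESHOLD_NS = 300   # assumed cut-off: faster = row-buffer hit = "0", slower = "1"
PAYLOAD_BITS = 8

def samples_to_bits(samples):
    """A "0" is sent when the access is fast, a "1" when it is slow."""
    return [0 if t < THRESHOLD_NS else 1 for t in samples]

def byte_to_bits(value):
    return [(value >> (7 - k)) & 1 for k in range(PAYLOAD_BITS)]

def make_packet(seq, payload_bits):
    """Packet = sequence bit, payload, even-parity bit (assumed error-detection code)."""
    body = [seq] + payload_bits
    return body + [sum(body) % 2]

def parse_packets(bits):
    """Reassemble bytes: drop packets whose parity fails (another process
    touched the bank) and duplicates (a retransmission repeats the sequence
    bit of the packet it replaces)."""
    out, expected_seq, size = [], 0, PAYLOAD_BITS + 2
    for i in range(0, len(bits) - size + 1, size):
        pkt = bits[i:i + size]
        if sum(pkt) % 2:
            continue                      # corrupted in transit
        seq, payload = pkt[0], pkt[1:-1]
        if seq != expected_seq:
            continue                      # already received this packet
        out.append(int("".join(map(str, payload)), 2))
        expected_seq ^= 1
    return out

def bits_to_samples(bits, fast_ns=220, slow_ns=380):
    """Constructed receiver-side timings: slow access for 1, fast for 0."""
    return [slow_ns if b else fast_ns for b in bits]

def demo():
    """Send 'Hi'; the second packet is corrupted once, then retransmitted."""
    p0 = make_packet(0, byte_to_bits(0x48))
    p1 = make_packet(1, byte_to_bits(0x69))
    damaged = p1[:]
    damaged[3] ^= 1                       # one payload bit flipped
    stream = bits_to_samples(p0 + damaged + p1 + p1)   # last p1 is a spurious duplicate
    return parse_packets(samples_to_bits(stream))      # -> [72, 105]

if __name__ == "__main__":
    print(demo())
```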

In the JavaScript attack, the researchers obtained a transfer rate of 11 bits per second. However, the same attack implemented in native code would be much faster — with a piece of malware running in the protected domain (i.e. the VM) and a piece of malware running in the host, the transfer rate could reach roughly 600 Kbps and even more if the same CPU is used.

While the research has focused on Intel x86-64, the researchers pointed out that the underlying problem lies in the RAM itself, and they have confirmed that other architectures are affected, including the ARM processors used in smartphones.

Since these attacks are possible due to the way DRAM is designed and works, the researchers believe there are no easy mitigations. However, they noted that while the vulnerability is serious, it’s unlikely that we will see any attacks in the wild in the next few years. The goal of this research is to raise awareness and demonstrate that hardware needs to be secure as well — software is not the only problem.

*Updated to correct the transfer rate from 11 Kb/s to 11 b/s.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
