JavaScript-Based DRAM Attack Allows Covert Data Theft

Anders Fogh and Michael Schwarz at Black Hat Europe

LONDON – BLACK HAT EUROPE – A new dynamic random-access memory (DRAM) attack method disclosed by researchers on Friday can allow malicious actors to steal sensitive data from a virtual machine, through a covert channel, using JavaScript.

Anders Fogh, principal malware analyst at G DATA Advanced Analytics, and Michael Schwarz, a Ph.D. student at the Graz University of Technology in Austria, detailed the security implications of current DRAM design and demonstrated some practical cross-CPU attacks. The first part of this research was presented in August at the 25th USENIX Security Symposium.

At the 2016 Black Hat Europe conference, Fogh and Schwarz showed how an attacker can steal small amounts of sensitive information, such as a password or a private key, from a virtual machine that has no network access using JavaScript code running in the web browser on the host. They also demonstrated an improvement to the Rowhammer attack and showed that, unlike previously thought, the method also works against DDR4.

Using virtual addresses enables running multiple processes securely on the same CPU. However, when “talking” to the DRAM, the CPU requires a physical address, which is why virtual addresses need to be mapped to physical addresses.

The mapping function used by the processor’s memory controller is undocumented, but Fogh and Schwarz’s team managed to reverse engineer it by measuring the time it takes for the CPU to read data from memory banks. A tool that can be used to reverse engineer undocumented DRAM addressing functions has been released by the researchers as open source.

Unlike cache attacks, which have been known for some time and for which experts have created efficient countermeasures, the DRAMA (DRAM addressing) attacks have the advantage of working across CPUs. However, there are some similarities.

“We found that the buffers used in DRAM show a very similar behavior as CPU caches. We exploit the timing differences of the DRAM buffers to mount attacks. Using timing differences is already known from cache-based attacks,” researchers explained in their paper. “The big advantage of DRAM attacks is that they do not require any shared memory. Moreover, in most setups, the main memory is shared between CPUs as well, meaning we can mount these attacks even in a cross-CPU scenario.”

Fogh and Schwarz showed that without running any binaries on the host system and without leveraging any software vulnerabilities, they can open a covert channel between the VM and the host. The sender, which runs inside the VM, and the receiver running in the browser on the host agree on a memory bank, which can be hardcoded. Memory access times are measured and a “0” bit is transmitted if access is fast and a “1” bit is transmitted if the access is slow.


The researchers also showed how an attacker could steal keystrokes from the VM using this technique. In this scenario, the attacker needs to profile the system to identify the event they want to spy on. They can trick the victim into accessing a webpage containing the malicious JavaScript code or they can use malvertising attacks.

The experts said there is a chance that the memory used to exfiltrate data is used by another application, which would corrupt the data, but the chances are fairly small and the attack they implemented includes error detection code to prevent this. To make exfiltration even more efficient, the transmission of data is made using packets, which include a sequence bit that specifies if the packet is new or if it’s retransmitted.
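As an added illustration (not code from the researchers or from this article), the following Python simulation shows the packet layer of the covert channel as described above: the receiver's rule that a fast access is a "0" and a slow access is a "1", plus the sequence bit and an error-detection code that handle interference from another application using the same bank. The latency values, the jitter, the even-parity scheme and the acknowledgement loss are constructed assumptions; nothing here measures real DRAM.

```python
import random

FAST_NS, SLOW_NS = 200, 330  # constructed sample latencies for a row-buffer hit / conflict
THRESHOLD_NS = 265           # receiver rule from the talk: fast access -> 0, slow access -> 1
DATA_BITS = 8                # one payload byte per packet (assumption)

def encode_packet(byte, seq):
    """Frame one byte as 8 data bits, a sequence bit and an even-parity bit (error detection)."""
    data = [(byte >> i) & 1 for i in range(DATA_BITS - 1, -1, -1)]
    return data + [seq, (sum(data) + seq) % 2]

def as_timings(bits, rng):
    """Sender side, simulated: each bit becomes the access time the receiver would measure."""
    return [(SLOW_NS if b else FAST_NS) + rng.randint(-20, 20) for b in bits]

def decode_packet(samples):
    """Receiver side: threshold each timing into a bit, then verify parity. None if corrupted."""
    bits = [1 if t > THRESHOLD_NS else 0 for t in samples]
    data, seq, parity = bits[:DATA_BITS], bits[DATA_BITS], bits[DATA_BITS + 1]
    if (sum(data) + seq) % 2 != parity:
        return None
    return int("".join(map(str, data)), 2), seq

def transmit(message, seed=1, corrupt_rate=0.1, ack_loss=0.2):
    """Run the simulated channel end to end. Returns (bytes received, packets sent).

    Another process touching the bank is modelled by flipping one timing sample
    (caught by parity); a lost acknowledgement makes the sender retransmit, and
    the receiver uses the sequence bit to discard the duplicate.
    """
    rng = random.Random(seed)
    received, last_seq, seq, sent = [], None, 0, 0
    for byte in message:
        delivered = False
        while not delivered:
            samples = as_timings(encode_packet(byte, seq), rng)
            sent += 1
            if rng.random() < corrupt_rate:          # simulated interference on the bank
                i = rng.randrange(len(samples))
                samples[i] = FAST_NS if samples[i] > THRESHOLD_NS else SLOW_NS
            pkt = decode_packet(samples)
            if pkt is None:                          # parity failed: receiver discards packet
                continue
            byte_rx, seq_rx = pkt
            if seq_rx != last_seq:                   # new packet, not a retransmission
                received.append(byte_rx)
                last_seq = seq_rx
            delivered = rng.random() >= ack_loss     # lost ack -> sender resends same packet
        seq ^= 1
    return bytes(received), sent
```

At the article's 11 bits per second, each 10-bit packet costs roughly a second, which is why retransmissions matter even for a short secret.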

In the JavaScript attack, the researchers obtained a transfer rate of 11 bits per second. However, the same attack implemented in native code would be much faster — with a piece of malware running in the protected domain (i.e. the VM) and a piece of malware running in the host, the transfer rate could reach roughly 600 Kbps and even more if the same CPU is used.

While the research has focused on Intel x86-64, they pointed out that the underlying problem is in the RAM, and they have confirmed that other architectures are affected, including the ARM processors used in smartphones.

Since these attacks are possible due to the way DRAM is designed and works, the researchers believe there are no easy mitigations. However, they noted that while the vulnerability is serious, it’s unlikely that we will see any attacks in the wild in the next few years. The goal of this research is to raise awareness and demonstrate that hardware needs to be secure as well — software is not the only problem.

*Updated to correct the transfer rate from 11 Kb/s to 11 b/s.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
