Security Experts:

JavaScript-Based DRAM Attack Allows Covert Data Theft

Anders Fogh and Michael Schwarz at Black Hat Europe

LONDON - BLACK HAT EUROPE - A new dynamic random-access memory (DRAM) attack method disclosed by researchers on Friday can allow malicious actors to steal sensitive data from a virtual machine, through a covert channel, using JavaScript.

Anders Fogh, principal malware analyst at G DATA Advanced Analytics, and Michael Schwarz, a Ph.D. student at the Graz University of Technology in Austria, detailed the security implications of current DRAM design and demonstrated some practical cross-CPU attacks. The first part of this research was presented in August at the 25th USENIX Security Symposium.

At the 2016 Black Hat Europe conference, Fogh and Schwarz showed how an attacker can steal small amounts of sensitive information, such as a password or a private key, from a virtual machine that has no network access using JavaScript code running in the web browser on the host. They also demonstrated an improvement to the Rowhammer attack and showed that, unlike previously thought, the method also works against DDR4.

Using virtual addresses enables running multiple processes securely on the same CPU. However, when “talking” to the DRAM, the CPU requires a physical address, which is why virtual addresses need to be mapped to physical addresses.

The mapping function used by the processor’s memory controller is undocumented, but Fogh and Schwarz’s team managed to reverse engineer it by measuring the time it takes for the CPU to read data from memory banks. A tool that can be used to reverse engineer undocumented DRAM addressing functions has been released by the researchers as open source.

Unlike cache attacks, which have been known for some time and for which experts created efficient countermeasures, the DRAMA (DRAM addressing) attacks have the advantage of working across the CPU. However, there are some similarities.

“We found that the buffers used in DRAM show a very similar behavior as CPU caches. We exploit the timing differences of the DRAM buffers to mount attacks. Using timing differences is already known from cache-based attacks,” researchers explained in their paper. “The big advantage of DRAM attacks is that they do not require any shared memory. Moreover, in most setups, the main memory is shared between CPUs as well, meaning we can mount these attacks even in a cross-CPU scenario.”

Fogh and Schwarz showed that without running any binaries on the host system and without leveraging any software vulnerabilities, they can open a covert channel between the VM and the host. The sender, which runs inside the VM, and the receiver running in the browser on the host agree on a memory bank, which can be hardcoded. Memory access times are measured and a “0” bit is transmitted if access is fast and a “1” bit is transmitted if the access is slow.

The researchers also showed how an attacker could steal keystrokes from the VM using this technique. In this scenario, the attacker needs to profile the system to identify the event they want to spy on. They can trick the victim into accessing a webpage containing the malicious JavaScript code or they can use malvertising attacks.

The experts said there is a chance that the memory used to exfiltrate data is used by another application, which would corrupt the data, but the chances are fairly small and the attack they implemented includes error detection code to prevent this. To make exfiltration even more efficient, the transmission of data is made using packets, which include a sequence bit that specifies if the packet is new or if it’s retransmitted.

In the JavaScript attack, the researchers obtained a transfer rate of 11 bits per second. However, the same attack implemented in native code would be much faster — with a piece of malware running in the protected domain (i.e. the VM) and a piece of malware running in the host, the transfer rate could reach roughly 600 Kbps and even more if the same CPU is used.

While the research has focused on Intel x86-64, they pointed out that the underlying problem is in the RAM, and they have confirmed that other architectures are affected, including the ARM processors used in smartphones.

Since these attacks are possible due to the way DRAM is designed and works, the researchers believe there are no easy mitigations. However, they noted that while the vulnerability is serious, it’s unlikely that we will see any attacks in the wild in the next few years. The goal of this research is to raise awareness and demonstrate that hardware needs to be secure as well — software is not the only problem.

*Updated to correct the transfer rate from 11 Kb/s to 11 b/s.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.