Researcher Names: Finn de Ridder, Pietro Frigo, Emanuele Vannacci, Herbert Bos, Cristiano Giuffrida, Kaveh Razavi
Link: https://comsec.ethz.ch/wp-content/files/smash_sec21.pdf
Last year we saw that, despite the promise of a Rowhammer-free world from DDR4's Target Row Refresh mitigation, many-sided hammering patterns still flip bits on the DDR4 memory deployed everywhere. The catch is that the required trickery is extremely hard to pull off from JavaScript: many addresses must be accessed in specific DRAM row formations, very quickly, while bypassing the CPU cache at the same time, with no cache-flush instruction and no physical addresses available. Using a clever selection of addresses whose accesses evict each other from the cache, SMASH hammers DRAM and bypasses the CPU cache simultaneously. Furthermore, by synchronizing with the DRAM REFRESH commands, detected by timing all the way from JavaScript, SMASH triggers bit flips much more effectively than before.
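To make the two ingredients concrete, here is an added toy model in JavaScript; it is not code from the SMASH paper or its authors. It models a W-way LRU cache and a DRAM row as plain numbers, then shows (a) why a naive set of aggressor addresses stops reaching DRAM after the first round while a same-cache-set selection with more aggressors than ways keeps missing on every access, and (b) how periodic REFRESH stalls show up as latency spikes from which the refresh interval can be recovered. The cache geometry (128 sets, 8 ways, 64-byte lines), the 8 KiB row size, the 7800 ns refresh interval and every latency value are assumptions or constructed data; real caches add physical indexing and slice hashing that this model ignores.

```javascript
// Added illustrative model, not from the SMASH paper. All constants are assumptions.
const LINE_BYTES = 64;   // cache line size (assumed)
const ROW_BYTES = 8192;  // DRAM row size (assumed)

// Minimal W-way set-associative LRU cache. Set index = line number mod sets.
class LruCache {
  constructor(sets, ways) {
    this.sets = sets;
    this.ways = ways;
    this.lines = Array.from({ length: sets }, () => []); // per-set tags, LRU first
    this.hits = 0;
    this.misses = 0;
  }
  setIndex(addr) { return Math.floor(addr / LINE_BYTES) % this.sets; }
  // Returns true on a hit; a miss counts as one access that actually reaches DRAM.
  access(addr) {
    const tag = Math.floor(addr / LINE_BYTES);
    const set = this.lines[this.setIndex(addr)];
    const pos = set.indexOf(tag);
    if (pos >= 0) { set.splice(pos, 1); set.push(tag); this.hits++; return true; }
    this.misses++;
    if (set.length >= this.ways) set.shift(); // evict least recently used
    set.push(tag);
    return false;
  }
}

// Naive choice: one address per aggressor row at an arbitrary offset (modelling
// addresses picked only for their DRAM row). They land in different cache sets,
// so after the first round every access is a cache hit and DRAM is never touched.
function naivePattern(rows) {
  return rows.map((r, i) => r * ROW_BYTES + ((i * 7) % 128) * LINE_BYTES);
}

// SMASH-style choice: one address per aggressor row, offset inside the row so that
// all addresses map to the same cache set. With more aggressors than ways, cycling
// through them evicts another aggressor on each access: self-evicting, no clflush.
function selfEvictingPattern(rows, cache, targetSet) {
  return rows.map(r => {
    const base = r * ROW_BYTES;
    const shift = (targetSet - cache.setIndex(base) + cache.sets) % cache.sets;
    return base + shift * LINE_BYTES; // stays inside the row when sets <= ROW_BYTES/LINE_BYTES
  });
}

// Hammer loop: cycle through the pattern `rounds` times and count DRAM accesses.
function hammer(cache, addrs, rounds) {
  for (let i = 0; i < rounds; i++) for (const a of addrs) cache.access(a);
  return { hits: cache.hits, dramAccesses: cache.misses };
}

// Refresh synchronization: REFRESH stalls memory accesses, so a timed access loop
// shows periodic latency spikes. Take the first sample of each spike cluster and
// return the median gap between clusters as the estimated refresh interval (ns).
function estimateRefreshInterval(samples) { // samples: [{ t, latency }] in ns
  const sorted = samples.map(s => s.latency).sort((a, b) => a - b);
  const threshold = 2 * sorted[Math.floor(sorted.length / 2)]; // 2x median latency
  const starts = [];
  let inSpike = false;
  for (const s of samples) {
    const spike = s.latency > threshold;
    if (spike && !inSpike) starts.push(s.t);
    inSpike = spike;
  }
  const gaps = starts.slice(1).map((t, i) => t - starts[i]).sort((a, b) => a - b);
  return gaps.length ? gaps[Math.floor(gaps.length / 2)] : null;
}

// Constructed trace: one access every 100 ns, 80 ns normally, 350 ns while a
// refresh (every 7800 ns, lasting 350 ns) is in progress. Not measured data.
function syntheticTrace() {
  const samples = [];
  for (let t = 0; t < 100000; t += 100) {
    samples.push({ t, latency: (t % 7800) < 350 ? 350 : 80 });
  }
  return samples;
}

const AGGRESSOR_ROWS = Array.from({ length: 12 }, (_, i) => 1000 + 2 * i); // 12 rows, constructed

function demo() {
  const naive = hammer(new LruCache(128, 8), naivePattern(AGGRESSOR_ROWS), 1000);
  const cache = new LruCache(128, 8);
  const smash = hammer(cache, selfEvictingPattern(AGGRESSOR_ROWS, cache, 37), 1000);
  return { naive, smash, refreshNs: estimateRefreshInterval(syntheticTrace()) };
}

console.log(demo());
```

In the model, the naive pattern reaches DRAM only 12 times in 1000 rounds, the self-evicting pattern 12000 times, and the refresh interval estimate comes out at the constructed 7800 ns. The real attack must additionally learn which virtual addresses share a DRAM bank and a cache set without physical addresses, which is the part of the paper this sketch leaves out.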
So here we are, seven years after Rowhammer was first publicly documented (Kim et al., 2014), and it is still possible to pwn your browser with it. Though, for those who like to see the glass half-full, it is a bit more difficult than it used to be. Maybe a Pwnie will give the final push to make the industry get its act together a bit faster with DDR5/6 🙂