Closed lcanali closed 2 years ago
Rowhammer attacks have been around for a while; it is an unfortunate flaw in hardware design that Google/Mozilla have made software mitigation attempts to limit the "ease" at which these attacks could be successfully carried out. Much like Meltdown/Spectre, Rowhammer is, at its core, a hardware exploit. Thus to answer your question, yes this type of attack is possible in any browser or application running JavaScript (or any malicious code.)
I'm not very familiar with the codebase of Firefox Focus, so I couldn't tell you exactly the extent to which it could be vulnerable. I believe that Firefox Focus is far less prone to an attack like this because it natively blocks many known advertisements and trackers. If somebody wrote working JS exploit code for this hardware vulnerability, it would be spread through advertisements (as most malicious JS exploits are.) Focus blocks most of these by default, in addition to having the ability for a user to disable JavaScript altogether (this would nullify any such exploit attempt, but also break many websites.)
To my knowledge, no fully functional Rowhammer exploit code has been publicly released... thus the chances of running into this in the wild are very slim IMO. Rowhammer is a very real and a very dangerous exploitation of DRAM memory access which uses a brute-force-like exploit to flip binary memory bits in a contiguous section of memory with the intended result to change memory into exploitation code, that the system then runs unknowingly. This can result in full root-level access given very expertly constructed exploitation code. This is not script kiddie stuff (yet) as unless someone releases working exploit code, I would think this exploit would be limited to academic researchers or government-backed hacking groups with political espionage goals. IMO it's nothing for an average user to worry directly about, but the best (really the only) defense to this is the prevention of malicious JS code loading from sketchy sources. Ad blockers (like those native to Firefox Focus) are IMO the best implementation of this defense other than disabling JavaScript altogether.
@Sdaswani to roll this into a sec bug for the security team to investigate
"Focus uses the platform-provided WebView (for now); so I guess the real question here is whether those precision timers are disabled in WebView as well. This might really be a question for the Google folks who maintain WebView (or it might be discoverable via some web-searching). But it seems likely that Google would've applied the same mitigation in WebView that they applied to Chrome."
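A defender-side way to answer the question above (whether the embedding WebView has coarsened `performance.now()` the way the Chrome mitigation did) is to measure the timer's granularity from page script. The block below is an added example, not code from the thread or from the Focus project; it runs under Node for testing and the same functions can be pasted into a WebView console. The `thresholdMs` value of 0.1 ms is an assumption used to label the result, not a number taken from this thread.

```javascript
// Added example: estimate the granularity of performance.now() and label it.
// Uses the global performance object in a browser/WebView, or perf_hooks under Node.
const perf = globalThis.performance ?? require('perf_hooks').performance;

// Spin until the clock visibly ticks, record the tick size, repeat `transitions` times.
// Returns the smallest and median observed tick in milliseconds, or null if the
// clock never advanced within `maxSpins` busy-loop iterations (an extremely coarse clock).
function measureTimerResolution(transitions = 200, maxSpins = 1000000) {
  const deltas = [];
  let prev = perf.now();
  for (let i = 0; i < transitions; i++) {
    let t = prev;
    let spins = 0;
    while (t === prev && spins++ < maxSpins) t = perf.now();
    if (t === prev) break; // clock did not advance: stop sampling
    deltas.push(t - prev);
    prev = t;
  }
  if (deltas.length === 0) return null;
  deltas.sort((a, b) => a - b);
  return {
    minMs: deltas[0],                           // smallest tick seen
    medianMs: deltas[Math.floor(deltas.length / 2)], // robust against jitter
    samples: deltas.length,
  };
}

// Label a measured granularity. thresholdMs is an assumed cut-off: a clock that
// only advances in steps of thresholdMs or more is treated as deliberately coarsened.
function assessTimer(resolutionMs, thresholdMs = 0.1) {
  if (resolutionMs === null || !Number.isFinite(resolutionMs)) return 'unmeasurable';
  return resolutionMs >= thresholdMs ? 'coarsened' : 'high-resolution';
}

// Stand-alone usage: print what this runtime exposes.
const result = measureTimerResolution();
console.log(result, result ? assessTimer(result.medianMs) : assessTimer(null));
```

Run it inside the WebView (for example via remote debugging) and compare with the same script in the full browser: a reading in the tens of microseconds or below means the WebView has not applied the timer coarsening the comment above refers to, while a reading at or above the threshold suggests it has. Note that timer coarsening is only one of several Rowhammer/Spectre mitigations, so a coarsened clock is not on its own a guarantee of safety.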
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
https://www.zdnet.com/article/android-alert-this-new-type-of-rowhammer-gpu-attack-can-hijack-your-phone-remotely/
Is this an issue for Focus Android?
thanks