GLitch Chronicles: Turning WebGL Into A Hammer

This talk is the tall tale of a frustrated student who wanted to do something cool for his master's thesis.

The outcome of that thesis is a JavaScript exploit that takes advantage of the (now) well-known Rowhammer vulnerability to compromise an Android smartphone, without relying on any software bug, in less than two minutes. Not completely satisfied, we also wanted to give it a cool name: meet GLitch. GLitch is the first exploit of its kind for two main reasons: (i) it is the first JavaScript-based Rowhammer attack on the far more widespread ARM platforms (that is, your smartphone), and (ii) it is the first PoC of Rowhammer bit flips triggered from the GPU (and from a website).

Now you may be asking yourself: wtf?! How is this even possible? How can you trigger bit flips from the GPU? And how do you do it from JS? The answer is WebGL. The WebGL API gives developers access to GPU acceleration for bringing graphical content to the Web. It also happens to give us a way to trigger Rowhammer bit flips, providing a "fast" lane from JavaScript to DRAM.

Now don't get scared if you're not familiar with half of the terms in the previous paragraph! In this talk we start from the basics and build up to the more complex exploitation techniques.
We start by giving some context to this research (aka, the chronicles of GLitch). Then we continue with a "Rowhammer 101" class, followed by a deep hardware reverse engineering class explaining the GPU internals that allow us to perform such an attack.

And finally we introduce you to the real guest of this talk: GLitch. Here we describe how we can exploit the Firefox browser to gain control over an Android smartphone in under 2 minutes. In this part we cover advanced exploitation techniques that can be used to attack the Firefox browser. And, of course, we're going to give a demo.

Date: November 28, 2018
Time: 3:00 pm - 4:00 pm
Speaker: Pietro Frigo