CERT Coordination Center

Integrated GPUs may allow side-channel and rowhammer attacks using WebGL ("Glitch")

Vulnerability Note VU#283803

Original Release Date: 2018-05-03 | Last Revised: 2018-05-03

Overview

Some platforms with integrated GPUs, such as smartphones, may allow both side-channel and rowhammer attacks via WebGL, which may allow a remote attacker to compromise the browser on an affected platform. An attack technique that leverages these vulnerabilities is called "GLitch."

Description

An academic paper describes an attack called "GLitch," which leverages two different techniques to achieve a compromise of a web browser using WebGL. The attack is only feasible on platforms where the CPU and GPU share the same memory, such as a smartphone or similar device. The two components of the attack are:

    1. A side-channel attack to determine physical memory layout
    2. A rowhammer attack to flip the value of one or more bits in physical memory

    The side-channel attack

    The precise timing capabilities provided by WebGL can allow an attacker to determine the difference between cached DRAM accesses and uncached DRAM accesses. This can allow an attacker to determine contiguous areas of physical DRAM memory. Knowledge of contiguous memory regions is used in a number of microarchitectural attacks, such as rowhammer.

    The rowhammer attack

    The rowhammer attack targets the design of DRAM memory. On a system where the DRAM is insufficiently refreshed, targeted operations on a row of DRAM memory may be able to influence the memory values on neighboring rows. Protections against the rowhammer attack include the use of ECC DRAM, as well as increased refresh rates. The LPDDR4 mobile memory standard also has optional hardware support for target row refresh, which can mitigate the rowhammer attack.

    Combining the attacks with WebGL

    The GLitch attack leverages both a side-channel attack to determine contiguous memory, as well as rowhammer. With the knowledge of contiguous memory, an attacker may be able to determine relative physical addresses. This knowledge of relative physical addresses can let the attacker know what memory locations to target with the rowhammer attack. The use of WebGL with precise timers is important in the GLitch attack for these reasons:
      • Precise WebGL timers allow a side-channel to leak memory addresses.
      • GPU capabilities exposed via WebGL allow for fast double-sided DRAM access, enabling the rowhammer attack.
    The impact of combining both the side-channel attack and rowhammer attack has been demonstrated to bypass the Firefox sandbox on the Android platform.

    GLitch success rates in testing

    It is important to realize that the GLitch attack has only been successfully demonstrated on the Nexus 5 phone, which was released in 2013. The Nexus 5 phone received its last software security update in October, 2015, and is therefore an already unsafe device to use. Several other phones released in 2013 were tested, but the GLitch attack did not succeed against them. Success rates on phones newer than 2013 models were not provided. Non-Android devices were not tested either.

    Impact

    When a user visits a malicious or compromised website with a vulnerable device, an attacker may be able to bypass security features provided by the web browser.

    Solution

    Apply an update

    Google Chrome and Mozilla Firefox have released updates which disable high precision timers in the browser.
    Other browsers do not appear to be affected.
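
One way to verify that the timer mitigation is in effect on a managed browser, as an added example that is not part of the original advisory. It assumes the timer sources of interest are performance.now() and the WebGL timer-query extensions EXT_disjoint_timer_query and EXT_disjoint_timer_query_webgl2 (the advisory does not name specific APIs); the function names and the 0.1 ms threshold are illustrative.

```javascript
// Added example; function names and the 0.1 ms threshold are assumptions.
// WebGL extensions that expose GPU timer queries to page scripts.
const TIMER_EXTENSIONS = [
  "EXT_disjoint_timer_query",
  "EXT_disjoint_timer_query_webgl2",
];

// Smallest observed step of a millisecond clock, taken over `ticks` clock
// advances. Jittered clocks can show steps below their nominal granularity,
// so treat the result as an estimate, not an exact figure.
function estimateResolutionMs(nowFn, ticks = 20, maxReads = 5e6) {
  let smallest = Infinity, seen = 0, prev = nowFn();
  for (let i = 0; i < maxReads && seen < ticks; i++) {
    const t = nowFn();
    if (t > prev) {
      smallest = Math.min(smallest, t - prev);
      seen++;
      prev = t;
    }
  }
  return smallest; // Infinity: the clock never advanced within maxReads
}

// Turn the collected facts into findings a fleet check can report.
function auditTimers({ extensions, resolutionMs }, minResolutionMs = 0.1) {
  const exposed = TIMER_EXTENSIONS.filter((e) => extensions.includes(e));
  const findings = [];
  if (exposed.length) findings.push("GPU timer queries exposed: " + exposed.join(", "));
  if (resolutionMs < minResolutionMs)
    findings.push(`clock step ${resolutionMs} ms is finer than ${minResolutionMs} ms`);
  return { ok: findings.length === 0, exposed, findings };
}

// Browser-only collector (not run under Node): checks both context types.
function collectFromBrowser() {
  const extensions = [];
  for (const kind of ["webgl", "webgl2"]) {
    const gl = document.createElement("canvas").getContext(kind);
    if (gl) extensions.push(...(gl.getSupportedExtensions() || []));
  }
  return { extensions, resolutionMs: estimateResolutionMs(() => performance.now()) };
}

// Constructed clock for offline runs: advances by stepMs every readsPerStep reads.
function fakeClock(stepMs, readsPerStep) {
  let n = 0;
  return () => Math.floor(n++ / readsPerStep) * stepMs;
}
```

In a browser, `auditTimers(collectFromBrowser())` returns `ok: true` when neither timer-query extension is exposed and the clock step is at or above the threshold.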

    Vendor Information


    Google

    Notified:  March 16, 2018 Updated:  May 03, 2018

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Mozilla

    Notified:  March 16, 2018 Updated:  May 03, 2018

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Microsoft

    Notified:  March 16, 2018 Updated:  April 25, 2018

    Status

      Not Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    AMD

    Notified:  March 16, 2018 Updated:  March 16, 2018

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor References

      Apple

      Notified:  March 16, 2018 Updated:  March 16, 2018

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor References

        Arm

        Updated:  April 26, 2018

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        BlackBerry

        Notified:  March 16, 2018 Updated:  March 16, 2018

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor References

          Brave Software

          Notified:  March 16, 2018 Updated:  March 16, 2018

          Status

            Unknown

          Vendor Statement

          No statement is currently available from the vendor regarding this vulnerability.

          Vendor References

            Broadcom

            Notified:  March 16, 2018 Updated:  March 16, 2018

            Status

              Unknown

            Vendor Statement

            No statement is currently available from the vendor regarding this vulnerability.

            Vendor References

              IBM, INC.

              Notified:  April 26, 2018 Updated:  April 26, 2018

              Status

                Unknown

              Vendor Statement

              No statement is currently available from the vendor regarding this vulnerability.

              Vendor References

                Imagination Technologies

                Notified:  March 16, 2018 Updated:  March 16, 2018

                Status

                  Unknown

                Vendor Statement

                No statement is currently available from the vendor regarding this vulnerability.

                Vendor References

                  Intel

                  Notified:  March 16, 2018 Updated:  March 16, 2018

                  Status

                    Unknown

                  Vendor Statement

                  No statement is currently available from the vendor regarding this vulnerability.

                  Vendor References

                    NVIDIA

                    Notified:  March 16, 2018 Updated:  March 16, 2018

                    Status

                      Unknown

                    Vendor Statement

                    No statement is currently available from the vendor regarding this vulnerability.

                    Vendor References

                      Opera

                      Notified:  March 16, 2018 Updated:  March 16, 2018

                      Status

                        Unknown

                      Vendor Statement

                      No statement is currently available from the vendor regarding this vulnerability.

                      Vendor References

                        QUALCOMM Incorporated

                        Notified:  March 16, 2018 Updated:  March 16, 2018

                        Status

                          Unknown

                        Vendor Statement

                        No statement is currently available from the vendor regarding this vulnerability.

                        Vendor References

                          Sailfish OS

                          Notified:  March 16, 2018 Updated:  March 16, 2018

                          Status

                            Unknown

                          Vendor Statement

                          No statement is currently available from the vendor regarding this vulnerability.

                          Vendor References

                            Samsung Mobile

                            Notified:  March 16, 2018 Updated:  March 16, 2018

                            Status

                              Unknown

                            Vendor Statement

                            No statement is currently available from the vendor regarding this vulnerability.

                            Vendor References

                              Silicon Integrated Systems Corp.

                              Notified:  March 16, 2018 Updated:  March 16, 2018

                              Status

                                Unknown

                              Vendor Statement

                              No statement is currently available from the vendor regarding this vulnerability.

                              Vendor References

                                UC Browser for Android

                                Notified:  March 16, 2018 Updated:  March 16, 2018

                                Status

                                  Unknown

                                Vendor Statement

                                No statement is currently available from the vendor regarding this vulnerability.

                                Vendor References

                                  Vivaldi

                                  Notified:  March 16, 2018 Updated:  March 16, 2018

                                  Status

                                    Unknown

                                  Vendor Statement

                                  No statement is currently available from the vendor regarding this vulnerability.

                                  Vendor References


                                    CVSS Metrics

                                    Group          Score  Vector
                                    Base           4.0    AV:N/AC:H/Au:N/C:P/I:P/A:N
                                    Temporal       3.6    E:F/RL:W/RC:C
                                    Environmental  2.7    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

                                    Acknowledgements

                                    This issue was reported by Pietro Frigo, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi of the Vrije Universiteit Amsterdam.

                                    This document was written by Will Dormann and Trent Novelly.

                                    Other Information

                                    CVE IDs: CVE-2018-10229
                                    Date Public: 2018-05-03
                                    Date First Published: 2018-05-03
                                    Date Last Updated: 2018-05-03 19:45 UTC
                                    Document Revision: 45

                                    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.