Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv paper.

A fundamental assumption in software security is that a memory location can only be modified by processes that may write to this memory location. However, a recent study has shown that parasitic effects in DRAM can change the content of a memory cell without accessing it, but by accessing other memory locations in a high frequency. This so-called Rowhammer bug occurs in most of today’s memory modules and has fatal consequences for the security of all affected systems, e.g., privilege escalation attacks. All studies and attacks related to Rowhammer so far rely on the availability of a cache flush instruction in order to cause accesses to DRAM modules at a sufficiently high frequency. We overcome this limitation by defeating complex cache replacement policies. We show that caches can be forced into fast cache eviction to trigger the Rowhammer bug with only regular memory accesses. This makes it possible to trigger the Rowhammer bug in highly restricted and even scripting environments. We demonstrate a fully automated attack that requires nothing but a website with JavaScript to trigger faults on remote hardware. Thereby we can gain unrestricted access to systems of website visitors. We show that the attack works on off-the-shelf systems. Existing countermeasures fail to protect against this new Rowhammer attack.


💡 Research Summary

The paper “Rowhammer.js: A Remote Software‑Induced Fault Attack in JavaScript” demonstrates that the Rowhammer vulnerability—bit flips in DRAM caused by repeatedly activating neighboring rows—can be exploited without the privileged cache‑flush (clflush) instruction. The authors first analyze modern Intel CPUs, showing that the last‑level cache (LLC) uses a complex, undocumented slice‑mapping function and adaptive replacement policies (pseudo‑LRU, adaptive LRU) that differ across micro‑architectures (Sandy Bridge, Ivy Bridge, Haswell, Skylake). To replace clflush, they develop high‑performance cache‑eviction strategies that repeatedly access a set of congruent addresses (addresses that map to the same cache set and slice) in carefully chosen patterns.

In an offline phase they exhaustively explore the parameter space—eviction‑set size, access order, repetitions—to find patterns that achieve the highest eviction rate with minimal latency on a variety of CPUs. They distinguish four approaches (static/dynamic eviction set, static/dynamic access pattern) and settle on a dynamic‑eviction‑set plus dynamic‑access‑pattern method that requires virtually no prior knowledge of the target system.
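The two paragraphs above hinge on one point that is easy to state but worth seeing: whether a sequence of ordinary memory accesses to congruent addresses actually pushes a target line out of a cache set depends entirely on the replacement policy, which is why the authors had to search access patterns per micro-architecture rather than rely on a single "access n+1 lines" loop. The following simulation is an added example, not code from the paper or its authors, and models no real hardware: it simulates a single cache set under three textbook policies (true LRU, tree pseudo-LRU, and LIP, a thrash-protecting "insert at LRU position" policy that stands in for the adaptive policies the summary mentions; real Intel policies are undocumented and differ) and reports how many accesses a given pattern needs before the target line is evicted. Address labels such as "T" and "A1" and the 4-way set size are constructed values.

```python
"""Toy single-set cache simulator: does an access pattern evict a target line?

Added illustration for the Rowhammer.js summary. The policies are textbook
approximations, not the undocumented policies of any real CPU.
"""


class ListCache:
    """LRU-ordered set: index 0 is most recently used, the last entry is the victim."""

    insert_at_lru = False  # LIP variant overrides this

    def __init__(self, ways):
        self.ways = ways
        self.order = []

    def access(self, addr):
        """Return the evicted line on a miss that needed a victim, else None."""
        if addr in self.order:              # hit: promote to MRU
            self.order.remove(addr)
            self.order.insert(0, addr)
            return None
        evicted = None
        if len(self.order) == self.ways:    # set full: victim is the LRU line
            evicted = self.order.pop()
        if self.insert_at_lru:              # LIP: new lines start as the next victim
            self.order.append(addr)
        else:                               # LRU: new lines start as MRU
            self.order.insert(0, addr)
        return evicted


class LRU(ListCache):
    insert_at_lru = False


class LIP(ListCache):
    insert_at_lru = True


class TreePLRU:
    """Tree pseudo-LRU: one bit per internal node points toward the next victim."""

    def __init__(self, ways):
        assert ways & (ways - 1) == 0, "tree-PLRU needs a power-of-two way count"
        self.ways = ways
        self.lines = [None] * ways
        self.bits = [0] * (ways - 1)       # heap-indexed tree; 0 = left, 1 = right

    def _touch(self, way):
        # Walk leaf to root, making every ancestor point away from this way.
        node = way + self.ways - 1
        while node > 0:
            parent = (node - 1) // 2
            self.bits[parent] = 1 if node == 2 * parent + 1 else 0
            node = parent

    def _victim(self):
        node = 0
        while node < self.ways - 1:
            node = 2 * node + 1 + self.bits[node]
        return node - (self.ways - 1)

    def access(self, addr):
        if addr in self.lines:              # hit: update tree bits only
            self._touch(self.lines.index(addr))
            return None
        way = self.lines.index(None) if None in self.lines else self._victim()
        evicted = self.lines[way]
        self.lines[way] = addr
        self._touch(way)
        return evicted


def sequential(addrs):
    """Access each congruent address once, in order."""
    return list(addrs)


def repeated(addrs, k=2):
    """Access each congruent address k times before moving on."""
    return [a for a in addrs for _ in range(k)]


def accesses_to_evict(policy_cls, ways, pattern, target="T"):
    """Number of accesses in `pattern` until `target` leaves the set, or None."""
    cache = policy_cls(ways)
    cache.access(target)
    cache.access(target)                    # target is cached and recently used
    for i, addr in enumerate(pattern, 1):
        if cache.access(addr) == target:
            return i
    return None


ADDRS = [f"A{i}" for i in range(1, 9)]      # constructed: 8 addresses congruent with T


def compare(ways=4):
    """Eviction cost of each (policy, pattern) pair; None means the pattern never works."""
    results = {}
    for policy in (LRU, TreePLRU, LIP):
        results[(policy.__name__, "sequential")] = accesses_to_evict(policy, ways, sequential(ADDRS))
        results[(policy.__name__, "repeated")] = accesses_to_evict(policy, ways, repeated(ADDRS, 2))
    return results


if __name__ == "__main__":
    for (policy, pattern), cost in compare().items():
        print(f"{policy:9s} {pattern:10s} -> {cost}")
```

Under LRU and tree-PLRU the cheapest pattern (one access per congruent address) evicts the target as soon as the set fills, while under the LIP-style policy that same pattern never succeeds, because every newly inserted line becomes the next victim and the target is never reached; a pattern with repeated accesses still works on all three, at a higher access count. That trade-off between eviction rate and access cost across policies is the quantity the paper's offline search optimizes, and it is also why a mitigation that merely removes the cache-flush instruction leaves the underlying capability intact.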

Armed with these eviction strategies, they translate the attack into pure JavaScript. Although JavaScript runs in a sandbox and cannot reveal virtual or physical addresses, the authors exploit OS‑level large‑page allocations (2 MiB pages) to infer the high bits of physical addresses from large typed arrays. By locating two addresses that reside in different DRAM rows but share the same cache set, they repeatedly hammer them using the derived eviction loops, forcing the CPU to fetch the data from DRAM at a rate sufficient to cause charge leakage in adjacent rows.

When a bit flip occurs, they reuse existing Rowhammer exploitation techniques (e.g., corrupting page‑table entries for privilege escalation or hijacking indirect jumps) to gain arbitrary code execution on the victim machine. The full attack chain is delivered via a web page; no native code, plugins, or user interaction beyond loading the page is required.

The authors evaluate the attack on eight hardware configurations, covering laptops and desktops with DDR3‑1333, DDR3‑1600, DDR4‑2133, and DDR4‑3200 modules. All tested systems exhibit bit flips under normal refresh intervals (≤ 64 ms), confirming that both DDR3 and DDR4 are still vulnerable. They also demonstrate the attack in virtualized environments, showing that cross‑VM isolation does not prevent exploitation.

Existing software mitigations—removing clflush from browsers, randomizing memory allocation, hardening page tables—are ineffective because the attack does not rely on clflush and works purely with regular memory accesses. Hardware mitigations such as increasing the DRAM refresh rate or BIOS updates that tighten memory controller timing are the only viable defenses, but they are not universally deployed and may impact performance.

In summary, the paper provides a comprehensive methodology for automatically discovering cache‑eviction patterns for modern CPUs, implements a native‑code Rowhammer attack that uses only memory accesses, and extends this to a fully automated JavaScript implementation capable of remote, large‑scale exploitation. This work expands the threat model for Rowhammer from native, privileged code to any web‑accessible environment, urging the security community to reconsider both software and hardware defenses against DRAM‑based fault attacks.

