Recently I stumbled into an interesting paper. This paper introduces a bug / vulnerability called “Rowhammer.js”. In short: Rowhammer.js enables hardware-level memory corruption (bit flips) via web browser. Yes, it sounds insane, it is insane, and yet it seems to be a real thing. I believe this may become a major client-side web security issue.
Rowhammer and Rowhammer.js
Rowhammer itself is one awesome bug. The vulnerability is not in software, driver or firmware, but hardware (DRAM devices, to be more precise). It can be exploited by repeatedly accessing a certain memory row using certain CPU instructions, and eventually a bit on that row may be accidentally flipped (even though that specific bit it is never written or read). This sounds weird but rather harmless. However, it is not harmless. This practically could allow attacker to modify write-protected data and gain kernel privileges.
Example by Google’s Project Zero: http://googleprojectzero.blogspot.fi/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
More information about Rowhammer: rowhammer.com
Also, some sort of proof-of-concept code is available at Github