Video: Turn your Android smartphone into a bunker with 10 simple steps.
The attack lowers the bar to pulling off so-called rowhammer attacks that flip bits in physical memory to ram through in-built security protections.
The researchers note that most defenses against rowhammer attacks have focused on protecting CPU cores, and show that GPUs that are integrated with CPUs -- common on mobile system on chips -- are another attack avenue.
"We demonstrate the potential of such attacks by bypassing state-of-the-art browser defenses and presenting the first reliable GPU-based rowhammer attack that compromises a browser on a phone in under two minutes," the researchers from Vrije Universiteit in Amsterdam write in a new paper.
See: Special report: Cybersecurity in an IoT and mobile world (free PDF)
A year after rowhammer attacks were first reported in 2014, researchers at Google Project Zero drew attention to vulnerabilities affecting dozens of x86 laptops using bit flips in DRAM to escalate privileges.
The rowhammer problem is the result of shrinking DRAM cells, which has made it harder to isolate memory in one address from corrupting data stored in another.
The work demonstrated that repeated toggling of a DRAM row's wordline -- rowhammering -- "stresses inter-cell coupling effects that accelerate charge leakage from nearby rows", resulting in 'bit flips' where a cell's value changes from 1 to 0 or vice versa.
As noted by Carnegie Mellon University's CERT, the GLitch attack is comprised of two parts: a side-channel to determine the layout of physical memory address space; and a rowhammer attack that targets the design of DRAM memory.
The two attacks are then combined with the WebGL application programming interface (API), which is used for rendering web graphics in browsers. It also relies on browser support for precision WebGL timers, which allow the side-channel to leak memory addresses.
See: Cyberwar: A guide to the frightening future of online conflict
Meanwhile, the GPU allows for "fast double-sided DRAM access, enabling the rowhammer attack".
The researchers showed that it was possible to use the technique to bypass the Firefox sandbox on Android.
"The precise timing capabilities provided by WebGL can allow an attacker to determine the difference between cached DRAM accesses and uncached DRAM accesses," explained CERT researchers Will Dormann and Trent Novelly.
"This can allow an attacker to determine contiguous areas of physical DRAM memory. Knowledge of contiguous memory regions is used in a number of microarchitectural attacks, such as rowhammer."
Precision timers have been disabled in Chrome and Firefox on Android to mitigate the attacks.
Previous and related coverage
'Rowhammer' DRAM flaw could be widespread, says Google
Google's Project Zero team have found a serious DRAM bug that it's using to encourage computer vendors to cough up more information about hardware flaws.
Google's Project Zero exposes unpatched Windows 10 lockdown bypass
Google denies multiple requests by Microsoft for an extension to Project Zero's 90-day disclose-or-fix deadline.
Google Project Zero 'tpf0' exploit whets appetite for iOS 11 jailbreak
Google's Project Zero releases exploit that offers hope for an iOS 11 jailbreak.
Internet Explorer zero-day alert: Attackers hitting unpatched bug in Microsoft browser
Microsoft is being urged to rush out a patch for a bug in Internet Explorer that's being used in attacks.
Google's Project Zero fuzzed top browsers for bugs: Safari users won't like the results
Google's Project Zero releases the open-source tool it used to find new bugs in major browsers.