CVE-2015-3335, CVE-2015-3693
Mark Seaborn, Yoongu Kim, et. al.
The attacker wants to modify memory without permission.
The type of memory used in most computers is called DRAM. It works by storing a bit (a 1 or a 0) as a charge in what is called a capacitor (that behaves like a battery). These are connected to each other in rows and laid out like a grid. If the capacitor is charged, then it usually represents 1, and if it isn't then it is 0. One of the disadvantages of DRAM is that the capacitors lose their charge over time because they are connected to something that behaves like an on-off switch called a transistor that lets electricity go out even when it's off. To prevent this from being a problem, the computer "refreshes" the capacitor storing that bit by re-writing it's value, up to 16 times per second.
Unfortunately, if one row in memory is read extremely often (over 100,000 times in one second) then the rows directly next to it will lose charge faster because of poor electric isolation between the rows, and as a result, the value stored in the adjacent capacitors might lose enough charge so that they will return the wrong value the next time they are read. This means that if before, the capacitor had charge and represented 1, when read again it will appear discharged and represent 0. Abusing this, an attacker can repeatedly and precisely reserve and access memory so that if there are any memory errors and if any of the bits change then he can escalate privileges or evade security protections.
Mark Seaborn, Yoongu Kim, et. al.
The attacker wants to modify memory without permission.
The type of memory used in most computers is called DRAM. It works by storing a bit (a 1 or a 0) as a charge in what is called a capacitor (that behaves like a battery). These are connected to each other in rows and laid out like a grid. If the capacitor is charged, then it usually represents 1, and if it isn't then it is 0. One of the disadvantages of DRAM is that the capacitors lose their charge over time because they are connected to something that behaves like an on-off switch called a transistor that lets electricity go out even when it's off. To prevent this from being a problem, the computer "refreshes" the capacitor storing that bit by re-writing it's value, up to 16 times per second.
Unfortunately, if one row in memory is read extremely often (over 100,000 times in one second) then the rows directly next to it will lose charge faster because of poor electric isolation between the rows, and as a result, the value stored in the adjacent capacitors might lose enough charge so that they will return the wrong value the next time they are read. This means that if before, the capacitor had charge and represented 1, when read again it will appear discharged and represent 0. Abusing this, an attacker can repeatedly and precisely reserve and access memory so that if there are any memory errors and if any of the bits change then he can escalate privileges or evade security protections.
