Abstract
Ensuring the integrity and security of the memory system is critical. Recent studies have shown serious security concerns due to "rowhammer" attacks, where repeated accesses to a row of memory cause bit flips in adjacent rows. Recent work by Google's Project Zero has shown how to leverage rowhammer-induced bit-flips as the basis for security exploits that include malicious code injection and memory privilege escalation. Being an important security concern, industry has attempted to defend against rowhammer attacks. Deployed defenses employ two strategies: (1) doubling the system DRAM refresh rate and (2) restricting access to the CLFLUSH instruction that attackers use to bypass the cache to increase memory access frequency (i.e., the rate of rowhammering). We demonstrate that such defenses are inadequte: we implement rowhammer attacks that both avoid using the CLFLUSH instruction and cause bit flips with a doubled refresh rate. Our next-generation CLFLUSH-free rowhammer attack bypasses the cache by manipulating cache replacement state to allow frequent misses out of the last-level cache to DRAM rows of our choosing.
To protect existing systems from more advanced rowhammer attacks, we develop a software-based defense, ANVIL, which thwarts all known rowhammer attacks on existing systems. ANVIL detects rowhammer attacks by tracking the locality of DRAM accesses using existing hardware performance counters. Our detector identifies the rows being frequently accessed (i.e., the aggressors), then selectively refreshes the nearby victim rows to prevent hammering. Experiments running on real hardware with the SPEC2006 benchmarks show that ANVIL has less than a 1% false positive rate and an average slowdown of 1%. ANVIL is low-cost and robust, and our experiments indicate that it is an effective approach for protecting existing and future systems from even advanced rowhammer attacks.
- https://twitter.com/lavados/status/685618703413698562. Accessed: 2016-01--21.Google Scholar
- Program for Testing for the DRAM "rowhammer" Problem. https://github.com/mseaborn/rowhammer-test. Accessed: 2015-08--11.Google Scholar
- National Security Agency. TEMPEST: A Signal Problem. https://www.nsa.gov/public_info/_files/cryptologic_spectrum/tempest.pdf. Accessed: 2015-08--11.Google Scholar
- JEDEC Solid State Technology Association. DDR3 SDRAM Specification, 2010.Google Scholar
- K. Bains, J.B. Halbert, C.P. Mozak, T.Z. Schoenborn, and Z. Greenfield. Row Hammer Refresh Command, 2014.Google Scholar
- Ishwar Bhati, Mu-Tien Chang, Zeshan Chishti, Shih-Lien Lu, and Bruce Jacob. DRAM Refresh Mechanisms, Penalties, and Trade-Offs. In IEEE Transactions on Computers, VOL. 64, 2015.Google Scholar
- Paul J. Drongowski. Instruction-Based Sampling: A New Performance Analysis Technique for AMD Family 10h Processors. 2007.Google Scholar
- D. Gruss, C. Maurice, and S. Mangard. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. ArXiv e-prints, July 2015.Google Scholar
- John L. Henning. SPEC CPU2006 Benchmark Descriptions. SIGARCH Comput. Archit. News, 34(4):1--17, September 2006.Google Scholar
- M. Hicks, M. Finnicum, S.T. King, M. Martin, and J.M. Smith. Overcoming an Untrusted Computing Base: Detecting and Removing Malicious Hardware Automatically. In Security and Privacy (SP), 2010 IEEE Symposium on, pages 159--172, May 2010.Google ScholarDigital Library
- Rei-Fu Huang, Hao-Yu Yang, M.C. Chao, and Shih-Chin Lin. Alternate Hammering Test for Application-Specific DRAMs and an Industrial Case Study. In Design Automation Conference (DAC), 2012 49th ACM/EDAC/IEEE, pages 1012--1017, June 2012.Google ScholarDigital Library
- R. Hund, C. Willems, and T. Holz. Practical Timing Side Channel Attacks against Kernel Space ASLR. In Security and Privacy (SP), 2013 IEEE Symposium on, pages 191--205, May 2013.Google ScholarDigital Library
- Apple Inc. About the Security Content of Mac EFI Security Update 2015-001 . https://support.apple.com/en-us/HT204934. Accessed: 2015-08--11.Google Scholar
- CISCO Inc. Mitigations Available for the DRAM Row Hammer Vulnerability. http://blogs.cisco.com/security/mitigations-available-for-the-dram-row-hammer-vulnerability.Google Scholar
- HP Inc. HP Moonshot Component Pack Version 2015.05.0. http://h17007.www1.hp.com/us/en/enterprise/servers/products/moonshot/component-pack/index.aspx. Accessed: 2015-08--11.Google Scholar
- Intel Inc. Intel 64 and IA-32 Architectures Optimization Reference Manual. September 2014.Google Scholar
- Intel Inc. Intel® 64 and IA-32 Architectures Software Developer's Manual, Volume 3 (3A, 3B & 3C): System Programming Guide. June 2015.Google Scholar
- Lenovo Inc. Row Hammer Privilege Escalation Lenovo Security Advisory: LEN-2015-009. https://support.lenovo.com/us/en/product_security/row_hammer. Accessed: 2015-08--11.Google Scholar
- Micron Inc. DDR4 SDRAM MT40A2G4, MT40A1G8, MT40A512M16 Data sheet. 2015.Google Scholar
- Aamer Jaleel, Kevin B. Theobald, Simon C. Steely, Jr., and Joel Emer. High Performance Cache Replacement Using Re-reference Interval Prediction (RRIP). In Proceedings of the 37th Annual International Symposium on Computer Architecture, ISCA '10, pages 60--71, New York, NY, USA, 2010. ACM.Google ScholarDigital Library
- JEDEC Solid State Technology Association . Low Power Double Data Rate 4 (LPDDR4), 2015.Google Scholar
- Yier Jin, Nathan Kupp, and Yiorgos Makris. Experiences in hardware trojan design and implementation. In Proceedings of the 2009 IEEE International Workshop on Hardware-Oriented Security and Trust, HST '09, pages 50--57, Washington, DC, USA, 2009. IEEE Computer Society.Google ScholarDigital Library
- Dae-Hyun Kim, P.J. Nair, and M.K. Qureshi. Architectural support for mitigating row hammering in dram memories. Computer Architecture Letters, 14(1):9--12, Jan 2015.Google ScholarCross Ref
- Yoongu Kim, R. Daly, J. Kim, C. Fallin, Ji Hye Lee, Donghyuk Lee, C. Wilkerson, K. Lai, and O. Mutlu. Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors. In Computer Architecture (ISCA), 2014 ACM/IEEE 41st International Symposium on, pages 361--372, June 2014.Google ScholarDigital Library
- Mohsen Ghasempour, Mikel Lujan and Jim Garside. Armor: A Run-Time Memory Hot-Row Detector. http://apt.cs.manchester.ac.uk/projects/ARMOR/RowHammer/index.html. Accessed: 2015-08--11.Google Scholar
- Janani Mukundan, Hillery Hunter, Kyu-hyoun Kim, Jeffrey Stuecheli, and José F. Martınez. Understanding and Mitigating Refresh Overheads in High-density DDR4 DRAM Systems. In Proceedings of the 40th Annual International Symposium on Computer Architecture, ISCA '13, pages 48--59, New York, NY, USA, 2013. ACM.Google ScholarDigital Library
- Yossef Oren, Vasileios P. Kemerlis, Simha Sethumadhavan, and Angelos D. Keromytis. The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12--6, 2015, pages 1406--1418. ACM, 2015.Google ScholarDigital Library
- Mark Seaborn and Thomas Dullien. Exploiting the DRAM rowhammer bug to gain kernel privileges. March 2015.Google Scholar
- Yuval Yarom and Katrina Falkner. FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-channel Attack. In Proceedings of the 23rd USENIX Conference on Security Symposium, SEC'14, pages 719--732, Berkeley, CA, USA, 2014. USENIX Association.Google ScholarDigital Library
Index Terms
- ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks
Recommendations
Fundamentally Understanding and Solving RowHammer
ASPDAC '23: Proceedings of the 28th Asia and South Pacific Design Automation ConferenceWe provide an overview of recent developments and future directions in the RowHammer vulnerability that plagues modern DRAM (Dynamic Random Memory Access) chips, which are used in almost all computing systems as main memory.
RowHammer is the phenomenon ...
A Deeper Look into RowHammer’s Sensitivities: Experimental Analysis of Real DRAM Chips and Implications on Future Attacks and Defenses
MICRO '21: MICRO-54: 54th Annual IEEE/ACM International Symposium on MicroarchitectureRowHammer is a circuit-level DRAM vulnerability where repeatedly accessing (i.e., hammering) a DRAM row can cause bit flips in physically nearby rows. The RowHammer vulnerability worsens as DRAM cell size and cell-to-cell spacing shrink. Recent studies ...
Uncovering In-DRAM RowHammer Protection Mechanisms:A New Methodology, Custom RowHammer Patterns, and Implications
MICRO '21: MICRO-54: 54th Annual IEEE/ACM International Symposium on MicroarchitectureThe RowHammer vulnerability in DRAM is a critical threat to system security. To protect against RowHammer, vendors commit to security-through-obscurity: modern DRAM chips rely on undocumented, proprietary, on-die mitigations, commonly known as Target ...
Comments