23.3 A 4.8Gb/s/pin 2Gb LPDDR4 SDRAM with sub-100µA self-refresh current for IoT applications

Kwak, Nohhyup; Kim, Saeng-Hwan; Lee, Kyong Ha; Baek, Chang‐Ki; Jang, Mun Seon; Joo, Yong-Suk; Lee, Seunghun; Lee, Woo Young; Lee, Eunryeong; Han, Dong-Hee; Kang, Jaeyeol; Lim, Jung Ho; Park, Jae-Beom; Kim, Kyung‐Tae; Cho, Sunki; Han, Sung Woo; Keh, Jee Yeon; Chun, Jun Hyun; Oh, Jae‐Eung; Lee, Seok Hee

doi:10.1109/isscc.2017.7870426

Cited by 11 publications

(19 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, once the uncommon case, ECC-equipped platforms are now on the rise, from large cloud providers (e.g., Amazon EC2 [14]) to high-end consumer platforms [15]. In addition, ECC memory is increasingly deployed on low-power platforms such as mobile and IoT devices to drop the DRAM refresh rate below "safe" values and save power [16], [17]. It has therefore become important to quantitatively assess the effectiveness of ECC memory as a Rowhammer mitigation.…”

Section: Introductionmentioning

confidence: 99%

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks

Cojocar

Razavi

Giuffrida

et al. 2019

2019 IEEE Symposium on Security and Privacy (SP)

127

124

View full text Add to dashboard Cite

Given the increasing impact of Rowhammer, and the dearth of adequate other hardware defenses, many in the security community have pinned their hopes on error-correcting code (ECC) memory as one of the few practical defenses against Rowhammer attacks. Specifically, the expectation is that the ECC algorithm will correct or detect any bits they manage to flip in memory in real-world settings. However, the extent to which ECC really protects against Rowhammer is an open research question, due to two key challenges. First, the details of the ECC implementations in commodity systems are not known. Second, existing Rowhammer exploitation techniques cannot yield reliable attacks in presence of ECC memory.In this paper, we address both challenges and provide concrete evidence of the susceptibility of ECC memory to Rowhammer attacks. To address the first challenge, we describe a novel approach that combines a custom-made hardware probe, Rowhammer bit flips, and a cold boot attack to reverse engineer ECC functions on commodity AMD and Intel processors. To address the second challenge, we present ECCploit, a new Rowhammer attack based on composable, data-controlled bit flips and a novel side channel in the ECC memory controller. We show that, while ECC memory does reduce the attack surface for Rowhammer, ECCploit still allows an attacker to mount reliable Rowhammer attacks against vulnerable ECC memory on a variety of systems and configurations. In addition, we show that, despite the non-trivial constraints imposed by ECC, ECCploit can still be powerful in practice and mimic the behavior of prior Rowhammer exploits.

show abstract

Section: Introductionmentioning

confidence: 99%

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks

Cojocar

Razavi

Giuffrida

et al. 2019

2019 IEEE Symposium on Security and Privacy (SP)

127

124

View full text Add to dashboard Cite

show abstract

“…10 shows the distribution of RowHammer bit flips that our custom access patterns induce across 8-byte data chunks as boxand-whisker plots 14 for all 45 DRAM modules we test across three vendors. We use 8-byte data chunks as DRAM ECC typically uses 8-byte or larger datawords [10,37,43,60,61,79,87,118].…”

Section: Bypassing System-level Ecc Using U-trrmentioning

confidence: 99%

“…The large number of RowHammer bit flips caused by our specialized access patterns has significant implications for systems protected by Error Correction Codes (ECC) [47,92,93,95]. Our analysis shows that the U-TRR-discovered access patterns can cause up to 7 bit flips at arbitrary locations in one 8-byte dataword, suggesting that typical ECC schemes capable of correcting one error/symbol and detecting two errors/symbols (e.g., SECDED ECC [10,37,43,60,61,79,87,118] and Chipkill [2,20,86]) cannot provide sufficient protection against RowHammer even in the presence of TRR mechanisms.…”

Section: Introductionmentioning

confidence: 99%

Uncovering In-DRAM RowHammer Protection Mechanisms:A New Methodology, Custom RowHammer Patterns, and Implications

Hassan

Can

Kim

et al. 2021

MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture

View full text Add to dashboard Cite

The RowHammer vulnerability in DRAM is a critical threat to system security. To protect against RowHammer, vendors commit to security-through-obscurity: modern DRAM chips rely on undocumented, proprietary, on-die mitigations, commonly known as Target Row Refresh (TRR). At a high level, TRR detects and refreshes potential RowHammer-victim rows, but its exact implementations are not openly disclosed. Security guarantees of TRR mechanisms cannot be easily studied due to their proprietary nature.To assess the security guarantees of recent DRAM chips, we present Uncovering TRR (U-TRR), an experimental methodology to analyze in-DRAM TRR implementations. U-TRR is based on the new observation that data retention failures in DRAM enable a side channel that leaks information on how TRR refreshes potential victim rows. U-TRR allows us to (i) understand how logical DRAM rows are laid out physically in silicon; (ii) study undocumented on-die TRR mechanisms; and (iii) combine (i) and (ii) to evaluate the RowHammer security guarantees of modern DRAM chips. We show how U-TRR allows us to craft RowHammer access patterns that successfully circumvent the TRR mechanisms employed in 45 DRAM modules of the three major DRAM vendors. We find that the DRAM modules we analyze are vulnerable to RowHammer, having bit flips in up to 99.9% of all DRAM rows. CCS Concepts• Hardware → Dynamic memory; • Security and privacy → Hardware reverse engineering.

show abstract

“…Prior works [60,97,98,120,129,133,138,147] indicate that existing on-die ECC codes are 64-or 128-bit single-error correction (SEC) Hamming codes [44]. However, each DRAM manufacturer considers their on-die ECC mechanism's design and implementation to be highly proprietary and ensures not to reveal its details in any public documentation, including DRAM standards [68,69], DRAM datasheets [63,121,149,158], publications [76,97,98,133], and industry whitepapers [120,147].…”

Section: Introductionmentioning

confidence: 99%

“…For each of these third parties, merely knowing or reverseengineering the type of ECC code (e.g., n-bit Hamming code) based on existing industry [60,97,98,120,133,147] and academic [129,138] publications is not enough to determine exactly how the ECC mechanism obfuscates speci c error pa erns.…”

Section: Introductionmentioning

confidence: 99%

Bit-Exact ECC Recovery (BEER): Determining DRAM On-Die ECC Functions by Exploiting DRAM Data Retention Characteristics

Patel¹,

Kim²,

Shahroodi³

et al. 2020

Preprint

View full text Add to dashboard Cite

Increasing single-cell DRAM error rates have pushed DRAM manufacturers to adopt on-die error-correction coding (ECC), which operates entirely within a DRAM chip to improve factory yield. e on-die ECC function and its e ects on DRAM reliability are considered trade secrets, so only the manufacturer knows precisely how on-die ECC alters the externally-visible reliability characteristics. Consequently, on-die ECC obstructs third-party DRAM customers (e.g., test engineers, experimental researchers), who typically design, test, and validate systems based on these characteristics.To give third parties insight into precisely how on-die ECC transforms DRAM error pa erns during error correction, we introduce Bit-Exact ECC Recovery (BEER), a new methodology for determining the full DRAM on-die ECC function (i.e., its parity-check matrix) without hardware tools, prerequisite knowledge about the DRAM chip or on-die ECC mechanism, or access to ECC metadata (e.g., error syndromes, parity information). BEER exploits the key insight that non-intrusively inducing data-retention errors with carefully-cra ed test patterns reveals behavior that is unique to a speci c ECC function.We use BEER to identify the ECC functions of 80 real LPDDR4 DRAM chips with on-die ECC from three major DRAM manufacturers. We evaluate BEER's correctness in simulation and performance on a real system to show that BEER is e ective and practical across a wide range of on-die ECC functions. To demonstrate BEER's value, we propose and discuss several ways that third parties can use BEER to improve their design and testing practices. As a concrete example, we introduce and evaluate BEEP, the rst error pro ling methodology that uses the known on-die ECC function to recover the number and bit-exact locations of unobservable raw bit errors responsible for observable post-correction errors.

show abstract

23.3 A 4.8Gb/s/pin 2Gb LPDDR4 SDRAM with sub-100µA self-refresh current for IoT applications

Cited by 11 publications

References 1 publication

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks

Uncovering In-DRAM RowHammer Protection Mechanisms:A New Methodology, Custom RowHammer Patterns, and Implications

Bit-Exact ECC Recovery (BEER): Determining DRAM On-Die ECC Functions by Exploiting DRAM Data Retention Characteristics

Contact Info

Product

Resources

About