BlockHammer: Preventing RowHammer at Low Cost by Blacklisting Rapidly-Accessed DRAM Rows

Yağlıkçı, A. Giray; Patel, Minesh; Kim, Jeremie S.; Azizi, Roknoddin; Olgun, Ataberk; Orosa, Lois; Hassan, Hasan; Park, Jisung; Kanellopoulos, Konstantinos; Shahroodi, Taha; Ghose, Saugata; Mutlu, Onur

doi:10.1109/hpca51647.2021.00037

Cited by 54 publications

(63 citation statements)

References 79 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To combat attacks that exploit the RowHammer phenomenon, various RowHammer mitigation mechanisms have been proposed in literature [4,5,9,22,27,55,56,59,68,91,115,117,121,124,130,131,137]. 2 Yaglikci et al [130] classify these mitigation mechanisms into four groups: 𝑖) increasing the refresh rate to reduce the number of activations that can be performed within a refresh interval [4,56], 𝑖𝑖) isolating sensitive data from DRAM rows that an attacker can potentially hammer [9,59,124], 𝑖𝑖𝑖) keeping track of row activations and refreshing potential victim rows [5,22,55,56,68,91,115,117,121,131,137], and 𝑖𝑣) throttling row activations to limit the times a row can be activated within a refresh interval [27,56,130]. Many of these research proposals describe the details of their proposed mechanisms and discuss their security guarantees [56,91,130].…”

Section: Rowhammer Mitigation Mechanismsmentioning

confidence: 99%

“…2 Yaglikci et al [130] classify these mitigation mechanisms into four groups: 𝑖) increasing the refresh rate to reduce the number of activations that can be performed within a refresh interval [4,56], 𝑖𝑖) isolating sensitive data from DRAM rows that an attacker can potentially hammer [9,59,124], 𝑖𝑖𝑖) keeping track of row activations and refreshing potential victim rows [5,22,55,56,68,91,115,117,121,131,137], and 𝑖𝑣) throttling row activations to limit the times a row can be activated within a refresh interval [27,56,130]. Many of these research proposals describe the details of their proposed mechanisms and discuss their security guarantees [56,91,130].…”

Section: Rowhammer Mitigation Mechanismsmentioning

confidence: 99%

“…We observe that the TRR mechanism refreshes four of the victim rows closest to the detected aggressor row, i.e., two victims on each side of the aggressor. This is likely done to protect against the probability that RowHammer bit flips can occur in victim rows that are two rows apart from the aggressor rows, as demonstrated by prior works [54,56,130,131].…”

Section: Vendor Amentioning

confidence: 99%

“…System-level RowHammer Mitigation Techniques. A number of studies propose system-level RowHammer mitigation techniques [4,5,9,22,27,55,56,59,68,91,115,117,121,124,130,131,137]. Recent works [23,28,54,130] show that some of these mechanisms are insecure, inefficient, or do not scale well in chips with higher vulnerability to RowHammer.…”

Section: Related Workmentioning

confidence: 99%

“…A number of studies propose system-level RowHammer mitigation techniques [4,5,9,22,27,55,56,59,68,91,115,117,121,124,130,131,137]. Recent works [23,28,54,130] show that some of these mechanisms are insecure, inefficient, or do not scale well in chips with higher vulnerability to RowHammer. We believe the fundamental principles of U-TRR can be useful for improving the security of these works as well as potentially combining them with in-DRAM TRR.…”

Section: Related Workmentioning

confidence: 99%

See 4 more Smart Citations

Uncovering In-DRAM RowHammer Protection Mechanisms:A New Methodology, Custom RowHammer Patterns, and Implications

Hassan

Can

Kim

et al. 2021

MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture

Self Cite

View full text Add to dashboard Cite

The RowHammer vulnerability in DRAM is a critical threat to system security. To protect against RowHammer, vendors commit to security-through-obscurity: modern DRAM chips rely on undocumented, proprietary, on-die mitigations, commonly known as Target Row Refresh (TRR). At a high level, TRR detects and refreshes potential RowHammer-victim rows, but its exact implementations are not openly disclosed. Security guarantees of TRR mechanisms cannot be easily studied due to their proprietary nature.To assess the security guarantees of recent DRAM chips, we present Uncovering TRR (U-TRR), an experimental methodology to analyze in-DRAM TRR implementations. U-TRR is based on the new observation that data retention failures in DRAM enable a side channel that leaks information on how TRR refreshes potential victim rows. U-TRR allows us to (i) understand how logical DRAM rows are laid out physically in silicon; (ii) study undocumented on-die TRR mechanisms; and (iii) combine (i) and (ii) to evaluate the RowHammer security guarantees of modern DRAM chips. We show how U-TRR allows us to craft RowHammer access patterns that successfully circumvent the TRR mechanisms employed in 45 DRAM modules of the three major DRAM vendors. We find that the DRAM modules we analyze are vulnerable to RowHammer, having bit flips in up to 99.9% of all DRAM rows. CCS Concepts• Hardware → Dynamic memory; • Security and privacy → Hardware reverse engineering.

show abstract

Section: Rowhammer Mitigation Mechanismsmentioning

confidence: 99%

Section: Rowhammer Mitigation Mechanismsmentioning

confidence: 99%

Section: Vendor Amentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 3 more Smart Citations

Uncovering In-DRAM RowHammer Protection Mechanisms:A New Methodology, Custom RowHammer Patterns, and Implications

Hassan

Can

Kim

et al. 2021

MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture

Self Cite

View full text Add to dashboard Cite

show abstract

A Rowhammer Reproduction Study Using the Blacksmith Fuzzer

Gerlach,

Thomas,

Pietsch

et al. 2024

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Rowhammer is a hardware vulnerability that can be exploited to induce bit flips in dynamic random access memory (DRAM), compromising the security of a computer system. Multiple ways of exploiting Rowhammer have been shown and even in the presence of mitigations such as target row refresh (TRR), DRAM modules remain partially vulnerable. In this paper, we present a large-scale reproduction study on the Rowhammer vulnerability using the Blacksmith Rowhammer fuzzer. The main focus of our study is the impact of the fuzzing environment. Our study uses a diverse set of 10 DRAM chips from various manufacturers, with different capacities and memory frequencies. We show that the runtime, used seeds, and DRAM coverage of the fuzzer have been underestimated in previous work. Additionally, we study the entire hardware setup's impact on the transferability of Rowhammer by fuzzing the same DRAM on 4 identical machines. The transferability study heavily relates to Rowhammer-based physically unclonable functions (PUFs) which rely on the stability of Rowhammer-induced bit flips. Our results confirm the findings of the Blacksmith fuzzer, showing that even modern DRAM chips are vulnerable to Rowhammer. In addition, we show that PUFs are challenging to achieve on commodity systems due to the high variability of Rowhammer bit flips.

show abstract