JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms

Weissman, Zane; Tiemann, Thore; Moghimi, Daniel; Custodio, Evan; Eisenbarth, Thomas; Sunar, Berk

doi:10.48550/arxiv.1912.11523

Cited by 4 publications

(7 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The RowHammer vulnerability can be used to reliably induce bit flips in main memory using various system-level security attacks [1,10,13,20,21,26,27,33,34,39,43,49,56,78,85,99,101,118,119,122,129,133,145,150,151,156,158,167,171]. Prior work demonstrates that inducing bit flips via a RowHammer attack is practical for privilege escalation [33,34,56,85,122,133,150,158], denial of service [33,85], leaking confidential data [78], and manipulating a critical application's correctness [43,167].…”

Section: The Rowhammer Vulnerabilitymentioning

confidence: 99%

“…RowHammer Attacks and Defenses. Many works [1,10,13,20,21,26,27,33,34,39,43,49,56,78,85,99,101,118,119,122,129,133,145,150,151,156,158,167,171] exploit the RowHammer vulnerability to induce bit flips in main memory, as §2.3 explains. These works activate two (double-sided attack [71,72,133]) or more (many-sided attack [27]) aggressor rows, as rapidly as possible, aiming to maximize the number of RowHammer-induced bit flips.…”

Section: Related Workmentioning

confidence: 99%

“…RowHammer is an error mechanism that is caused by hammering, or opening and closing (i.e., activating and precharging), a DRAM row (i.e., aggressor row) many times, which can cause bit flips in physically-nearby rows (i.e., victim rows) [29,58,72,99,101,110,111,127,153,[164][165][166]. RowHammer has gained attention in both academia and industry, and various attacks have exploited the RowHammer vulnerability to escalate privilege, leak private data, and manipulate critical application outputs [1,10,13,20,21,26,27,33,34,39,43,49,56,78,85,99,101,118,119,122,129,133,145,150,151,156,158,167,171]. 1 To make matters worse, recent experimental studies [20,27,71,72,…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Deeper Look into RowHammer’s Sensitivities: Experimental Analysis of Real DRAM Chips and Implications on Future Attacks and Defenses

Orosa

Yağlıkçı

Luo

et al. 2021

MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture

View full text Add to dashboard Cite

RowHammer is a circuit-level DRAM vulnerability where repeatedly accessing (i.e., hammering) a DRAM row can cause bit flips in physically nearby rows. The RowHammer vulnerability worsens as DRAM cell size and cell-to-cell spacing shrink. Recent studies demonstrate that modern DRAM chips, including chips previously marketed as RowHammer-safe, are even more vulnerable to RowHammer than older chips such that the required hammer count to cause a bit flip has reduced by more than 10X in the last decade. Therefore, it is essential to develop a better understanding and in-depth insights into the RowHammer vulnerability of modern DRAM chips to more effectively secure current and future systems.Our goal in this paper is to provide insights into fundamental properties of the RowHammer vulnerability that are not yet rigorously studied by prior works, but can potentially be 𝑖) exploited to develop more effective RowHammer attacks or 𝑖𝑖) leveraged to design more effective and efficient defense mechanisms. To this end, we present an experimental characterization using 248 DDR4 and 24 DDR3 modern DRAM chips from four major DRAM manufacturers demonstrating how the RowHammer effects vary with three fundamental properties: 1) DRAM chip temperature, 2) aggressor row active time, and 3) victim DRAM cell's physical location. Among our 16 new observations, we highlight that a RowHammer bit flip 1) is very likely to occur in a bounded range, specific to each DRAM cell (e.g., 5.4% of the vulnerable DRAM cells exhibit errors in the range 70 °C to 90 °C), 2) is more likely to occur if the aggressor row is active for longer time (e.g., RowHammer vulnerability increases by 36% if we keep a DRAM row active for 15 column accesses), and 3) is more likely to occur in certain physical regions of the DRAM module under attack (e.g., 5% of the rows are 2x more vulnerable than the remaining 95% of the rows). Our study has important practical implications on future RowHammer attacks and defenses. We describe and analyze the implications of our new findings by proposing three future RowHammer attack and six future RowHammer defense improvements.

show abstract

Section: The Rowhammer Vulnerabilitymentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Deeper Look into RowHammer’s Sensitivities: Experimental Analysis of Real DRAM Chips and Implications on Future Attacks and Defenses

Orosa

Yağlıkçı

Luo

et al. 2021

MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture

View full text Add to dashboard Cite

show abstract

“…A security attack exploits the RowHammer vulnerability by hammering (i.e., repeatedly activating and precharging) an aggressor row many times (e.g., 139𝐾 in DDR3 [56], 10𝐾 in DDR4 [54], and 4.8𝐾 in LPDDR4 [54]) 1 to cause bit flips in the cells of the victim rows that are physically adjacent to the hammered row. Since the discovery of RowHammer, researchers have proposed many techniques that take advantage of the RowHammer vulnerability to compromise operating systems [7,15,16,29,38,44,62,96,98,109,123,124,128,140], web browsers [8,19,23,24,28], cloud virtual machines [100,129], remote servers [71,122], and deep neural networks [34,136]. 2 Thus, RowHammer is a clear major threat to system security.…”

Section: Introductionmentioning

confidence: 99%

Uncovering In-DRAM RowHammer Protection Mechanisms:A New Methodology, Custom RowHammer Patterns, and Implications

Hassan

Can

Kim

et al. 2021

MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture

View full text Add to dashboard Cite

The RowHammer vulnerability in DRAM is a critical threat to system security. To protect against RowHammer, vendors commit to security-through-obscurity: modern DRAM chips rely on undocumented, proprietary, on-die mitigations, commonly known as Target Row Refresh (TRR). At a high level, TRR detects and refreshes potential RowHammer-victim rows, but its exact implementations are not openly disclosed. Security guarantees of TRR mechanisms cannot be easily studied due to their proprietary nature.To assess the security guarantees of recent DRAM chips, we present Uncovering TRR (U-TRR), an experimental methodology to analyze in-DRAM TRR implementations. U-TRR is based on the new observation that data retention failures in DRAM enable a side channel that leaks information on how TRR refreshes potential victim rows. U-TRR allows us to (i) understand how logical DRAM rows are laid out physically in silicon; (ii) study undocumented on-die TRR mechanisms; and (iii) combine (i) and (ii) to evaluate the RowHammer security guarantees of modern DRAM chips. We show how U-TRR allows us to craft RowHammer access patterns that successfully circumvent the TRR mechanisms employed in 45 DRAM modules of the three major DRAM vendors. We find that the DRAM modules we analyze are vulnerable to RowHammer, having bit flips in up to 99.9% of all DRAM rows. CCS Concepts• Hardware → Dynamic memory; • Security and privacy → Hardware reverse engineering.

show abstract

“…Kim et al [73] show that modern DRAM chips are susceptible to the RowHammer phenomenon, where opening and closing (i.e., activating and precharging) a DRAM row (i.e., aggressor row) at a high enough rate (i.e., hammering) can cause bit-flips in physicallynearby rows (i.e., victim rows) [101,104,121,159]. Many works demonstrate various system-level attacks using Row-Hammer to escalate privilege or leak private data (e.g., [1,10,13,24,25,34,35,41,42,47,50,56,79,87,101,104,117,118,120,126,127,144,147,148,151,156,160,163]). Recent findings indicate that RowHammer is a more serious problem than ever and that it is expected to worsen for future DRAM chips [72,101,104].…”

Section: Introductionmentioning

confidence: 99%

BlockHammer: Preventing RowHammer at Low Cost by Blacklisting Rapidly-Accessed DRAM Rows

Yağlıkçı,

Patel,

Kim

et al. 2021

Preprint

View full text Add to dashboard Cite

Aggressive memory density scaling causes modern DRAM devices to suffer from RowHammer, a phenomenon where rapidly activating (i.e., hammering) a DRAM row can cause bit-flips in physically-nearby rows. Recent studies demonstrate that modern DDR4/LPDDR4 DRAM chips, including chips previously marketed as RowHammer-safe, are even more vulnerable to RowHammer than older DDR3 DRAM chips. Many works show that attackers can exploit RowHammer bit-flips to reliably mount system-level attacks to escalate privilege and leak private data. Therefore, it is critical to ensure RowHammersafe operation on all DRAM-based systems as they become increasingly more vulnerable to RowHammer. Unfortunately, state-of-the-art RowHammer mitigation mechanisms face two major challenges. First, they incur increasingly higher performance and/or area overheads when applied to more vulnerable DRAM chips. Second, they require either closely-guarded proprietary information about the DRAM chips' physical circuit layouts or modifications to the DRAM chip design.In this paper, we show that it is possible to efficiently and scalably prevent RowHammer bit-flips without knowledge of or modification to DRAM internals. To this end, we introduce BlockHammer, a low-cost, effective, and easy-to-adopt Row-Hammer mitigation mechanism that prevents all RowHammer bit-flips while overcoming the two key challenges. BlockHammer selectively throttles memory accesses that could otherwise potentially cause RowHammer bit-flips. The key idea of Block-Hammer is to (1) track row activation rates using area-efficient Bloom filters, and (2) use the tracking data to ensure that no row is ever activated rapidly enough to induce RowHammer bit-flips. By guaranteeing that no DRAM row ever experiences a RowHammer-unsafe activation rate, BlockHammer (1) makes it impossible for a RowHammer bit-flip to occur and (2) greatly reduces a RowHammer attack's impact on the performance of co-running benign applications. Our evaluations across a comprehensive range of 280 workloads show that, compared to the best of six state-of-the-art RowHammer mitigation mechanisms (all of which require knowledge of or modification to DRAM internals), BlockHammer provides (1) competitive performance and energy when the system is not under a RowHammer attack and (2) significantly better performance and energy when the system is under a RowHammer attack.

show abstract

JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms

Cited by 4 publications

References 36 publications

A Deeper Look into RowHammer’s Sensitivities: Experimental Analysis of Real DRAM Chips and Implications on Future Attacks and Defenses

A Deeper Look into RowHammer’s Sensitivities: Experimental Analysis of Real DRAM Chips and Implications on Future Attacks and Defenses

Uncovering In-DRAM RowHammer Protection Mechanisms:A New Methodology, Custom RowHammer Patterns, and Implications

BlockHammer: Preventing RowHammer at Low Cost by Blacklisting Rapidly-Accessed DRAM Rows

Contact Info

Product

Resources

About