Quantifying Rowhammer Vulnerability for DRAM Security

Jiang, Yichen; Zhu, Huifeng; Sullivan, Dean; Guo, Xiaolong; Zhang, Xuan; Jin, Yier

doi:10.1109/dac18074.2021.9586119

Cited by 9 publications

(7 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Modern DRAM chips suffer from an error mechanism, called RowHammer [71,72,101] that happens when a DRAM row (i.e., aggressor row) is repeatedly activated enough times before its neighboring rows (i.e., victim rows) get refreshed [29,58,71,72,99,101,110,111,127,153,[164][165][166]. Due to the aggressive reduction in manufacturing process technology node size, DRAM cells become smaller and closer to each other, exacerbating the RowHammer vulnerability.…”

Section: The Rowhammer Vulnerabilitymentioning

confidence: 99%

“…Thus, it is necessary to rigorously understand the RowHammer vulnerability of modern DRAM chips, project future attacks, and develop effective RowHammer defense mechanisms in modern systems that use DRAM. Through characterization [71,72,110,111] and modeling [29,58,111,123,127,153,[164][165][166], past research shows that circuit-level capacitive coupling [58,123] and trap-assisted leakage [166] have a significant effect on RowHammer bit flips [153].…”

Section: The Rowhammer Vulnerabilitymentioning

confidence: 99%

“…Simulation-based Studies. Prior works [29,58,123,127,153,[164][165][166] attempt to explain the error mechanisms that cause RowHammer bit flips through circuit-level simulations of capacitative-coupling and charge-trapping mechanisms, without testing real DRAM chips. These works, some of which we discuss in §5.3 and §6.3, are orthogonal to our experimental study.…”

Section: Related Workmentioning

confidence: 99%

“…Unfortunately, these reductions have been shown to negatively impact DRAM reliability [92,98] and expose vulnerabilities such as RowHammer [71,72,101]. RowHammer is an error mechanism that is caused by hammering, or opening and closing (i.e., activating and precharging), a DRAM row (i.e., aggressor row) many times, which can cause bit flips in physically-nearby rows (i.e., victim rows) [29,58,72,99,101,110,111,127,153,[164][165][166]. RowHammer has gained attention in both academia and industry, and various attacks have exploited the RowHammer vulnerability to escalate privilege, leak private data, and manipulate critical application outputs [1,10,13,20,21,26,27,33,34,39,43,49,56,78,85,99,101,118,119,122,129,133,145,150,151,156,158,167,…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

A Deeper Look into RowHammer’s Sensitivities: Experimental Analysis of Real DRAM Chips and Implications on Future Attacks and Defenses

Orosa

Yağlıkçı

Luo

et al. 2021

MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture

View full text Add to dashboard Cite

RowHammer is a circuit-level DRAM vulnerability where repeatedly accessing (i.e., hammering) a DRAM row can cause bit flips in physically nearby rows. The RowHammer vulnerability worsens as DRAM cell size and cell-to-cell spacing shrink. Recent studies demonstrate that modern DRAM chips, including chips previously marketed as RowHammer-safe, are even more vulnerable to RowHammer than older chips such that the required hammer count to cause a bit flip has reduced by more than 10X in the last decade. Therefore, it is essential to develop a better understanding and in-depth insights into the RowHammer vulnerability of modern DRAM chips to more effectively secure current and future systems.Our goal in this paper is to provide insights into fundamental properties of the RowHammer vulnerability that are not yet rigorously studied by prior works, but can potentially be 𝑖) exploited to develop more effective RowHammer attacks or 𝑖𝑖) leveraged to design more effective and efficient defense mechanisms. To this end, we present an experimental characterization using 248 DDR4 and 24 DDR3 modern DRAM chips from four major DRAM manufacturers demonstrating how the RowHammer effects vary with three fundamental properties: 1) DRAM chip temperature, 2) aggressor row active time, and 3) victim DRAM cell's physical location. Among our 16 new observations, we highlight that a RowHammer bit flip 1) is very likely to occur in a bounded range, specific to each DRAM cell (e.g., 5.4% of the vulnerable DRAM cells exhibit errors in the range 70 °C to 90 °C), 2) is more likely to occur if the aggressor row is active for longer time (e.g., RowHammer vulnerability increases by 36% if we keep a DRAM row active for 15 column accesses), and 3) is more likely to occur in certain physical regions of the DRAM module under attack (e.g., 5% of the rows are 2x more vulnerable than the remaining 95% of the rows). Our study has important practical implications on future RowHammer attacks and defenses. We describe and analyze the implications of our new findings by proposing three future RowHammer attack and six future RowHammer defense improvements.

show abstract

Section: The Rowhammer Vulnerabilitymentioning

confidence: 99%

Section: The Rowhammer Vulnerabilitymentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Deeper Look into RowHammer’s Sensitivities: Experimental Analysis of Real DRAM Chips and Implications on Future Attacks and Defenses

Orosa

Yağlıkçı

Luo

et al. 2021

MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture

View full text Add to dashboard Cite

show abstract

“…Kim et al [56] report that most DRAM chips manufactured since 2010 are susceptible to disturbance errors that are popularly referred to as RowHammer. Recent works [25,45,56,83,90,103,126,[133][134][135] explain the circuit-level charge leakage mechanisms that lead to the RowHammer vulnerability. A security attack exploits the RowHammer vulnerability by hammering (i.e., repeatedly activating and precharging) an aggressor row many times (e.g., 139𝐾 in DDR3 [56], 10𝐾 in DDR4 [54], and 4.8𝐾 in LPDDR4 [54]) 1 to cause bit flips in the cells of the victim rows that are physically adjacent to the hammered row.…”

Section: Introductionmentioning

confidence: 99%

Uncovering In-DRAM RowHammer Protection Mechanisms:A New Methodology, Custom RowHammer Patterns, and Implications

Hassan

Can

Kim

et al. 2021

MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture

View full text Add to dashboard Cite

The RowHammer vulnerability in DRAM is a critical threat to system security. To protect against RowHammer, vendors commit to security-through-obscurity: modern DRAM chips rely on undocumented, proprietary, on-die mitigations, commonly known as Target Row Refresh (TRR). At a high level, TRR detects and refreshes potential RowHammer-victim rows, but its exact implementations are not openly disclosed. Security guarantees of TRR mechanisms cannot be easily studied due to their proprietary nature.To assess the security guarantees of recent DRAM chips, we present Uncovering TRR (U-TRR), an experimental methodology to analyze in-DRAM TRR implementations. U-TRR is based on the new observation that data retention failures in DRAM enable a side channel that leaks information on how TRR refreshes potential victim rows. U-TRR allows us to (i) understand how logical DRAM rows are laid out physically in silicon; (ii) study undocumented on-die TRR mechanisms; and (iii) combine (i) and (ii) to evaluate the RowHammer security guarantees of modern DRAM chips. We show how U-TRR allows us to craft RowHammer access patterns that successfully circumvent the TRR mechanisms employed in 45 DRAM modules of the three major DRAM vendors. We find that the DRAM modules we analyze are vulnerable to RowHammer, having bit flips in up to 99.9% of all DRAM rows. CCS Concepts• Hardware → Dynamic memory; • Security and privacy → Hardware reverse engineering.

show abstract

An Experimental Analysis of RowHammer in HBM2 DRAM Chips

Olgun,

Osseiran,

Yağlıkçı

et al. 2023

2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume (DSN-S)

View full text Add to dashboard Cite

We introduce ABACuS, a new low-cost hardware-counterbased RowHammer mitigation technique that performance-, energy-, and area-efficiently scales with worsening RowHammer vulnerability. We observe that both benign workloads and RowHammer attacks tend to access DRAM rows with the same row address in multiple DRAM banks at around the same time. Based on this observation, ABACuS's key idea is to use a single shared row activation counter to track activations to the rows with the same row address in all DRAM banks. Unlike stateof-the-art RowHammer mitigation mechanisms that implement a separate row activation counter for each DRAM bank, ABA-CuS implements fewer counters (e.g., only one) to track an equal number of aggressor rows.Our comprehensive evaluations show that ABACuS securely prevents RowHammer bitflips at low performance/energy overhead and low area cost. We compare ABACuS to four state-ofthe-art mitigation mechanisms. At a near-future RowHammer threshold of 1000, ABACuS incurs only 0.58% (0.77%) performance and 1.66% (2.12%) DRAM energy overheads, averaged across 62 single-core (8-core) workloads, requiring only 9.47 KiB of storage per DRAM rank. At the RowHammer threshold of 1000, the best prior low-area-cost mitigation mechanism incurs 1.80% higher average performance overhead than ABACuS, while ABACuS requires 2.50× smaller chip area to implement. At a future RowHammer threshold of 125, ABACuS performs very similarly to (within 0.38% of the performance of) the best prior performance-and energy-efficient RowHammer mitigation mechanism while requiring 22.72× smaller chip area. We also show that ABACuS's performance scales well with the number of DRAM banks. At the RowHammer threshold of 125, ABA-CuS incurs 1.58%, 1.50%, and 2.60% performance overheads for 16-, 32-, and 64-bank systems across all 62 single-core workloads, respectively. ABACuS is freely and openly available at https://github.com/CMU-SAFARI/ABACuS.

show abstract

Quantifying Rowhammer Vulnerability for DRAM Security

Cited by 9 publications

References 11 publications

A Deeper Look into RowHammer’s Sensitivities: Experimental Analysis of Real DRAM Chips and Implications on Future Attacks and Defenses

A Deeper Look into RowHammer’s Sensitivities: Experimental Analysis of Real DRAM Chips and Implications on Future Attacks and Defenses

Uncovering In-DRAM RowHammer Protection Mechanisms:A New Methodology, Custom RowHammer Patterns, and Implications

An Experimental Analysis of RowHammer in HBM2 DRAM Chips

Contact Info

Product

Resources

About