RowHammer and Beyond

  • Onur Mutlu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11421)

Abstract

We will discuss the RowHammer problem in DRAM, which is a prime (and likely the first) example of how a circuit-level failure mechanism in Dynamic Random Access Memory (DRAM) can cause a practical and widespread system security vulnerability. RowHammer is the phenomenon that repeatedly accessing a row in a modern DRAM chip predictably causes errors in physically-adjacent rows. It is caused by a hardware failure mechanism called read disturb errors. Building on our initial fundamental work that appeared at ISCA 2014, Google Project Zero demonstrated that this hardware phenomenon can be exploited by user-level programs to gain kernel privileges. Many other recent works demonstrated other attacks exploiting RowHammer, including remote takeover of a server vulnerable to RowHammer. We will analyze the root causes of the problem and examine solution directions. We will also discuss what other problems may be lurking in DRAM and other types of memories, e.g., NAND flash and Phase Change Memory, which can potentially threaten the foundations of reliable and secure systems, as the memory technologies scale to higher densities.

Notes

Acknowledgments

This short paper and the associated keynote talk are heavily based on two previous papers we have written on RowHammer, one that first introduced the phenomenon in ISCA 2014 [55] and the other that provides an analysis and future outlook on RowHammer [80]. They are a result of the research done together with many students and collaborators over the course of the past 7–8 years. In particular, three PhD theses have shaped the understanding that led to this work. These are Yoongu Kim’s thesis entitled “Architectural Techniques to Enhance DRAM Scaling” [54], Yu Cai’s thesis entitled “NAND Flash Memory: Characterization, Analysis, Modeling and Mechanisms” [24] and his continued follow-on work after his thesis, summarized in [27, 28], and Donghyuk Lee’s thesis entitled “Reducing DRAM Latency at Low Cost by Exploiting Heterogeneity” [62]. We also acknowledge various funding agencies (NSF, SRC, ISTC, CyLab) and industrial partners (AliBaba, AMD, Google, Facebook, HP Labs, Huawei, IBM, Intel, Microsoft, Nvidia, Oracle, Qualcomm, Rambus, Samsung, Seagate, VMware) who have supported the presented and other related work in my group generously over the years. The first version of this talk was delivered at a CMU CyLab Partners Conference in September 2015. Another version of the talk was delivered as part of an Invited Session at DAC 2016, with a collaborative accompanying paper entitled “Who Is the Major Threat to Tomorrow’s Security? You, the Hardware Designer” [16]. The most recent version is the invited talk given at the Top Picks in Hardware and Embedded Security workshop, co-located with ICCAD 2018 [7], where RowHammer was selected as a Top Pick among hardware and embedded security papers published between 2012–2017. I would like to also thank Christina Giannoula for her help in preparing this manuscript.

References

  1.
  2.
  3. Rowhammer: Source Code for Testing the Row Hammer Error Mechanism in DRAM Devices. https://github.com/CMU-SAFARI/rowhammer
  4. Test DRAM for Bit Flips Caused by the RowHammer Problem. https://github.com/google/rowhammer-test
  5. ThinkPad X210 BIOS Debugging. https://github.com/tadfisher/x210-bios
  6. Tweet about RowHammer Mitigation on x210. https://twitter.com/isislovecruft/status/1021939922754723841
  7. Top Picks in Hardware and Embedded Security - Workshop Collocated with ICCAD 2018 (2017). https://wp.nyu.edu/toppicksinhardwaresecurity/
  8. Aga, M.T., Aweke, Z.B., Austin, T.: When good protections go bad: exploiting anti-DoS measures to accelerate rowhammer attacks. In: HOST (2017)
  9. Aichinger, B.: The Known Failure Mechanism in DDR3 Memory referred to as Row Hammer, September 2014. http://ddrdetective.com/files/6414/1036/5710/The_Known_Failure_Mechanism_in_DDR3_memory_referred_to_as_Row_Hammer.pdf
  10. Aichinger, B.: DDR memory errors caused by row hammer. In: HPEC (2015)
  11. Apple Inc., About the security content of Mac EFI Security Update 2015-001, June 2015. https://support.apple.com/en-us/HT204934
  12. Aweke, Z.B., et al.: Anvil: software-based protection against next-generation rowhammer attacks. In: ASPLOS (2016)
  13. Bhattacharya, S., Mukhopadhyay, D.: Curious case of RowHammer: flipping secret exponent bits using timing analysis. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 602–624. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_29
  14. Bosman, E., et al.: Dedup Est Machina: memory deduplication as an advanced exploitation vector. In: S&P (2016)
  15. Brasser, F., Davi, L., Gens, D., Liebchen, C., Sadeghi, A.-R.: Can’t touch this: practical and generic software-only defenses against RowHammer attacks. In: USENIX Security (2017)
  16. Burleson, W., et al.: Who is the major threat to tomorrow’s security? You, the hardware designer. In: DAC (2016)
  17. Cai, Y., et al.: Error patterns in MLC NAND flash memory: measurement, characterization, and analysis. In: DATE (2012)
  18. Cai, Y., et al.: Flash correct-and-refresh: retention-aware error management for increased flash memory lifetime. In: ICCD (2012)
  19. Cai, Y., et al.: Error analysis and retention-aware error management for NAND flash memory. ITJ 17(1), 140–165 (2013)
  20. Cai, Y., et al.: Program interference in MLC NAND flash memory: characterization, modeling, and mitigation. In: ICCD (2013)
  21. Cai, Y., et al.: Threshold voltage distribution in MLC NAND flash memory: characterization, analysis and modeling. In: DATE (2013)
  22. Cai, Y., et al.: Neighbor-cell assisted error correction for MLC NAND flash memories. In: SIGMETRICS (2014)
  23. Cai, Y., et al.: Vulnerabilities in MLC NAND flash memory programming: experimental analysis, exploits, and mitigation techniques. In: HPCA (2017)
  24. Cai, Y.: NAND flash memory: characterization, analysis, modeling and mechanisms. Ph.D. thesis, Carnegie Mellon University (2012)
  25. Cai, Y., et al.: Data retention in MLC NAND flash memory: characterization, optimization and recovery. In: HPCA (2015)
  26. Cai, Y., et al.: Read disturb errors in MLC NAND flash memory: characterization, mitigation, and recovery. In: DSN (2015)
  27. Cai, Y., Ghose, S., Haratsch, E.F., Luo, Y., Mutlu, O.: Error characterization, mitigation, and recovery in flash-memory-based solid-state drives. Proc. IEEE 105, 1666–1704 (2017)
  28. Cai, Y., Ghose, S., Haratsch, E.F., Luo, Y., Mutlu, O.: Errors in Flash-Memory-Based Solid-State Drives: Analysis, Mitigation, and Recovery (2017). arXiv preprint: arXiv:1711.11427
  29. Chandrasekar, K., et al.: Exploiting expendable process-margins in DRAMs for run-time performance optimization. In: DATE (2014)
  30. Chang, K., et al.: Understanding latency variation in modern DRAM chips: experimental characterization, analysis, and optimization. In: SIGMETRICS (2016)
  31. Chang, K., et al.: Improving DRAM performance by parallelizing refreshes with accesses. In: HPCA (2014)
  32. Chen, E., et al.: Advances and future prospects of spin-transfer torque random access memory. IEEE Trans. Magn. 46, 1873–1878 (2010)
  33. Das, A., et al.: VRL-DRAM: improving DRAM performance via variable refresh latency. In: DAC (2018)
  34. Fridley, T., Santos, O.: Mitigations Available for the DRAM Row Hammer Vulnerability, March 2015. http://blogs.cisco.com/security/mitigations-available-for-the-dram-row-hammer-vulnerability
  35. Frigo, P., et al.: Grand Pwning unit: accelerating microarchitectural attacks with the GPU. In: IEEE S&P (2018)
  36. Gomez, H., Amaya, A., Roa, E.: DRAM Row-hammer attack reduction using dummy cells. In: NORCAS (2016)
  37. Goodin, D.: Once thought safe, DDR4 memory shown to be vulnerable to Rowhammer (2016). https://arstechnica.com/information-technology/2016/03/once-thought-safe-ddr4-memory-shown-to-be-vulnerable-to-rowhammer/
  38. Greenberg, A.: Forget Software – Now Hackers are Exploiting Physics (2016). https://www.wired.com/2016/08/new-form-hacking-breaks-ideas-computers-work/
  39. Gruss, D., et al.: Another flip in the wall of rowhammer defenses. In: IEEE S&P (2018)
  40. Gruss, D., et al.: Rowhammer.js: a remote software-induced fault attack in Javascript. CoRR, abs/1507.06955 (2015)
  41. Harris, R.: Flipping DRAM bits - maliciously, December 2014. http://www.zdnet.com/article/flipping-dram-bits-maliciously/
  42. Hassan, H., et al.: SoftMC: a flexible and practical open-source infrastructure for enabling experimental DRAM studies. In: HPCA (2017)
  43. Hewlett-Packard Enterprise. HP Moonshot Component Pack Version 2015.05.0 (2015). http://h17007.www1.hp.com/us/en/enterprise/servers/products/moonshot/component-pack/index.aspx
  44. Irazoqui, G., Eisenbarth, T., Sunar, B.: MASCAT: stopping microarchitectural attacks before execution. IACR Cryptology ePrint Archive (2016)
  45. Jang, Y., Lee, J., Lee, S., Kim, T.: SGX-bomb: locking down the processor via rowhammer attack. In: SysTEX (2017)
  46. Kang, U., et al.: Co-architecting controllers and DRAM to enhance DRAM process scaling. In: The Memory Forum (2014)
  47. Khan, S., et al.: The efficacy of error mitigation techniques for DRAM retention failures: a comparative experimental study. In: SIGMETRICS (2014)
  48. Khan, S., et al.: A case for memory content-based detection and mitigation of data-dependent failures in DRAM. CAL 16(2), 88–93 (2016)
  49. Khan, S., et al.: PARBOR: an efficient system-level technique to detect data-dependent failures in DRAM. In: DSN (2016)
  50. Kim, D.-H., et al.: Architectural support for mitigating row hammering in DRAM memories. IEEE CAL 14, 9–12 (2015)
  51. Kim, J.S., Patel, M., Hassan, H., Mutlu, O.: Solar-DRAM: reducing DRAM access latency by exploiting the variation in local bitlines. In: ICCD (2018)
  52. Kim, J.S., Patel, M., Hassan, H., Mutlu, O.: The DRAM latency PUF: quickly evaluating physical unclonable functions by exploiting the latency-reliability tradeoff in modern commodity DRAM devices. In: HPCA (2018)
  53. Kim, J.S., Patel, M., Hassan, H., Orosa, L., Mutlu, O.: D-RaNGe: using commodity DRAM devices to generate true random numbers with low latency and high throughput. In: HPCA (2019)
  54. Kim, Y.: Architectural techniques to enhance DRAM scaling. Ph.D. thesis, Carnegie Mellon University (2015)
  55. Kim, Y., et al.: Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors. In: ISCA (2014)
  56. Kocher, P., et al.: Spectre attacks: exploiting speculative execution. In: S&P (2018)
  57. Kultursay, E., et al.: Evaluating STT-RAM as an energy-efficient main memory alternative. In: ISPASS (2013)
  58. Lanteigne, M.: How Rowhammer could be used to exploit weaknesses in computer hardware, March 2016. http://www.thirdio.com/rowhammer.pdf
  59. Lee, B.C., et al.: Architecting phase change memory as a scalable DRAM alternative. In: ISCA (2009)
  60. Lee, B.C., et al.: Phase change memory architecture and the quest for scalability. CACM 53, 99–106 (2010)
  61. Lee, B.C., et al.: Phase change technology and the future of main memory. IEEE Micro 30, 143 (2010)
  62. Lee, D.: Reducing DRAM latency by exploiting heterogeneity. ArXiV (2016)
  63. Lee, D., et al.: Adaptive-latency DRAM: optimizing DRAM timing for the common-case. In: HPCA (2015)
  64. Lee, D., et al.: Design-induced latency variation in modern DRAM chips: characterization, analysis, and latency reduction mechanisms. In: POMACS (2017)
  65. Lee, E., Lee, S., Edward Suh, G., Ahn, J.H.: TWiCe: time window counter based row refresh to prevent Row-hammering. CAL 17, 96–99 (2018)
  66. Lenovo. Row Hammer Privilege Escalation, March 2015. https://support.lenovo.com/us/en/product_security/row_hammer
  67. Lipp, M., et al.: Nethammer: inducing rowhammer faults through network requests (2018). arxiv.org
  68. Lipp, M., et al.: Meltdown: reading kernel memory from user space. In: USENIX Security (2018)
  69. Liu, J., et al.: RAIDR: retention-aware intelligent DRAM refresh. In: ISCA (2012)
  70. Liu, J., et al.: An experimental study of data retention behavior in modern DRAM devices: implications for retention time profiling mechanisms. In: ISCA (2013)
  71. Luo, Y., et al.: WARM: improving NAND flash memory lifetime with write-hotness aware retention management. In: MSST (2015)
  72. Luo, Y., et al.: Enabling accurate and practical online flash channel modeling for modern MLC NAND flash memory. JSAC 34, 2294–2311 (2016)
  73. Luo, Y., Ghose, S., Cai, Y., Haratsch, E.F., Mutlu, O.: HeatWatch: improving 3D NAND flash memory device reliability by exploiting self-recovery and temperature awareness. In: HPCA (2018)
  74. Luo, Y., Ghose, S., Cai, Y., Haratsch, E.F., Mutlu, O.: Improving 3D NAND flash memory lifetime by tolerating early retention loss and process variation. In: POMACS (2018)
  75. Mandelman, J., et al.: Challenges and future directions for the scaling of dynamic random-access memory (DRAM). IBM J. Res. Dev. 46, 187–212 (2002)
  76. Meza, J., et al.: A case for efficient hardware-software cooperative management of storage and memory. In: WEED (2013)
  77. Meza, J., et al.: A large-scale study of flash memory errors in the field. In: SIGMETRICS (2015)
  78. Meza, J., et al.: Revisiting memory errors in large-scale production data centers: analysis and modeling of new trends from the field. In: DSN (2015)
  79. Mutlu, O.: Memory scaling: a systems architecture perspective. In: IMW (2013)
  80. Mutlu, O.: The RowHammer problem and other issues we may face as memory becomes denser. In: DATE (2017)
  81. Mutlu, O.: Error analysis and management for MLC NAND flash memory. In: Flash Memory Summit (2014)
  82. Mutlu, O., Subramanian, L.: Research problems and opportunities in memory systems. In: SUPERFRI (2014)
  83. PassMark Software. MemTest86: The Original Industry Standard Memory Diagnostic Utility (2015). http://www.memtest86.com/troubleshooting.htm
  84. Patel, M., Kim, J.S., Mutlu, O.: The Reach Profiler (REAPER): enabling the mitigation of DRAM retention failures via profiling at aggressive conditions. In: ISCA (2017)
  85. Pessl, P., Gruss, D., Maurice, C., Schwarz, M., Mangard, S.: DRAMA: exploiting dram addressing for cross-CPU attacks. In: USENIX Security (2016)
  86. Poddebniak, D., Somorovsky, J., Schinzel, S., Lochter, M., Rösler, P.: Attacking deterministic signature schemes using fault attacks. In: EuroS&P (2018)
  87. Qiao, R., Seaborn, M.: A new approach for rowhammer attacks. In: HOST (2016)
  88. Qureshi, M.K., et al.: Scalable high performance main memory system using phase-change memory technology. In: ISCA (2009)
  89. Qureshi, M.K., et al.: AVATAR: a Variable-Retention-Time (VRT) aware refresh for DRAM systems. In: DSN (2015)
  90. Qureshi, M.K., et al.: Enhancing lifetime and security of phase change memories via start-gap wear leveling. In: MICRO (2009)
  91. Raoux, S., et al.: Phase-change random access memory: a scalable technology. IBM J. Res. Dev. 52, 465–479 (2008)
  92. Razavi, K., et al.: Flip Feng Shui: hammering a needle in the software stack. In: USENIX Security (2016)
  93. Schroeder, B., et al.: Flash reliability in production: the expected and the unexpected. In: USENIX FAST (2016)
  94. Seaborn, M., Dullien, T.: Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges (2015). http://googleprojectzero.blogspot.com.tr/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
  95. Seaborn, M., Dullien, T.: Exploiting the DRAM rowhammer bug to gain kernel privileges. In: BlackHat (2016)
  96. Seyedzadeh, S.M., Jones, A.K., Melhem, R.: Counter-based tree structure for row hammering mitigation in DRAM. CAL 16, 18–21 (2017)
  97. Son, M., Park, H., Ahn, J., Yoo, S.: Making DRAM stronger against row hammering. In: DAC (2017)
  98. Sridharan, V., et al.: Memory errors in modern systems: the good, the bad, and the ugly. In: ASPLOS (2015)
  99. Sridharan, V., Liberty, D.: A study of DRAM failures in the field. In: SC (2012)
  100. Sridharan, V., Stearley, J., DeBardeleben, N., Blanchard, S., Gurumurthi, S.: Feng Shui of supercomputer memory: positional effects in DRAM and SRAM faults. In: SC (2013)
  101. Tatar, A., et al.: Throwhammer: rowhammer attacks over the network and defenses. In: USENIX ATC (2018)
  102. Tatar, A., Giuffrida, C., Bos, H., Razavi, K.: Defeating software mitigations against rowhammer: a surgical precision hammer. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 47–66. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00470-5_3
  103. van der Veen, V., et al.: Drammer: deterministic rowhammer attacks on mobile platforms. In: CCS (2016)
  104. van der Veen, V., et al.: GuardION: practical mitigation of DMA-based rowhammer attacks on ARM. In: Giuffrida, C., Bardin, S., Blanc, G. (eds.) DIMVA 2018. LNCS, vol. 10885, pp. 92–113. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93411-2_5
  105.
  106. Wong, H.-S.P., et al.: Phase change memory. Proc. IEEE 98, 2201–2227 (2010)
  107. Wong, H.-S.P., et al.: Metal-oxide RRAM. Proc. IEEE 100, 1951–1970 (2012)
  108. Xiao, Y., et al.: One bit flips, one cloud flops: cross-VM row hammer attacks and privilege escalation. In: USENIX Security (2016)
  109. Yoon, H., et al.: Row buffer locality aware caching policies for hybrid memories. In: ICCD (2012)
  110. Yoon, H., et al.: Efficient data mapping and buffering techniques for multi-level cell phase-change memories. In: TACO (2014)
  111. Zhou, P., et al.: A durable and energy efficient main memory using phase change memory technology. In: ISCA (2009)

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. ETH Zürich, Zürich, Switzerland
  2. Carnegie Mellon University, Pittsburgh, USA
