Reliable Rowhammer Attack and Mitigation Based on Reverse Engineering Memory Address Mapping Algorithms

  • Saeyoung Oh
  • Jong KimEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11402)


Rowhammer attacks intentionally induce bit flips to corrupt victim’s data whose integrity must be guaranteed. To perform sophisticated rowhammer attacks, attackers need to repeatedly access the neighboring rows of target data. In DRAM, however, the physical addresses of neighboring rows are not always contiguous even if they are located before or after a target row. Hence, it is important to know the mapping algorithm which maps between physical addresses and physical row indexes not only for an attack but also for protection.

In this paper, we introduce a method to reverse engineer the exact mapping algorithm and demonstrate that the assumption in previous rowhammer work is faulty. In addition, we introduce a novel and efficient rowhammer method and improve existing mitigations that has a security hole caused by the faulty assumption. Finally, we evaluate the effectiveness of the proposed attack and show that the proposed mitigation almost perfectly defends against rowhammer attacks.


Rowhammer bug Reverse engineer Memory address mapping 



This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIP) (No. 2017R1A2B4010914).


  1. 1.
    Aweke, Z.B., et al.: ANVIL: software-based protection against next-generation rowhammer attacks. ACM SIGPLAN Not. 51(4), 743–755 (2016)CrossRefGoogle Scholar
  2. 2.
    Baumann, R.: The impact of technology scaling on soft error rate performance and limits to the efficacy of error correction. In: International Electron Devices Meeting, IEDM 2002, pp. 329–332. IEEE (2002)Google Scholar
  3. 3.
    Brasser, F., Davi, L., Gens, D., Liebchen, C., Sadeghi, A.R.: Can’t touch this: software-only mitigation against rowhammer attacks targeting kernel memory. In: Proceedings of the 26th USENIX Security Symposium (Security), Vancouver, BC, Canada (2017)Google Scholar
  4. 4.
    JEDEC: DDR3 SDRAM Unbuffered DIMM Design Specification, rev. 1.06 (2013)Google Scholar
  5. 5.
    Khan, S., Lee, D., Mutlu, O.: Parbor: an efficient system-level technique to detect data-dependent failures in dram. In: 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 239–250. IEEE (2016)Google Scholar
  6. 6.
    Kim, Y., et al.: Flipping bits in memory without accessing them: an experimental study of dram disturbance errors. In: 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA), pp. 361–372, June 2014Google Scholar
  7. 7.
    Kim, Y., Seshadri, V., Lee, D., Liu, J., Mutlu, O.: A case for exploiting subarray-level parallelism (SALP) in dram. ACM SIGARCH Comput. Arch. News 40(3), 368–379 (2012)CrossRefGoogle Scholar
  8. 8.
    Min, D.S., Langer, D.W.: Twisted line techniques for multi-gigabit dynamic random access memories, US Patent 6,034,879, 7 March 2000Google Scholar
  9. 9.
    Min, D.S., Seo, D.I., You, J., Cho, S., Chin, D., Park, Y.: Wordline coupling noise reduction techniques for scaled drams. In: 1990 Symposium on VLSI Circuits, Digest of Technical Papers, pp. 81–82. IEEE (1990)Google Scholar
  10. 10.
    Pessl, P., Gruss, D., Maurice, C., Schwarz, M., Mangard, S.: DRAMA: exploiting dram addressing for cross-CPU attacks. In: USENIX Security Symposium, pp. 565–581 (2016)Google Scholar
  11. 11.
    Razavi, K., Gras, B., Bosman, E., Preneel, B., Giuffrida, C., Bos, H.: Flip Feng Shui: hammering a needle in the software stack. In: USENIX Security Symposium, pp. 1–18 (2016)Google Scholar
  12. 12.
    Seaborn, M., Dullien, T.: Exploiting the DRAM rowhammer bug to gain kernel privileges (2015).
  13. 13.
    Van Der Veen, V., et al.: Drammer: deterministic rowhammer attacks on mobile platforms. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1675–1689. ACM (2016)Google Scholar
  14. 14.
    Xiao, Y., Zhang, X., Zhang, Y., Teodorescu, R.: One bit flips, one cloud flops: cross-VM row hammer attacks and privilege escalation. In: USENIX Security Symposium, pp. 19–35 (2016)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Department of Computer Science and EngineeringPohang University of Science and Technology (POSTECH)PohangRepublic of Korea

Personalised recommendations