trrespass exploiting the many sides of target row refresh
play

TRRespass: Exploiting the Many Sides of Target Row Refresh Pietro - PowerPoint PPT Presentation

Nov 19, 2022 •14 likes •354 views

TRRespass: Exploiting the Many Sides of Target Row Refresh Pietro Frigo 1 Emanuele Vannacci 1 Hasan Hassan 2 Victor Van der Veen 3 Onur Mutlu 2 Herbert Bos 1 Cristiano Giuffrida 1 Kaveh Razavi 1 1 Vrije Universiteit Amsterdam 2 ETH Zrich 3

  1. TRRespass: Exploiting the Many Sides of Target Row Refresh Pietro Frigo 1 Emanuele Vannacci 1 Hasan Hassan 2 Victor Van der Veen 3 Onur Mutlu 2 Herbert Bos 1 Cristiano Giuffrida 1 Kaveh Razavi 1 1 Vrije Universiteit Amsterdam 2 ETH Zürich 3 Qualcomm Technologies Inc. 1

  2. Teaser • Memory vendors advertise RowHammer-free devices • What is Target Row Refresh (TRR)? Not a single mitigation! • Reverse-engineering of in-DRAM mitigations • The Many-sided RowHammer • Hammering up to 20 aggressor rows • 3 major vendors all vulnerable: Samsung, Micron, SK Hynix • Currently representing over 95% of the DRAM market 2

  3. Memory request flow DIMMs DRAM CPU Memory Controller DRAM commands 3

  4. DRAM Refresh • DRAM is dynamic because data must be refresh periodically • Retention time (i.e., 64ms) • The MC issues a REFRESH command every 7.8µs • Only a small portion of memory is refreshed with a command • 8192 refreshes within a 64ms interval 4

  5. Memory array 1 1 1 1 Row 0 0 1 1 0 Row 1 1 1 1 1 Row 2 0 1 0 1 Row 3 Row buffer 5

  6. Read operation: Row 1 1 1 1 1 Row 0 - - - - Row 1 1 1 1 1 Row 2 0 1 0 1 Row 3 0 1 1 0 ACTIVATE Row 1 6

  7. Read operation: Row 3 1 1 1 1 Row 0 0 1 1 0 Row 1 1 1 1 1 Row 2 0 1 0 1 Row 3 - - - - PRECHARGE Row 1 7

  8. Read operation: Row 3 1 1 1 1 Row 0 0 1 1 0 Row 1 1 1 1 1 Row 2 - - - - Row 3 0 1 0 1 ACTIVATE Row 3 8

  9. RowHammer 1 1 1 1 Row 0 0 1 1 0 Row 1 1 0 1 1 Row 2 0 1 0 1 Row 3 - - - - Bit flip! 9

  10. Double-sided RowHammer 1 1 1 1 1 1 1 1 Row 0 0 1 1 0 Row 1 Aggressor row 1 0 1 1 Row 2 Victim row 0 1 0 1 Row 3 Aggressor row - - - - Bit flip! 10

  11. Hardware mitigations • Error-correcting code (ECC) [1] Refreshing a row restores the cells electric charge: it prevents flips. • Double refresh • Target Row Refresh (TRR) [1 ] L. Cojocaret al., “Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks,” in S&P, 2019. 11

  12. Target Row Refresh • TRR-like mitigations track rows activations and refresh victim rows • Many possible implementations in practice • Security through obscurity • Pseudo TRR (pTRR) • Memory controller implementation • In-DRAM TRR • Embedded in the DRAM circuitry 12

  13. Timeline pTRR DDR3 In-DRAM TRR Intel reports pTRR on Earliest manufacturing date DDR3 server systems of RH-free DRAM modules '12 '13 '14 '15 '16 '17 '18 '19 Last generation DIMMs we focus on pTRR DDR4 First DDR4 generation is pTRR protected 13

  14. Goals • Reverse engineer TRR to demystify in-DRAM mitigations • Memory device assessment • A Novel hammering pattern: The Many-sided RowHammer • Hammering up to 20 aggressor rows allows to bypass TRR • Automatically test memory devices: TRRespass • Automate hammering patterns generation 14

  15. Challenges • Analysis from the CPU side not possible • No timing side-channels • FPGA-based memory controller [1,2] [1 ] H. Hassan et al., “SoftMC: A Flexible and Practical Open - Source Infrastructure for Enabling Experimental DRAM Studies,” in HPC A, 2017 [2 ] SAFARI Research Group, “SoftMC — GitHub Repository,” https:// github.com/CMU -SAFARI/SoftMC. 15

  16. Building blocks Abstractions: • Sampler • Track aggressor rows activations • Keep a set of rows • Inhibitor • Prevent bit flips • Refresh victims 16

  17. Case study: Vendor C How big is the sampler? • Pick N aggressor rows • Perform a series of hammers (activations of aggressors) • 8K activations • After each series of hammers, issue R refreshes • 10 Rounds Activations Refreshes Activations Refreshes Round 17

  18. Case study: Vendor C # Corruptions 18

  19. Case study: Vendor C # Corruptions 19

  20. Case study: Vendor C # Corruptions 20

  21. Case study: Observations • The TRR mitigation acts on every refresh command 21

  22. Case study: Vendor C # Corruptions 22

  23. Case study: Vendor C # Corruptions 23

  24. Case study: Observations • The TRR mitigation acts on every refresh command • The mitigation can sample more than one aggressor per refresh interval • The mitigation can refresh only a single victim within a refresh operation 24

  25. Case study: Vendor C # Corruptions 25

  26. Case study: Vendor C # Corruptions 26

  27. Case study: Observations • The TRR mitigation acts on every refresh command • The mitigation can sample more than one aggressor per refresh interval • The mitigation can refresh only a single victim within a refresh operation • Sweeping the number of refresh operations and aggressor rows while hammering reveals the sampler size 27

  28. Case study: Vendor C with tREFi == 7.8 μs 28

  29. Case study: Observations • The TRR mitigation acts on every refresh command • The mitigation can sample more than one aggressor per refresh interval • The mitigation can refresh only a single victim within a refresh operation • Sweeping the number of refresh operations and aggressor rows while hammering reveals the sampler size • The sampling mechanism is affected by the addresses of aggressor rows 29

  30. TRRespass: The RowFuzzer • Black-box fuzzing for RowHammer • Ignore the MC optimizations • Scalable approach for testing • The sampler can track a limited number of aggressor rows • # Aggressors • The sampler design may be row address dependent • Aggressor Location 30

  31. TRRespass: Results • 42 DIMMS from 3 of the major vendors : Samsung, Micron, SK Hynix • 95% of the market • Testing 256MB of contiguous memory against the best pattern • 13 DIMMs with bit flips • Multiple effective patterns for each of them • Bit flips with double refresh • Fuzzing is effective. • How to Improve? Parameter selection. 31

  32. Exploitation • Memory templating • Find the right hammering pattern • Locations of aggressors not always fundamental • Bit flips are repeatable • Spurious flips • We demonstrate the feasibility of 3 example attacks: • Privilege escalation [1] • Access to co-hosted VM via RSA key corruption [2] • Sudo exploit: opcode flipping [3] [1] M. Seaborn and T. Dullien , “Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges,” in Black Hat USA, 2015 [2] K. Razavi et al., “Flip Feng Shui: Hammering a Needle in the Software Stack ,” in USENIX Sec., 2016 32 [3] D. Gruss et al., “Another Flip in the Wall of Rowhammer Defenses,” in S&P, 2018.

  33. Conclusion • Bit flips with more than 20 aggressor rows! • DDR4 devices are much more vulnerable than DDR3 • Bit flips with less than 50K activations • Fuzzing can help in memory testing • Reverse engineering to find meaningful parameters • RowHammer is still a serious problem • No prompt mitigations available 33

  34. Questions! 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Meta-classifiers for exploiting feature dependencies in automatic target recognition Umamahesh

Meta-classifiers for exploiting feature dependencies in automatic target recognition Umamahesh

Meta-classifiers for exploiting feature dependencies in automatic target recognition Umamahesh Srinivas iPAL Group Meeting September 03, 2010 (Work being submitted to IEEE Radar Conference 2011) Outline Automatic Target Recognition

528 views • 37 slides
Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction

Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction

Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction Reverse-engineering branch prediction Leaking host memory from KVM 2 Disclaimer I haven't worked in CPU design I don't

670 views • 40 slides
OmpSs + OpenACC Multi-target Task-Based Programming Model Exploiting OpenACC GPU Kernel Guray

OmpSs + OpenACC Multi-target Task-Based Programming Model Exploiting OpenACC GPU Kernel Guray

www.bsc.es www.bsc.es OmpSs + OpenACC Multi-target Task-Based Programming Model Exploiting OpenACC GPU Kernel Guray Ozen guray.ozen@bsc.es Exascale in BSC Marenostrum 4 (13.7 Petaflops ) General purpose cluster (3400 nodes) with Intel

464 views • 20 slides
Refresh RUS 1 Network RUS: Electrification Refresh 30 year perspective as part of Long

Refresh RUS 1 Network RUS: Electrification Refresh 30 year perspective as part of Long

Electrification Refresh RUS 1 Network RUS: Electrification Refresh 30 year perspective as part of Long Term Planning Process 'to give funders choices for investment in CP6 and beyond' 3 key objectives: Identify the extent of

268 views • 25 slides
e-SIDES Ethical and Societal Implications of Data Sciences What is e-SIDES? Horizon 2020

e-SIDES Ethical and Societal Implications of Data Sciences What is e-SIDES? Horizon 2020

e-SIDES Ethical and Societal Implications of Data Sciences What is e-SIDES? Horizon 2020 grant, running for 3 years Three partners in consortium: eLaw team Planned results 7 community events; Final conference; 7 white

443 views • 28 slides
and sides between congruent triangles basing on the fact that corresponding parts in congruent

and sides between congruent triangles basing on the fact that corresponding parts in congruent

D AY 62 C ONGRUENT ANGLES AND SIDES I NTRODUCTION The most important parts of the triangle that we consider here are sides and three angles. Congruent triangles have corresponding sides of the same length and corresponding angles with

495 views • 14 slides
congruent because the images, the pre-image, and the image, congruent one having undergone a rigid

congruent because the images, the pre-image, and the image, congruent one having undergone a rigid

D AY 51 I DENTIFYING C ONGRUENT SIDES OF A TRIANGLE I NTRODUCTION When a figure undergoes a rigid motion, its shape and size do not change. As a result, it becomes easy to trace the sides that originate from the initial sides before the

373 views • 10 slides
Detecting and exploiting amino acid vulnerabilities in cancer Oncode Institute - NKI-AVL Reuven

Detecting and exploiting amino acid vulnerabilities in cancer Oncode Institute - NKI-AVL Reuven

Detecting and exploiting amino acid vulnerabilities in cancer Oncode Institute - NKI-AVL Reuven Agami Course Basic and Translational Oncology 2018 How to -specifically- kill cancer cells? Target DNA replication (chemotherapy) Suffocate them

518 views • 37 slides
Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data Gerome Miklau University of Massachusetts, Amherst DIMACS Workshop on Recent Work on Di ff erential Privacy across Computer Science October 2012

1.39k views • 136 slides
JSNA Refresh www.WalsallIntelligence.org.uk JSNA 2018-2019 refresh Gap in life expectancy Ageing

JSNA Refresh www.WalsallIntelligence.org.uk JSNA 2018-2019 refresh Gap in life expectancy Ageing

JSNA Refresh www.WalsallIntelligence.org.uk JSNA 2018-2019 refresh Gap in life expectancy Ageing 1 in 4 of 10 & 11 LAC rate from 95 year olds (year 0 to 77.2 yrs population to 98 in 2017 6) obese 0 to 82 yrs 2017 attainment but more to

309 views • 15 slides
Whats My Identity? By Miss Elliott Squares vs. Rectangles Squares Rectangles 4 sides

Whats My Identity? By Miss Elliott Squares vs. Rectangles Squares Rectangles 4 sides

Whats My Identity? By Miss Elliott Squares vs. Rectangles Squares Rectangles 4 sides 4 sides 4 right angles 4 right angles 4 equal sides Opposite sides are equal (2 pairs) Circle the squares with red and the

289 views • 15 slides
Exploiting Depmap cancer dependency data using the depmap R package Theo Killian Gatto Lab 1

Exploiting Depmap cancer dependency data using the depmap R package Theo Killian Gatto Lab 1

UCLouvain Institut de Duve - Computational Biology and Bioinformatics Exploiting Depmap cancer dependency data using the depmap R package Theo Killian Gatto Lab 1 Cancer Dependency Map Precision cancer medicine seeks to target

504 views • 13 slides
Adding value to food waste and by-products REFRESH Community of Experts webinar series

Adding value to food waste and by-products REFRESH Community of Experts webinar series

Adding value to food waste and by-products REFRESH Community of Experts webinar series www.refreshcoe.eu 4/10/2019 REFRESH is funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement no. 641933. The contents

715 views • 55 slides
Winston-Salem State University Undergrad Brand Refresh WSSU UG Brand Refresh | Progress IMC:

Winston-Salem State University Undergrad Brand Refresh WSSU UG Brand Refresh | Progress IMC:

Winston-Salem State University Undergrad Brand Refresh WSSU UG Brand Refresh | Progress IMC: Brainstorm | Persona Exercise | Meetings Admissions Staff: Focus Group | Persona Exercise 68 FYE Students: Focus Groups Other Students:

279 views • 6 slides
Measuring and managing retail food waste REFRESH Community of Experts webinar series

Measuring and managing retail food waste REFRESH Community of Experts webinar series

Measuring and managing retail food waste REFRESH Community of Experts webinar series www.refreshcoe.eu 5/7/2019 REFRESH is funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement no. 641933. The contents of

842 views • 62 slides
Tackling consumer food waste REFRESH Community of Experts webinar series www.refreshcoe.eu

Tackling consumer food waste REFRESH Community of Experts webinar series www.refreshcoe.eu

Tackling consumer food waste REFRESH Community of Experts webinar series www.refreshcoe.eu 5/2/2019 REFRESH is funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement no. 641933. The contents of this document

828 views • 53 slides
T flip flop (toggle) TODAY: from flip flops to RAM lecture 6 Sequential circuits 2 Assume

T flip flop (toggle) TODAY: from flip flops to RAM lecture 6 Sequential circuits 2 Assume

T flip flop (toggle) TODAY: from flip flops to RAM lecture 6 Sequential circuits 2 Assume falling edge - T flipflops, counters and timers (finishing last lecture) triggered. - register array - RAM m January 27, 2016 cm Q:

321 views • 4 slides
Small Groups: Slides, Flips and Turns with MELDS.M.G.PS.8 MELDS.MD.PS.5 Geometric Shapes Week 3

Small Groups: Slides, Flips and Turns with MELDS.M.G.PS.8 MELDS.MD.PS.5 Geometric Shapes Week 3

Unit 5 Math Standards: SG 1 MELDS.M.G.PS.6 Small Groups: Slides, Flips and Turns with MELDS.M.G.PS.8 MELDS.MD.PS.5 Geometric Shapes Week 3 Low Support Guiding Math Ideas: Slides, Flips and Turns Patterns- Adding Complexity

204 views • 3 slides
Trading Places RAHAB & ACHAN IN JOSHUA 2 & 7 True or False? All fruitful time

Trading Places RAHAB & ACHAN IN JOSHUA 2 & 7 True or False? All fruitful time

Trading Places RAHAB & ACHAN IN JOSHUA 2 & 7 True or False? All fruitful time in the Word of God leaves us with something to believe and something to obey . (The two legs of walking with God!) Food for Thought Biblical

407 views • 25 slides
Representing and reasoning about Bayesian coalitional games Oldooz Dianat Supervisor: Prof.

Representing and reasoning about Bayesian coalitional games Oldooz Dianat Supervisor: Prof.

Representing and reasoning about Bayesian coalitional games Oldooz Dianat Supervisor: Prof. Mehmet Orgun Co-supervisor: Dr. Lee Flax Macquarie University Department of Computing June 2012 Oldooz Dianat (Department of computing) Bayesian

580 views • 28 slides
Sequential circuits If the same input may produce different output signal, we have a sequential

Sequential circuits If the same input may produce different output signal, we have a sequential

Sequential circuits If the same input may produce different output signal, we have a sequential logic circuit. It must then have an internal memory that allows the Same input can produce different output output to be affected by both the

795 views • 60 slides
CS70: Jean Walrand: Lecture 20. Modeling Uncertainty: Probability Space 1. Key Points 2. Random

CS70: Jean Walrand: Lecture 20. Modeling Uncertainty: Probability Space 1. Key Points 2. Random

CS70: Jean Walrand: Lecture 20. Modeling Uncertainty: Probability Space 1. Key Points 2. Random Experiments 3. Probability Space Key Points Uncertainty does not mean nothing is known How to best make decisions under uncertainty?

581 views • 24 slides
Flips in higher order Delaunay triangulations Elena Arseneva, Prosenjit Bose, Pilar Cano, and

Flips in higher order Delaunay triangulations Elena Arseneva, Prosenjit Bose, Pilar Cano, and

Flips in higher order Delaunay triangulations Elena Arseneva, Prosenjit Bose, Pilar Cano, and Rodrigo I. Silveira Delaunay triangulations Delaunay triangulations S Delaunay triangulations DT ( S ) Delaunay triangulations DT ( S ) Delaunay

935 views • 64 slides
Digital Design Discussion: Flip-Flops D-Latch Design Latch vs. Flip-Flop Timing D-latch Design

Digital Design Discussion: Flip-Flops D-Latch Design Latch vs. Flip-Flop Timing D-latch Design

Principles Of Digital Design Discussion: Flip-Flops D-Latch Design Latch vs. Flip-Flop Timing D-latch Design Design a gated D-latch using NAND gates and inverters. Draw the schematic and create a truth table for it. An implementation of

54 views • 4 slides

More recommend