Please use this identifier to cite or link to this item: https://hdl.handle.net/20.500.11851/8264
Full metadata record
DC FieldValueLanguage
dc.contributor.authorHassan, H.-
dc.contributor.authorTu?rul, Y.C.-
dc.contributor.authorKim, Jeremie S.-
dc.contributor.authorVan Der Veen, V.-
dc.contributor.authorRazavi, K.-
dc.contributor.authorMutlu, O.-
dc.date.accessioned2022-01-15T13:00:47Z-
dc.date.available2022-01-15T13:00:47Z-
dc.date.issued2021-
dc.identifier.isbn9781450385572-
dc.identifier.issn1072-4451-
dc.identifier.urihttps://doi.org/10.1145/3466752.3480110-
dc.identifier.urihttps://hdl.handle.net/20.500.11851/8264-
dc.descriptionARM;et al.;Huawei;IBM;Intel;Microsoften_US
dc.description54th Annual IEEE/ACM International Symposium on Microarchitecture, MICRO 2021 -- 18 October 2021 through 22 October 2021 -- 172825en_US
dc.description.abstractThe RowHammer vulnerability in DRAM is a critical threat to system security. To protect against RowHammer, vendors commit to security-through-obscurity: modern DRAM chips rely on undocumented, proprietary, on-die mitigations, commonly known as Target Row Refresh (TRR). At a high level, TRR detects and refreshes potential RowHammer-victim rows, but its exact implementations are not openly disclosed. Security guarantees of TRR mechanisms cannot be easily studied due to their proprietary nature. To assess the security guarantees of recent DRAM chips, we present Uncovering TRR (U-TRR), an experimental methodology to analyze in-DRAM TRR implementations. U-TRR is based on the new observation that data retention failures in DRAM enable a side channel that leaks information on how TRR refreshes potential victim rows. U-TRR allows us to (i) understand how logical DRAM rows are laid out physically in silicon; (ii) study undocumented on-die TRR mechanisms; and (iii) combine (i) and (ii) to evaluate the RowHammer security guarantees of modern DRAM chips. We show how U-TRR allows us to craft RowHammer access patterns that successfully circumvent the TRR mechanisms employed in 45 DRAM modules of the three major DRAM vendors.We find that the DRAM modules we analyze are vulnerable to RowHammer, having bit flips in up to 99.9% of all DRAM rows. © 2021 Association for Computing Machinery.en_US
dc.description.sponsorshipNederlandse Organisatie voor Wetenschappelijk Onderzoek, NWO: NWO 016en_US
dc.description.sponsorshipWe conclude that 1) conventional DRAM ECC cannot protect against our new custom RowHammer patterns and 2) an ECC scheme that can protect against our custom patterns requires a large number of parity-check symbols, i.e., large overheads. 8 Related Work Kim et al. [56] are the first to introduce and analyze the RowHam-mer phenomenon. Numerous later works develop RowHammer attacks to compromise various systems in various ways [1, 7, 8, 15, 16, 19, 23, 24, 28, 29, 34, 38, 44, 54, 62, 71, 82, 83, 96, 98, 100, 104, 109, 122–124, 128, 129, 136, 140] and analyze RowHammer further [15, 16, 28, 54, 89, 97, 98, 122, 126, 135]. To our knowledge, this is the first work to 1) propose an experimental methodology to understand the inner workings of commonly-implemented in-DRAM RowHammer protection (i.e., TRR) mechanisms and 2) use this understanding to create custom access patterns that circumvent the TRR mechanisms of modern DDR4 DRAM chips. In-DRAM TRR. We already provided extensive descriptions of TRR and TRRespass in §1, §2.4, and §6. TRRespass [24] is the most relevant prior work to ours in understanding and circumventing TRR mechanisms, yet it is not effective enough. While TRRespass can incur RowHammer bit flips in 13 of 42 DDR4 modules (and 5 of 13 LPDDR4 modules), TRRespass does not uncover many implementation details of the TRR mechanisms, which are important to circumvent TRR mechanisms. For example, in 29 out of 42 DDR4 modules (and 8 out of 13 LPDDR4 modules), TRRespass fails to find an access pattern that can circumvent TRR. In contrast, our new U-TRR methodology can be used to understand different aspects of a TRR mechanism in great detail and use this understanding to generate specific RowHammer access patterns that effectively incur a large number of bit flips (as we show on 45 real DRAM modules). System-level RowHammer Mitigation Techniques. A number of studies propose system-level RowHammer mitigation techniques [4, 5, 9, 22, 27, 55, 56, 59, 68, 91, 115, 117, 121, 124, 130, 131, 137]. Recent works [23, 28, 54, 131] show that some of these mechanisms are insecure, inefficient, or do not scale well in chips with higher vulnerability to RowHammer. We believe the fundamental principles of U-TRR can be useful for improving the security of these works as well as potentially combining them with in-DRAM TRR. We leave examining such directions to future work. 9 Conclusion We propose U-TRR, a novel experimental methodology for reverse-engineering the main RowHammer mitigation mechanism, Target Row Refresh (TRR), implemented in modern DRAM chips. Using U-TRR, we 1) provide insights into the inner workings of existing proprietary and undocumented TRR mechanisms and 2) develop custom DRAM access patterns to efficiently circumvent TRR in 45 DDR4 DRAM modules from three major vendors. We conclude that TRR does not provide security against RowHammer and can be easily circumvented using the new understanding provided by U-TRR. We believe and hope that U-TRR will facilitate future research by enabling rigorous and open analysis of RowHammer mitigation mechanisms, leading to the development of both new RowHammer attacks and more secure RowHammer protection mechanisms. Acknowledgments We thank the anonymous reviewers of MICRO 2021 for feedback. We thank the SAFARI Research Group members for valuable feedback and the stimulating intellectual environment they provide. We acknowledge the generous gifts provided by our industrial partners, especially Google, Huawei, Intel, Microsoft, and VMware. This work was also supported in part by the Netherlands Organisation for Scientific Research through grant NWO 016.Veni.192.262.en_US
dc.language.isoenen_US
dc.publisherIEEE Computer Societyen_US
dc.relation.ispartofProceedings of the Annual International Symposium on Microarchitecture, MICROen_US
dc.rightsinfo:eu-repo/semantics/openAccessen_US
dc.subjectDRAMen_US
dc.subjectReliabilityen_US
dc.subjectRowHammeren_US
dc.subjectSecurityen_US
dc.subjectTestingen_US
dc.subjectAccess patternsen_US
dc.subjectData-retentionen_US
dc.subjectDRAM chipsen_US
dc.subjectExperimental methodologyen_US
dc.subjectProtection mechanismsen_US
dc.subjectRefresh mechanismen_US
dc.subjectRowhammeren_US
dc.subjectSecurityen_US
dc.subjectSide-channelen_US
dc.subjectSystem securityen_US
dc.subjectDynamic random access storageen_US
dc.titleUncovering In-Dram Rowhammer Protection Mechanisms: a New Methodology, Custom Rowhammer Patterns, and Implicationsen_US
dc.typeConference Objecten_US
dc.departmentFaculties, Faculty of Engineering, Department of Electrical and Electronics Engineeringen_US
dc.departmentFakülteler, Mühendislik Fakültesi, Elektrik ve Elektronik Mühendisliği Bölümütr_TR
dc.identifier.startpage1198en_US
dc.identifier.endpage1213en_US
dc.identifier.scopus2-s2.0-85116725151en_US
dc.institutionauthorTu?rul, Yahya Can-
dc.identifier.doi10.1145/3466752.3480110-
dc.authorscopusid57189066886-
dc.authorscopusid57322480300-
dc.authorscopusid56311059300-
dc.authorscopusid55431169900-
dc.authorscopusid55532049200-
dc.authorscopusid16043006700-
dc.relation.publicationcategoryKonferans Öğesi - Uluslararası - Kurum Öğretim Elemanıen_US
dc.identifier.scopusquality--
item.openairetypeConference Object-
item.languageiso639-1en-
item.grantfulltextnone-
item.fulltextNo Fulltext-
item.openairecristypehttp://purl.org/coar/resource_type/c_18cf-
item.cerifentitytypePublications-
Appears in Collections:Elektrik ve Elektronik Mühendisliği Bölümü / Department of Electrical & Electronics Engineering
Scopus İndeksli Yayınlar Koleksiyonu / Scopus Indexed Publications Collection
Show simple item record



CORE Recommender

SCOPUSTM   
Citations

2
checked on Dec 21, 2024

Page view(s)

70
checked on Dec 23, 2024

Google ScholarTM

Check




Altmetric


Items in GCRIS Repository are protected by copyright, with all rights reserved, unless otherwise indicated.