Please use this identifier to cite or link to this item:
https://hdl.handle.net/20.500.11851/8264
Full metadata record
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Hassan, H. | - |
dc.contributor.author | Tu?rul, Y.C. | - |
dc.contributor.author | Kim, Jeremie S. | - |
dc.contributor.author | Van Der Veen, V. | - |
dc.contributor.author | Razavi, K. | - |
dc.contributor.author | Mutlu, O. | - |
dc.date.accessioned | 2022-01-15T13:00:47Z | - |
dc.date.available | 2022-01-15T13:00:47Z | - |
dc.date.issued | 2021 | - |
dc.identifier.isbn | 9781450385572 | - |
dc.identifier.issn | 1072-4451 | - |
dc.identifier.uri | https://doi.org/10.1145/3466752.3480110 | - |
dc.identifier.uri | https://hdl.handle.net/20.500.11851/8264 | - |
dc.description | ARM;et al.;Huawei;IBM;Intel;Microsoft | en_US |
dc.description | 54th Annual IEEE/ACM International Symposium on Microarchitecture, MICRO 2021 -- 18 October 2021 through 22 October 2021 -- 172825 | en_US |
dc.description.abstract | The RowHammer vulnerability in DRAM is a critical threat to system security. To protect against RowHammer, vendors commit to security-through-obscurity: modern DRAM chips rely on undocumented, proprietary, on-die mitigations, commonly known as Target Row Refresh (TRR). At a high level, TRR detects and refreshes potential RowHammer-victim rows, but its exact implementations are not openly disclosed. Security guarantees of TRR mechanisms cannot be easily studied due to their proprietary nature. To assess the security guarantees of recent DRAM chips, we present Uncovering TRR (U-TRR), an experimental methodology to analyze in-DRAM TRR implementations. U-TRR is based on the new observation that data retention failures in DRAM enable a side channel that leaks information on how TRR refreshes potential victim rows. U-TRR allows us to (i) understand how logical DRAM rows are laid out physically in silicon; (ii) study undocumented on-die TRR mechanisms; and (iii) combine (i) and (ii) to evaluate the RowHammer security guarantees of modern DRAM chips. We show how U-TRR allows us to craft RowHammer access patterns that successfully circumvent the TRR mechanisms employed in 45 DRAM modules of the three major DRAM vendors.We find that the DRAM modules we analyze are vulnerable to RowHammer, having bit flips in up to 99.9% of all DRAM rows. © 2021 Association for Computing Machinery. | en_US |
dc.description.sponsorship | Nederlandse Organisatie voor Wetenschappelijk Onderzoek, NWO: NWO 016 | en_US |
dc.description.sponsorship | We conclude that 1) conventional DRAM ECC cannot protect against our new custom RowHammer patterns and 2) an ECC scheme that can protect against our custom patterns requires a large number of parity-check symbols, i.e., large overheads. 8 Related Work Kim et al. [56] are the first to introduce and analyze the RowHam-mer phenomenon. Numerous later works develop RowHammer attacks to compromise various systems in various ways [1, 7, 8, 15, 16, 19, 23, 24, 28, 29, 34, 38, 44, 54, 62, 71, 82, 83, 96, 98, 100, 104, 109, 122–124, 128, 129, 136, 140] and analyze RowHammer further [15, 16, 28, 54, 89, 97, 98, 122, 126, 135]. To our knowledge, this is the first work to 1) propose an experimental methodology to understand the inner workings of commonly-implemented in-DRAM RowHammer protection (i.e., TRR) mechanisms and 2) use this understanding to create custom access patterns that circumvent the TRR mechanisms of modern DDR4 DRAM chips. In-DRAM TRR. We already provided extensive descriptions of TRR and TRRespass in §1, §2.4, and §6. TRRespass [24] is the most relevant prior work to ours in understanding and circumventing TRR mechanisms, yet it is not effective enough. While TRRespass can incur RowHammer bit flips in 13 of 42 DDR4 modules (and 5 of 13 LPDDR4 modules), TRRespass does not uncover many implementation details of the TRR mechanisms, which are important to circumvent TRR mechanisms. For example, in 29 out of 42 DDR4 modules (and 8 out of 13 LPDDR4 modules), TRRespass fails to find an access pattern that can circumvent TRR. In contrast, our new U-TRR methodology can be used to understand different aspects of a TRR mechanism in great detail and use this understanding to generate specific RowHammer access patterns that effectively incur a large number of bit flips (as we show on 45 real DRAM modules). System-level RowHammer Mitigation Techniques. A number of studies propose system-level RowHammer mitigation techniques [4, 5, 9, 22, 27, 55, 56, 59, 68, 91, 115, 117, 121, 124, 130, 131, 137]. Recent works [23, 28, 54, 131] show that some of these mechanisms are insecure, inefficient, or do not scale well in chips with higher vulnerability to RowHammer. We believe the fundamental principles of U-TRR can be useful for improving the security of these works as well as potentially combining them with in-DRAM TRR. We leave examining such directions to future work. 9 Conclusion We propose U-TRR, a novel experimental methodology for reverse-engineering the main RowHammer mitigation mechanism, Target Row Refresh (TRR), implemented in modern DRAM chips. Using U-TRR, we 1) provide insights into the inner workings of existing proprietary and undocumented TRR mechanisms and 2) develop custom DRAM access patterns to efficiently circumvent TRR in 45 DDR4 DRAM modules from three major vendors. We conclude that TRR does not provide security against RowHammer and can be easily circumvented using the new understanding provided by U-TRR. We believe and hope that U-TRR will facilitate future research by enabling rigorous and open analysis of RowHammer mitigation mechanisms, leading to the development of both new RowHammer attacks and more secure RowHammer protection mechanisms. Acknowledgments We thank the anonymous reviewers of MICRO 2021 for feedback. We thank the SAFARI Research Group members for valuable feedback and the stimulating intellectual environment they provide. We acknowledge the generous gifts provided by our industrial partners, especially Google, Huawei, Intel, Microsoft, and VMware. This work was also supported in part by the Netherlands Organisation for Scientific Research through grant NWO 016.Veni.192.262. | en_US |
dc.language.iso | en | en_US |
dc.publisher | IEEE Computer Society | en_US |
dc.relation.ispartof | Proceedings of the Annual International Symposium on Microarchitecture, MICRO | en_US |
dc.rights | info:eu-repo/semantics/openAccess | en_US |
dc.subject | DRAM | en_US |
dc.subject | Reliability | en_US |
dc.subject | RowHammer | en_US |
dc.subject | Security | en_US |
dc.subject | Testing | en_US |
dc.subject | Access patterns | en_US |
dc.subject | Data-retention | en_US |
dc.subject | DRAM chips | en_US |
dc.subject | Experimental methodology | en_US |
dc.subject | Protection mechanisms | en_US |
dc.subject | Refresh mechanism | en_US |
dc.subject | Rowhammer | en_US |
dc.subject | Security | en_US |
dc.subject | Side-channel | en_US |
dc.subject | System security | en_US |
dc.subject | Dynamic random access storage | en_US |
dc.title | Uncovering In-Dram Rowhammer Protection Mechanisms: a New Methodology, Custom Rowhammer Patterns, and Implications | en_US |
dc.type | Conference Object | en_US |
dc.department | Faculties, Faculty of Engineering, Department of Electrical and Electronics Engineering | en_US |
dc.department | Fakülteler, Mühendislik Fakültesi, Elektrik ve Elektronik Mühendisliği Bölümü | tr_TR |
dc.identifier.startpage | 1198 | en_US |
dc.identifier.endpage | 1213 | en_US |
dc.identifier.scopus | 2-s2.0-85116725151 | en_US |
dc.institutionauthor | Tu?rul, Yahya Can | - |
dc.identifier.doi | 10.1145/3466752.3480110 | - |
dc.authorscopusid | 57189066886 | - |
dc.authorscopusid | 57322480300 | - |
dc.authorscopusid | 56311059300 | - |
dc.authorscopusid | 55431169900 | - |
dc.authorscopusid | 55532049200 | - |
dc.authorscopusid | 16043006700 | - |
dc.relation.publicationcategory | Konferans Öğesi - Uluslararası - Kurum Öğretim Elemanı | en_US |
dc.identifier.scopusquality | - | - |
item.openairetype | Conference Object | - |
item.languageiso639-1 | en | - |
item.grantfulltext | none | - |
item.fulltext | No Fulltext | - |
item.openairecristype | http://purl.org/coar/resource_type/c_18cf | - |
item.cerifentitytype | Publications | - |
Appears in Collections: | Elektrik ve Elektronik Mühendisliği Bölümü / Department of Electrical & Electronics Engineering Scopus İndeksli Yayınlar Koleksiyonu / Scopus Indexed Publications Collection |
CORE Recommender
SCOPUSTM
Citations
2
checked on Dec 21, 2024
Page view(s)
70
checked on Dec 23, 2024
Google ScholarTM
Check
Altmetric
Items in GCRIS Repository are protected by copyright, with all rights reserved, unless otherwise indicated.