Reliable Rowhammer Attack and Mitigation Based on Reverse Engineering Memory Address Mapping Algorithms
Rowhammer attacks intentionally induce bit flips to corrupt a victim's data whose integrity must be guaranteed. To perform sophisticated rowhammer attacks, attackers need to repeatedly access the rows neighboring the target data. In DRAM, however, the physical addresses of neighboring rows are not always contiguous, even when those rows lie immediately before or after the target row. Hence, knowing the mapping algorithm that maps physical addresses to physical row indexes is important not only for an attack but also for protection.
In this paper, we introduce a method to reverse engineer the exact mapping algorithm and demonstrate that the contiguity assumption made in previous rowhammer work is faulty. In addition, we introduce a novel and efficient rowhammer method and improve existing mitigations that have a security hole caused by that faulty assumption. Finally, we evaluate the effectiveness of the proposed attack and show that the proposed mitigation almost perfectly defends against rowhammer attacks.
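The following is an added illustrative example, not code from the paper and not the mapping the authors reverse engineered. It uses a constructed, hypothetical address-to-row mapping (a swap of the two lowest row bits plus one XOR, chosen only to imitate the kind of remapping a memory system may apply) to show the point the abstract makes from the defender's side: a mitigation that places guard rows or isolates data by assuming "row index +/- 1 equals physical address +/- one row size" protects the wrong rows once the real mapping differs. All constants, function names and the mapping itself are assumptions.

```python
# Added illustrative example: a toy DRAM physical-address -> row-index mapping
# showing why "adjacent row" is not "adjacent physical address".
# ROW_SHIFT, ROW_BITS and the bit permutation below are constructed assumptions,
# not the mapping reverse engineered in the paper.

ROW_SHIFT = 13   # assumed: low 13 address bits select the byte within a row
ROW_BITS = 16    # assumed: 16 row-index bits above ROW_SHIFT
ROW_SIZE = 1 << ROW_SHIFT
ROW_MASK = (1 << ROW_BITS) - 1


def phys_to_row(paddr: int) -> int:
    """Map a physical address to its physical (in-array) row index.

    Constructed mapping: take the logical row bits above ROW_SHIFT, swap row
    bits 0 and 1, and replace bit 2 with (bit2 XOR bit3). Higher bits pass
    through unchanged.
    """
    logical = (paddr >> ROW_SHIFT) & ROW_MASK
    b0, b1 = (logical >> 0) & 1, (logical >> 1) & 1
    b2, b3 = (logical >> 2) & 1, (logical >> 3) & 1
    high = logical & ~0xF
    return high | (b3 << 3) | ((b2 ^ b3) << 2) | (b0 << 1) | b1


def row_to_phys(row: int) -> int:
    """Inverse of phys_to_row: base physical address of a physical row index."""
    if not 0 <= row <= ROW_MASK:
        raise ValueError(f"row {row} is outside the assumed array")
    r0, r1 = (row >> 0) & 1, (row >> 1) & 1   # r0 holds original b1, r1 holds b0
    r2, b3 = (row >> 2) & 1, (row >> 3) & 1   # r2 holds original (b2 ^ b3)
    high = row & ~0xF
    logical = high | (b3 << 3) | ((r2 ^ b3) << 2) | (r0 << 1) | r1
    return logical << ROW_SHIFT


def naive_neighbors(paddr: int) -> tuple:
    """The faulty assumption: the neighbors of a row sit at +/- one row size."""
    base = paddr & ~(ROW_SIZE - 1)
    return (base - ROW_SIZE, base + ROW_SIZE)


def true_neighbors(paddr: int) -> tuple:
    """Physically adjacent rows, derived through the (assumed) mapping."""
    row = phys_to_row(paddr)
    return (row_to_phys(row - 1), row_to_phys(row + 1))


def guard_rows_cover(paddr: int) -> bool:
    """Would guard rows placed by address contiguity isolate this row?

    A mitigation that reserves naive_neighbors() as guard rows only works
    when they coincide with the rows that are physically adjacent.
    """
    return set(naive_neighbors(paddr)) == set(true_neighbors(paddr))


if __name__ == "__main__":
    # Constructed sample: the row whose logical index is 5.
    target = 5 << ROW_SHIFT
    print("physical row index:", phys_to_row(target))
    print("assumed neighbors :", [hex(a) for a in naive_neighbors(target)])
    print("actual neighbors  :", [hex(a) for a in true_neighbors(target)])
    print("guard rows cover  :", guard_rows_cover(target))
```

Running the sample shows the address-contiguity guess and the mapping-derived neighbors disagree for the chosen row, which is exactly the gap a contiguity-based mitigation leaves open; a defender who has recovered the real mapping replaces the body of `phys_to_row`/`row_to_phys` with it and keeps the rest unchanged.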
Keywords: Rowhammer bug, Reverse engineer, Memory address mapping
This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIP) (No. 2017R1A2B4010914).