trrespass exploiting the many sides of target row refresh
play

TRRespass: Exploiting the Many Sides of Target Row Refresh Pietro - PowerPoint PPT Presentation

Nov 19, 2022 •14 likes •354 views

TRRespass: Exploiting the Many Sides of Target Row Refresh Pietro Frigo 1 Emanuele Vannacci 1 Hasan Hassan 2 Victor Van der Veen 3 Onur Mutlu 2 Herbert Bos 1 Cristiano Giuffrida 1 Kaveh Razavi 1 1 Vrije Universiteit Amsterdam 2 ETH Zrich 3

  1. TRRespass: Exploiting the Many Sides of Target Row Refresh Pietro Frigo 1 Emanuele Vannacci 1 Hasan Hassan 2 Victor Van der Veen 3 Onur Mutlu 2 Herbert Bos 1 Cristiano Giuffrida 1 Kaveh Razavi 1 1 Vrije Universiteit Amsterdam 2 ETH Zürich 3 Qualcomm Technologies Inc. 1

  2. Teaser • Memory vendors advertise RowHammer-free devices • What is Target Row Refresh (TRR)? Not a single mitigation! • Reverse-engineering of in-DRAM mitigations • The Many-sided RowHammer • Hammering up to 20 aggressor rows • 3 major vendors all vulnerable: Samsung, Micron, SK Hynix • Currently representing over 95% of the DRAM market 2

  3. Memory request flow DIMMs DRAM CPU Memory Controller DRAM commands 3

  4. DRAM Refresh • DRAM is dynamic because data must be refresh periodically • Retention time (i.e., 64ms) • The MC issues a REFRESH command every 7.8µs • Only a small portion of memory is refreshed with a command • 8192 refreshes within a 64ms interval 4

  5. Memory array 1 1 1 1 Row 0 0 1 1 0 Row 1 1 1 1 1 Row 2 0 1 0 1 Row 3 Row buffer 5

  6. Read operation: Row 1 1 1 1 1 Row 0 - - - - Row 1 1 1 1 1 Row 2 0 1 0 1 Row 3 0 1 1 0 ACTIVATE Row 1 6

  7. Read operation: Row 3 1 1 1 1 Row 0 0 1 1 0 Row 1 1 1 1 1 Row 2 0 1 0 1 Row 3 - - - - PRECHARGE Row 1 7

  8. Read operation: Row 3 1 1 1 1 Row 0 0 1 1 0 Row 1 1 1 1 1 Row 2 - - - - Row 3 0 1 0 1 ACTIVATE Row 3 8

  9. RowHammer 1 1 1 1 Row 0 0 1 1 0 Row 1 1 0 1 1 Row 2 0 1 0 1 Row 3 - - - - Bit flip! 9

  10. Double-sided RowHammer 1 1 1 1 1 1 1 1 Row 0 0 1 1 0 Row 1 Aggressor row 1 0 1 1 Row 2 Victim row 0 1 0 1 Row 3 Aggressor row - - - - Bit flip! 10

  11. Hardware mitigations • Error-correcting code (ECC) [1] Refreshing a row restores the cells electric charge: it prevents flips. • Double refresh • Target Row Refresh (TRR) [1 ] L. Cojocaret al., “Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks,” in S&P, 2019. 11

  12. Target Row Refresh • TRR-like mitigations track rows activations and refresh victim rows • Many possible implementations in practice • Security through obscurity • Pseudo TRR (pTRR) • Memory controller implementation • In-DRAM TRR • Embedded in the DRAM circuitry 12

  13. Timeline pTRR DDR3 In-DRAM TRR Intel reports pTRR on Earliest manufacturing date DDR3 server systems of RH-free DRAM modules '12 '13 '14 '15 '16 '17 '18 '19 Last generation DIMMs we focus on pTRR DDR4 First DDR4 generation is pTRR protected 13

  14. Goals • Reverse engineer TRR to demystify in-DRAM mitigations • Memory device assessment • A Novel hammering pattern: The Many-sided RowHammer • Hammering up to 20 aggressor rows allows to bypass TRR • Automatically test memory devices: TRRespass • Automate hammering patterns generation 14

  15. Challenges • Analysis from the CPU side not possible • No timing side-channels • FPGA-based memory controller [1,2] [1 ] H. Hassan et al., “SoftMC: A Flexible and Practical Open - Source Infrastructure for Enabling Experimental DRAM Studies,” in HPC A, 2017 [2 ] SAFARI Research Group, “SoftMC — GitHub Repository,” https:// github.com/CMU -SAFARI/SoftMC. 15

  16. Building blocks Abstractions: • Sampler • Track aggressor rows activations • Keep a set of rows • Inhibitor • Prevent bit flips • Refresh victims 16

  17. Case study: Vendor C How big is the sampler? • Pick N aggressor rows • Perform a series of hammers (activations of aggressors) • 8K activations • After each series of hammers, issue R refreshes • 10 Rounds Activations Refreshes Activations Refreshes Round 17

  18. Case study: Vendor C # Corruptions 18

  19. Case study: Vendor C # Corruptions 19

  20. Case study: Vendor C # Corruptions 20

  21. Case study: Observations • The TRR mitigation acts on every refresh command 21

  22. Case study: Vendor C # Corruptions 22

  23. Case study: Vendor C # Corruptions 23

  24. Case study: Observations • The TRR mitigation acts on every refresh command • The mitigation can sample more than one aggressor per refresh interval • The mitigation can refresh only a single victim within a refresh operation 24

  25. Case study: Vendor C # Corruptions 25

  26. Case study: Vendor C # Corruptions 26

  27. Case study: Observations • The TRR mitigation acts on every refresh command • The mitigation can sample more than one aggressor per refresh interval • The mitigation can refresh only a single victim within a refresh operation • Sweeping the number of refresh operations and aggressor rows while hammering reveals the sampler size 27

  28. Case study: Vendor C with tREFi == 7.8 μs 28

  29. Case study: Observations • The TRR mitigation acts on every refresh command • The mitigation can sample more than one aggressor per refresh interval • The mitigation can refresh only a single victim within a refresh operation • Sweeping the number of refresh operations and aggressor rows while hammering reveals the sampler size • The sampling mechanism is affected by the addresses of aggressor rows 29

  30. TRRespass: The RowFuzzer • Black-box fuzzing for RowHammer • Ignore the MC optimizations • Scalable approach for testing • The sampler can track a limited number of aggressor rows • # Aggressors • The sampler design may be row address dependent • Aggressor Location 30

  31. TRRespass: Results • 42 DIMMS from 3 of the major vendors : Samsung, Micron, SK Hynix • 95% of the market • Testing 256MB of contiguous memory against the best pattern • 13 DIMMs with bit flips • Multiple effective patterns for each of them • Bit flips with double refresh • Fuzzing is effective. • How to Improve? Parameter selection. 31

  32. Exploitation • Memory templating • Find the right hammering pattern • Locations of aggressors not always fundamental • Bit flips are repeatable • Spurious flips • We demonstrate the feasibility of 3 example attacks: • Privilege escalation [1] • Access to co-hosted VM via RSA key corruption [2] • Sudo exploit: opcode flipping [3] [1] M. Seaborn and T. Dullien , “Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges,” in Black Hat USA, 2015 [2] K. Razavi et al., “Flip Feng Shui: Hammering a Needle in the Software Stack ,” in USENIX Sec., 2016 32 [3] D. Gruss et al., “Another Flip in the Wall of Rowhammer Defenses,” in S&P, 2018.

  33. Conclusion • Bit flips with more than 20 aggressor rows! • DDR4 devices are much more vulnerable than DDR3 • Bit flips with less than 50K activations • Fuzzing can help in memory testing • Reverse engineering to find meaningful parameters • RowHammer is still a serious problem • No prompt mitigations available 33

  34. Questions! 34

Recommend

Meta-classifiers for exploiting feature dependencies in automatic target recognition Umamahesh

Meta-classifiers for exploiting feature dependencies in automatic target recognition Umamahesh

Meta-classifiers for exploiting feature dependencies in automatic target recognition Umamahesh Srinivas iPAL Group Meeting September 03, 2010 (Work being submitted to IEEE Radar Conference 2011) Outline Automatic Target Recognition

528 views • 37 slides
Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction

Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction

Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction Reverse-engineering branch prediction Leaking host memory from KVM 2 Disclaimer I haven't worked in CPU design I don't

670 views • 40 slides
OmpSs + OpenACC Multi-target Task-Based Programming Model Exploiting OpenACC GPU Kernel Guray

OmpSs + OpenACC Multi-target Task-Based Programming Model Exploiting OpenACC GPU Kernel Guray

www.bsc.es www.bsc.es OmpSs + OpenACC Multi-target Task-Based Programming Model Exploiting OpenACC GPU Kernel Guray Ozen guray.ozen@bsc.es Exascale in BSC Marenostrum 4 (13.7 Petaflops ) General purpose cluster (3400 nodes) with Intel

464 views • 20 slides
Refresh RUS 1 Network RUS: Electrification Refresh 30 year perspective as part of Long

Refresh RUS 1 Network RUS: Electrification Refresh 30 year perspective as part of Long

Electrification Refresh RUS 1 Network RUS: Electrification Refresh 30 year perspective as part of Long Term Planning Process 'to give funders choices for investment in CP6 and beyond' 3 key objectives: Identify the extent of

268 views • 25 slides
e-SIDES Ethical and Societal Implications of Data Sciences What is e-SIDES? Horizon 2020

e-SIDES Ethical and Societal Implications of Data Sciences What is e-SIDES? Horizon 2020

e-SIDES Ethical and Societal Implications of Data Sciences What is e-SIDES? Horizon 2020 grant, running for 3 years Three partners in consortium: eLaw team Planned results 7 community events; Final conference; 7 white

443 views • 28 slides
and sides between congruent triangles basing on the fact that corresponding parts in congruent

and sides between congruent triangles basing on the fact that corresponding parts in congruent

D AY 62 C ONGRUENT ANGLES AND SIDES I NTRODUCTION The most important parts of the triangle that we consider here are sides and three angles. Congruent triangles have corresponding sides of the same length and corresponding angles with

495 views • 14 slides
congruent because the images, the pre-image, and the image, congruent one having undergone a rigid

congruent because the images, the pre-image, and the image, congruent one having undergone a rigid

D AY 51 I DENTIFYING C ONGRUENT SIDES OF A TRIANGLE I NTRODUCTION When a figure undergoes a rigid motion, its shape and size do not change. As a result, it becomes easy to trace the sides that originate from the initial sides before the

373 views • 10 slides
Detecting and exploiting amino acid vulnerabilities in cancer Oncode Institute - NKI-AVL Reuven

Detecting and exploiting amino acid vulnerabilities in cancer Oncode Institute - NKI-AVL Reuven

Detecting and exploiting amino acid vulnerabilities in cancer Oncode Institute - NKI-AVL Reuven Agami Course Basic and Translational Oncology 2018 How to -specifically- kill cancer cells? Target DNA replication (chemotherapy) Suffocate them

518 views • 37 slides
Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data Gerome Miklau University of Massachusetts, Amherst DIMACS Workshop on Recent Work on Di ff erential Privacy across Computer Science October 2012

1.39k views • 136 slides
JSNA Refresh www.WalsallIntelligence.org.uk JSNA 2018-2019 refresh Gap in life expectancy Ageing

JSNA Refresh www.WalsallIntelligence.org.uk JSNA 2018-2019 refresh Gap in life expectancy Ageing

JSNA Refresh www.WalsallIntelligence.org.uk JSNA 2018-2019 refresh Gap in life expectancy Ageing 1 in 4 of 10 & 11 LAC rate from 95 year olds (year 0 to 77.2 yrs population to 98 in 2017 6) obese 0 to 82 yrs 2017 attainment but more to

309 views • 15 slides
Whats My Identity? By Miss Elliott Squares vs. Rectangles Squares Rectangles 4 sides

Whats My Identity? By Miss Elliott Squares vs. Rectangles Squares Rectangles 4 sides

Whats My Identity? By Miss Elliott Squares vs. Rectangles Squares Rectangles 4 sides 4 sides 4 right angles 4 right angles 4 equal sides Opposite sides are equal (2 pairs) Circle the squares with red and the

289 views • 15 slides
Exploiting Depmap cancer dependency data using the depmap R package Theo Killian Gatto Lab 1

Exploiting Depmap cancer dependency data using the depmap R package Theo Killian Gatto Lab 1

UCLouvain Institut de Duve - Computational Biology and Bioinformatics Exploiting Depmap cancer dependency data using the depmap R package Theo Killian Gatto Lab 1 Cancer Dependency Map Precision cancer medicine seeks to target

504 views • 13 slides
Adding value to food waste and by-products REFRESH Community of Experts webinar series

Adding value to food waste and by-products REFRESH Community of Experts webinar series

Adding value to food waste and by-products REFRESH Community of Experts webinar series www.refreshcoe.eu 4/10/2019 REFRESH is funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement no. 641933. The contents

715 views • 55 slides
Winston-Salem State University Undergrad Brand Refresh WSSU UG Brand Refresh | Progress IMC:

Winston-Salem State University Undergrad Brand Refresh WSSU UG Brand Refresh | Progress IMC:

Winston-Salem State University Undergrad Brand Refresh WSSU UG Brand Refresh | Progress IMC: Brainstorm | Persona Exercise | Meetings Admissions Staff: Focus Group | Persona Exercise 68 FYE Students: Focus Groups Other Students:

279 views • 6 slides
Measuring and managing retail food waste REFRESH Community of Experts webinar series

Measuring and managing retail food waste REFRESH Community of Experts webinar series

Measuring and managing retail food waste REFRESH Community of Experts webinar series www.refreshcoe.eu 5/7/2019 REFRESH is funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement no. 641933. The contents of

842 views • 62 slides
Tackling consumer food waste REFRESH Community of Experts webinar series www.refreshcoe.eu

Tackling consumer food waste REFRESH Community of Experts webinar series www.refreshcoe.eu

Tackling consumer food waste REFRESH Community of Experts webinar series www.refreshcoe.eu 5/2/2019 REFRESH is funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement no. 641933. The contents of this document

828 views • 53 slides
Voluntary Agreements to Address Food Waste REFRESH Community of Experts webinar series

Voluntary Agreements to Address Food Waste REFRESH Community of Experts webinar series

Voluntary Agreements to Address Food Waste REFRESH Community of Experts webinar series www.refreshcoe.eu 4/11/2019 REFRESH is funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement no. 641933. The contents

538 views • 50 slides
Planned Refresh of TDR Pilot 1 Schedules / SINS September 12, 2017 Disclaimer "The

Planned Refresh of TDR Pilot 1 Schedules / SINS September 12, 2017 Disclaimer "The

U.S. General Services Administration Planned Refresh of TDR Pilot 1 Schedules / SINS September 12, 2017 Disclaimer "The purpose of this webinar is to allow GSA FAS to verbally present the DRAFT planned solicitation refresh and related

661 views • 14 slides
PC Refresh in the Consumerized IT Environment David Buchholz, Director of Consumerization, Intel

PC Refresh in the Consumerized IT Environment David Buchholz, Director of Consumerization, Intel

PC Refresh in the Consumerized IT Environment David Buchholz, Director of Consumerization, Intel IT John Mahvi, Business Client Product Line Manager, Intel IT Moderator: Chris Peters, Global Business Marketing Strategist, Intel W hy Refresh

265 views • 11 slides
and Sustainable Food Systems in the Circular Economy REFRESH final Policy Workshop Brussels, 22

and Sustainable Food Systems in the Circular Economy REFRESH final Policy Workshop Brussels, 22

Integrated Policies for Food Waste and Sustainable Food Systems in the Circular Economy REFRESH final Policy Workshop Brussels, 22 March 2019 Hilke Bos-Brouwers, Stephanie Wunder, Venice Graf REFRESH is funded by the Horizon 2020 Framework

931 views • 80 slides
SCIM Refresh Presented by Paul Mortimer Asset Management Policy Advisor paulmortimer@nhs.net 1

SCIM Refresh Presented by Paul Mortimer Asset Management Policy Advisor paulmortimer@nhs.net 1

SCIM Refresh Presented by Paul Mortimer Asset Management Policy Advisor paulmortimer@nhs.net 1 Why a Refresh? 2 What Boards say: The guidance isnt always easy to follow Expectations of information requirements and format is

681 views • 27 slides
VLSID 2016 KOLKATA, INDIA January 4-8, 2016 Massed Refresh: An Energy-Efficient Technique to

VLSID 2016 KOLKATA, INDIA January 4-8, 2016 Massed Refresh: An Energy-Efficient Technique to

VLSID 2016 KOLKATA, INDIA January 4-8, 2016 Massed Refresh: An Energy-Efficient Technique to Reduce Refresh Overhead in Hybrid Memory Cube Architectures Ishan Thakkar , Sudeep Pasricha Department of Electrical and Computer Engineering

784 views • 43 slides
C3 B: Exploiting the Num erous C3 B: Exploiting the Num erous Possibilities W eb Technology

C3 B: Exploiting the Num erous C3 B: Exploiting the Num erous Possibilities W eb Technology

C3 B: Exploiting the Num erous C3 B: Exploiting the Num erous Possibilities W eb Technology Offers to Elevate Questions Offers to Elevate Questions Arnaud Wijnant wijnant@uvt.nl Maurice Martens m.g.j.martens@uvt.nl IBUC 2010 Baltimore 11/

403 views • 12 slides
Unitarity Triangle Sides at e + e - colliders Phillip Urquijo University of Bonn On behalf of

Unitarity Triangle Sides at e + e - colliders Phillip Urquijo University of Bonn On behalf of

Unitarity Triangle Sides at e + e - colliders Phillip Urquijo University of Bonn On behalf of the Belle Collaboration Sides of the UT New physics 0.7 R t excluded area has CL > 0.95 m & m CKM s m d searches

751 views • 58 slides

More recommend