
RowHammer and Beyond

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11421)

Abstract

We will discuss the RowHammer problem in DRAM, which is a prime (and likely the first) example of how a circuit-level failure mechanism in Dynamic Random Access Memory (DRAM) can cause a practical and widespread system security vulnerability. RowHammer is the phenomenon that repeatedly accessing a row in a modern DRAM chip predictably causes errors in physically-adjacent rows. It is caused by a hardware failure mechanism called read disturb errors. Building on our initial fundamental work that appeared at ISCA 2014, Google Project Zero demonstrated that this hardware phenomenon can be exploited by user-level programs to gain kernel privileges. Many other recent works demonstrated other attacks exploiting RowHammer, including remote takeover of a server vulnerable to RowHammer. We will analyze the root causes of the problem and examine solution directions. We will also discuss what other problems may be lurking in DRAM and other types of memories, e.g., NAND flash and Phase Change Memory, which can potentially threaten the foundations of reliable and secure systems, as the memory technologies scale to higher densities.


References

  1. RowHammer Discussion Group. https://groups.google.com/forum/#!forum/rowhammer-discuss

  2. RowHammer on Twitter. https://twitter.com/search?q=rowhammer

  3. Rowhammer: Source Code for Testing the Row Hammer Error Mechanism in DRAM Devices. https://github.com/CMU-SAFARI/rowhammer

  4. Test DRAM for Bit Flips Caused by the RowHammer Problem. https://github.com/google/rowhammer-test

  5. ThinkPad X210 BIOS Debugging. https://github.com/tadfisher/x210-bios

  6. Tweet about RowHammer Mitigation on x210. https://twitter.com/isislovecruft/status/1021939922754723841

  7. Top Picks in Hardware and Embedded Security - Workshop Collocated with ICCAD 2018 (2017). https://wp.nyu.edu/toppicksinhardwaresecurity/

  8. Aga, M.T., Aweke, Z.B., Austin, T.: When good protections go bad: exploiting anti-DoS measures to accelerate rowhammer attacks. In: HOST (2017)


  9. Aichinger, B.: The Known Failure Mechanism in DDR3 Memory referred to as Row Hammer, September 2014. http://ddrdetective.com/files/6414/1036/5710/The_Known_Failure_Mechanism_in_DDR3_memory_referred_to_as_Row_Hammer.pdf

  10. Aichinger, B.: DDR memory errors caused by row hammer. In: HPEC (2015)


  11. Apple Inc., About the security content of Mac EFI Security Update 2015-001, June 2015. https://support.apple.com/en-us/HT204934

  12. Aweke, Z.B., et al.: Anvil: software-based protection against next-generation rowhammer attacks. In: ASPLOS (2016)


  13. Bhattacharya, S., Mukhopadhyay, D.: Curious case of RowHammer: flipping secret exponent bits using timing analysis. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 602–624. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_29


  14. Bosman, E., et al.: Dedup Est Machina: memory deduplication as an advanced exploitation vector. In: S&P (2016)


  15. Brasser, F., Davi, L., Gens, D., Liebchen, C., Sadeghi, A.-R.: Can’t touch this: practical and generic software-only defenses against RowHammer attacks. In: USENIX Security (2017)


  16. Burleson, W., et al.: Who is the major threat to tomorrow’s security? You, the hardware designer. In: DAC (2016)


  17. Cai, Y., et al.: Error patterns in MLC NAND flash memory: measurement, characterization, and analysis. In: DATE (2012)


  18. Cai, Y., et al.: Flash correct-and-refresh: retention-aware error management for increased flash memory lifetime. In: ICCD (2012)


  19. Cai, Y., et al.: Error analysis and retention-aware error management for NAND flash memory. ITJ 17(1), 140–165 (2013)


  20. Cai, Y., et al.: Program interference in MLC NAND flash memory: characterization, modeling, and mitigation. In: ICCD (2013)


  21. Cai, Y., et al.: Threshold voltage distribution in MLC NAND flash memory: characterization, analysis and modeling. In: DATE (2013)


  22. Cai, Y., et al.: Neighbor-cell assisted error correction for MLC NAND flash memories. In: SIGMETRICS (2014)


  23. Cai, Y., et al.: Vulnerabilities in MLC NAND flash memory programming: experimental analysis, exploits, and mitigation techniques. In: HPCA (2017)


  24. Cai, Y.: NAND flash memory: characterization, analysis, modeling and mechanisms. Ph.D. thesis, Carnegie Mellon University (2012)


  25. Cai, Y., et al.: Data retention in MLC NAND flash memory: characterization, optimization and recovery. In: HPCA (2015)


  26. Cai, Y., et al.: Read disturb errors in MLC NAND flash memory: characterization, mitigation, and recovery. In: DSN (2015)


  27. Cai, Y., Ghose, S., Haratsch, E.F., Luo, Y., Mutlu, O.: Error characterization, mitigation, and recovery in flash-memory-based solid-state drives. Proc. IEEE 105, 1666–1704 (2017)


  28. Cai, Y., Ghose, S., Haratsch, E.F., Luo, Y., Mutlu, O.: Errors in Flash-Memory-Based Solid-State Drives: Analysis, Mitigation, and Recovery (2017). arXiv preprint: arXiv:1711.11427

  29. Chandrasekar, K., et al.: Exploiting expendable process-margins in DRAMs for run-time performance optimization. In: DATE (2014)


  30. Chang, K., et al.: Understanding latency variation in modern DRAM chips: experimental characterization, analysis, and optimization. In: SIGMETRICS (2016)


  31. Chang, K., et al.: Improving DRAM performance by parallelizing refreshes with accesses. In: HPCA (2014)


  32. Chen, E., et al.: Advances and future prospects of spin-transfer torque random access memory. IEEE Trans. Magn. 46, 1873–1878 (2010)


  33. Das, A., et al.: VRL-DRAM: improving DRAM performance via variable refresh latency. In: DAC (2018)


  34. Fridley, T., Santos, O.: Mitigations Available for the DRAM Row Hammer Vulnerability, March 2015. http://blogs.cisco.com/security/mitigations-available-for-the-dram-row-hammer-vulnerability

  35. Frigo, P., et al.: Grand Pwning unit: accelerating microarchitectural attacks with the GPU. In: IEEE S&P (2018)


  36. Gomez, H., Amaya, A., Roa, E.: DRAM Row-hammer attack reduction using dummy cells. In: NORCAS (2016)


  37. Goodin, D.: Once thought safe, DDR4 memory shown to be vulnerable to Rowhammer (2016). https://arstechnica.com/information-technology/2016/03/once-thought-safe-ddr4-memory-shown-to-be-vulnerable-to-rowhammer/

  38. Greenberg, A.: Forget Software – Now Hackers are Exploiting Physics (2016). https://www.wired.com/2016/08/new-form-hacking-breaks-ideas-computers-work/

  39. Gruss, D., et al.: Another flip in the wall of rowhammer defenses. In: IEEE S&P (2018)


  40. Gruss, D., et al.: Rowhammer.js: a remote software-induced fault attack in Javascript. CoRR, abs/1507.06955 (2015)


  41. Harris, R.: Flipping DRAM bits - maliciously, December 2014. http://www.zdnet.com/article/flipping-dram-bits-maliciously/

  42. Hassan, H., et al.: SoftMC: a flexible and practical open-source infrastructure for enabling experimental DRAM studies. In: HPCA (2017)


  43. Hewlett-Packard Enterprise. HP Moonshot Component Pack Version 2015.05.0 (2015). http://h17007.www1.hp.com/us/en/enterprise/servers/products/moonshot/component-pack/index.aspx

  44. Irazoqui, G., Eisenbarth, T., Sunar, B.: MASCAT: stopping microarchitectural attacks before execution. IACR Cryptology ePrint Archive (2016)


  45. Jang, Y., Lee, J., Lee, S., Kim, T.: SGX-bomb: locking down the processor via rowhammer attack. In: SysTEX (2017)


  46. Kang, U., et al.: Co-architecting controllers and DRAM to enhance DRAM process scaling. In: The Memory Forum (2014)


  47. Khan, S., et al.: The efficacy of error mitigation techniques for DRAM retention failures: a comparative experimental study. In: SIGMETRICS (2014)


  48. Khan, S., et al.: A case for memory content-based detection and mitigation of data-dependent failures in DRAM. CAL 16(2), 88–93 (2016)


  49. Khan, S., et al.: PARBOR: an efficient system-level technique to detect data-dependent failures in DRAM. In: DSN (2016)


  50. Kim, D.-H., et al.: Architectural support for mitigating row hammering in DRAM memories. IEEE CAL 14, 9–12 (2015)


  51. Kim, J.S., Patel, M., Hassan, H., Mutlu, O.: Solar-DRAM: reducing DRAM access latency by exploiting the variation in local bitlines. In: ICCD (2018)


  52. Kim, J.S., Patel, M., Hassan, H., Mutlu, O.: The DRAM latency PUF: quickly evaluating physical unclonable functions by exploiting the latency-reliability tradeoff in modern commodity DRAM devices. In: HPCA (2018)


  53. Kim, J.S., Patel, M., Hassan, H., Orosa, L., Mutlu, O.: D-RaNGe: using commodity DRAM devices to generate true random numbers with low latency and high throughput. In: HPCA (2019)


  54. Kim, Y.: Architectural techniques to enhance DRAM scaling. Ph.D. thesis, Carnegie Mellon University (2015)


  55. Kim, Y., et al.: Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors. In: ISCA (2014)


  56. Kocher, P., et al.: Spectre attacks: exploiting speculative execution. In: S&P (2018)


  57. Kultursay, E., et al.: Evaluating STT-RAM as an energy-efficient main memory alternative. In: ISPASS (2013)


  58. Lanteigne, M.: How Rowhammer could be used to exploit weaknesses in computer hardware, March 2016. http://www.thirdio.com/rowhammer.pdf

  59. Lee, B.C., et al.: Architecting phase change memory as a scalable DRAM alternative. In: ISCA (2009)


  60. Lee, B.C., et al.: Phase change memory architecture and the quest for scalability. CACM 53, 99–106 (2010)


  61. Lee, B.C., et al.: Phase change technology and the future of main memory. IEEE Micro 30, 143 (2010)


  62. Lee, D.: Reducing DRAM latency by exploiting heterogeneity. arXiv (2016)


  63. Lee, D., et al.: Adaptive-latency DRAM: optimizing DRAM timing for the common-case. In: HPCA (2015)


  64. Lee, D., et al.: Design-induced latency variation in modern DRAM chips: characterization, analysis, and latency reduction mechanisms. In: POMACS (2017)


  65. Lee, E., Lee, S., Edward Suh, G., Ahn, J.H.: TWiCe: time window counter based row refresh to prevent Row-hammering. CAL 17, 96–99 (2018)


  66. Lenovo. Row Hammer Privilege Escalation, March 2015. https://support.lenovo.com/us/en/product_security/row_hammer

  67. Lipp, M., et al.: Nethammer: inducing rowhammer faults through network requests (2018). arxiv.org


  68. Lipp, M., et al.: Meltdown: reading kernel memory from user space. In: USENIX Security (2018)


  69. Liu, J., et al.: RAIDR: retention-aware intelligent DRAM refresh. In: ISCA (2012)


  70. Liu, J., et al.: An experimental study of data retention behavior in modern DRAM devices: implications for retention time profiling mechanisms. In: ISCA (2013)


  71. Luo, Y., et al.: WARM: improving NAND flash memory lifetime with write-hotness aware retention management. In: MSST (2015)


  72. Luo, Y., et al.: Enabling accurate and practical online flash channel modeling for modern MLC NAND flash memory. JSAC 34, 2294–2311 (2016)


  73. Luo, Y., Ghose, S., Cai, Y., Haratsch, E.F., Mutlu, O.: HeatWatch: improving 3D NAND flash memory device reliability by exploiting self-recovery and temperature awareness. In: HPCA (2018)


  74. Luo, Y., Ghose, S., Cai, Y., Haratsch, E.F., Mutlu, O.: Improving 3D NAND flash memory lifetime by tolerating early retention loss and process variation. In: POMACS (2018)


  75. Mandelman, J., et al.: Challenges and future directions for the scaling of dynamic random-access memory (DRAM). IBM J. Res. Dev. 46, 187–212 (2002)


  76. Meza, J., et al.: A case for efficient hardware-software cooperative management of storage and memory. In: WEED (2013)


  77. Meza, J., et al.: A large-scale study of flash memory errors in the field. In: SIGMETRICS (2015)


  78. Meza, J., et al.: Revisiting memory errors in large-scale production data centers: analysis and modeling of new trends from the field. In: DSN (2015)


  79. Mutlu, O.: Memory scaling: a systems architecture perspective. In: IMW (2013)


  80. Mutlu, O.: The RowHammer problem and other issues we may face as memory becomes denser. In: DATE (2017)


  81. Mutlu, O.: Error analysis and management for MLC NAND flash memory. In: Flash Memory Summit (2014)


  82. Mutlu, O., Subramanian, L.: Research problems and opportunities in memory systems. In: SUPERFRI (2014)


  83. PassMark Software. MemTest86: The Original Industry Standard Memory Diagnostic Utility (2015). http://www.memtest86.com/troubleshooting.htm

  84. Patel, M., Kim, J.S., Mutlu, O.: The Reach Profiler (REAPER): enabling the mitigation of DRAM retention failures via profiling at aggressive conditions. In: ISCA (2017)


  85. Pessl, P., Gruss, D., Maurice, C., Schwarz, M., Mangard, S.: DRAMA: exploiting dram addressing for cross-CPU attacks. In: USENIX Security (2016)


  86. Poddebniak, D., Somorovsky, J., Schinzel, S., Lochter, M., Rösler, P.: Attacking deterministic signature schemes using fault attacks. In: EuroS&P (2018)


  87. Qiao, R., Seaborn, M.: A new approach for rowhammer attacks. In: HOST (2016)


  88. Qureshi, M.K., et al.: Scalable high performance main memory system using phase-change memory technology. In: ISCA (2009)


  89. Qureshi, M.K., et al.: AVATAR: a Variable-Retention-Time (VRT) aware refresh for DRAM systems. In: DSN (2015)


  90. Qureshi, M.K., et al.: Enhancing lifetime and security of phase change memories via start-gap wear leveling. In: MICRO (2009)


  91. Raoux, S., et al.: Phase-change random access memory: a scalable technology. IBM J. Res. Dev. 52, 465–479 (2008)


  92. Razavi, K., et al.: Flip Feng Shui: hammering a needle in the software stack. In: USENIX Security (2016)


  93. Schroeder, B., et al.: Flash reliability in production: the expected and the unexpected. In: USENIX FAST (2016)


  94. Seaborn, M., Dullien, T.: Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges (2015). http://googleprojectzero.blogspot.com.tr/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

  95. Seaborn, M., Dullien, T.: Exploiting the DRAM rowhammer bug to gain kernel privileges. In: BlackHat (2016)


  96. Seyedzadeh, S.M., Jones, A.K., Melhem, R.: Counter-based tree structure for row hammering mitigation in DRAM. CAL 16, 18–21 (2017)


  97. Son, M., Park, H., Ahn, J., Yoo, S.: Making DRAM stronger against row hammering. In: DAC (2017)


  98. Sridharan, V., et al.: Memory errors in modern systems: the good, the bad, and the ugly. In: ASPLOS (2015)


  99. Sridharan, V., Liberty, D.: A study of DRAM failures in the field. In: SC (2012)


  100. Sridharan, V., Stearley, J., DeBardeleben, N., Blanchard, S., Gurumurthi, S.: Feng Shui of supercomputer memory: positional effects in DRAM and SRAM faults. In: SC (2013)


  101. Tatar, A., et al.: Throwhammer: rowhammer attacks over the network and defenses. In: USENIX ATC (2018)


  102. Tatar, A., Giuffrida, C., Bos, H., Razavi, K.: Defeating software mitigations against rowhammer: a surgical precision hammer. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 47–66. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00470-5_3


  103. van der Veen, V., et al.: Drammer: deterministic rowhammer attacks on mobile platforms. In: CCS (2016)


  104. van der Veen, V., et al.: GuardION: practical mitigation of DMA-based rowhammer attacks on ARM. In: Giuffrida, C., Bardin, S., Blanc, G. (eds.) DIMVA 2018. LNCS, vol. 10885, pp. 92–113. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93411-2_5


  105. Wikipedia. Row hammer. https://en.wikipedia.org/wiki/Row_hammer

  106. Wong, H.-S.P., et al.: Phase change memory. Proc. IEEE 98, 2201–2227 (2010)


  107. Wong, H.-S.P., et al.: Metal-oxide RRAM. Proc. IEEE 100, 1951–1970 (2012)


  108. Xiao, Y., et al.: One bit flips, one cloud flops: cross-VM row hammer attacks and privilege escalation. In: USENIX Security (2016)


  109. Yoon, H., et al.: Row buffer locality aware caching policies for hybrid memories. In: ICCD (2012)


  110. Yoon, H., et al.: Efficient data mapping and buffering techniques for multi-level cell phase-change memories. In: TACO (2014)


  111. Zhou, P., et al.: A durable and energy efficient main memory using phase change memory technology. In: ISCA (2009)


Acknowledgments

This short paper and the associated keynote talk are heavily based on two previous papers we have written on RowHammer, one that first introduced the phenomenon in ISCA 2014 [55] and the other that provides an analysis and future outlook on RowHammer [80]. They are a result of the research done together with many students and collaborators over the course of the past 7–8 years. In particular, three PhD theses have shaped the understanding that led to this work. These are Yoongu Kim’s thesis entitled “Architectural Techniques to Enhance DRAM Scaling” [54], Yu Cai’s thesis entitled “NAND Flash Memory: Characterization, Analysis, Modeling and Mechanisms” [24] and his continued follow-on work after his thesis, summarized in [27, 28], and Donghyuk Lee’s thesis entitled “Reducing DRAM Latency at Low Cost by Exploiting Heterogeneity” [62]. We also acknowledge various funding agencies (NSF, SRC, ISTC, CyLab) and industrial partners (AliBaba, AMD, Google, Facebook, HP Labs, Huawei, IBM, Intel, Microsoft, Nvidia, Oracle, Qualcomm, Rambus, Samsung, Seagate, VMware) who have supported the presented and other related work in my group generously over the years. The first version of this talk was delivered at a CMU CyLab Partners Conference in September 2015. Another version of the talk was delivered as part of an Invited Session at DAC 2016, with a collaborative accompanying paper entitled “Who Is the Major Threat to Tomorrow’s Security? You, the Hardware Designer” [16]. The most recent version is the invited talk given at the Top Picks in Hardware and Embedded Security workshop, co-located with ICCAD 2018 [7], where RowHammer was selected as a Top Pick among hardware and embedded security papers published between 2012–2017. I would like to also thank Christina Giannoula for her help in preparing this manuscript.

Author information

Corresponding author

Correspondence to Onur Mutlu.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Mutlu, O. (2019). RowHammer and Beyond. In: Polian, I., Stöttinger, M. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2019. Lecture Notes in Computer Science, vol 11421. Springer, Cham. https://doi.org/10.1007/978-3-030-16350-1_1

  • DOI: https://doi.org/10.1007/978-3-030-16350-1_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-16349-5

  • Online ISBN: 978-3-030-16350-1

  • eBook Packages: Computer Science (R0)
