Abstract
We will discuss the RowHammer problem in DRAM, which is a prime (and likely the first) example of how a circuit-level failure mechanism in Dynamic Random Access Memory (DRAM) can cause a practical and widespread system security vulnerability. RowHammer is the phenomenon that repeatedly accessing a row in a modern DRAM chip predictably causes errors in physically-adjacent rows. It is caused by a hardware failure mechanism called read disturb errors. Building on our initial fundamental work that appeared at ISCA 2014, Google Project Zero demonstrated that this hardware phenomenon can be exploited by user-level programs to gain kernel privileges. Many other recent works demonstrated other attacks exploiting RowHammer, including remote takeover of a server vulnerable to RowHammer. We will analyze the root causes of the problem and examine solution directions. We will also discuss what other problems may be lurking in DRAM and other types of memories, e.g., NAND flash and Phase Change Memory, which can potentially threaten the foundations of reliable and secure systems, as the memory technologies scale to higher densities.
References
RowHammer Discussion Group. https://groups.google.com/forum/#!forum/rowhammer-discuss
RowHammer on Twitter. https://twitter.com/search?q=rowhammer
Rowhammer: Source Code for Testing the Row Hammer Error Mechanism in DRAM Devices. https://github.com/CMU-SAFARI/rowhammer
Test DRAM for Bit Flips Caused by the RowHammer Problem. https://github.com/google/rowhammer-test
ThinkPad X210 BIOS Debugging. https://github.com/tadfisher/x210-bios
Tweet about RowHammer Mitigation on x210. https://twitter.com/isislovecruft/status/1021939922754723841
Top Picks in Hardware and Embedded Security - Workshop Collocated with ICCAD 2018 (2017). https://wp.nyu.edu/toppicksinhardwaresecurity/
Aga, M.T., Aweke, Z.B., Austin, T.: When good protections go bad: exploiting anti-DoS measures to accelerate rowhammer attacks. In: HOST (2017)
Aichinger, B.: The Known Failure Mechanism in DDR3 Memory referred to as Row Hammer, September 2014. http://ddrdetective.com/files/6414/1036/5710/The_Known_Failure_Mechanism_in_DDR3_memory_referred_to_as_Row_Hammer.pdf
Aichinger, B.: DDR memory errors caused by row hammer. In: HPEC (2015)
Apple Inc., About the security content of Mac EFI Security Update 2015-001, June 2015. https://support.apple.com/en-us/HT204934
Aweke, Z.B., et al.: Anvil: software-based protection against next-generation rowhammer attacks. In: ASPLOS (2016)
Bhattacharya, S., Mukhopadhyay, D.: Curious case of RowHammer: flipping secret exponent bits using timing analysis. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 602–624. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_29
Bosman, E., et al.: Dedup Est Machina: memory deduplication as an advanced exploitation vector. In: S&P (2016)
Brasser, F., Davi, L., Gens, D., Liebchen, C., Sadeghi, A.-R.: Can’t touch this: practical and generic software-only defenses against RowHammer attacks. In: USENIX Security (2017)
Burleson, W., et al.: Who is the major threat to tomorrow’s security? You, the hardware designer. In: DAC (2016)
Cai, Y., et al.: Error patterns in MLC NAND flash memory: measurement, characterization, and analysis. In: DATE (2012)
Cai, Y., et al.: Flash correct-and-refresh: retention-aware error management for increased flash memory lifetime. In: ICCD (2012)
Cai, Y., et al.: Error analysis and retention-aware error management for NAND flash memory. ITJ 17(1), 140–165 (2013)
Cai, Y., et al.: Program interference in MLC NAND flash memory: characterization, modeling, and mitigation. In: ICCD (2013)
Cai, Y., et al.: Threshold voltage distribution in MLC NAND flash memory: characterization, analysis and modeling. In: DATE (2013)
Cai, Y., et al.: Neighbor-cell assisted error correction for MLC NAND flash memories. In: SIGMETRICS (2014)
Cai, Y., et al.: Vulnerabilities in MLC NAND flash memory programming: experimental analysis, exploits, and mitigation techniques. In: HPCA (2017)
Cai, Y.: NAND flash memory: characterization, analysis, modeling and mechanisms. Ph.D. thesis, Carnegie Mellon University (2012)
Cai, Y., et al.: Data retention in MLC NAND flash memory: characterization, optimization and recovery. In: HPCA (2015)
Cai, Y., et al.: Read disturb errors in MLC NAND flash memory: characterization, mitigation, and recovery. In: DSN (2015)
Cai, Y., Ghose, S., Haratsch, E.F., Luo, Y., Mutlu, O.: Error characterization, mitigation, and recovery in flash-memory-based solid-state drives. Proc. IEEE 105, 1666–1704 (2017)
Cai, Y., Ghose, S., Haratsch, E.F., Luo, Y., Mutlu, O.: Errors in Flash-Memory-Based Solid-State Drives: Analysis, Mitigation, and Recovery (2017). arXiv preprint: arXiv:1711.11427
Chandrasekar, K., et al.: Exploiting expendable process-margins in DRAMs for run-time performance optimization. In: DATE (2014)
Chang, K., et al.: Understanding latency variation in modern DRAM chips: experimental characterization, analysis, and optimization. In: SIGMETRICS (2016)
Chang, K., et al.: Improving DRAM performance by parallelizing refreshes with accesses. In: HPCA (2014)
Chen, E., et al.: Advances and future prospects of spin-transfer torque random access memory. IEEE Trans. Magn. 46, 1873–1878 (2010)
Das, A., et al.: VRL-DRAM: improving DRAM performance via variable refresh latency. In: DAC (2018)
Fridley, T., Santos, O.: Mitigations Available for the DRAM Row Hammer Vulnerability, March 2015. http://blogs.cisco.com/security/mitigations-available-for-the-dram-row-hammer-vulnerability
Frigo, P., et al.: Grand Pwning unit: accelerating microarchitectural attacks with the GPU. In: IEEE S&P (2018)
Gomez, H., Amaya, A., Roa, E.: DRAM Row-hammer attack reduction using dummy cells. In: NORCAS (2016)
Goodin, D.: Once thought safe, DDR4 memory shown to be vulnerable to Rowhammer (2016). https://arstechnica.com/information-technology/2016/03/once-thought-safe-ddr4-memory-shown-to-be-vulnerable-to-rowhammer/
Greenberg, A.: Forget Software – Now Hackers are Exploiting Physics (2016). https://www.wired.com/2016/08/new-form-hacking-breaks-ideas-computers-work/
Gruss, D., et al.: Another flip in the wall of rowhammer defenses. In: IEEE S&P (2018)
Gruss, D., et al.: Rowhammer.js: a remote software-induced fault attack in Javascript. CoRR, abs/1507.06955 (2015)
Harris, R.: Flipping DRAM bits - maliciously, December 2014. http://www.zdnet.com/article/flipping-dram-bits-maliciously/
Hassan, H., et al.: SoftMC: a flexible and practical open-source infrastructure for enabling experimental DRAM studies. In: HPCA (2017)
Hewlett-Packard Enterprise. HP Moonshot Component Pack Version 2015.05.0 (2015). http://h17007.www1.hp.com/us/en/enterprise/servers/products/moonshot/component-pack/index.aspx
Irazoqui, G., Eisenbarth, T., Sunar, B.: MASCAT: stopping microarchitectural attacks before execution. IACR Cryptology ePrint Archive (2016)
Jang, Y., Lee, J., Lee, S., Kim, T.: SGX-bomb: locking down the processor via rowhammer attack. In: SysTEX (2017)
Kang, U., et al.: Co-architecting controllers and DRAM to enhance DRAM process scaling. In: The Memory Forum (2014)
Khan, S., et al.: The efficacy of error mitigation techniques for DRAM retention failures: a comparative experimental study. In: SIGMETRICS (2014)
Khan, S., et al.: A case for memory content-based detection and mitigation of data-dependent failures in DRAM. CAL 16(2), 88–93 (2016)
Khan, S., et al.: PARBOR: an efficient system-level technique to detect data-dependent failures in DRAM. In: DSN (2016)
Kim, D.-H., et al.: Architectural support for mitigating row hammering in DRAM memories. IEEE CAL 14, 9–12 (2015)
Kim, J.S., Patel, M., Hassan, H., Mutlu, O.: Solar-DRAM: reducing DRAM access latency by exploiting the variation in local bitlines. In: ICCD (2018)
Kim, J.S., Patel, M., Hassan, H., Mutlu, O.: The DRAM latency PUF: quickly evaluating physical unclonable functions by exploiting the latency-reliability tradeoff in modern commodity DRAM devices. In: HPCA (2018)
Kim, J.S., Patel, M., Hassan, H., Orosa, L., Mutlu, O.: D-RaNGe: using commodity DRAM devices to generate true random numbers with low latency and high throughput. In: HPCA (2019)
Kim, Y.: Architectural techniques to enhance DRAM scaling. Ph.D. thesis, Carnegie Mellon University (2015)
Kim, Y., et al.: Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors. In: ISCA (2014)
Kocher, P., et al.: Spectre attacks: exploiting speculative execution. In: S&P (2018)
Kultursay, E., et al.: Evaluating STT-RAM as an energy-efficient main memory alternative. In: ISPASS (2013)
Lanteigne, M.: How Rowhammer could be used to exploit weaknesses in computer hardware, March 2016. http://www.thirdio.com/rowhammer.pdf
Lee, B.C., et al.: Architecting phase change memory as a scalable DRAM alternative. In: ISCA (2009)
Lee, B.C., et al.: Phase change memory architecture and the quest for scalability. CACM 53, 99–106 (2010)
Lee, B.C., et al.: Phase change technology and the future of main memory. IEEE Micro 30, 143 (2010)
Lee, D.: Reducing DRAM latency by exploiting heterogeneity. arXiv (2016)
Lee, D., et al.: Adaptive-latency DRAM: optimizing DRAM timing for the common-case. In: HPCA (2015)
Lee, D., et al.: Design-induced latency variation in modern DRAM chips: characterization, analysis, and latency reduction mechanisms. In: POMACS (2017)
Lee, E., Lee, S., Edward Suh, G., Ahn, J.H.: TWiCe: time window counter based row refresh to prevent Row-hammering. CAL 17, 96–99 (2018)
Lenovo. Row Hammer Privilege Escalation, March 2015. https://support.lenovo.com/us/en/product_security/row_hammer
Lipp, M., et al.: Nethammer: inducing rowhammer faults through network requests (2018). arxiv.org
Lipp, M., et al.: Meltdown: reading kernel memory from user space. In: USENIX Security (2018)
Liu, J., et al.: RAIDR: retention-aware intelligent DRAM refresh. In: ISCA (2012)
Liu, J., et al.: An experimental study of data retention behavior in modern DRAM devices: implications for retention time profiling mechanisms. In: ISCA (2013)
Luo, Y., et al.: WARM: improving NAND flash memory lifetime with write-hotness aware retention management. In: MSST (2015)
Luo, Y., et al.: Enabling accurate and practical online flash channel modeling for modern MLC NAND flash memory. JSAC 34, 2294–2311 (2016)
Luo, Y., Ghose, S., Cai, Y., Haratsch, E.F., Mutlu, O.: HeatWatch: improving 3D NAND flash memory device reliability by exploiting self-recovery and temperature awareness. In: HPCA (2018)
Luo, Y., Ghose, S., Cai, Y., Haratsch, E.F., Mutlu, O.: Improving 3D NAND flash memory lifetime by tolerating early retention loss and process variation. In: POMACS (2018)
Mandelman, J., et al.: Challenges and future directions for the scaling of dynamic random-access memory (DRAM). IBM J. Res. Dev. 46, 187–212 (2002)
Meza, J., et al.: A case for efficient hardware-software cooperative management of storage and memory. In: WEED (2013)
Meza, J., et al.: A large-scale study of flash memory errors in the field. In: SIGMETRICS (2015)
Meza, J., et al.: Revisiting memory errors in large-scale production data centers: analysis and modeling of new trends from the field. In: DSN (2015)
Mutlu, O.: Memory scaling: a systems architecture perspective. In: IMW (2013)
Mutlu, O.: The RowHammer problem and other issues we may face as memory becomes denser. In: DATE (2017)
Mutlu, O.: Error analysis and management for MLC NAND flash memory. In: Flash Memory Summit (2014)
Mutlu, O., Subramanian, L.: Research problems and opportunities in memory systems. In: SUPERFRI (2014)
PassMark Software. MemTest86: The Original Industry Standard Memory Diagnostic Utility (2015). http://www.memtest86.com/troubleshooting.htm
Patel, M., Kim, J.S., Mutlu, O.: The Reach Profiler (REAPER): enabling the mitigation of DRAM retention failures via profiling at aggressive conditions. In: ISCA (2017)
Pessl, P., Gruss, D., Maurice, C., Schwarz, M., Mangard, S.: DRAMA: exploiting DRAM addressing for cross-CPU attacks. In: USENIX Security (2016)
Poddebniak, D., Somorovsky, J., Schinzel, S., Lochter, M., Rösler, P.: Attacking deterministic signature schemes using fault attacks. In: EuroS&P (2018)
Qiao, R., Seaborn, M.: A new approach for rowhammer attacks. In: HOST (2016)
Qureshi, M.K., et al.: Scalable high performance main memory system using phase-change memory technology. In: ISCA (2009)
Qureshi, M.K., et al.: AVATAR: a Variable-Retention-Time (VRT) aware refresh for DRAM systems. In: DSN (2015)
Qureshi, M.K., et al.: Enhancing lifetime and security of phase change memories via start-gap wear leveling. In: MICRO (2009)
Raoux, S., et al.: Phase-change random access memory: a scalable technology. IBM J. Res. Dev. 52, 465–479 (2008)
Razavi, K., et al.: Flip Feng Shui: hammering a needle in the software stack. In: USENIX Security (2016)
Schroeder, B., et al.: Flash reliability in production: the expected and the unexpected. In: USENIX FAST (2016)
Seaborn, M., Dullien, T.: Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges (2015). http://googleprojectzero.blogspot.com.tr/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
Seaborn, M., Dullien, T.: Exploiting the DRAM rowhammer bug to gain kernel privileges. In: BlackHat (2016)
Seyedzadeh, S.M., Jones, A.K., Melhem, R.: Counter-based tree structure for row hammering mitigation in DRAM. CAL 16, 18–21 (2017)
Son, M., Park, H., Ahn, J., Yoo, S.: Making DRAM stronger against row hammering. In: DAC (2017)
Sridharan, V., et al.: Memory errors in modern systems: the good, the bad, and the ugly. In: ASPLOS (2015)
Sridharan, V., Liberty, D.: A study of DRAM failures in the field. In: SC (2012)
Sridharan, V., Stearley, J., DeBardeleben, N., Blanchard, S., Gurumurthi, S.: Feng Shui of supercomputer memory: positional effects in DRAM and SRAM faults. In: SC (2013)
Tatar, A., et al.: Throwhammer: rowhammer attacks over the network and defenses. In: USENIX ATC (2018)
Tatar, A., Giuffrida, C., Bos, H., Razavi, K.: Defeating software mitigations against rowhammer: a surgical precision hammer. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 47–66. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00470-5_3
van der Veen, V., et al.: Drammer: deterministic rowhammer attacks on mobile platforms. In: CCS (2016)
van der Veen, V., et al.: GuardION: practical mitigation of DMA-based rowhammer attacks on ARM. In: Giuffrida, C., Bardin, S., Blanc, G. (eds.) DIMVA 2018. LNCS, vol. 10885, pp. 92–113. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93411-2_5
Wikipedia. Row hammer. https://en.wikipedia.org/wiki/Row_hammer
Wong, H.-S.P., et al.: Phase change memory. Proc. IEEE 98, 2201–2227 (2010)
Wong, H.-S.P., et al.: Metal-oxide RRAM. Proc. IEEE 100, 1951–1970 (2012)
Xiao, Y., et al.: One bit flips, one cloud flops: cross-VM row hammer attacks and privilege escalation. In: USENIX Security (2016)
Yoon, H., et al.: Row buffer locality aware caching policies for hybrid memories. In: ICCD (2012)
Yoon, H., et al.: Efficient data mapping and buffering techniques for multi-level cell phase-change memories. In: TACO (2014)
Zhou, P., et al.: A durable and energy efficient main memory using phase change memory technology. In: ISCA (2009)
Acknowledgments
This short paper and the associated keynote talk are heavily based on two previous papers we have written on RowHammer, one that first introduced the phenomenon in ISCA 2014 [55] and the other that provides an analysis and future outlook on RowHammer [80]. They are a result of the research done together with many students and collaborators over the course of the past 7–8 years. In particular, three PhD theses have shaped the understanding that led to this work. These are Yoongu Kim’s thesis entitled “Architectural Techniques to Enhance DRAM Scaling” [54], Yu Cai’s thesis entitled “NAND Flash Memory: Characterization, Analysis, Modeling and Mechanisms” [24] and his continued follow-on work after his thesis, summarized in [27, 28], and Donghyuk Lee’s thesis entitled “Reducing DRAM Latency at Low Cost by Exploiting Heterogeneity” [62]. We also acknowledge various funding agencies (NSF, SRC, ISTC, CyLab) and industrial partners (AliBaba, AMD, Google, Facebook, HP Labs, Huawei, IBM, Intel, Microsoft, Nvidia, Oracle, Qualcomm, Rambus, Samsung, Seagate, VMware) who have supported the presented and other related work in my group generously over the years. The first version of this talk was delivered at a CMU CyLab Partners Conference in September 2015. Another version of the talk was delivered as part of an Invited Session at DAC 2016, with a collaborative accompanying paper entitled “Who Is the Major Threat to Tomorrow’s Security? You, the Hardware Designer” [16]. The most recent version is the invited talk given at the Top Picks in Hardware and Embedded Security workshop, co-located with ICCAD 2018 [7], where RowHammer was selected as a Top Pick among hardware and embedded security papers published between 2012–2017. I would like to also thank Christina Giannoula for her help in preparing this manuscript.
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Mutlu, O. (2019). RowHammer and Beyond. In: Polian, I., Stöttinger, M. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2019. Lecture Notes in Computer Science, vol 11421. Springer, Cham. https://doi.org/10.1007/978-3-030-16350-1_1
DOI: https://doi.org/10.1007/978-3-030-16350-1_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-16349-5
Online ISBN: 978-3-030-16350-1
eBook Packages: Computer Science, Computer Science (R0)