Abstract
Rowhammer attacks intentionally induce bit flips to corrupt a victim’s data whose integrity must be guaranteed. To perform sophisticated rowhammer attacks, attackers need to repeatedly access the rows neighboring the target data. In DRAM, however, the physical addresses of neighboring rows are not always contiguous, even if the rows are located before or after a target row. Hence, knowing the algorithm that maps between physical addresses and physical row indexes is important not only for an attack but also for protection.
In this paper, we introduce a method to reverse engineer the exact mapping algorithm and demonstrate that the assumption in previous rowhammer work is faulty. In addition, we introduce a novel and efficient rowhammer method and improve existing mitigations that have a security hole caused by the faulty assumption. Finally, we evaluate the effectiveness of the proposed attack and show that the proposed mitigation almost perfectly defends against rowhammer attacks.
Notes
1. In fact, it is impossible to distinguish the rank bits and bank bits from the existing reverse engineering method. However, since we can track the difference in the mapping algorithm for each rank, we can infer which bit of the bank bits is a rank bit.
Acknowledgement
This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIP) (No. 2017R1A2B4010914).
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Oh, S., Kim, J. (2019). Reliable Rowhammer Attack and Mitigation Based on Reverse Engineering Memory Address Mapping Algorithms. In: Kang, B., Jang, J. (eds) Information Security Applications. WISA 2018. Lecture Notes in Computer Science, vol 11402. Springer, Cham. https://doi.org/10.1007/978-3-030-17982-3_12
DOI: https://doi.org/10.1007/978-3-030-17982-3_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-17981-6
Online ISBN: 978-3-030-17982-3
eBook Packages: Computer Science (R0)