research-article

Public Access

Rowhammering Storage Devices

Authors:

Boris Pismenny,

Donald E. Porter,

Aviad ZuckAuthors Info & Claims

HotStorage '21: Proceedings of the 13th ACM Workshop on Hot Topics in Storage and File Systems

Pages 77 - 85

https://doi.org/10.1145/3465332.3470871

Published: 27 July 2021 Publication History

Abstract

Peripheral devices like SSDs are growing more complex, to the point they are effectively small computers themselves. Our position is that this trend creates a new kind of attack vector, where untrusted software could use peripherals strictly as intended to accomplish unintended goals. To exemplify, we set out to rowhammer the DRAM component of a simplified host-side FTL, issuing regular I/O requests that manage to flip bits in a way that triggers sensitive information leakage. We conclude that such attacks might soon be feasible, and we argue that systems need principled approaches for securing peripherals against them.

References

[1]

Adam Armstrong. KIOXIA CM6 PCIe 4.0 SSD Review. https://www.storagereview.com/review/kioxia-cm6-pcie-4-0-ssd-review, 2020. Accessed: Jun 2021.

[2]

Nitin Agrawal, Vijayan Prabhakaran, Ted Wobber, John D. Davis, Mark Manasse, and Rina Panigrahy. Design tradeoffs for SSD performance. In USENIX Annual Technical Conference (ATC), pages 57--70, 2008. https://www.usenix.org/legacy/events/usenix08/tech/full_papers/agrawal/agrawal.pdf.

Digital Library

[3]

Zelalem Birhanu Aweke, Salessawi Ferede Yitbarek, Rui Qiao, Reetuparna Das, Matthew Hicks, Yossi Oren, and Todd Austin. Anvil: Software-based protection against next-generation rowhammer attacks. In ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), pages 743--755, 2016.

Digital Library

[4]

Adam Bates, Benjamin Mood, Joe Pletcher, Hannah Pruse, Masoud Valafar, and Kevin Butler. On detecting co-resident cloud instances using network flow watermarking techniques. International Journal of Information Security, 13(2):171--189, 2014.

Digital Library

[5]

Billy Tallis. Marvell announces first pcie 5.0 nvme ssd controllers: Up to 14 gb/s. https://www.anandtech.com/show/16703/marvell-announces-first-pcie-50-nvme-ssd-controllers, 2021. Accessed: Jun 2021.

[6]

Andrew Birrell, Michael Isard, Chuck Thacker, and Ted Wobber. A design for high-performance flash disks. ACM SIGOPS Operating Systems Review, 41(2):88--93, 2007.

Digital Library

[7]

Edouard Bugnion, Jason Nieh, and Dan Tsafrir. Hardware and Software Support for Virtualization. Morgan & Claypool Publishers, 2017.

[8]

Yu Cai, Saugata Ghose, Yixin Luo, Ken Mai, Onur Mutlu, and Erich F Haratsch. Vulnerabilities in MLC NAND flash memory programming: Experimental analysis, exploits, and mitigation techniques. In IEEE International Symposium on High-Performance Computer Architecture (HPCA), pages 49--60, 2017.

[9]

Wonil Choi, Jie Zhang, Shuwen Gao, Jaesoo Lee, Myoungsoo Jung, and Mahmut Kandemir. An in-depth study of next generation interface for emerging non-volatile memories. In 5th Non-Volatile Memory Systems and Applications Symposium (NVMSA), pages 1--6, 2016.

[10]

Cisco. Cisco ASR 1000 Series Router Specifications. https://www.cisco.com/c/en/us/td/docs/routers/asr1000/install/guide/asr1routers/asr-1000-series-hig/asr-hig-spfy.pdf, 2008. Accessed: Dec 2020.

[11]

Google Cloud. Block storage performance. https://cloud.google.com/compute/docs/disks/performance, 2021. Accessed: Apr 2021.

[12]

Lucian Cojocar, Jeremie Kim, Minesh Patel, Lillian Tsai, Stefan Saroiu, Alec Wolman, and Onur Mutlu. Are we susceptible to rowhammer? an end-to-end methodology for cloud providers. In IEEE Symposium on Security and Privacy (S&P). IEEE, May 2020.

[13]

Finn de Ridder, Pietro Frigo, Emanuele Vannacci, Herbert Bos, Cristiano Giuffrida, and Kaveh Razavi. SMASH: Synchronized Many-sided Rowhammer Attacks From JavaScript. In USENIX Sec, August 2021.

[14]

Haggai Eran, Lior Zeno, Maroun Tork, Gabi Malka, and Mark Silberstein. NICA: An infrastructure for inline acceleration of network applications. In USENIX Annual Technical Conference (ATC), pages 345--362, 2019. https://www.usenix.org/conference/atc19/presentation/eran.

[15]

Mark Ermolov and Maxim Goryachy. How to hack a turned-off computer, or running unsigned code inintel management engine. BlackHat, https://papers.put.as/papers/firmware/2017/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf, 2017. Accessed: Jan 2021.

[16]

Daniel Firestone, Andrew Putnam, Sambhrama Mundkur, Derek Chiou, Alireza Dabagh, Mike Andrewartha, Hari Angepat, Vivek Bhanu, Adrian Caulfield, Eric Chung, Harish Kumar Chandrappa, Somesh Chaturmohta, Matt Humphrey, Jack Lavier, Norman Lam, Fengfen Liu, Kalin Ovtcharov, Jitu Padhye, Gautham Popuri, Shachar Raindel, Tejas Sapre, Mark Shaw, Gabriel Silva, Madhan Sivakumar, Nisheeth Srivastava, Anshuman Verma, Qasim Zuhair, Deepak Bansal, Doug Burger, Kushagra Vaid, David A. Maltz, and Albert Greenberg. Azure accelerated networking: Smartnics in the public cloud. In USENIX Symposium on Networked Systems Design and Implementation (NSDI), pages 51--66, 2018. https://www.usenix.org/conference/nsdi18/presentation/firestone.

[17]

Pietro Frigo, Emanuele Vannacc, Hasan Hassan, Victor Van Der Veen, Onur Mutlu, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi. TRRespass: Exploiting the many sides of target row refresh. In IEEE Symposium on Security and Privacy (S&P), pages 747--762, 2020.

[18]

Matthew Garrett. Intel's remote AMT vulnerablity. https://mjg59.dreamwidth.org/48429.html, 2017. Accessed: Jan 2021.

[19]

Daniel Gruss, Moritz Lipp, Michael Schwarz, Daniel Genkin, Jonas Juffinger, Sioli O'Connell, Wolfgang Schoechl, and Yuval Yarom. Another flip in the wall of rowhammer defenses. In IEEE Symposium on Security and Privacy (S&P), pages 245--261, 2018.

[20]

Daniel Gruss, Clémentine Maurice, and Stefan Mangard. Rowhammer.js: A remote software-induced fault attack in javascript. In International conference on detection of intrusions and malware, and vulnerability assessment, pages 300--321. Springer, 2016.

Digital Library

[21]

H.L.J.Laloge. Polyglot database. https://github.com/Polydet/polyglot-database, 2018.

[22]

Trammell Hudson and Larry Rudolph. Thunderstrike: EFI firmware bootkits for Apple MacBooks. In ACM International Systems and Storage Conference (SYSTOR), pages 1--10, 2015.

Digital Library

[23]

Intel. Storage Performance Development Kit (SPDK). https://spdk.io, 2015. Accessed: Jan 2021.

[24]

Hyukjoong Kim, Dongkun Shin, Yun Ho Jeong, and Kyung Ho Kim. SHRD: Improving spatial locality in flash storage accesses by sequentializing in host and randomizing in device. In USENIX Conference on File and Storage Technologies (FAST), pages 271--284, 2017. https://www.usenix.org/conference/fast17/technical-sessions/presentation/kim.

[25]

Jeremie S. Kim, Minesh Patel, A. Giray Yaglikci, Hasan Hassan, Roknoddin Azizi, Lois Orosa, and Onur Mutlu. Revisiting rowhammer: An experimental analysis of modern dram devices and mitigation techniques. In 2020 ACM/IEEE 47th Annual International Symposium on Computer Architecture (ISCA), pages 638--651, 2020.

Digital Library

[26]

Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai, and Onur Mutlu. Flipping bits in memory without accessing them: An experimental study of dram disturbance errors. In ACM International Symposium on Computer Architecture (ISCA), pages 361--372, 2014.

Digital Library

[27]

Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, et al. Spectre attacks: Exploiting speculative execution. In IEEE Symposium on Security and Privacy (S&P), pages 1--19, 2019.

[28]

Anil Kurmus, Nikolas Ioannou, Matthias Neugschwandtner, Nikolaos Papandreou, and Thomas Parnell. From random block corruption to privilege escalation: A filesystem attack vector for rowhammer-like attacks. In USENIX Workshop on Offensive Technologies (WOOT), 2017. https://www.usenix.org/conference/woot17/workshop-program/presentation/kurmus.

[29]

Kim Kwonyoup and Lee Seungjoon. A new hope: The one last chance to save your ssd data. Black Hat USA, 2020, 2020. https://i.blackhat.com/eu-20/Wednesday/eu-20-Lee-A-New-Hope-The-One-Last-Chance-to-Save-Your-SSD-Data.pdf.

[30]

Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. Meltdown: Reading kernel memory from user space. In USENIX Security Symposium, pages 973--990, 2018. https://www.usenix.org/conference/usenixsecurity18/presentation/lipp.

[31]

Moritz Lipp, Michael Schwarz, Lukas Raab, Lukas Lamster, Misiker Tadesse Aga, Clémentine Maurice, and Daniel Gruss. Nethammer: Inducing rowhammer faults through network requests. In IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pages 710--719, 2020.

[32]

Luther Martin. XTS: A mode of AES for encrypting hard disks. IEEE Security & Privacy, 8(3):68--69, 2010.

Digital Library

[33]

Avantika Mathur, Mingming Cao, Suparna Bhattacharya, Andreas Dilger, Alex Tomas, and Laurent Vivier. The new ext4 filesystem: current status and future plans. In Proceedings of the Linux symposium, volume 2, pages 21--33, 2007. https://www.kernel.org/doc/ols/2007/ols2007v2-pages-21-34.pdf.

[34]

Mellanox. Bluefield SmartNIC for Ethernet. https://www.mellanox.com/sites/default/files/related-docs/prod_adapter_cards/PB_BlueField_Smart_NIC.pdf, 2019. Accessed: Dec 2020.

[35]

Micron. Micron 9300 NVMe SSD. https://media-www.micron.com/-/media/client/global/documents/products/product-flyer/9300_ssd_product_brief.pdf?la=en&rev=b6908d03082d4fd7b022a2f40d1b731e, 2020. Accessed: Dec 2020.

[36]

Onur Mutlu and Jeremie S. Kim. Rowhammer: A retrospective, 2019. http://arxiv.org/abs/1904.09724. Accessed: Dec 2020.

[37]

Fan Ni, Chunyi Liu, Yang Wang, Chengzhong Xu, Xiao Zhang, and Song Jiang. A hash-based space-efficient page-level ftl for large-capacity ssds. In 2017 International Conference on Networking, Architecture, and Storage (NAS), pages 1--6, 2017.

[38]

Oracle. Oracle cloud infrastructure--cloud storage. https://www.oracle.com/cloud/storage/, 2021. Accessed: Apr 2021.

[39]

ID Pankov, AS Konoplev, and A Yu Chernov. Analysis of the security of uefi bios embedded software in modern intel-based computers. Automatic Control and Computer Sciences, 53(8):865--869, 2019.

[40]

Peter Pessl, Daniel Gruss, Clémentine Maurice, Michael Schwarz, and Stefan Mangard. DRAMA: Exploiting DRAM addressing for cross-cpu attacks. In 25th USENIX Security Symposium (USENIX Security 16), pages 565--581, 2016. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/pessl.

[41]

Martin K Petersen. T10 data integrity feature (logical block guarding). https://www.usenix.org/legacy/event/lsf07/tech/petersen.pdf, 2007. Accessed: Dec 2020.

[42]

Salman Qazi, Yoongu Kim, Nicolas Boichat, Eric Shiu, and Mattias Nissler. Introducing half-double: New hammering technique for dram rowhammer bug. https://security.googleblog.com/2021/05/introducing-half-double-new-hammering.html, May 2021.

[43]

Rui Qiao and Mark Seaborn. A new approach for rowhammer attacks. In IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pages 161--166, 2016.

[44]

Samsung. Samsung PM1733 NVMe SSD. https://samsungsemiconductor-us.com/labs/pdfs/PM1733_U2_Product_Brief.pdf, 2020. Accessed: Dec 2020.

[45]

Mark Seaborn and Thomas Dullien. Exploiting the DRAM rowhammer bug to gain kernel privileges. http://googleprojectzero.blogspot.com.tr/2015/03/exploiting-dram-rowhammer-bug-to-gain.html, 2015. Accessed: Jan 2021.

[46]

Igor Smolyar, Muli Ben-Yehuda, and Dan Tsafrir. Securing self-virtualizing Ethernet devices. In USENIX Security Symposium, pages 335--350, 2015. https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/smolyar.

[47]

Andrei Tatar, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi. Defeating software mitigations against rowhammer: a surgical precision hammer. In International Symposium on Research in Attacks, Intrusions, and Defenses, pages 47--66, 2018.

[48]

Andrei Tatar, Radhesh Krishnan Konoth, Elias Athanasopoulos, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi. Throwhammer: Rowhammer attacks over the network and defenses. In USENIX Annual Technical Conference (ATC), pages 213--226, 2018. https://www.usenix.org/conference/atc18/presentation/tatar.

[49]

Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, and Cristiano Giuffrida. Drammer: Deterministic rowhammer attacks on mobile platforms. In ACM Conference on Computer and Communications Security (CCS), pages 1675--1689, 2016.

Digital Library

[50]

Victor van der Veen, Martina Lindorfer, Yanick Fratantonio, Harikrishnan Padmanabha Pillai, Giovanni Vigna, Christopher Kruegel, Herbert Bos, and Kaveh Razavi. GuardION: Practical mitigation of DMA-based rowhammer attacks on ARM. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (AHES), pages 92--113, 2018.

[51]

Pepe Vila, Boris Köpf, and José F Morales. Theory and practice of finding eviction sets. In IEEE Symposium on Security and Privacy (S&P), pages 39--54, 2019.

[52]

VMware. Project Hatchway: Persistent Storage for Cloud-Native Applications. https://blogs.vmware.com/cloudnative/2017/09/06/project-hatchway-persistent-storage-cloud-native-applications/, 2017. Accessed: Jan 2021.

[53]

Minghua Wang, Zhi Zhang, Yueqiang Cheng, and Surya Nepal. Dramdig: A knowledge-assisted tool to uncover dram address mapping. In ACM/IEEE Design Automation Conference (DAC), pages 1--6, 2020.

[54]

Yuan Xiao, Xiaokuan Zhang, Yinqian Zhang, and Radu Teodorescu. One bit flips, one cloud flops: Cross-vm row hammer attacks and privilege escalation. In USENIX Security Symposium, pages 19--35, 2016. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/xiao.

Digital Library

[55]

Jie Zhang, Miryeong Kwon, Michael Swift, and Myoungsoo Jung. Manycore-based scalable ssd architecture towards one and more million IOPS. In Annual Non-Volatile Memories Workshop (NVMW), 2021. http://nvmw.ucsd.edu/nvmw2021-program/nvmw2021-data/nvmw2021-final27.pdf.

[56]

Tao Zhang, Aviad Zuck, Donald E. Porter, and Dan Tsafrir. Apps can quickly destroy your mobile's flash: why they don't, and how to keep it that way. In ACM International Conference on Mobile Systems, Applications, and Services (MobiSys), pages 207--221, 2019.

Digital Library

[57]

Zhe Zhou, Zhou Li, and Kehuan Zhang. All your VMs are disconnected: Attacking hardware virtualized network. In ACM Conference on Data and Application Security and Privacy (COADSPY), 2017.

Digital Library

[58]

Aviad Zuck, Philipp Gühring, Tao Zhang, Donald E Porter, and Dan Tsafrir. Why and how to increase ssd performance transparency. In USENIX Workshop on Hot Topics in Operating Systems (HOTOS), 2019.

Digital Library

Cited By

Trivedi AJansen MDoekemeijer KTalluri STehrany N(2024) Reviving Storage Systems Education in the 21 st Century — An experience report 2024 IEEE 24th International Symposium on Cluster, Cloud and Internet Computing (CCGrid)10.1109/CCGrid59990.2024.00074(616-625)Online publication date: 6-May-2024
https://doi.org/10.1109/CCGrid59990.2024.00074
Kim ILee GLee SChoi W(2023)A Deep Neural Network Attack Simulation against Data Storage of Autonomous VehiclesSAE International Journal of Connected and Automated Vehicles10.4271/12-07-02-00087:2Online publication date: 29-Sep-2023
https://doi.org/10.4271/12-07-02-0008

Index Terms

Rowhammering Storage Devices
1. Hardware
  1. Communication hardware, interfaces and storage
    1. External storage
  2. Integrated circuits
    1. Semiconductor memory
      1. Dynamic memory
2. Security and privacy
  1. Systems security
    1. File system security

Recommendations

High-performance NAND and PRAM hybrid storage design for consumer electronics

Recently PRAM (Phase-change RAM) is emerging as a promising next generation non-volatile memory device, because it supports fast byte-level access capability and in-place update (no erase-before-program constraint) unlike traditional NAND Flash. ...
Cache Line Pinning for Mitigating Row Hammer Attack
ICPP '24: Proceedings of the 53rd International Conference on Parallel Processing

RowHammer attack is a serious security threat to DRAM-based memory that causes bit flips in nearby rows when a DRAM row is accessed frequently. Many mitigation strategies are proposed against the RowHammer attack, and a few of the mitigation strategies ...
Marionette: A RowHammer Attack via Row Coupling
ASPLOS '25: Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 1

A body of recent work has revealed that two different rows in a DRAM bank, from the perspective of a processor-memory interface, are connected to the same wordline but two separate row buffers (bitline sense amplifiers) in certain DRAM chips. Such a pair ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

HotStorage '21: Proceedings of the 13th ACM Workshop on Hot Topics in Storage and File Systems

July 2021

119 pages

ISBN:9781450385503

DOI:10.1145/3465332

Program Chairs:
Philip Shilane
Dell Technologies
,
Youjip Won
Korea Advanced Institute of Science and Technology (KAIST)

Copyright © 2021 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGOPS: ACM Special Interest Group on Operating Systems

In-Cooperation

USENIX Assoc: USENIX Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 27 July 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

NSF
BSF

Conference

HotStorage '21

Sponsor:

SIGOPS

HotStorage '21: 13th ACM Workshop on Hot Topics in Storage and File Systems

July 27 - 28, 2021

Virtual, USA

Acceptance Rates

HotStorage '21 Paper Acceptance Rate 15 of 40 submissions, 38%;

Overall Acceptance Rate 34 of 87 submissions, 39%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
821
Total Downloads

Downloads (Last 12 months)309
Downloads (Last 6 weeks)35

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Trivedi AJansen MDoekemeijer KTalluri STehrany N(2024) Reviving Storage Systems Education in the 21 st Century — An experience report 2024 IEEE 24th International Symposium on Cluster, Cloud and Internet Computing (CCGrid)10.1109/CCGrid59990.2024.00074(616-625)Online publication date: 6-May-2024
https://doi.org/10.1109/CCGrid59990.2024.00074
Kim ILee GLee SChoi W(2023)A Deep Neural Network Attack Simulation against Data Storage of Autonomous VehiclesSAE International Journal of Connected and Automated Vehicles10.4271/12-07-02-00087:2Online publication date: 29-Sep-2023
https://doi.org/10.4271/12-07-02-0008

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Figures

Tables

Media

View Table of Conten