More Web Proxy on the site http://driver.im/

research-article

Protecting Page Tables from RowHammer Attacks using Monotonic Pointers in DRAM True-Cells

Authors:

Timothy Sherwood,

Frederic T. Chong,

Yanjing LiAuthors Info & Claims

ASPLOS '19: Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems

Pages 645 - 657

https://doi.org/10.1145/3297858.3304039

Published: 04 April 2019 Publication History

Abstract

We identify an important asymmetry in physical DRAM cells that can be utilized to prevent RowHammer attacks by adding 18 lines of code to modify the OS memory allocator. Our small modification has a powerful impact on RowHammer's ability to bypass memory protection mechanisms and achieve a successful attack. Specifically, we identify two types of DRAM cells: true-cells and anti-cells. In a true-cell, a leaking capacitor will induce a '1'->'0' error, while in anti-cells, errors flow from '0'->'1'. We then create DRAM cell-type-aware memory allocation which enables a "monotonicity property" for a given data object. The monotonicity property is able to counter RowHammer attacks (and, to a broader extent, other memory attacks) by allocating only one type of cells for an object, thereby restricting error direction. We apply the monotonicity property to pointers in page tables by placing all page tables in true-cells that are above a "low water mark". We show that this approach successfully defends against page-table-based privilege escalation RowHammer attacks. Using established RowHammer-induced bit-flip error statistics, we provide proofs of the soundness and completeness of our technique and show that with our technique only one out of 2.04x10 ⁵ systems is vulnerable to the attack, and the expected attack time on the vulnerable system is 231 days. We also provide application performance results from prototypes implemented through modifications to Linux kernels. Our cross-layer approach avoids undesirable energy cost, hardware changes, performance overhead, and high software complexity associated with prior countermeasures.

References

[1]

Barbara Aichinger. 2015. DDR memory errors caused by Row Hammer. In HPEC. IEEE, 1--5.

[2]

JEDEC Solid State Technology Association. 2012. DDR3SDRAM Specification.

[3]

Zelalem Birhanu Aweke, Salessawi Ferede Yitbarek, Rui Qiao, Reetuparna Das, Matthew Hicks, Yossi Oren, and Todd Austin. 2016. ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks. In Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS '16). ACM, New York, NY, USA, 743--755.

Digital Library

[4]

Raghu Bharadwaj. 2017. Mastering Linux Kernel Development .Birmingham : Packt Publishing.

[5]

Sarani Bhattacharya and Debdeep Mukhopadhyay. 2016. Curious Case of Rowhammer: Flipping Secret Exponent Bits Using Timing Analysis. In CHES (Lecture Notes in Computer Science), Vol. 9813. Springer, 602--624.

[6]

Leyla Bilge and Tudor Dumitras. 2012. Before we knew it: an empirical study of zero-day attacks in the real world. In Proceedings of the 2012 ACM conference on Computer and communications security. ACM, 833--844.

Digital Library

[7]

Erik Bosman, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. 2016. Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector. In IEEE Symposium on Security and Privacy. IEEE Computer Society, 987--1004.

[8]

Daniel Bovet and Marco Cesati. 2005. Understanding The Linux Kernel .Oreilly & Associates Inc.

Digital Library

[9]

Ferdinand Brasser, Lucas Davi, David Gens, Christopher Liebchen, and Ahmad-Reza Sadeghi. 2017. Can't touch this: Software-only mitigation against rowhammer attacks targeting kernel memory. In Proceedings of the 26th USENIX Security Symposium (Security). Vancouver, BC, Canada .

Digital Library

[10]

Yueqiang Cheng, Zhi Zhang, and Surya Nepal. 2018. Still Hammerable and Exploitable: on the Effectiveness of Software-only Physical Kernel Isolation. CoRR, Vol. abs/1802.07060 (2018).

[11]

Michael Grace, Yajin Zhou, Qiang Zhang, Shihong Zou, and Xuxian Jiang. 2012. Riskranker: scalable and accurate zero-day android malware detection. In Proceedings of the 10th international conference on Mobile systems, applications, and services. ACM, 281--294.

Digital Library

[12]

Daniel Gruss, Moritz Lipp, Michael Schwarz, Daniel Genkin, Jonas Juffinger, Sioli O'Connell, Wolfgang Schoechl, and Yuval Yarom. 2017. Another Flip in the Wall of Rowhammer Defenses. CoRR, Vol. abs/1710.00551 (2017).

[13]

Daniel Gruss, Clémentine Maurice, and Stefan Mangard. 2016. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In DIMVA (LNCS), Vol. 9721. Springer, 300--321.

Digital Library

[14]

Part Guide. 2011. Intel® 64 and IA-32 Architectures Software Developer's Manual. Volume 3B: System programming Guide, Part, Vol. 2 (2011).

[15]

J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. 2009. Lest we remember: cold-boot attacks on encryption keys. Commun. ACM, Vol. 52, 5 (2009), 91--98.

Digital Library

[16]

John L. Henning. 2007. SPEC CPU2006 Memory Footprint. SIGARCH Comput. Archit. News, Vol. 35, 1 (March 2007), 84--89.

Digital Library

[17]

Yeongjin Jang, Jaehyuk Lee, Sangho Lee, and Taesoo Kim. 2017. SGX-Bomb: Locking Down the Processor via Rowhammer Attack. In Proceedings of the 2nd Workshop on System Software for Trusted Execution. ACM, 5.

Digital Library

[18]

Brent Keeth, R. Jacob Baker, Brian Johnson, and Feng Lin. 2007. DRAM Circuit Design: Fundamental and High-Speed Topics 2nd ed.). Wiley-IEEE Press.

Digital Library

[19]

Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji-Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai, and Onur Mutlu. 2014. Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors. In ISCA. IEEE Computer Society, 361--372.

Digital Library

[20]

Radhesh Krishnan Konoth, Marco Oliverio, Andrei Tatar, Dennis Andriesse, Herbert Bos, Cristiano Giuffrida, and Kaveh Razavi. 2018. ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks. In 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI 18). USENIX Association, Carlsbad, CA, 697--710.

Digital Library

[21]

Jamie Liu, Ben Jaiyen, Yoongu Kim, Chris Wilkerson, and Onur Mutlu. 2013. An experimental study of data retention behavior in modern DRAM devices: implications for retention time profiling mechanisms. In ISCA. ACM, 60--71.

Digital Library

[22]

Jamie Liu, Ben Jaiyen, Richard Veras, and Onur Mutlu. 2012b. RAIDR: Retention-aware intelligent DRAM refresh. In ISCA. IEEE Computer Society, 1--12.

Digital Library

[23]

Lei Liu, Zehan Cui, Mingjie Xing, Yungang Bao, Mingyu Chen, and Chengyong Wu. 2012a. A software memory partition approach for eliminating bank-level interference in multicore systems. In PACT. ACM, 367--376.

Digital Library

[24]

Robert Love. 2010. Linux Kernel Development 3rd ed.). Addison-Wesley Professional.

Digital Library

[25]

David Mosberger and Stephane Eranian. 2001. IA-64 Linux Kernel: Design and Implementation .Prentice Hall PTR, Upper Saddle River, NJ, USA.

Digital Library

[26]

Onur Mutlu. 2017. The RowHammer problem and other issues we may face as memory becomes denser. In DATE. IEEE, 1116--1121.

Digital Library

[27]

Moni Naor and Gil Segev. 2009. Public-key cryptosystems resilient to key leakage. In Advances in Cryptology-CRYPTO 2009. Springer, 18--35.

Digital Library

[28]

Peter Pessl, Daniel Gruss, Clé mentine Maurice, Michael Schwarz, and Stefan Mangard. 2016. DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks. In USENIX Security Symposium. USENIX Association, 565--581.

Digital Library

[29]

Phoronix. 2016. https://www.phoronix-test-suite.com/. Phoronix test suite.

[30]

Rui Qiao and Mark Seaborn. 2016. A new approach for rowhammer attacks. In HOST. IEEE Computer Society, 161--166.

[31]

Kaveh Razavi, Ben Gras, Erik Bosman, Bart Preneel, Cristiano Giuffrida, and Herbert Bos. 2016. Flip Feng Shui: Hammering a Needle in the Software Stack. In USENIX Security Symposium. USENIX Association, 1--18.

Digital Library

[32]

Mark Seaborn and Thomas Dullien. 2015. Exploiting the DRAM rowhammer bug to gain kernel privileges. Black Hat (2015), 7--9.

[33]

Patrick Simmons. 2011. Security through amnesia: a software-based solution to the cold boot attack on disk encryption. In ACSAC. ACM, 73--82.

Digital Library

[34]

Stephen Smalley, Chris Vance, and Wayne Salamon. 2001. Implementing SELinux as a Linux security module. NAI Labs Report, Vol. 1, 43 (2001), 139.

[35]

Jason Syversen. 2008. Method and apparatus for defending against zero-day worm-based attacks. US Patent App. 11/632,669.

[36]

A. J. van de Goor and Ivo Schanstra. 2002. Address and Data Scrambling: Causes and Impact on Memory Tests. In DELTA. IEEE Computer Society, 128--136.

Digital Library

[37]

Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clémentine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, and Cristiano Giuffrida. 2016. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms. In ACM Conference on Computer and Communications Security. ACM, 1675--1689.

Digital Library

[38]

Yuan Xiao, Xiaokuan Zhang, Yinqian Zhang, and Radu Teodorescu. 2016. One Bit Flips, One Cloud Flops: Cross-VM Row Hammer Attacks and Privilege Escalation. In USENIX Security Symposium. USENIX Association, 19--35.

Digital Library

Cited By

Kim DPark HYeo ILee YKim YLee HKwon K(2024)Rowhammer Attacks in Dynamic Random-Access Memory and Defense MethodsSensors10.3390/s2402059224:2(592)Online publication date: 17-Jan-2024
https://doi.org/10.3390/s24020592
Zhang ZChen DQi JCheng YJiang SLin YGao YNepal SZou YZhang JXiang YQuek TGao DZhou JCardenas A(2024)SoK: Rowhammer on Commodity Operating SystemsProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3656998(436-452)Online publication date: Jul-2024
https://doi.org/10.1145/3634737.3656998
Pourmehrani HBahrami JNooralinejad PPirsiavash HKarimi N(2024)FAT-RABBIT: Fault-Aware Training towards Robustness AgainstBit-flip Based Attacks in Deep Neural Networks2024 IEEE International Test Conference (ITC)10.1109/ITC51657.2024.00029(106-110)Online publication date: 3-Nov-2024
https://doi.org/10.1109/ITC51657.2024.00029
Show More Cited By

Index Terms

Protecting Page Tables from RowHammer Attacks using Monotonic Pointers in DRAM True-Cells
1. Security and privacy
  1. Security in hardware
2. Software and its engineering
  1. Software organization and properties
    1. Contextual software domains
      1. Operating systems
        Memory management
        Allocation / deallocation strategies
        Main memory

Recommendations

A Deeper Look into RowHammer’s Sensitivities: Experimental Analysis of Real DRAM Chips and Implications on Future Attacks and Defenses
MICRO '21: MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture

RowHammer is a circuit-level DRAM vulnerability where repeatedly accessing (i.e., hammering) a DRAM row can cause bit flips in physically nearby rows. The RowHammer vulnerability worsens as DRAM cell size and cell-to-cell spacing shrink. Recent studies ...
Uncovering In-DRAM RowHammer Protection Mechanisms:A New Methodology, Custom RowHammer Patterns, and Implications
MICRO '21: MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture

The RowHammer vulnerability in DRAM is a critical threat to system security. To protect against RowHammer, vendors commit to security-through-obscurity: modern DRAM chips rely on undocumented, proprietary, on-die mitigations, commonly known as Target ...
Protecting Enclaves from Intra-Core Side-Channel Attacks through Physical Isolation
CYSARM'20: Proceedings of the 2nd Workshop on Cyber-Security Arms Race

Systems that protect enclaves from privileged software must consider software-based side-channel attacks. Our system isolates enclaves on separate secure cores to stop attackers from running on the same core as the victim, which mitigates intra-core ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

ASPLOS '19: Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems

April 2019

1126 pages

ISBN:9781450362405

DOI:10.1145/3297858

General Chairs:
Iris Bahar
Brown University
,
Maurice Herlihy
Brown University
,
Program Chairs:
Emmett Witchel
University of Texas, Austin
,
Alvin Lebeck
Duke University

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

In-Cooperation

SIGBED: ACM Special Interest Group on Embedded Systems

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 April 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ASPLOS '19

Sponsor:

ASPLOS '19: Architectural Support for Programming Languages and Operating Systems

April 13 - 17, 2019

RI, Providence, USA

Acceptance Rates

ASPLOS '19 Paper Acceptance Rate 74 of 351 submissions, 21%;

Overall Acceptance Rate 535 of 2,713 submissions, 20%

Upcoming Conference

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

24
Total Citations
View Citations
575
Total Downloads

Downloads (Last 12 months)54
Downloads (Last 6 weeks)3

Reflects downloads up to 19 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Kim DPark HYeo ILee YKim YLee HKwon K(2024)Rowhammer Attacks in Dynamic Random-Access Memory and Defense MethodsSensors10.3390/s2402059224:2(592)Online publication date: 17-Jan-2024
https://doi.org/10.3390/s24020592
Zhang ZChen DQi JCheng YJiang SLin YGao YNepal SZou YZhang JXiang YQuek TGao DZhou JCardenas A(2024)SoK: Rowhammer on Commodity Operating SystemsProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3656998(436-452)Online publication date: Jul-2024
https://doi.org/10.1145/3634737.3656998
Pourmehrani HBahrami JNooralinejad PPirsiavash HKarimi N(2024)FAT-RABBIT: Fault-Aware Training towards Robustness AgainstBit-flip Based Attacks in Deep Neural Networks2024 IEEE International Test Conference (ITC)10.1109/ITC51657.2024.00029(106-110)Online publication date: 3-Nov-2024
https://doi.org/10.1109/ITC51657.2024.00029
Nam HBaek SWi MKim MPark JSong CKim NAhn J(2024)DRAMScope: Uncovering DRAM Microarchitecture and Characteristics by Issuing Memory Commands2024 ACM/IEEE 51st Annual International Symposium on Computer Architecture (ISCA)10.1109/ISCA59077.2024.00083(1097-1111)Online publication date: 29-Jun-2024
https://doi.org/10.1109/ISCA59077.2024.00083
Bae HChung MGong YChung S(2023)Twin ECC: A Data Duplication Based ECC for Strong DRAM Error Resilience2023 Design, Automation & Test in Europe Conference & Exhibition (DATE)10.23919/DATE56975.2023.10137096(1-6)Online publication date: Apr-2023
https://doi.org/10.23919/DATE56975.2023.10137096
Woo SElsasser WHamburg MLinstadt EMiller MSong TTringali J(2023)RAMPART: RowHammer Mitigation and Repair for Server Memory SystemsProceedings of the International Symposium on Memory Systems10.1145/3631882.3631886(1-15)Online publication date: 2-Oct-2023
https://dl.acm.org/doi/10.1145/3631882.3631886
Monjur MCalzadillas JYu Q(2023)Hardware Security Risks and Threat Analyses in Advanced Manufacturing IndustryACM Transactions on Design Automation of Electronic Systems10.1145/360350228:5(1-22)Online publication date: 9-Sep-2023
https://dl.acm.org/doi/10.1145/3603502
Loughlin KRosenblum JSaroiu SWolman ASkarlatos DKasikci BDruschel PKaufmann AMace JFlinn JSeltzer M(2023)Siloz: Leveraging DRAM Isolation Domains to Prevent Inter-VM RowhammerProceedings of the 29th Symposium on Operating Systems Principles10.1145/3600006.3613143(417-433)Online publication date: 23-Oct-2023
https://dl.acm.org/doi/10.1145/3600006.3613143
Zhang ZHe WCheng YWang WGao YLiu DLi KNepal SFu AZou Y(2023) Implicit Hammer : Cross-Privilege-Boundary Rowhammer Through Implicit Accesses IEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2022.321466620:5(3716-3733)Online publication date: 1-Sep-2023
https://doi.org/10.1109/TDSC.2022.3214666
Tan WChen YLi YLiu YWu JDing YZhang C(2023)PTStore: Lightweight Architectural Support for Page Table Isolation2023 60th ACM/IEEE Design Automation Conference (DAC)10.1109/DAC56929.2023.10247657(1-6)Online publication date: 9-Jul-2023
https://doi.org/10.1109/DAC56929.2023.10247657
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents