Professional Documents
Culture Documents
EU 22 Kogler CSI Rowhammer
EU 22 Kogler CSI Rowhammer
Something
Mitigations
Since 2014 Numerous exploits fundamentally
ineffektive
better?
bitline
2 Andreas Kogler (7@0xhilbert) Jonas Juffinger (7@notimaginary )
Dynamic Random Access Memory (DRAM)
bitline
2 Andreas Kogler (7@0xhilbert) Jonas Juffinger (7@notimaginary )
Dynamic Random Access Memory (DRAM)
bitline
• Periodic refreshes required
bitline
• Periodic refreshes required
• Organized in rows
1 f o r ( i = 0 ; i < N ; ++i ) {
aggressor1 2 ∗ aggressor1 ;
3 ∗ aggressor2 ;
Victim
4 flush ( aggressor1 ) ;
aggressor2
5 flush ( aggressor2 ) ;
6 }
1 f o r ( i = 0 ; i < N ; ++i ) {
aggressor1 2 ∗ aggressor1 ;
3 ∗ aggressor2 ;
Victim
4 flush ( aggressor1 ) ;
aggressor2
5 flush ( aggressor2 ) ;
6 }
1 f o r ( i = 0 ; i < N ; ++i ) {
aggressor1 2 ∗ aggressor1 ;
3 ∗ aggressor2 ;
Victim
4 flush ( aggressor1 ) ;
aggressor2
5 flush ( aggressor2 ) ;
6 }
1 f o r ( i = 0 ; i < N ; ++i ) {
aggressor1 2 ∗ aggressor1 ;
3 ∗ aggressor2 ;
Victim
4 flush ( aggressor1 ) ;
aggressor2
5 flush ( aggressor2 ) ;
6 }
1 f o r ( i = 0 ; i < N ; ++i ) {
aggressor1 2 ∗ aggressor1 ;
3 ∗ aggressor2 ;
Victim
4 flush ( aggressor1 ) ;
aggressor2
5 flush ( aggressor2 ) ;
6 }
1 f o r ( i = 0 ; i < N ; ++i ) {
aggressor1 2 ∗ aggressor1 ;
3 ∗ aggressor2 ;
Victim
4 flush ( aggressor1 ) ;
aggressor2
5 flush ( aggressor2 ) ;
6 }
1 f o r ( i = 0 ; i < N ; ++i ) {
aggressor1 2 ∗ aggressor1 ;
3 ∗ aggressor2 ;
Victim
4 flush ( aggressor1 ) ;
aggressor2
5 flush ( aggressor2 ) ;
6 }
1 f o r ( i = 0 ; i < N ; ++i ) {
aggressor1 2 ∗ aggressor1 ;
3 ∗ aggressor2 ;
Victim
4 flush ( aggressor1 ) ;
aggressor2
5 flush ( aggressor2 ) ;
6 }
1 f o r ( i = 0 ; i < N ; ++i ) {
aggressor1 2 ∗ aggressor1 ;
3 ∗ aggressor2 ;
Victim
4 flush ( aggressor1 ) ;
aggressor2
5 flush ( aggressor2 ) ;
6 }
1 f o r ( i = 0 ; i < N ; ++i ) {
aggressor1 2 ∗ aggressor1 ;
3 ∗ aggressor2 ;
Victim
4 flush ( aggressor1 ) ;
aggressor2
5 flush ( aggressor2 ) ;
6 }
1 f o r ( i = 0 ; i < N ; ++i ) {
aggressor1 2 ∗ aggressor1 ;
Victim 3 ∗ aggressor2 ;
4 flush ( aggressor1 ) ;
aggressor2
5 flush ( aggressor2 ) ;
6 }
1 f o r ( i = 0 ; i < N ; ++i ) {
aggressor1 2 ∗ aggressor1 ;
Victim 3 ∗ aggressor2 ;
4 flush ( aggressor1 ) ;
aggressor2
5 flush ( aggressor2 ) ;
6 }
1 f o r ( i = 0 ; i < N ; ++i ) {
aggressor1 2 ∗ aggressor1 ;
Victim 3 ∗ aggressor2 ;
4 flush ( aggressor1 ) ;
aggressor2
5 flush ( aggressor2 ) ;
6 }
Agressor
Guard
Victim
Guard
Agressor
Agressor
Guard
Victim
Guard
Agressor
Agressor
Guard
Victim
Guard
Agressor
Agressor
Guard
Victim
Guard
Agressor
Agressor
Guard
Victim
Guard
Agressor
Agressor
Guard
Victim
Guard
Agressor
Agressor
Guard
Victim
Guard
Agressor
Agressor
Guard
Victim
Guard
Agressor
Agressor
Guard
Victim
Guard
Agressor
Agressor
Guard
Victim
Guard
Agressor
Agressor
Guard
Victim
Guard
Agressor
• Distance-1
Far Aggressor (F+ ) • (N+ → N− )∞
Near Aggressor (N+ ) • Classic double-sided Rowhammer
Victim (V)
Near Aggressor (N− )
Far Aggressor (F− )
• Distance-1
Far Aggressor (F+ ) • (N+ → N− )∞
Near Aggressor (N+ ) • Classic double-sided Rowhammer
Victim (V)
• First flip after:
Near Aggressor (N− )
Far Aggressor (F− )
• 18 000 hammers in 1.2 ms
• Distance-1
Far Aggressor (F+ ) • (N+ → N− )∞
Near Aggressor (N+ ) • Classic double-sided Rowhammer
Victim (V)
• First flip after:
Near Aggressor (N− )
Far Aggressor (F− )
• 18 000 hammers in 1.2 ms
3 Within the refresh window
7 Mitigated by TRR
• Half-Double
• ((F+ → F− )β → N+ → N− )∞
Far Aggressor (F+ ) • Many distance-2 accesses with a few distance-1
Near Aggressor (N+ ) accesses
Victim (V)
Near Aggressor (N− )
Far Aggressor (F− )
• Half-Double
• ((F+ → F− )β → N+ → N− )∞
Far Aggressor (F+ ) • Many distance-2 accesses with a few distance-1
Near Aggressor (N+ ) accesses
Victim (V)
• First flip after:
Near Aggressor (N− )
Far Aggressor (F− )
• 296 960 hammers in 20 ms
• Dilution β = 57 (5120 distance-1 accesses)
• Half-Double
• ((F+ → F− )β → N+ → N− )∞
Far Aggressor (F+ ) • Many distance-2 accesses with a few distance-1
Near Aggressor (N+ ) accesses
Victim (V)
• First flip after:
Near Aggressor (N− )
Far Aggressor (F− )
• 296 960 hammers in 20 ms
• Dilution β = 57 (5120 distance-1 accesses)
3 Within the refresh window
• Half-Double
• ((F+ → F− )β → N+ → N− )∞
Far Aggressor (F+ ) • Many distance-2 accesses with a few distance-1
Near Aggressor (N+ ) accesses
Victim (V)
• First flip after:
Near Aggressor (N− )
Far Aggressor (F− )
• 296 960 hammers in 20 ms
• Dilution β = 57 (5120 distance-1 accesses)
3 Within the refresh window
3 Assisted by TRR
• Half-Double
• ((F+ → F− )β → N+ → N− )∞
Far Aggressor (F+ ) • Many distance-2 accesses with a few distance-1
Near Aggressor (N+ ) accesses
Victim (V)
• First flip after:
Near Aggressor (N− )
Far Aggressor (F− )
• 296 960 hammers in 20 ms
• Dilution β = 57 (5120 distance-1 accesses)
3 Within the refresh window
3 Assisted by TRR
if ( /*misprediction*/ ) {
• Verify if address save to
access(probe + (*ptr & 1));
access
}
if ( is_cached(probe) ) { • Spectre gadget
// ptr[0-4] valid
}
if ( /*misprediction*/ ) {
• Verify if address save to
access(probe + (*ptr & 1));
access
}
if ( is_cached(probe) ) { • Spectre gadget
// ptr[0-4] valid • Cached → accessible
}
if ( /*misprediction*/ ) {
• Verify if address save to
access(probe + (*ptr & 1));
access
}
if ( is_cached(probe) ) { • Spectre gadget
// ptr[0-4] valid • Cached → accessible
} • Suppresses corruption faults
C2
C1 C3 ≈23m root
≈22m ≈11m
ECC HexPADS
ChipKill ARMOR
TRR NO OOM
PARA B-CATT
PRA G-CATT
Refresh Rate ZebRAM
MASCAT MemGuard
MC MAC
Compute
MC MAC
Compute
MC MAC
Compute
MC MAC =
Compute
MC MAC =
Compute No
MC MAC =
Compute No
Correct
1 Flip
MC MAC =
Compute No
Correct
1 Flip
OS
MC MAC =
Compute No
Correct
1 Flip
Corruption Exception
OS
MC MAC =
Compute No
Correct
1 Flip
Corruption Exception
OS
Exception Handler
MC MAC =
Compute No
Correct
1 Flip
Corruption Exception
OS
Exception Handler
MC MAC =
Compute No
Correct
1 Flip
Corruption Exception
OS
Exception Handler
Correction
as a Search
Corruption Exception
OS
Exception Handler
Correction
as a Search
Corruption Exception
OS
Exception Handler
Correction
as a Search
Corruption Exception
OS
Exception Handler
Correction
as a Search
Corruption Exception
OS
Exception Handler
Correction
as a Search
Corruption Exception
OS
Advanced Correction Exception Handler
Correction
as a Search
Corruption Exception
OS
Advanced Correction Exception Handler
e.g. Reload from Disk Correction
as a Search
Corruption Exception
OS
Advanced Correction Exception Handler
e.g. Reload from Disk Correction
as a Search
Corruption Exception
OS
Advanced Correction Exception Handler
e.g. Reload from Disk Correction
as a Search
Corruption Exception
OS
Advanced Correction Exception Handler
e.g. Reload from Disk Correction
as a Search
Corruption Exception
OS
Advanced Correction Exception Handler
e.g. Reload from Disk Correction
as a Search
Corruption Exception
OS
Advanced Correction Exception Handler
e.g. Reload from Disk Correction
as a Search
Corruption Exception
OS
Advanced Correction Exception Handler
e.g. Reload from Disk Correction
as a Search
Corruption Exception
OS
Advanced Correction Exception Handler
e.g. Reload from Disk Correction
as a Search
Corruption Exception
OS
Advanced Correction Exception Handler
e.g. Reload from Disk Correction
as a Search
Corruption Exception
OS
Advanced Correction Exception Handler
e.g. Reload from Disk Correction
as a Search
M1 M2 M3 M4
64 64 64 64
⊕
Phys Addr1 QK PA2 QK PA3 QK PA4 QK
56
⊕ ⊕
MAC
M1 M2 M3 M4
64 64 64 64
⊕
Phys Addr1 QK PA2 QK PA3 QK PA4 QK
56
⊕ ⊕
MAC
M1 M2 M3 M4
64 64 64 64
⊕
Phys Addr1 QK PA2 QK PA3 QK PA4 QK
56
⊕ ⊕
MAC
M1 M2 M3 M4
64 64 64 64
⊕
Phys Addr1 QK PA2 QK PA3 QK PA4 QK
56
⊕ ⊕
MAC
M1 M2 M3 M4
64 64 64 64
⊕
Phys Addr1 QK PA2 QK PA3 QK PA4 QK
56
⊕ ⊕
MAC
11.6 d
2.7 h
1.7 min
Correction Time
1s
10 ms
100 µs
1 µs
10 ns HW Avg SW ECC
1 2 3 4 5 6 7 8
Number of Flips
0%
2%
4%
ks
bo cho
dy les
tr
ca ack
nn
e
de al
du
flu p
id fer
an re
im t
st fre at
PARSEC
re qm e
am i
c n
sw lus e
ap ter
tio
ba ns
ch rne
ol s
es
ky
ff
lu t
CSI:Rowhammer – Performance Overhead
l b c
oc u n
c
oc ean b
ea cp
n
ra nc
di p
os
SPLASH-2x
it
Andreas Kogler (7@0xhilbert)
wa ra y
te vo ix d
r l
wa nsq rend
te ua
r re
gm spa d
ti
ge gm par al
om sp se
et las c
ric h2
m x
ea
GMEAN
n
6.60 ns (512-bit data)
5.13 ns (256-bit data)
• Approximate Equality
• Approximate Equality
• Approximate Equality
• Silent Data Corruption rate less than once per 109 billion years.
• Approximate Equality
• Silent Data Corruption rate less than once per 109 billion years.
• Rowhammer second preimage after one year: 9.75 · 10−5 %
Hardware acceleration
Hardware acceleration
• Ice Lake SP Xeon Server die size: 628 mm2
Hardware acceleration
• Ice Lake SP Xeon Server die size: 628 mm2
• Fits roughly 500 000 QARMA blocks
Hardware acceleration
• Ice Lake SP Xeon Server die size: 628 mm2
• Fits roughly 500 000 QARMA blocks
• 8 bit flips correction: 5.44 h → 40 ms
Roberto Avanzi. The QARMA Block Cipher Family: Almost MDS Matrices Over Rings
With Zero Divisors, Nearly Symmetric Even-Mansour Constructions With Non-Involutory
Central Rounds, and Search Heuristics for Low-Latency S-Boxes. In: IACR Transactions
on Symmetric Cryptology 2017.1 (2017), pp. 4–44.
Daniel Gruss, Moritz Lipp, Michael Schwarz, Daniel Genkin, Jonas Juffinger,
Sioli O’Connell, Wolfgang Schoechl, and Yuval Yarom. Another Flip in the Wall of
Rowhammer Defenses. In: S&P. 2018.
Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji Hye Lee, D607onghyuk Lee,
Chris Wilkerson, Konrad Lai, and Onur Mutlu. Flipping bits in memory without accessing
them: An experimental study of DRAM disturbance errors. In: ACM SIGARCH Computer
Architecture News 42.3 (2014), pp. 361–372.
Andreas Kogler, Jonas Juffinger, Salman Qazi, Yoongu Kim, Moritz Lipp,
Nicolas Boichat, Eric Shiu, Mattias Nissler, and Daniel Gruss. Half-Double: Hammering
From the Next Row Over. In: In major revision at USENIX Security Symposium. 2022.
Tamara Silbergleit Lehman, Andrew D. Hilton, and Benjamin C. Lee. PoisonIvy: Safe
speculation for secure memory. In: MICRO. 2016.
Mark Seaborn and Thomas Dullien. Test DRAM for bit flips caused by the rowhammer
problem. Retrieved on July 27, 2015. 2015. url:
https://github.com/google/rowhammer-test.
Weidong Shi and Hsien-Hsin S. Lee. Authentication Control Point and Its Implications
For Secure Processor Design. In: MICRO. 2006.
Two conditions