Corpus ID: 231985901

SoftTRR: Protect Page Tables Against RowHammer Attacks using Software-only Target Row Refresh

Authors: Zhi Zhang, Yueqiang Cheng, Minghua Wang, Wei He, Wenhao Wang, Surya Nepal, Yansong Gao, Kang Li, Zhe Wang, Chenggang Wu
Rowhammer attacks that corrupt level-1 page tables to gain kernel privilege are the most detrimental to system security and hard to mitigate. However, recently proposed software-only mitigations are not effective against such kernel privilege escalation attacks. In this paper, we propose an effective and practical software-only defense, called SoftTRR, to protect page tables from all existing rowhammer attacks on x86. The key idea of SoftTRR is to refresh the rows occupied by page tables when a… 


A Retrospective and Futurespective of Rowhammer Attacks and Defenses on DRAM

This work characterizes rowhammer attacks comprehensively, shedding light on possible new attack vectors that have not yet been explored, and summarizes and classifies existing software defenses, from which new defense strategies are identified that are worth exploring in future work.

Fundamentally Understanding and Solving RowHammer

This work argues for two major directions to amplify research and development efforts: building a much deeper understanding of the RowHammer problem and its many dimensions, in both cutting-edge DRAM chips and computing systems deployed in the field, and designing and developing extremely efficient and fully secure solutions via system-memory cooperation.

Stop! Hammer time: rethinking our approach to rowhammer mitigations

This work argues that the systems community can and must drive a fundamental change in Rowhammer mitigation techniques and proposes novel hardware primitives in the CPU's integrated memory controller that would enable a variety of efficient software defenses, offering flexible safeguards against future attacks.

HiRA: Hidden Row Activation for Reducing Refresh Latency of Off-the-Shelf DRAM Chips

Hidden Row Activation (HiRA) is proposed, a new operation that can reliably parallelize a DRAM row’s refresh operation with refresh or activation of any of the 32% of the rows within the same bank and reduces the overall latency of two refresh operations.

Panopticon: A Complete In-DRAM Rowhammer Mitigation

Panopticon is a complete in-DRAM Rowhammer mitigation that is both inexpensive and, for DDR4, requires no changes to any hardware components other than DRAM.

ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks

A software-based defense, ANVIL, is developed, which thwarts all known rowhammer attacks on existing systems and is shown to be low-cost and robust; experiments indicate that it is an effective approach for protecting existing and future systems from even advanced rowhammer attacks.

CAn't Touch This: Software-only Mitigation against Rowhammer Attacks targeting Kernel Memory

The design and implementation of a practical and efficient software-only defense against rowhammer attacks, called CATT, is presented, which prevents the attacker from leveraging rowhammer to corrupt kernel memory from user mode.

Another Flip in the Wall of Rowhammer Defenses

Novel Rowhammer attack and exploitation primitives are presented, showing that even a combination of all defenses is ineffective, and a new attack technique, one-location hammering, breaks previous assumptions on requirements for triggering the Rowhammer bug.

Protecting Page Tables from RowHammer Attacks using Monotonic Pointers in DRAM True-Cells

This work identifies an important asymmetry in physical DRAM cells that can be utilized to prevent RowHammer attacks by adding 18 lines of code to modify the OS memory allocator and creates DRAM cell-type-aware memory allocation which enables a "monotonicity property" for a given data object.

Uncovering In-DRAM RowHammer Protection Mechanisms: A New Methodology, Custom RowHammer Patterns, and Implications

U-TRR is presented, an experimental methodology to analyze in-DRAM TRR implementations and shows how it allows us to craft RowHammer access patterns that successfully circumvent the TRR mechanisms employed in 45 DRAM modules of the three major DRAM vendors.

PThammer: Cross-User-Kernel-Boundary Rowhammer through Implicit Accesses

PThammer, a confused-deputy attack that causes accesses to memory locations that the attacker is not allowed to access, is presented, demonstrating that it is a viable attack, resulting in a system compromise (e.g., kernel privilege escalation).

RAMBleed: Reading Bits in Memory Without Accessing Them

It is demonstrated that Rowhammer is a threat not only to integrity but to confidentiality as well, by employing Rowhammer as a read side channel, and the first security implication of successfully corrected bit flips, which were previously considered benign, is shown.

RIP-RH: Preventing Rowhammer-based Inter-Process Attacks

RIP-RH is presented, a DRAM-aware memory allocator that allows for dynamic management of multiple user-space processes and ensures that the memory partitions belonging to individual processes are physically isolated.

BlockHammer: Preventing RowHammer at Low Cost by Blacklisting Rapidly-Accessed DRAM Rows

The key idea of BlockHammer is to track row activation rates using area-efficient Bloom filters, and use the tracking data to ensure that no row is ever activated rapidly enough to induce RowHammer bit-flips.

TWiCe: Preventing Row-hammering by Exploiting Time Window Counters

This paper proposes a new counter-based RH prevention solution named Time Window Counter (TWiCe) based row refresh, which accurately detects potential RH attacks only using a small number of counters with a minimal performance impact.