TRRespass: Exploiting the Many Sides of Target Row Refresh

@article{Frigo2020TRRespassET,
  title={TRRespass: Exploiting the Many Sides of Target Row Refresh},
  author={Pietro Frigo and Emanuele Vannacci and Hasan Hassan and Victor van der Veen and Onur Mutlu and Cristiano Giuffrida and Herbert Bos and Kaveh Razavi},
  journal={2020 IEEE Symposium on Security and Privacy (SP)},
  year={2020},
  pages={747-762}
}
After a plethora of high-profile RowHammer attacks, CPU and DRAM vendors scrambled to deliver what was meant to be the definitive hardware solution against the RowHammer problem: Target Row Refresh (TRR). A common belief among practitioners is that, for the latest generation of DDR4 systems that are protected by TRR, RowHammer is no longer an issue in practice. However, in reality, very little is known about TRR. How does TRR exactly prevent RowHammer? Which parts of a system are responsible… 
Uncovering In-DRAM RowHammer Protection Mechanisms: A New Methodology, Custom RowHammer Patterns, and Implications
TLDR
U-TRR is presented, an experimental methodology to analyze in-DRAM TRR implementations and shows how it allows us to craft RowHammer access patterns that successfully circumvent the TRR mechanisms employed in 45 DRAM modules of the three major DRAM vendors.
SMASH: Synchronized Many-sided Rowhammer Attacks from JavaScript
TLDR
This work builds SMASH (Synchronized MAny-Sided Hammering), a technique to successfully trigger Rowhammer bit flips from JavaScript on modern DDR4 systems, and demonstrates an end-to-end JavaScript exploit which can fully compromise the Firefox browser in 15 minutes on average.
BLACKSMITH: Scalable Rowhammering in the Frequency Domain
TLDR
A new class of non-uniform Rowhammer access patterns that bypass undocumented, proprietary in-DRAM Target Row Refresh (TRR) while operating in a production setting are presented and their extensive analysis using Blacksmith further provides new insights on the properties of currently-deployed TRR mitigations.
BlockHammer: Preventing RowHammer at Low Cost by Blacklisting Rapidly-Accessed DRAM Rows
TLDR
The key idea of BlockHammer is to track row activation rates using area-efficient Bloom filters, and use the tracking data to ensure that no row is ever activated rapidly enough to induce RowHammer bit-flips.
SoftTRR: Protect Page Tables Against RowHammer Attacks using Software-only Target Row Refresh
TLDR
The experimental results show that SoftTRR protects page tables from real-world rowhammer attacks and incurs small performance overhead as well as memory cost.
Quantifying Rowhammer Vulnerability for DRAM Security
TLDR
An analytical model of capacitive-coupling vulnerabilities in DRAMs is developed that presents a new Rowhammer attack insight and will guide future research in this area.
Stop! Hammer time: rethinking our approach to rowhammer mitigations
TLDR
This work argues that the systems community can and must drive a fundamental change in Rowhammer mitigation techniques and proposes novel hardware primitives in the CPU's integrated memory controller that would enable a variety of efficient software defenses, offering flexible safeguards against future attacks.
Mithril: Cooperative Row Hammer Protection on Commodity DRAM Leveraging Managed Refresh
TLDR
Mithril is proposed, the first RFM interface-compatible, DRAM-MC cooperative RH-protection scheme providing deterministic protection guarantees, and has minimal energy overheads for common use cases without adversarial memory access patterns.
A Retrospective and Futurespective of Rowhammer Attacks and Defenses on DRAM
TLDR
This work characterizes rowhammer attacks comprehensively, shedding light on possible new attack vectors that have not yet been explored, and summarizes and classifies existing software defenses, from which new defense strategies are identified that are worth exploring in future work.
QUAC-TRNG: High-Throughput True Random Number Generation Using Quadruple Row Activation in Commodity DRAM Chips
TLDR
QUAC-TRNG is developed, a new high-throughput TRNG that can be fully implemented in commodity DRAM chips, which are key components in most modern systems; the quality of the TRNG is evaluated using the commonly-used NIST statistical test suite for randomness, and QUAC-TRNG successfully passes each test.

References

SHOWING 1-10 OF 102 REFERENCES
When good protections go bad: Exploiting anti-DoS measures to accelerate rowhammer attacks
TLDR
The first rowhammer attack that overcomes all three protections when used in tandem is demonstrated, and is enabled by the recently introduced Cache Allocation Technology, a mechanism designed in part to protect virtual machines from inter-VM denial-of-service attacks.
Another Flip in the Wall of Rowhammer Defenses
TLDR
Novel Rowhammer attack and exploitation primitives are presented, showing that even a combination of all defenses is ineffective, and a new attack technique, one-location hammering, breaks previous assumptions on requirements for triggering the Rowhammer bug.
ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks
TLDR
ZebRAM isolates every DRAM row that contains data with guard rows that absorb any Rowhammer-induced bit flips; the only known method to protect against all forms of Rowhammer.
RAMBleed: Reading Bits in Memory Without Accessing Them
TLDR
It is demonstrated that Rowhammer is a threat to not only integrity, but to confidentiality as well, by employing Rowhammer as a read side channel, and the first security implication of successfully-corrected bit flips, which were previously considered benign.
ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks
TLDR
A software-based defense, ANVIL, is developed, which thwarts all known rowhammer attacks on existing systems and is shown to be low-cost and robust; experiments indicate that it is an effective approach for protecting existing and future systems from even advanced rowhammer attacks.
RowHammer: A Retrospective
  • O. Mutlu, Jeremie S. Kim
  • Computer Science
    IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
  • 2020
TLDR
A principled approach to memory reliability and security research is described and advocated that can enable us to better anticipate and prevent vulnerabilities in DRAM and other types of memories, as the memory technologies scale to higher densities.
The RowHammer problem and other issues we may face as memory becomes denser
  • O. Mutlu
  • Computer Science
    Design, Automation & Test in Europe Conference & Exhibition (DATE), 2017
  • 2017
TLDR
This work discusses the RowHammer problem in DRAM, which is a prime (and perhaps the first) example of how a circuit-level failure mechanism can cause a practical and widespread system security vulnerability, and describes and advocates a principled approach to memory reliability and security research that can enable us to better anticipate and prevent such vulnerabilities.
Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks
TLDR
This paper provides concrete evidence of the susceptibility of ECC memory to Rowhammer attacks, and describes a novel approach that combines a custom-made hardware probe, Rowhammer bit flips, and a cold boot attack to reverse engineer ECC functions on commodity AMD and Intel processors.
TWiCe: Preventing Row-hammering by Exploiting Time Window Counters
TLDR
This paper proposes a new counter-based RH prevention solution named Time Window Counter (TWiCe) based row refresh, which accurately detects potential RH attacks only using a small number of counters with a minimal performance impact.
Drammer: Deterministic Rowhammer Attacks on Mobile Platforms
TLDR
It is shown that deterministic Rowhammer attacks are feasible on commodity mobile platforms and that they cannot be mitigated by current defenses, and the first Rowhammer-based Android root exploit is presented, relying on no software vulnerability, and requiring no user permissions.