Content deleted Content added
Citation bot (talk | contribs) Added date. | Use this bot. Report bugs. | Suggested by Abductive | Category:Computer security exploits | #UCB_Category 39/156 |
No edit summary Tags: Reverted references removed Visual edit Mobile edit Mobile web edit |
||
Line 3:
{{Use mdy dates|date=March 2015}}
'''Row hammer''' (also written as '''rowhammer''') is a computer security exploit that takes advantage of an unintended and undesirable side effect in
The row hammer effect has been used in some
| url = https://arstechnica.com/security/2016/10/using-rowhammer-bitflips-to-root-android-phones-is-now-a-thing/
| title = Using Rowhammer bitflips to root Android phones is now a thing
| newspaper = Ars Technica
| access-date = October 25, 2016
▲}}</ref> and network-based attacks are also theoretically possible.<ref>{{cite news
Different hardware-based techniques exist to prevent the row hammer effect from occurring, including required support in some
== Background ==
Line 62 ⟶ 33:
}}</ref>
Memory cells (blue squares in both illustrations) are further organized into [[matrix (mathematics)|matrices]] and addressed through rows and columns. A memory address applied to a matrix is broken into the row address and column address, which are processed by the row and column [[address decoder]]s (in both illustrations, vertical and horizontal green rectangles, respectively). After a row address selects the row for a read operation (the selection is also known as [[row activation]]), bits from all cells in the row are transferred into the [[sense amplifier]]s that form the row buffer (red squares in both illustrations), from which the exact bit is selected using the column address. Consequently, read operations are of a destructive nature because the design of DRAM requires memory cells to be rewritten after their values have been read by transferring the cell charges into the row buffer. Write operations decode the addresses in a similar way, but as a result of the design entire rows must be rewritten for the value of a single bit to be changed.<ref name="isca14-paper">{{cite web |author1=Yoongu Kim |author2=Ross Daly |author3=Jeremie Kim |author4=Chris Fallin |author5=Ji Hye Lee |author6=Donghyuk Lee |author7=Chris Wilkerson |author8=Konrad Lai |author9=Onur Mutlu |date=June 24, 2014 |title=Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors |url=http://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf |access-date=March 10, 2015 |website=ece.cmu.edu |publisher=[[IEEE]]}}</ref>{{rp|2–3}}<ref name="cs7810"/><ref name="ece548"/><ref>{{cite web
| url = https://www.cs.princeton.edu/courses/archive/fall04/cos471/lectures/20-Memory.pdf
| archive-url = https://web.archive.org/web/20050519185856/http://www.cs.princeton.edu/courses/archive/fall04/cos471/lectures/20-Memory.pdf
Line 84 ⟶ 55:
[[File:Row hammer.svg|thumb|right|upright=1.4|Rapid row activations (yellow rows) may change the values of bits stored in victim row (purple row).<ref name="isca14-talk"/>{{rp|2}}]]
Increased densities of [[dynamic random-access memory|DRAM]] [[integrated circuit]]s have led to physically smaller memory cells containing less charge, resulting in lower operational [[noise margin]]s, increased rates of electromagnetic interactions between memory cells, and greater possibility of data loss. As a result, ''disturbance errors'' have been observed, being caused by cells interfering with each other's operation and manifesting as random changes in the values of bits stored in affected memory cells. The awareness of disturbance errors dates back to the early 1970s and [[Intel 1103]] as the first commercially available DRAM integrated circuits; since then, DRAM manufacturers have employed various [[vulnerability mitigation|mitigation]] techniques to counteract disturbance errors, such as improving the isolation between cells and performing production testing. However, researchers proved in a 2014 analysis that commercially available [[DDR3 SDRAM]] chips manufactured in 2012 and 2013 are susceptible to disturbance errors, while using the term ''row hammer'' to name the associated side effect that led to observed [[soft error|bit flips]].<ref name="isca14-paper"/><ref name="sophos">{{cite web |author=Ducklin |first=Paul |date=March 12, 2015 |title='Row hammering' – how to exploit a computer by overworking its memory |url=https://nakedsecurity.sophos.com/2015/03/12/row-hammering-how-to-exploit-a-computer-by-overworking-its-memory/ |access-date=March 14, 2015 |publisher=[[Sophos]]}}</ref><ref name="isca14-talk">{{cite web
| url = http://users.ece.cmu.edu/~omutlu/pub/dram-row-hammer_kim_talk_isca14.pdf
| title = Flipping Bits in Memory Without Accessing Them: DRAM Disturbance Errors
Line 114 ⟶ 85:
}}</ref>
A variant called ''double-sided hammering'' involves targeted activations of two DRAM rows surrounding a victim row: in the illustration provided in this section, this variant would be activating both yellow rows with the aim of inducing bit flips in the purple row, which in this case would be the victim row. Tests show that this approach may result in a significantly higher rate of disturbance errors, compared to the variant that activates only one of the victim row's neighboring DRAM rows.<ref name="googleprojectzero">{{cite web |last1=Seaborn |first1=Mark |last2=Dullien |first2=Thomas |date=March 9, 2015 |title=Exploiting the DRAM rowhammer bug to gain kernel privileges |url=http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html |access-date=March 10, 2015 |website=googleprojectzero.blogspot.com}}</ref><ref name="blackhat">{{cite web
| url = https://www.blackhat.com/docs/us-15/materials/us-15-Seaborn-Exploiting-The-DRAM-Rowhammer-Bug-To-Gain-Kernel-Privileges.pdf
| title = Exploiting the DRAM rowhammer bug to gain kernel privileges: How to cause and exploit single bit errors
Line 163 ⟶ 134:
}}</ref>
Since the release of [[Ivy Bridge (microarchitecture)|Ivy Bridge]] [[microarchitecture]], [[Intel]] [[Xeon]] processors support the so-called ''pseudo target row refresh'' (pTRR) that can be used in combination with pTRR-compliant DDR3 [[dual in-line memory module]]s (DIMMs) to mitigate the row hammer effect by automatically refreshing possible victim rows, with no negative impact on performance or power consumption. When used with DIMMs that are not pTRR-compliant, these Xeon processors by default fall back on performing DRAM refreshes at twice the usual frequency, which results in slightly higher memory access latency and may reduce the memory bandwidth by up to 2–4%.<ref name="intel-d2s2e4">{{cite web |author=Marcin Kaczmarski |date=August 2014 |title=Thoughts on Intel Xeon E5-2600 v2 Product Family Performance Optimisation – Component selection guidelines |url=http://infobazy.gda.pl/2014/pliki/prezentacje/d2s2e4-Kaczmarski-Optymalna.pdf |access-date=March 11, 2015 |publisher=[[Intel]] |page=13}}</ref>
The [[LPDDR4]] mobile memory standard published by [[JEDEC]]<ref name="jedec-lpddr4">{{cite web
Line 171 ⟶ 142:
| publisher = [[JEDEC]] | format = PDF
| pages = 222–223
}}</ref> includes optional hardware support for the so-called ''target row refresh'' (TRR) that prevents the row hammer effect without negatively impacting performance or power consumption.<ref name="memcon-net105">{{cite web |author=Greenberg |first=Marc |date=October 15, 2014 |title=Reliability, Availability, and Serviceability (RAS) for DDR DRAM interfaces |url=http://www.memcon.com/pdfs/proceedings2014/NET105.pdf |url-status=dead |archive-url=https://web.archive.org/web/20160705220034/http://www.memcon.com/pdfs/proceedings2014/NET105.pdf |archive-date=July 5, 2016 |access-date=March 11, 2015 |website=memcon.com |pages=2, 7, 10, 20, 27}}</ref><ref>{{cite web
| url = http://www.memcon.com/pdfs/proceedings2014/MOB102.pdf#page=11
| title = DRAM scaling challenges and solutions in LPDDR4 context
| |||