DOI: 10.1145/3297858.3304039

Protecting Page Tables from RowHammer Attacks using Monotonic Pointers in DRAM True-Cells

Published: 04 April 2019

Abstract

We identify an important asymmetry in physical DRAM cells that can be utilized to prevent RowHammer attacks by adding 18 lines of code to modify the OS memory allocator. Our small modification has a powerful impact on RowHammer's ability to bypass memory protection mechanisms and achieve a successful attack. Specifically, we identify two types of DRAM cells: true-cells and anti-cells. In a true-cell, a leaking capacitor will induce a '1'->'0' error, while in anti-cells, errors flow from '0'->'1'. We then create DRAM cell-type-aware memory allocation which enables a "monotonicity property" for a given data object. The monotonicity property is able to counter RowHammer attacks (and, to a broader extent, other memory attacks) by allocating only one type of cells for an object, thereby restricting error direction. We apply the monotonicity property to pointers in page tables by placing all page tables in true-cells that are above a "low water mark". We show that this approach successfully defends against page-table-based privilege escalation RowHammer attacks. Using established RowHammer-induced bit-flip error statistics, we provide proofs of the soundness and completeness of our technique and show that with our technique only one out of 2.04x10^5 systems is vulnerable to the attack, and the expected attack time on the vulnerable system is 231 days. We also provide application performance results from prototypes implemented through modifications to Linux kernels. Our cross-layer approach avoids undesirable energy cost, hardware changes, performance overhead, and high software complexity associated with prior countermeasures.

Published In

ASPLOS '19: Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems
April 2019
1126 pages
ISBN:9781450362405
DOI:10.1145/3297858

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. DRAM true-cell
  2. monotonously
  3. page tables
  4. privilege escalation
  5. rowhammer attacks
  6. security

Qualifiers

  • Research-article

Conference

ASPLOS '19

Acceptance Rates

ASPLOS '19 Paper Acceptance Rate 74 of 351 submissions, 21%;
Overall Acceptance Rate 535 of 2,713 submissions, 20%
