Row Hammer - Papers We Love

Transcript

1. Row Hammer: Flipping Bits in Memory Without Accessing Them Yoongu

   Kim Ross Daly Jeremie Kim Chris Fallin Ji Hye Lee Onur Mutlu Donghyuk Lee Chris Wilkerson Konrad Lai Papers We Love #026 | Vishnu Prem | @burnflare

2. Hello! Vishnu Prem Y4 Computer Science @ NUS. NUS Hackers.

   This is my second Papers We Love. Presented Diffie-Hellman Key Exchange a year ago.

3. The Paper Flipping Bits in Memory Without Accessing Them: An

   Experimental Study of DRAM Disturbance Errors Joint publication by CMU & Intel Labs. Hardware vulnerability in RAM that has security implications. Flaw is unpatchable

4. What’s DRAM A trip down memory lane.

5. Micron Technology MT4C1024 DRAM

6. DRAM Cell Holds a single bit Implemented using Field-Effect Transistor

   & Capacitor Worldline activates, data dumped into bitline; C is discharged If C < Threshold =~ 0 If C > Threshold =~ 1 Loses its charge every 64ms wordline bitline FET C

7. bit 1 case = 1V = 0V Step 0: Capacitor

   holds a charge wordline bitline

8. bit 1 case = 1V = 0V Step 1: Precharge

   bitline to (1V - 0V) / 2 = 0.5V = 0.5V

9. bit 1 case = 1V = 0V Step 2: Wordline

   raised to high V, transistor allows current to pass = 0.5V = High V

10. bit 1 case = 1V = 0V Step 3: Since

    1V > 0.5V, C is discharged onto bitline Increasing bitline slightly to 0.55V = 0.5V = High V Note: Charge is C is now destroyed

11. bit 1 case = 1V = 0V Step 4: Sense

    Amplifiers detect slight change in bitline’s 0.55V = 1 bit They amplify bitline to 1V = 0.5V = High V

12. bit 1 case = 1V = 0V Step 5: C

    is recharged (refreshed) back to 1V = 0.5V = High V

13. bit 1 case = 1V = 0V Step 6: Wordline

    is switched off; bitline is switched off Value 1 read! = 0.5V = High V

14. bit 0 case = 1V = 0V Step 0: Capacitor

    holds no charge

15. bit 0 case = 1V = 0V Step 1: Precharge

    bitline to (1V - 0V) / 2 = 0.5V = 0.5V

16. bit 0 case = 1V = 0V Step 2: Wordline

    raised to high V, transistor allows current to pass = 0.5V = High V

17. bit 0 case = 1V = 0V Step 3: Since

    0V < 0.5V, C is charged from bitline Decreasing bitline slightly to 0.45V = 0.5V = High V

18. bit 0 case = 1V = 0V Step 4: Sense

    Amplifiers detect slight change in bitline’s 0.45V = 0 bit They amplify bitline to 0V = 0.5V = High V

19. bit 0 case = 1V = 0V Step 5: C

    is discharged (refreshed) back to 0V = 0.5V = High V

20. bit 0 case = 1V = 0V Step 6: Wordline

    is switched off; bitline is switched off Value 0 read! = 0.5V = High V

21. Ok 1 bit is cool, many gigs how?

22. None
23. None

24. Sen Sense Amplifiers

25. wordline bitline FET C

26. Row Selection Column Selection Row Buffer w b F C

27. Row Colum Ro w b F C Row Colum Ro

    w b F C Row Colum Ro w b F C Row Colum Ro w b F C Row Colum Ro w b F C Row Colum Ro w b F C Row Colum Ro w b F C Row Colum Ro w b F C

28. DRAM Array Row Selection Column Selection DRAM Controller Row Buffer

29. DRAM Open Row 0 1 1 0 1 0 0

    1 0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 Row Selection Column Selection DRAM Controller Row Buffer “Read Row 3, Col 4”

30. DRAM Open Row 0 1 1 0 1 0 0

    1 0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 Row Selection Column Selection DRAM Controller Row Buffer “Read Row 3, Col 4” 1. bitlines charged 2. wordline activated

31. DRAM Open Row 0 1 1 0 1 0 0

    1 0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 0 1 1 1 0 1 1 0 Row Selection Column Selection DRAM Controller Row Buffer “Read Row 3, Col 4” 1. bitlines charged 2. wordline activated 3. cells discharge 4. sense amps read bit

32. DRAM Open Row 0 1 1 0 1 0 0

    1 0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 0 1 1 1 0 1 1 0 Row Selection Column Selection DRAM Controller Row Buffer “Read Row 3, Col 4” 1. bitlines charged 2. wordline activated 3. cells discharge 4. sense amps read bit 5. sense amps amplify 6. row recharged

33. DRAM Open Row 0 1 1 0 1 0 0

    1 0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 0 1 1 1 0 1 1 0 Row Selection Column Selection DRAM Controller Row Buffer “Read Row 3, Col 4” 1. bitlines charged 2. wordline activated 3. cells discharge 4. sense amps read bit 5. sense amps amplify 6. row recharged 7. all 8 bits known!

34. DRAM Open Row 0 1 1 0 1 0 0

    1 0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 0 1 1 1 0 1 1 0 Row Selection Column Selection DRAM Controller Row Buffer “Read Row 3, Col 4” 1. bitlines charged 2. wordline activated 3. cells discharge 4. sense amps read bit 5. sense amps amplify 6. row recharged 7. all 8 bits known! “Read Row 3, Col 6”

35. DRAM Write Cell 0 1 1 0 1 0 0

    1 0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 0 1 1 1 0 1 1 0 Row Selection Column Selection DRAM Controller Row Buffer “Write 0 on that cell”

36. DRAM Write Cell 0 1 1 0 1 0 0

    1 0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 0 1 1 1 0 1 0 0 Row Selection Column Selection DRAM Controller Row Buffer “Write 0 on that cell” 1. write 0 on col buffer

37. DRAM Write Cell 0 1 1 0 1 0 0

    1 0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 0 1 1 1 0 1 0 0 Row Selection Column Selection DRAM Controller Row Buffer “Write 0 on that cell” 1. write 0 on col buffer 2. bitline set to 0V

38. DRAM Write Cell 0 1 1 0 1 0 0

    1 0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 0 1 1 1 0 1 0 0 Row Selection Column Selection DRAM Controller Row Buffer “Write 0 on that cell” 1. write 0 on col buffer 2. bitline set to 0V 3. 0 propogates to cell

39. DRAM Close Row 0 1 1 0 1 0 0

    1 0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 0 1 1 1 0 1 0 0 Row Selection Column Selection DRAM Controller Row Buffer “Read another row”

40. DRAM Close Row 0 1 1 0 1 0 0

    1 0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 0 1 1 1 0 1 0 0 Row Selection Column Selection DRAM Controller Row Buffer “Read another row” 1. deactivate wordline 2. discharge hotline

41. DRAM Close Row 0 1 1 0 1 0 0

    1 0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 Row Selection Column Selection DRAM Controller Row Buffer “Read another row” 1. deactivate wordline 2. discharge hotline 3. row buffer cleared

42. DRAM Refreshing 0 1 1 0 1 0 0 1

    0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 Row Selection Column Selection DRAM Controller Row Buffer Capacitors lose their charge constantly DDR3: every cell will be refreshed every 64ms Refresh = exactly same action as reading a row

43. DRAM Refreshing 0 1 1 0 1 0 0 1

    0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 Row Selection Column Selection DRAM Controller Row Buffer Capacitors lose their charge constantly DDR3: every cell will be refreshed every 64ms Refresh = exactly same action as reading a row

44. DRAM Refreshing 0 1 1 0 1 0 0 1

    0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 Row Selection Column Selection DRAM Controller Row Buffer Capacitors lose their charge constantly DDR3: every cell will be refreshed every 64ms Refresh = exactly same action as reading a row

45. DRAM Refreshing 0 1 1 0 1 1 0 0

    0 1 1 0 1 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 0 1 1 0 1 0 0 1 Row Selection Column Selection DRAM Controller Row Buffer Capacitors lose their charge constantly DDR3: every cell will be refreshed every 64ms Refresh = exactly same action as reading a row

46. DRAM Refreshing 0 1 1 0 1 0 0 1

    0 1 1 0 1 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 1 0 1 Row Selection Column Selection DRAM Controller Row Buffer Capacitors lose their charge constantly DDR3: every cell will be refreshed every 64ms Refresh = exactly same action as reading a row

47. DRAM Key Takeaways Reading one bit requires entire row to

    be read & refreshed Every 64ms, every cell must be refreshed wordline bitline FET C

48. DRAM Disturbances A tale of 0s & 1s.

49. DRAM Disturbances Smaller, Faster, Cheaper Harder for manufacturers to electrical

    seal cells between each other Paper discovered sometimes this extreme compactness causes leakage in the cells
50. None
51. None

52. ~1.2M accesses per refresh

53. Row Hammer

54. Row Hammer in Code code1a: mov (X), %eax mov (Y),

    %ebx clflush (X) clflush (Y) jmp code1a 1 2 3 4 5 6 1 2 3 4 5 6 code1b: mov (X), %eax clflush (X) jmp code1a Experiment Control
55. None

56. Row Hammer in Code 0 0 0 0 0 0

    0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Row Selection Column Selection DRAM Controller Row Buffer code1b: mov (X), %eax clflush (X) jmp code1a 1 2 3 4 5 6 X

57. Row Hammer in Code 0 0 0 0 0 0

    0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Row Selection Column Selection DRAM Controller Row Buffer code1b: mov (X), %eax clflush (X) jmp code1a 1 2 3 4 5 6 X

58. Row Hammer in Code 0 0 0 0 0 0

    0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Row Selection Column Selection DRAM Controller Row Buffer code1b: mov (X), %eax clflush (X) jmp code1a 1 2 3 4 5 6 X No flips

59. Row Hammer in Code 0 0 0 0 0 0

    0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Row Selection Column Selection DRAM Controller Row Buffer code1a: mov (X), %eax mov (Y), %ebx clflush (X) clflush (Y) jmp code1a 1 2 3 4 5 6 X Y

60. Row Hammer in Code 0 0 0 0 0 0

    0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Row Selection Column Selection DRAM Controller Row Buffer code1a: mov (X), %eax mov (Y), %ebx clflush (X) clflush (Y) jmp code1a 1 2 3 4 5 6 X Y Induces flips 1 1

61. Row Hammer in Code code1a: mov (X), %eax mov (Y),

    %ebx clflush (X) clflush (Y) jmp code1a 1 2 3 4 5 6 1 2 3 4 5 6 code1b: mov (X), %eax clflush (X) jmp code1a Induces errors No errors

62. How do we pick the right X & Y? code1a:

    mov (X), %eax mov (Y), %ebx clflush (X) clflush (Y) jmp code1a 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Row Selection Column Selection DRAM Controller Row Buffer 1 2 3 4 5 6 X Y

63. Hammer: Memory Address Selection 1. 8 banks -> 1/8 chance

    of same bank address pair 2. Hammer 4 or 8 addresses at once 3. Double-side row hammer Bare metal access Unprivileged access 1. Get physical address from /proc/ PID/pagemap
64. None
65. None

66. 55ns activation ~ 1.1M activations / refersh 64ms refresh ~

    1.1M activations / refersh

67. Aggressor row vs. Victim row

68. Try it at home! *** Iteration 0 (after 0.00s) Took

    213.2 ms per address set Took 2.13183 sec in total for 10 address sets Took 49.348 nanosec per memory access (for 43200000 memory accesses) This gives 162114 accesses per address per 64 ms refresh period Checking for bit flips took 0.219196 sec

69. Exploiting Row Hammer Cool stuff, Why should I be afraid?

70. What’s Memory Protection? Unprotected vs. Protected Memory

71. Unprotected Memory Physical Memory 0x0000 0xFFFF

72. Unprotected Memory Physical Memory 0x0000 0xFFFF Process A

73. Unprotected Memory Physical Memory 0x0000 0xFFFF Process A 0x1111 0x3333

74. Unprotected Memory Physical Memory 0x0000 0xFFFF Process A Process B

    0x1111 0x3333

75. Unprotected Memory Physical Memory 0x0000 0xFFFF Process A Process B

    0x1111 0x3333 0x4444 0x9999

76. Unprotected Memory Physical Memory 0x0000 0xFFFF Process A Process B

    0x1111 0x3333 0x4444 0x9999

77. Unprotected Memory Physical Memory 0x0000 0xFFFF Process A Process B

    0x1111 0x3333 0x4444 0x9999 X

78. Protected Memory Physical Memory 0x0000 0xFFFF

79. Protected Memory Physical Memory 0x0000 0xFFFF Process A’s Virtual Memory

    0x0000 0xFFFF

80. Protected Memory Physical Memory 0x0000 0xFFFF Process A’s Virtual Memory

    0x0000 0xFFFF

81. Protected Memory Physical Memory 0x0000 0xFFFF Process A’s Virtual Memory

    0x0000 0xFFFF

82. Protected Memory Physical Memory 0x0000 0xFFFF Process A’s Virtual Memory

    0x0000 0xFFFF Process B’s Virtual Memory 0x0000 0xFFFF

83. Linux Page Tables A Page is a fixed length continuous

    block of memory. A page is usually 4k. Page Table stores mapping between virtual & physical addresses. PT is 4k. Each mapping in Page Table is a Page Table Entry (PTE). Up to 512 PTEs in a PT. 512 x 4kb = 2MB. Every 2MB of VM requires 4kb of PT space Physical Memory Virtual Memory

84. Virtual Address Space Physical Address Space

85. Virtual Address Space Physical Address Space Allocate shared file from

    /dev/ shm/ with rw

86. Virtual Address Space Physical Address Space Allocate shared file from

    /dev/ shm/ with rw Access to physical address is written via PT

87. Virtual Address Space Physical Address Space Allocate shared file from

    /dev/ shm/ with rw Access to physical address is written via PT mmap() shared file many times

88. Virtual Address Space Physical Address Space Allocate shared file from

    /dev/ shm/ with rw Access to physical address is written via PT mmap() shared file many times PT in physical memory maps virtual address to physical address

89. Virtual Address Space Physical Address Space Allocate shared file from

    /dev/ shm/ with rw Access to physical address is written via PT mmap() shared file many times PT in physical memory maps virtual address to physical address

90. Virtual Address Space Physical Address Space Allocate shared file from

    /dev/ shm/ with rw Access to physical address is written via PT mmap() shared file many times PT in physical memory maps virtual address to physical address induce a bit flip

91. x86-64 Page Table Entries Page Table contains array of 512

    PTEs Each PTE is 64bit, looks like this: 20 bits on 4GB system → 31% chance

92. Virtual Address Space Physical Address Space Allocate shared file from

    /dev/ shm/ with rw Access to physical address is written via PT mmap() shared file many times PT in physical memory maps virtual address to physical address induce a bit flip

93. Virtual Address Space Physical Address Space Allocate shared file from

    /dev/ shm/ with rw Access to physical address is written via PT mmap() shared file many times PT in physical memory maps virtual address to physical address induce a bit flip rw access to that (kernal owned) PT maps to Z Y

94. PT is mapping a virtual address we own Virtual Address

    Space Physical Address Space Allocate shared file from /dev/ shm/ with rw Access to physical address is written via PT mmap() shared file many times PT in physical memory maps virtual address to physical address induce a bit flip rw access to that (kernal owned) PT

95. PT is mapping a virtual address we own rw entire

    physical memory! Virtual Address Space Physical Address Space Allocate shared file from /dev/ shm/ with rw Access to physical address is written via PT mmap() shared file many times PT in physical memory maps virtual address to physical address induce a bit flip rw access to that (kernal owned) PT

96. Exploiting Write Access to PTE Modify SUID (Set User ID

    upon execution) executables such as /bin/ping Overwriting entry point to run shell code Our shell code now runs as root!

97. Page Reuse Previous exploit requires us to be lucky We

    can increase our chances using PT reuse and create our own luck We know weak cells in a particular DRAM are repeatable

98. Physical Address Space allocate a huge amount of physical memory

    as 4kb pages

99. Physical Address Space allocate a huge amount of physical memory

    as 4kb pages row hammer everywhere to find weak bits

100. Physical Address Space allocate a huge amount of physical memory

     as 4kb pages row hammer everywhere to find weak bits release optimum 4kb page back to OS using munmap()

101. Physical Address Space allocate a huge amount of physical memory

     as 4kb pages row hammer everywhere to find weak bits release optimum 4kb page back to OS using munmap() allocate more memory so page gets used as PT

102. Physical Address Space allocate a huge amount of physical memory

     as 4kb pages row hammer everywhere to find weak bits release optimum 4kb page back to OS using munmap() allocate more memory so page gets used as PT spray everywhere with PTs like before

103. Physical Address Space allocate a huge amount of physical memory

     as 4kb pages row hammer everywhere to find weak bits release optimum 4kb page back to OS using munmap() allocate more memory so page gets used as PT spray everywhere with PTs like before

104. bitflip target bit via row hammer Physical Address Space allocate

     a huge amount of physical memory as 4kb pages row hammer everywhere to find weak bits release optimum 4kb page back to OS using munmap() allocate more memory so page gets used as PT spray everywhere with PTs like before

105. bitflip target bit via row hammer rw entire physical memory!

     Physical Address Space allocate a huge amount of physical memory as 4kb pages row hammer everywhere to find weak bits release optimum 4kb page back to OS using munmap() allocate more memory so page gets used as PT spray everywhere with PTs like before

106. More Row Hammer Exploits NaCl - Google Native Client Flip

     Feng Shui - Compromise OpenSSH & apt-get Drammer - Android POC

107. Mitigations Stopping this.

108. None

109. Solutions Proposed Make better chips Self correction (ECC DRAM) Increase

     refresh rate Targeted row refresh Probabilistic Adjacent Row Activation

110. Targeted Row Refresh Identify “hot” rows and refresh neighbours Count

     activations for a row Refresh neighbours when counter reaches threshold LPDDR4 has this in spec

111. Probabilistic Adjacent Row Activation Proposal in the paper Every time

     a row is opened or closed, refresh an adjacent row with very low probability Statistically, adjacent rows will be refreshed if one row is hammered

112. References & Links Thank you! The paper Google Project Zero

     blogpost Blackhat presentation Drammer Android POC

113. Row Hammer: Flipping Bits in Memory Without Accessing Them Yoongu

     Kim Ross Daly Jeremie Kim Chris Fallin Ji Hye Lee Onur Mutlu Donghyuk Lee Chris Wilkerson Konrad Lai Papers We Love #026 | Vishnu Prem | @burnflare