
ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks

Published: 25 March 2016

Abstract

Ensuring the integrity and security of the memory system is critical. Recent studies have shown serious security concerns due to "rowhammer" attacks, where repeated accesses to a row of memory cause bit flips in adjacent rows. Recent work by Google's Project Zero has shown how to leverage rowhammer-induced bit flips as the basis for security exploits that include malicious code injection and memory privilege escalation. Because rowhammer is an important security concern, industry has attempted to defend against it. Deployed defenses employ two strategies: (1) doubling the system DRAM refresh rate and (2) restricting access to the CLFLUSH instruction that attackers use to bypass the cache to increase memory access frequency (i.e., the rate of rowhammering). We demonstrate that such defenses are inadequate: we implement rowhammer attacks that both avoid using the CLFLUSH instruction and cause bit flips with a doubled refresh rate. Our next-generation CLFLUSH-free rowhammer attack bypasses the cache by manipulating cache replacement state to allow frequent misses out of the last-level cache to DRAM rows of our choosing.
To protect existing systems from more advanced rowhammer attacks, we develop a software-based defense, ANVIL, which thwarts all known rowhammer attacks on existing systems. ANVIL detects rowhammer attacks by tracking the locality of DRAM accesses using existing hardware performance counters. Our detector identifies the rows being frequently accessed (i.e., the aggressors), then selectively refreshes the nearby victim rows to prevent hammering. Experiments running on real hardware with the SPEC2006 benchmarks show that ANVIL has less than a 1% false positive rate and an average slowdown of 1%. ANVIL is low-cost and robust, and our experiments indicate that it is an effective approach for protecting existing and future systems from even advanced rowhammer attacks.
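
The detection idea in the abstract (find rows with unusually concentrated DRAM accesses, then pick their neighbours for refresh) can be sketched as follows. This is an added example, not code from the paper or from ANVIL itself; the linear row mapping (`ROW_SHIFT`), the table size, the `HOT_PERCENT` threshold, all function names and the sample window are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Assumptions for illustration only, not values taken from the paper. */
#define ROW_SHIFT   13  /* assumed mapping: one DRAM row per 8 KiB of address */
#define MAX_ROWS    64  /* distinct rows tracked per sampling window */
#define HOT_PERCENT 20  /* share of samples that marks a row as an aggressor */
struct row_count { uint64_t row; unsigned hits; };

static size_t add_unique(uint64_t *v, size_t n, size_t cap, uint64_t row)
{
    for (size_t i = 0; i < n; i++)
        if (v[i] == row) return n;           /* already queued for refresh */
    if (n < cap) v[n++] = row;
    return n;
}
/* Count sampled miss addresses per row, then list the neighbours of every
 * hot row. Returns the number of victim rows written to victims[]. */
size_t find_victims(const uint64_t *samples, size_t n, uint64_t *victims, size_t cap)
{
    struct row_count tab[MAX_ROWS];
    size_t used = 0, out = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t row = samples[i] >> ROW_SHIFT;
        size_t j = 0;
        while (j < used && tab[j].row != row) j++;
        if (j == used) {
            if (used == MAX_ROWS) continue;  /* table full: ignore this sample */
            tab[used++] = (struct row_count){ row, 0 };
        }
        tab[j].hits++;
    }
    for (size_t j = 0; j < used; j++) {
        if ((uint64_t)tab[j].hits * 100 < (uint64_t)n * HOT_PERCENT) continue;
        if (tab[j].row > 0)                  /* row 0 has no lower neighbour */
            out = add_unique(victims, out, cap, tab[j].row - 1);
        out = add_unique(victims, out, cap, tab[j].row + 1);
    }
    return out;
}
/* Constructed window of 100 samples: rows 10 and 12 dominate when hot != 0,
 * otherwise accesses are spread evenly over 50 rows. */
size_t demo_window(int hot, uint64_t *victims, size_t cap)
{
    uint64_t s[100];
    for (size_t i = 0; i < 100; i++) {
        uint64_t row = (hot && i < 80) ? (i % 2 ? 12 : 10) : 100 + i / 2;
        s[i] = (row << ROW_SHIFT) | (i * 64 % 8192);
    }
    return find_victims(s, 100, victims, cap);
}
```

In the concentrated window the shared neighbour, row 11, is queued only once, while the evenly spread window yields no victim rows and therefore no extra refresh work.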

Published In

ACM SIGARCH Computer Architecture News, Volume 44, Issue 2
ASPLOS'16
May 2016
774 pages
ISSN: 0163-5964
DOI: 10.1145/2980024
  • ASPLOS '16: Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems
    March 2016
    824 pages
    ISBN: 9781450340915
    DOI: 10.1145/2872362
    General Chair: Tom Conte
    Program Chair: Yuanyuan Zhou

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published in SIGARCH Volume 44, Issue 2

Author Tags

  1. CLFLUSH
  2. DRAM
  3. bit-plru
  4. disturbance errors
  5. intel pebs
  6. kernel module
  7. performance counters
  8. rowhammer

Qualifiers

  • Research-article

Funding Sources

  • Center for Future Architectures Research (C-FAR)
