NVM-Flip: Non-Volatile-Memory BitFlips on the System Level
Authors: 
Felix Staudigl, Jan Philipp Thoma, Christian Niesler, Karl Sturm, Rebecca Pelke, Dominik Germek, Jan Moritz Joseph, Tim Güneysu, Lucas Davi, Rainer LeupersAuthors Info & Claims
Felix Staudigl, Jan Philipp Thoma, Christian Niesler, Karl Sturm, Rebecca Pelke, Dominik Germek, Jan Moritz Joseph, Tim Güneysu, Lucas Davi, Rainer LeupersAuthors Info & ClaimsPages 11 - 20
Abstract
Emerging non-volatile memories (NVMs) are promising candidates to substitute conventional memories due to their low access latency, high integration density, and non-volatility. These superior properties stem from the memristor representing the centerpiece of each memory cell and is branded as the fourth fundamental circuit element. Memristors encode information in the form of its resistance by altering the physical characteristics of their filament. Hence, each memristor can store multiple bits increasing the memory density and positioning it as a potential candidate to replace DRAM and SRAM-based memories, such as caches.
However, new security risks arise with the benefits of these emerging technologies, like the recent NeuroHammer attack, which allows adversaries to deliberately flip bits in ReRAMs. While NeuroHammer has been shown to flip single bits within memristive crossbar arrays, the system-level impact remains unclear. Considering the significance of the Rowhammer attack on conventional DRAMs, NeuroHammer can potentially cause crucial damage to applications taking advantage of emerging memory technologies.
To answer this question, we introduce NVgem5, a versatile system-level simulator based on gem5. NVgem5 is capable of injecting bit-flips in eNVMs originating from NeuroHammer. Our experiments evaluate the impact of the NeuroHammer attack on main and cache memories. In particular, we demonstrate a single-bit fault attack on cache memories leaking the secret key used during the computation of RSA signatures. Our findings highlight the need for improved hardware security measures to mitigate the risk of hardware-level attacks in computing systems based on eNVMs.
References
[1]
An Chen. A Review of Emerging Non-Volatile Memory (NVM) Technologies and Applications. Solid-State Electronics (2016).
[2]
Binkert, N., Beckmann, B., Black, G., et al. The Gem5 Simulator. SIGARCH (2011).
[3]
Boneh, D., DeMillo, R. A., and Lipton, R. J. On the Importance of Eliminating Errors in Cryptographic Computations. J. Cryptol. (2001).
[4]
Chiappetta, M., Savas, E., and Yilmaz, C. Real Time Detection of Cache-based Side-Channel Attacks Using Hardware Performance Counters. Applied Soft Computing 49 (2016), 1162--1174.
[5]
Cojocar, L., Kim, J., Patel, M., et al. Are We Susceptible to Rowhammer? An End-to-End Methodology for Cloud Providers. In IEEE Symposium on Security and Privacy (SP) (May 2020), IEEE.
[6]
Cojocar, L., Kim, J., Patel, M., et al. Are we susceptible to rowhammer? an end-to-end methodology for cloud providers. In 2020 IEEE Symposium on Security and Privacy (SP) (2020), IEEE, pp. 712--728.
[7]
Cojocar, L., Razavi, K., Giuffrida, C., et al. Exploiting correcting codes: On the effectiveness of ecc memory against rowhammer attacks. In 2019 IEEE Symposium on Security and Privacy (SP) (2019), IEEE, IEEE, pp. 55--71.
[8]
De, A., Khan, M. N. I., Park, J., et al. Replacing eFlash with STTRAM in IoTs: Security Challenges and Solutions. Journal of Hardware and Systems Security (2017).
[9]
Demme, J., Maycock, M., Schmitz, J., et al. On The Feasibility of Online Malware Detection With Performance Counters. In The 40th Annual International Symposium on Computer Architecture, ISCA'13, Tel-Aviv, Israel, June 23--27, 2013 (2013), A. Mendelson, Ed., ACM, pp. 559--570.
[10]
DeSalvo, B., Vianello, E., Thomas, O., et al. Emerging resistive memories for low power embedded applications and neuromorphic systems. In 2015 IEEE International Symposium on Circuits and Systems (ISCAS) (2015), IEEE, pp. 3088-- 3091.
[11]
Di Dio, A., Koning, K., Bos, H., et al. Copy-on-flip: Hardening ecc memory against rowhammer attacks. In Proceedings of the Network and Distributed System Security (NDSS) Symposium (2023).
[12]
Dodo, S. B., Bishnoi, R., and Tahoori, M. B. Secure STT-MRAM Bit-Cell Design Resilient to Differential Power Analysis Attacks. IEEE Transactions on Very Large Scale Integration (VLSI) Systems (2020).
[13]
Frigo, P., Vannacc, E., Hassan, H., et al. Trrespass: Exploiting the many sides of target row refresh. In 2020 IEEE Symposium on Security and Privacy (SP) (2020), IEEE, pp. 747--762.
[14]
Gallo, M. L., and Sebastian, A. An Overview of Phase-Change Memory Device Physics. J. Phys. D Appl. Phys. 53, 21 (2020), 213002.
[15]
Gruss, D., Maurice, C., Wagner, K., et al. FlushFlush: A Fast and Stealthy Cache Attack. In Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, San Sebastián, Spain, July 7--8, 2016, Proceedings (2016), J. Caballero, U. Zurutuza, and R. J. Rodríguez, Eds., vol. 9721 of Lecture Notes in Computer Science, Springer, pp. 279--299.
[16]
Guide, P. Intel® 64 and ia-32 architectures software developer's manual. Volume 3B: System programming Guide, Part 2, 11 (2011).
[17]
Intel. Intel® Optane? Memory Series, 2022.
[18]
Jiang, Y., Zhu, H., Shan, H., et al. Trrscope: Understanding target row refresh mechanism for modern ddr protection. In 2021 IEEE International Symposium on Hardware Oriented Security and Trust (HOST) (2021), IEEE, pp. 239--247.
[19]
Khan, M. N. I., Bhasin, S., Yuan, A., et al. Side-Channel Attack on STTRAM Based Cache for Cryptographic Application. In 2017 IEEE International Conference on Computer Design (ICCD) (2017), IEEE.
[20]
Khan, M. N. I., and Ghosh, S. Analysis of Row Hammer Attack on STTRAM. In IEEE 36th International Conference on Computer Design (ICCD) (Oct. 2018), IEEE.
[21]
Khan, M. N. I., and Ghosh, S. Information Leakage Attacks on Emerging Non-Volatile Memory and Countermeasures. In Proceedings of the International Symposium on Low Power Electronics and Design (2018), ACM.
[22]
Kim, Y., Daly, R., Kim, J., et al. Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors. In 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA) (June 2014), IEEE.
[23]
Kim, Y., Daly, R., Kim, J. S., et al. Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors. In ACM/IEEE 41st International Symposium on Computer Architecture, ISCA 2014, Minneapolis, MN, USA, June 14--18, 2014 (2014), IEEE Computer Society, pp. 361--372.
[24]
Krautter, J., Mayahinia, M., Gnad, D. R., et al. Data Leakage through Self- Terminated Write Schemes in Memristive Caches. In 2022 27th Asia and South Pacific Design Automation Conference (ASP-DAC) (2022), IEEE.
[25]
Lee, M.-J., Lee, C. B., Lee, D., et al. A Fast, High-Endurance and Scalable Non-Volatile Memory Device Made from Asymmetric Ta2O5-x/TaO2-x Bilayer Structures. Nature Materials (2011).
[26]
Leidel, J. D., and Chen, Y. HMC-Sim-2.0: A Simulation Platform for Exploring Custom Memory Cube Operations. In IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW) (May 2016), IEEE.
[27]
Li, H. H., Chen, Y., Liu, C., et al. Looking ahead for resistive memory technology: A broad perspective on ReRAM technology for future storage and computing. IEEE Consumer Electronics Magazine 6, 1 (Jan. 2017), 94--103.
[28]
Lipp, M., Schwarz, M., Raab, L., et al. Nethammer: Inducing rowhammer faults through network requests. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (2020), IEEE, pp. 710--719.
[29]
Liu, F., Yarom, Y., Ge, Q., et al. Last-level cache side-channel attacks are practical. In 2015 IEEE Symposium on Security and Privacy (May 2015), IEEE.
[30]
Liu, F., Zhao, W., Zhao, Y., et al. SME: ReRAM-based Sparse-Multiplication- Engine to Squeeze-Out Bit Sparsity of Neural Network, 2021.
[31]
Mao, M., Cao, Y., Yu, S., et al. Programming Strategies to Improve Energy Efficiency and Reliability of ReRAM Memory Systems. In IEEE Workshop on Signal Processing Systems (SiPS) (Oct. 2015), IEEE.
[32]
Mark Seaborn, T. D. Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges, 2015.
[33]
Morelos-Zaragoza, R. H. The Art of Error Correcting Coding. John Wiley & Sons, 2006.
[34]
Mutlu, O., and Kim, J. S. Rowhammer: A retrospective. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 39, 8 (2019), 1555--1571.
[35]
Osvik, D. A., Shamir, A., and Tromer, E. Cache Attacks and Countermeasures: The Case of AES. In Topics in Cryptology -- CT-RSA 2006. Springer Berlin Heidelberg, Berlin, Heidelberg, Jan. 2006, pp. 1--20.
[36]
Parkin, S., Jiang, X., Kaiser, C., et al. Magnetically Engineered Spintronic Sensors and Memory. Proc. IEEE 91, 5 (2003), 661--680.
[37]
Poremba, M., and Xie, Y. NVMain: An Architectural-Level Main Memory Simulator for Emerging Non-volatile Memories. In IEEE Computer Society Annual Symposium on VLSI (Aug. 2012), IEEE.
[38]
Rai, S., Garg, S., Pilato, C., et al. Vertical IP Protection of the Next-Generation Devices: Quo Vadis? In Design, Automation Test in Europe Conference Exhibition (DATE) (2021), pp. 1905--1914.
[39]
Razavi, K., Gras, B., Bosman, E., et al. Flip feng shui: Hammering a needle in the software stack. In 25th USENIX Security Symposium (USENIX Security 16) (Austin, TX, Aug. 2016), USENIX Association, pp. 1--18.
[40]
Rosenfeld, P., Cooper-Balis, E., and Jacob, B. DRAMSim2: A Cycle Accurate Memory System Simulator. IEEE Computer Architecture Letters 10, 1 (Jan. 2011), 16--19.
[41]
Saileshwar, G., and Qureshi, M. K. MIRAGE: Mitigating Conflict-Based Cache Attacks with a Practical Fully-Associative Design. In 30th USENIX Security Symposium, USENIX Security 2021, August 11--13, 2021 (2021), M. Bailey and R. Greenstadt, Eds., USENIX Association, pp. 1379--1396.
[42]
Seaborn, M., and Dullien, T. Exploiting the DRAM Rowhammer Bug to gain Kernel Privileges. Black Hat (2015).
[43]
Serino, A., and Cheng, L. Real-time operating systems for cyber-physical systems: Current status and future research. In 2020 International Conferences on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData) and IEEE Congress on Cybermatics (Cybermatics) (2020), IEEE, pp. 419--425.
[44]
Sisejkovic, D., and Leupers, R. Trustworthy Hardware Design with Logic Locking. In IFIP/IEEE 29th International Conference on Very Large Scale Integration (VLSI-SoC) (2021), pp. 1--2.
[45]
Smith, A. J. Cache Memories. ACM Computing Surveys 14, 3 (Sept. 1982), 473--530.
[46]
Song,W., and Liu, P. Dynamically Finding Minimal Eviction Sets Can Be Quicker Than You Think for Side-Channel Attacks against the LLC. In 22nd International Symposium on Research in Attacks, Intrusions and Defenses, RAID (2019).
[47]
Staudigl, F., Al Indari, H., Schön, D., et al. NeuroHammer: Inducing Bit-Flips in Memristive Crossbar Memories. In 2022 Design, Automation & Test in Europe Conference & Exhibition (DATE) (2022), IEEE.
[48]
Staudigl, F., Merchant, F., and Leupers, R. A Survey of Neuromorphic Computing-in-Memory: Architectures, Simulators, and Security. IEEE Design & Test (2022).
[49]
Tanenbaum, A. S., and Goodman, J. Computerarchitektur: Strukturen, Konzepte, Grundlagen. Pearson Studium München et al., 2006.
[50]
Tatar, A., Konoth, R. K., Athanasopoulos, E., et al. Throwhammer: Rowhammer attacks over the network and defenses. In 2018 {USENIX} Annual Technical Conference ({USENIX} {ATC} 18) (2018), pp. 213--226.
[51]
Thoma, J. P., and Güneysu, T. Write Me and I'll Tell You Secrets - Write-After- Write Effects On Intel CPUs. In 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID (2022), ACM.
[52]
Thoma, J. P., Niesler, C., Funke, D. A., et al. ClepsydraCache -- Preventing Cache Attacks with Time-Based Evictions. In 32nd USENIX Security Symposium (USENIX Security 23) (Anaheim, CA, Aug. 2023), USENIX Association.
[53]
Thoziyoor, S., Muralimanohar, N., Ahn, J. H., et al. CACTI 5.1. Tech. rep., Technical Report HPL-2008--20, HP Labs, 2008.
[54]
Tromer, E., Osvik, D. A., and Shamir, A. Efficient Cache Attacks on AES, and Countermeasures. Journal of Cryptology 23, 1 (2010), 37--71.
[55]
Van Schaik, S., Milburn, A., Osterlund, S., et al. Ridl: Rogue in-flight data load. In 2019 IEEE Symposium on Security and Privacy (SP 2019) (United States, May 2019), Proceedings - IEEE Symposium on Security and Privacy, Institute of Electrical and Electronics Engineers Inc., pp. 88--105. 40th IEEE Symposium on Security and Privacy, SP 2019 ; Conference date: 19-05--2019 Through 23-05--2019.
[56]
Vieira, J., Roma, N., Falcao, G., et al. gem5-ndp: Near-Data Processing Architecture Simulation From Low Level Caches to DRAM. In IEEE 34th International Symposium on Computer Architecture and High Performance Computing (SBACPAD) (Nov. 2022), IEEE.
[57]
Vila, P., Köpf, B., and Morales, J. F. Theory and practice of finding eviction sets. In 2019 IEEE Symposium on Security and Privacy (SP) (2019), IEEE, pp. 39--54.
[58]
von Witzleben, M., Fleck, K., Funck, C., et al. Investigation of the Impact of High Temperatures on the Switching Kinetics of Redox-based Resistive Switching Cells using a Highspeed Nanoheater. Adv. Electron. Mat. (2017).
[59]
Waser, R., and Aono, M. Nanoionics-based Resistive Switching Memories. Nature Materials (2007).
[60]
Werner, M., Unterluggauer, T., Giner, L., et al. ScatterCache: Thwarting Cache Attacks via Cache Set Randomization. In USENIX (2019), N. Heninger and P. Traynor, Eds.
[61]
Xu, S., Chen, X., Wang, Y., et al. PIMSim: A Flexible and Detailed Processingin- Memory Simulator. IEEE Computer Architecture Letters 18, 1 (Jan. 2019), 6--9.
[62]
Yan, M., Sprabery, R., Gopireddy, B., et al. Attack directories, not caches: Side channel attacks in a non-inclusive world. In 2019 IEEE Symposium on Security and Privacy (SP) (2019), pp. 888--904.
[63]
Yang, C., Liu, B., Li, H., et al. Thwarting Replication Attack Against Memristor- Based Neuromorphic Computing System. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (2020).
[64]
Yarom, Y., and Falkner, K. FLUSHRELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack. In Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, August 20--22, 2014 (2014), K. Fu and J. Jung, Eds., USENIX Association, pp. 719--732.
[65]
Zahoor, F., Zulkifli, T. Z. A., and Khanday, F. A. Resistive Random Access Memory (RRAM): an Overview of Materials, Switching Mechanism, Performance, Multilevel Cell (MLC) Storage, Modeling, and Applications. Nanoscale Research Letters (2020).
[66]
Zhang, T., Zhang, Y., and Lee, R. B. CloudRadar: A Real-Time Side-Channel Attack Detection System in Clouds. In Research in Attacks, Intrusions, and Defenses - 19th International Symposium, RAID 2016, Paris, France, September 19--21, 2016, Proceedings (2016), F. Monrose, M. Dacier, G. Blanc, and J. García-Alfaro, Eds., vol. 9854 of Lecture Notes in Computer Science, Springer, pp. 118--140.
Index Terms
- NVM-Flip: Non-Volatile-Memory BitFlips on the System Level
Recommendations
Emerging NVM: A Survey on Architectural Integration and Research Challenges
There has been a surge of interest in Non-Volatile Memory (NVM) in recent years. With many advantages, such as density and power consumption, NVM is carving out a place in the memory hierarchy and may eventually change our view of computer architecture. ...
ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks
ASPLOS'16Ensuring the integrity and security of the memory system is critical. Recent studies have shown serious security concerns due to "rowhammer" attacks, where repeated accesses to a row of memory cause bit flips in adjacent rows. Recent work by Google's ...
Redesign the Memory Allocator for Non-Volatile Main Memory
Special Issue on Hardware and Algorithms for Learning On-a-chip and Special Issue on Alternative Computing SystemsThe non-volatile memory (NVM) has the merits of byte-addressability, fast speed, persistency and low power consumption, which make it attractive to be used as main memory. Commonly, user process dynamically acquires memory through memory allocators. ...
Comments
Information & Contributors
Information
Published In
June 2024
97 pages
ISBN:9798400705557
DOI:10.1145/3643650
- Program Chairs:
- Maanak Gupta,
- Mahmoud Abdelsalam,
- Mir Pritom,
- Feras Awaysheh
Copyright © 2024 Owner/Author.
This work is licensed under a Creative Commons Attribution-NonCommercial International 4.0 License.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 19 June 2024
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
Conference
CODASPY '24
Sponsor:
CODASPY '24: Fourteenth ACM Conference on Data and Application Security and Privacy
June 21, 2024
Porto, Portugal
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 217Total Downloads
- Downloads (Last 12 months)217
- Downloads (Last 6 weeks)53
Reflects downloads up to 25 Dec 2024
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in