# Rowhammer: A Retrospective

Onur Mutlu, Jeremie S. Kim

#### Background: DRAM Cells



#### **Figure 1: DRAM hierarchy**

Figure taken from *Fei Gao, Georgios Tziantzioulis, and David Wentzlaff. 2019. ComputeDRAM: In-Memory Compute Using Off-the-Shelf DRAMs. MICRO '52* Figure taken from *Y. Kim et al., "Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors," ISCA 2014*

"For example, in an x86 machine with a single DIMM, each row contains 1,048,576 cells that can store 128 kB of data."

#### Background: DRAM Cells



Figure 2: An example command sequence to read the DRAM from bank  $B_1$ , row  $R_1$ . If we want to read from another row  $R_2$  in the same bank, we need to first precharge that bank and activate  $R_2$ .

Figure taken from *Fei Gao, Georgios Tziantzioulis, and David Wentzlaff. 2019. ComputeDRAM: In-Memory Compute Using Off-the-Shelf DRAMs. MICRO '52*



Figure taken from *Bahar Talukder, Bashir Mohammad Sabquat & Ray, Biswajit & Forte, Domenic & Rahman, Md Tauhidur. (2019). PreLatPUF: Exploiting DRAM Latency Variations for Generating Robust Device Signatures. IEEE Access*

- The **PRECHARGE** command applies to a whole bank. It first closes the currently opened row by zeroing all word-lines in the target bank,<br>and subsequently drives all bit-lines to Vdd/2 as an initial value.
- The **ACTIVATE** command targets a specific row. The word-line of the addressed row is raised high, which connects the cells of that<br>row directly to the bit-lines. Charge sharing then occurs between the storage cell and the bit-line.
- The **READ/WRITE** commands apply to four or eight consecutive columns according to the burst mode. Based on the starting column address, the corresponding columns of data in the global row buffer are read out to or written from the I/O pins.

#### Motivation

- Bit cells in DRAMs are getting smaller; frequencies are getting faster
	- Each cell has lower capacitance, more prone to leakage.
	- Cells got closer to each other due to the high density.
	- Higher frequency means more reads/write can get executed during each refresh period.
- Rowhammer exploits the analog volatility of DRAM.

#### Method

In the original ISCA 2014 Paper, the authors found that repeatedly accessing adjacent rows of the victim row can occasionally cause the bit to flip.

Original paper used FPGA to directly hammer the DRAM modules. Follow-up works use CPU commands instead.



a. Induces errors

**b.** Does not induce errors

Code 1. Assembly code executed on Intel/AMD machines

#### RowHammer – Evaluation

- For all evaluations, unless otherwise stated:
	- **Activation Interval** = 55ns / access (open-read-close cycle), maximum allowed
	- **Refresh Interval** = 64ms refresh time, default value in DDR3 standard.
	- 2.33  $\times$  10<sup>6</sup> op/s

## $\text{RowH}$ ammer paper. However, it is important to note that these speculations are



Were there any speculations on who is company A, B and C, re

Searching for: speculations companies A B C rowhammer paper

- Searching for: speculations companies A B C rowhammer paper ieee
- Generating answers for you...

I couldn't find any speculations on who companies A, B and C are. According to a retrospective paper on RowHammer published in IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, the companies that were affected by RowHammer were not named in the original paper  $<sup>1</sup>$ .</sup>

Learn more: 1. bing.com 2. researchgate.net 3. arxiv.org 4. arxiv.org +3 more



not based on any concrete evidence and are purely speculative.

Some researchers and industry experts have speculated that the companies in question could be major DRAM manufacturers such as Samsung, Micron, or Hynix. These companies are among the largest DRAM manufacturers in the world and have been at the forefront of DRAM development for several years.

However, it is important to emphasize that the identities of the companies referred to as A, B, and C in the RowHammer paper have not been officially confirmed by the authors or any other reliable sources. The researchers intentionally did not disclose the identities of the companies to avoid any potential legal issues or negative impacts on the companies' reputations.



#### RowHammer – Effect on refresh time



Figure 4. Number of errors as the refresh interval is varied

#### RowHammer – Activation Interval



#### RowHammer – Activation per RI



Figure 6. Number of errors vs. number of activations

#### RowHammer – Affected rows



#### RowHammer – Victim Cells

- Spatial location of victim cells do not show any pattern, locality or skew.
	- Some cells may end up near each other, by chance.
	- Can cause multi-bit levels, making the error uncorrectable by ECC.
- **Errors are Mostly Repeatable** 
	- Number of errors vary ±0.25% from the average value.
	- Over 70% cells are constant offenders. i.e. They are prone to RH attacks.
- Weak Cells (Cells with low retention times) has nothing to do with RH vulnerability.
- Not related to temperature.

#### Causes

- Proposed causes of RowHammer
	- **Electromagnetic coupling**: Changing the voltage of a wordline could inject noise into an adjacent wordline.
	- **Bridge** (DRAM manufacturing fault): Accelerate the flow of charge between two bridged cells.
	- **Hot-carrier injection**: Permanently damage the wordline by hot-carrier injection. Modify the amount of charge in cells or alter its characteristic.

#### Exploting RowHammer

- RowHammer errors violate two invariants that memory should provide:
	- 1) a read access should not modify data at any address
	- 2) a write access should modify data only at the address that it is supposed to write to.
- Thus, modifying memory by RowHammer breaches memory isolation and circumvents every memory protection mechanism.
- RowHammer-induced errors are predictably repeatable.

## Exploting RowHammer

- **Case Study #1: Flip Feng Shui**
- Attack one VM from another VM.

![](_page_14_Figure_3.jpeg)

- Hypervisors provide the illusion of full isolation:
	- Isolated Hardware Environment.
	- Isolated Software Environment.
	- Isolated data

![](_page_15_Figure_5.jpeg)

- Memory deduplication is frequently used to reduce resource consumption.
	- Deduplication: Pages with the same content are mapped to the same physical page.
	- Copy-On-Write: The deduplicated page will be copied and separated if some VM wrote to it.

![](_page_16_Figure_4.jpeg)

- What happens if Attacker VM writes to shared page?
- Copy-On-Write: The content will be copied and relinked. No Attack!

![](_page_17_Figure_3.jpeg)

- What happens if Attacker VM hammers a shared page?
- Attack is possible! Breaks Copy-On-Write.

![](_page_18_Figure_3.jpeg)

- **Memory templating**: identifying physical memory locations in which an attacker can induce a bit flip using a given hardware vulnerability.
- **Memory massaging**: steering targeted sensitive data towards the vulnerable physical memory locations.
- **Exploitation**: triggering the hardware vulnerability to corrupt the intended data for exploitation.

## Flip Feng Shui – Memory Templating

- Finding available "templates" for flipping bits.
	- When using RowHammer, equivalent to finding bits that are prone to RH.

## Flip Feng Shui – Memory Massaging

- The attacker need to know the victim's data.
	- For example, a public key held by the attacker.
- The attacker keeps the same data in its own virtual memory space at a RH-prone address, wait for deduplication to scan and merge.
	- To guarantee the row stays in the address allocated by the attacker, the attacker VM need to be started before the victim VM.
- Hammer the row.

## Flip Feng Shui – Exploitation

- Flip a bit in RSA public key to make it factorizable
- Flip a bit in APT repository to feed malicious packages.

Table 1: Examples of domains that are one bit flip away from ubuntu.com that we purchased.

![](_page_22_Picture_24.jpeg)

#### Flip Feng Shui – SSH Evaluation

![](_page_23_Figure_1.jpeg)

Figure 5: Number of usable 1-to-0 bit flips usable in the SSH authorized\_keys file for various modulus sizes.

Figure 8: CDF of success rate with increasing templates.

## Case Study #2 – Google Project Zero

• Published on GPZ blog, NOT PEER REVIEWED, NO ARTIFACT

#### • **NaCl sandbox escape**

- Native Client is a sandboxing system that only allows running a subset of x86/64 instructions.
- Developed by Google. Deprecated. Destaffed. Replaced with WebAssembly.
- **Kernel privilege escalation**

## Case Study #2 – NaCl sandbox escape

- Native Client
	- NaCl distributed as LLVM IR, then compiled in web browser.
	- Sets up x86 segments to restrict the memory range that the sandboxed code can access.
	- A code verifier to prevent use of unsafe instructions such as those that perform system calls.
	- Requires all jumps to be indirect jumps to 32-byte aligned address
	- Instruction must not cross the 32-byte address boundary
- NaCl assumes that the hardware behaves correctly. It assumes that memory locations don't change without being written to!

#### Case Study #2 – NaCl sandbox escape

- A bit flip in validated code can turn a safe instruction sequence into an unsafe one.
- jmp \*%rax -> jmp \*%rcx. The address in RCX in unchecked.
- 48 b8 0f 05 eb 0c f4 f4 f4 f4
- · Modifying the OPCODE is also possible.
	- $\frac{1}{1}$ mp  $0 \times 10$
	- hlt
	- hlt
	- hlt
	- hlt

#### Case Study #2 – NaCl sandbox escape

- Fills the sandbox's dynamic code area with 250MB of NaClized indirect jump instruction sequences using NaCl's dyncode create() API.
- In a loop:
	- Row-hammers the dynamic code area using CLFLUSH, picking random pairs of addresses.
	- Searches the dynamic code area for bit flips. If it sees an exploitable bit flip, it uses it to jump to shell code hidden inside NaCl-validated instructions. Otherwise, if the bit flip isn't exploitable, it continues.
- Mitigation: Disallow CLFLUSH in NaCl code.

- Use RH to induce a bit flip in a page table entry (PTE) that causes the PTE to point to a physical page containing a page table of the attacking process.
	- So the attacker process can write its own page table!
	- And can therefore access the entire physical memory

- **Find locations where a bit flip is useful.**
	- Bit 51 in a 64-bit word is the top bit of the physical page number in a PTE on x86-64. Not useful.
	- Bit 12 is the bottom bit of the PTE's physical page number. Useful.
- **Spray most of physical memory with page tables.** When a PTE's physical page number changes, there's a high probability that it will point to a page table for our process.
	- Repeatedly mmap () files to memory.

- Create a file in  $/\text{dev/shm}$  for mapping. Write a marker at the start of each 4K page so we can identify these pages.
- mmap () a large block of memory.
- Search this block for aggressor/victim addresses. Record the useful victim pages.
- munmap () all but the aggressor and victim pages and begin the exploit attempt.

- First, deliberately fragment physical memory.
	- Allocate a large portion of available physical memory.
	- Deallocate a page whenever we will cause the kernel to allocate a page.
- $mmap$  () the data file repeatedly at 2MB-aligned virtual address.
- Cause the kernel to populate some of the PTEs by accessing their corresponding pages. Only one PTE per table needed since we know where the vulnerable rows are.
- In the middle of this, we munmap () the victim page. With a high probability, the kernel will reuse this physical page as a page table.
	- We cannot read this page anymore, but we can RH it.
	- We won't be able to observe the bit flip directly.
- Scan the mapped memory region, see if any region no longer maps to the marked file we created.
- Check if the region contains a page table, a PTE.
- Check which virtual address this PTE is referring to by writing and scanning.

#### Exploting RowHammer – What has been hacked?

- Escape from the x86-64 sandbox environment Google Project Zero
- Exploiting the DRAM rowhammer bug to gain kernel privileges Google Project Zero
- Takeover of a victim VM by another attacker VM running on the same system
	- Compromises OpenSSH by modifying the public keys in a victim VM
	- Flips APT Ubuntu Archive Signing Keys to something more easily hackable

#### Exploting RowHammer – What else has been hacked?

- Drammer mobile device user-space program
	- Force a victim process to allocate its PTE in a RowHammer-vulnerable region of memory
- Remote takeover of a server via JavaScript code execution
- Takeover a mobile system by triggering RowHammer using the WebGL interface on a mobile GPU
- Takeover a remote system by triggering RowHammer through RDMA
- various other attacks [12], [31]–[33], [37], [54], [66], [73], [89], [107], [196], [197], [199], [234], [249], [258]. Thus,
- Researchers and practitioners will develop different types of attacks to exploit RowHammer in various contexts and in many more creative ways.

## Utilizing RowHammer (Again)

- PUF (Physical Unclonable Function)
	- The location of RowHammer-prone cells are fixed!
	- Generate bit flips in the region whose locations are unique to the device and can be used to identify the device
	- But Hammering on rows surrounding the region reserved by the RowHammer-based PUF causes the rows at the edges of the reserved DRAM region to have an increased number of bit flips.

#### RowHammer in Broader Context

- The emergence of RowHammer is not surprising at all.
- Fundamental problem: **cell-to-cell interference**
- All memory technologies exhibited such disturbance problems
	- SRAM, FLASH and hard disk drives
	- PCM, STT-MRAM and ReRAM
- This problem will accompany us into the future.

#### Responses to RowHammer

- Apple increased memory refresh rates
- Memtest86 included a RowHammer test
- A lot of other research and patents developed solutions to RowHammer

## Defending RowHammer

- We need both **immediate** and **long-term** solutions to the RowHammer problem
	- Immediate: Utilize things that are already present in current systems.
	- Long-term: Revise hardware.

## Defending RowHammer - Immediate

- Increase DRAM refresh rate in the memory controller
	- Apple, HP, Cisco, Lenovo, and IBM.
	- "Might be" practical and effective in reducing the vulnerability
	- Increased energy/power consumption, reduced system performance.
	- Total elimination as tested requires 7.8× increase in the refresh rate.
- ANVIL: Software-based detection of RowHammer attacks
	- Detect RowHammer with hardware counters
- Intelligently allocating and physically isolating pages
	- So RowHammer cannot hit anything important
- Prevented DMA-based attacks by isolating DMA buffers with additional buffer rows
- Analyze code, identify code segments that are probably RowHammer attacks and prevents them prior to execution
- ZebRAM Identify odd rows as safe and even rows as unsafe

#### Defending RowHammer - Authors

- Making better DRAM chips that are not vulnerable
- Using (strong) ECCs to correct RowHammer-induced errors
- Increasing the refresh rate for all of memory.
- Statically remapping/retiring RowHammer-prone cells via a one-time post-manufacturing analysis
- Dynamically remapping/retiring RowHammer-prone cells during system operation
- Accurately identifying hammered rows during runtime and refreshing their neighbors

#### Defending RowHammer - PARA

- Probabilistic Adjacent Row Activation
	- Every time a row is opened and closed, one of its adjacent rows is also opened (refreshed) with some low probability
	- Stateless : No expensive hardware data structures required
	- Performance and power consumption overheads are very low due to the infrequent activation (probability of refresh : 0.001 to 0.005)
- Need better cooperation between DRAM chip and memory controller due to remapping.

## Defending RowHammer – Long-term

- A small stack for maintaining access history information and decide to refresh
- Counter-based defences

#### Circuit-Level Studies

- RowHammer effect is governed by the charge pumping process.
	- Root cause: Charge recombination of the victim cell with electrons from the current channels between neighboring cells and their corresponding bitlines.
- Feature size aggravates the RowHammer effect
- Gamma Rays increase susceptibility to RowHammer
	- Low data retention time is not related to RowHammer susceptibility
- Temperature annealing can "repair" retention-weak cells, but not RowHammer-prone cells
- Hydrogen annealing can improve DRAM reliability against crosstalk, mitigate RowHammer attacks.

#### Current status

- RowHammer failure is still observed in state-of-the art DRAM devices.
	- DDR4
	- ECC DRAM
	- LPDDR3
	- IPDDR<sub>2</sub>
- DDR5 introduced RFM (Refresh Management)
	- MC will issue a refresh to a bank periodically, based on the ACTs it received.
	- RFM enables the separation of the tasks for RH-protection to both MC and DRAM by having the former generate an RFM command at a specific activation frequency and the latter take proper RH-protection measures within a given time window. *(M. J. Kim et al., "Mithril: Cooperative Row Hammer Protection on Commodity DRAM Leveraging Managed Refresh," HPCA 2022)*
	- No literature of successful RowHammer attack on DDR5 modules

#### Future Concerns

- Data Retention Failures
- DRAM Retention Failures
	- New failure patterns, such as variable retention time caused by trap-assisted gate-induced drain leakage, complicates things.
- NAND flash data retention issues
- Other vulnerabilities to NAND Flash Memory
	- Cell-to-cell interference; variation.
	- Exploit vulnerabilities in flash memory programming operations on existing SSDs to cause malicious data corruption.

Analog/Mixed Signal Information Flow Tracking

## VeriCoq-Analog

![](_page_46_Figure_1.jpeg)

- Analog designs are commonly handcrafted at the transistor level.
- Solutions
	- Perform IFT at the transistor level
	- Extract high-level analog modules (e.g. amplifiers, mixers, etc.) from the transistor level design and perform IFT at the analog module level.
- Considerations
	- In analog circuits, information may be carried not only through voltage but also through current.
	- Analog circuits involve transistors in various configurations.
	- The voltage on the bulk terminal of a transistor may also be manipulated to leak information to the source or drain terminals.
	- Other components, such as capacitors, resistors, etc. should also be considered for information flow.

## VeriCoq-Analog Model

- MOSFETs:
	- Any sensitive value on the gate is transferred to the drain and the source.
	- Any sensitive value on the bulk is transferred to the drain and the source.
	- Any sensitive value on the source is transferred to the drain and vice versa.
- BJTs:
	- Any sensitive value on the base is transferred to the emitter and the collector.
	- Any sensitive value on the emitter is transferred to the collector and vice versa
- Capacitors, inductors and resistors: Transparent
- Diodes: Also transparent, since voltage at both terminal can change current.
- … Then, create Verilog models for these devices.

#### VeriCoq-Analog Model

• High-sensitivity signals are expressed as a "1". Nonsensitive values are expressed as a "0".

```
1 // Modeling analog data flow in capacitors
2 // Resisitors, inductors and diodes are defined similarly
3 module cap (a, b);
    inout a, b;
    assign a = a \& b;6
    assign b = a \& b;
8 endmodule
\Omega10 // Modeling analog data flow in NMOS transistors
11 // PMOS transistors are defined similarly
12 module nch (d, b, q, s);
    input q;
13
    inout d, b, s;
14
15
    assign d = d \& b \& q \& s;16
    assign s = d \& b \& g \& s;17
18 endmodule
19
20 // Modeling analog data flow in NPN transistors
21 // PNP transistors are defined similarly
22 module npn (b, c, e);
    input b;
23
    inout c, e;
24
25
26
    assign c = b \& c \& e;assign e = b \& c \& e;27
28 endmodule
```
Fig. 9. Sample module definitions to mimic analog data flows in VeriCoq-IFT

#### VeriCoq-Analog Model

- High false-positive rate, as it basically models "Everything is connected to everything else."
- Requires the developer to accurately mark components as sensitivity reducers, or no path.