1 of 72

Blacksmith: Scalable Rowhammering �in the Frequency Domain

Patrick Jattke¹ Victor van der Veen² Pietro Frigo³ Stijn Gunter¹ Kaveh Razavi¹

¹ETH Zurich ²Qualcomm Inc. ³VU Amsterdam

43rd IEEE Symposium on Security & Privacy

May 23-26, 2022, San Francisco, CA

1

2 of 72

Summary

Samsung

Micron

Frequent Item Count Estimation

0

1

0

1

0

1

BLACKSMITH

100%

2

3 of 72

Background

a DRAM bank

Row buffer

a DRAM chip

DRAM banks consist of rows and columns

3

4 of 72

Background

a bit flipped!

1

0

a DRAM bank

DRAM banks consist of rows and columns

Row buffer

a DRAM chip

The Rowhammer Effect

1

0

1

0

1

0

1

0

repeat�hammering

leaking charge

aggressor 1

aggressor 2

victim

4

5 of 72

Rowhammer Attacks Are Practical

Network

ECC memory

Smartphone

Browser

Scenarios

DRAM Types

ECC

5

6 of 72

Methodology

Attack window

64 ms

synchronous

…

7.8 µs

periodic REFRESH command

6

7 of 72

Methodology

8192 intervals x 166 ACTs

= 1.3󠀠󠀠 M ACTs in total

Attack window

refresh window (64 ms)

≜ 8192 refresh intervals

refresh interval (7.8 µs)

≈166 activations

REF

7

8 of 72

Methodology

Example: Executing a 6-sided pattern

Aggressor

REF

8

9 of 72

Methodology

Example: Executing a 6-sided pattern

Aggressor

REF

9

10 of 72

Methodology

Example: Executing a 6-sided pattern

REF

Aggressor

10

11 of 72

Methodology

Example: Executing a 6-sided pattern

REF

Aggressor

Round

1

11

12 of 72

Methodology

Example: Executing a 6-sided pattern

REF

Aggressor

Round

1

2

3

4

5

6

7

8

N-7

N-6

N-5

N-4

N-3

N-2

N-1

N

12

13 of 72

Methodology

Example: Executing a 6-sided pattern

REF

Aggressor

Round

1

2

3

4

5

6

7

8

N-7

N-6

N-5

N-4

N-3

N-2

N-1

N

13

14 of 72

Methodology

Sampler

stream of DRAM ACT cmds

add(r_D)

Model of a mitigation

ACT(r_A)

ACT(r_D)

ACT(r_C)

Normal operation

row
r_D
...

...

14

15 of 72

Methodology

Inhibitor

r_D

Model of a mitigation

Sampler

add(r_D)

stream of DRAM ACT cmds

At REFRESH time

TRR(r_D)

ACT(r_A)

ACT(r_D)

ACT(r_C)

Normal operation

row
r_D
...

...

15

16 of 72

Methodology

Model of a mitigation

Frequent item count estimation�is hard to solve in-DRAM

Sampler

add(r_d)

Inhibitor

r_D

stream of DRAM ACT cmds

mm²

ACT(r_A)

ACT(r_D)

ACT(r_C)

Normal operation

row
r_d
...

...

At REFRESH time

TRR(r_D)

16

17 of 72

Methodology

DRAM is becoming more vulnerable

Manufacturing Year

Minimum�Rowhammer

Threshold

DDR4

DDR3

2012

2015

2018

2021

0

50k

100k

150k

17

18 of 72

Methodology

DRAM is becoming more vulnerable

Manufacturing Year

Minimum�Rowhammer

Threshold

DDR4

DDR3

2012

2015

2018

2021

0

50k

100k

150k

DRAM is becoming more vulnerable (lower R_th):�⇒ enables new attack patterns with less activations per aggressor

18

19 of 72

Methodology

Existing Rowhammer patterns

x+2

x+1

x

x-1

x-2

x-3

x-4

x-5

x-6

x-7

x+2

x+1

x

x-1

x-2

x-3

x-4

x-5

x-6

x-7

Aggressor

Direct victim

Indirect victim

Single-sided

Double-sided

4-sided

x+2

x+1

x

x-1

x-2

x-3

x-4

x-5

x-6

x-7

19

20 of 72

Methodology

Existing Rowhammer patterns

x+2

x+1

x

x-1

x-2

x-3

x-4

x-5

x-6

x-7

x+2

x+1

x

x-1

x-2

x-3

x-4

x-5

x-6

x-7

x+2

x+1

x

x-1

x-2

x-3

x-4

x-5

x-6

x-7

Single-sided

Double-sided

4-sided

Access Frequency

Aggressor

Direct victim

Indirect victim

Single-sided

Double-sided

4-sided

20

21 of 72

Methodology

Existing Rowhammer patterns

x+2

x+1

x

x-1

x-2

x-3

x-4

x-5

x-6

x-7

x+2

x+1

x

x-1

x-2

x-3

x-4

x-5

x-6

x-7

x+2

x+1

x

x-1

x-2

x-3

x-4

x-5

x-6

x-7

Single-sided

Double-sided

4-sided

Access Frequency

Aggressor

Direct victim

Indirect victim

Single-sided

Double-sided

4-sided

💡Insight: All existing Rowhammer access patterns �hammer aggressors exclusively uniformly.

21

22 of 72

Methodology

Existing Rowhammer patterns

x+2

x+1

x

x-1

x-2

x-3

x-4

x-5

x-6

x-7

x+2

x+1

x

x-1

x-2

x-3

x-4

x-5

x-6

x-7

x+2

x+1

x

x-1

x-2

x-3

x-4

x-5

x-6

x-7

Single-sided

Double-sided

4-sided

Access Frequency

Aggressor

Direct victim

Indirect victim

Single-sided

Double-sided

4-sided

💡Insight: All existing Rowhammer access patterns �hammer aggressors exclusively uniformly.

Can non-uniformity help to bypass Rowhammer mitigations?

22

23 of 72

Methodology

Exp. 1: n-sided patterns with non-uniformity

Introducing non-uniform aggressor accesses

r₁

r₃

r₅

r₇

r₉

r₁₁

r₁₃

r₁

r₃

r₅

r₇

r₉

r₁₁

r₁

r₃

r₅

r₇

r₉

r₁₁

r₁

r₃

r₅

r₇

r₉

r₁₁

r₁₅

r₁₃

r₁₅

Round 1

Round 2

Round 3

Round 4

…

random rounds

23

24 of 72

Methodology

Exp. 1: n-sided patterns with non-uniformity

Exp. 2: randomized patterns

Introducing non-uniform aggressor accesses

r₁

r₃

r₅

r₇

r₉

r₁₁

r₁₃

r₁

r₃

r₅

r₇

r₉

r₁₁

r₁

r₃

r₅

r₇

r₉

r₁₁

r₁

r₃

r₅

r₇

r₉

r₁₁

r₁₅

r₁₃

r₁₅

Round 1

Round 2

Round 3

Round 4

…

random rounds

Round 1

Round 2

Round 3

Round 4

…

random same-bank rows

random round

random pattern location

r₁

r₃

r₁

r₃

...

24

25 of 72

Methodology

20 x

10 x

6 x

4 x

Our DRAM Test Devices

Micron

Hynix

Samsung

Unknown�(Kingston)

A

B

C

D

Dec. ‘16

to Jun. ‘20

2132-2666 MHz

4–32

GiB

1-2

DRAM ranks

25

26 of 72

Methodology

Non-Uniformity Results

Module*	n-sided	non-�uniform
A₁	✔︎	✔︎
A₂	✔︎	✔︎
A₃	✔︎	✔︎
A₄	✔︎	✔︎
A₆	✗	✔︎
A₇	✗	✔︎
A₉	✔︎	✔︎
A₁₀	✔︎	✔︎
A₁₁	✔︎	✔︎
A₁₄	✗	✔︎
A₁₆	✔︎	✔︎
A₁₇	✔︎	✔︎
A₁₈	✔︎	✗
B₁	✔︎	✗
B₂	✔︎	✗
B₉	✗	✔︎
C₀	✔︎	✔︎
D₀	✔︎	✔︎
D₁	✗	✔︎
D₃	✗	✔︎
	35%	42.5%

*Modules without any bit flips omitted

26

27 of 72

Methodology

Non-Uniformity Results

Module*	n-sided	non-�uniform
A₁	✔︎	✔︎
A₂	✔︎	✔︎
A₃	✔︎	✔︎
A₄	✔︎	✔︎
A₆	✗	✔︎
A₇	✗	✔︎
A₉	✔︎	✔︎
A₁₀	✔︎	✔︎
A₁₁	✔︎	✔︎
A₁₄	✗	✔︎
A₁₆	✔︎	✔︎
A₁₇	✔︎	✔︎
A₁₈	✔︎	✗
B₁	✔︎	✗
B₂	✔︎	✗
B₉	✗	✔︎
C₀	✔︎	✔︎
D₀	✔︎	✔︎
D₁	✗	✔︎
D₃	✗	✔︎
	35%	42.5%

*Modules without any bit flips omitted

Modules where NON-UNIFORMITY is �needed to trigger bit flips

27

28 of 72

Methodology

Non-Uniformity Results

Module*	n-sided	non-�uniform
A₁	✔︎	✔︎
A₂	✔︎	✔︎
A₃	✔︎	✔︎
A₄	✔︎	✔︎
A₆	✗	✔︎
A₇	✗	✔︎
A₉	✔︎	✔︎
A₁₀	✔︎	✔︎
A₁₁	✔︎	✔︎
A₁₄	✗	✔︎
A₁₆	✔︎	✔︎
A₁₇	✔︎	✔︎
A₁₈	✔︎	✗
B₁	✔︎	✗
B₂	✔︎	✗
B₉	✗	✔︎
C₀	✔︎	✔︎
D₀	✔︎	✔︎
D₁	✗	✔︎
D₃	✗	✔︎
	35%	42.5%

*Modules without any bit flips omitted

Modules where NON-UNIFORMITY is �needed to trigger bit flips

O1. Non-uniform aggressor accesses can lead to effective patterns on DIMMs where previous n-sided patterns could not trigger any bit flips.

28

29 of 72

Methodology

Non-Uniformity Results

Module*	n-sided	non-�uniform
A₁	✔︎	✔︎
A₂	✔︎	✔︎
A₃	✔︎	✔︎
A₄	✔︎	✔︎
A₆	✗	✔︎
A₇	✗	✔︎
A₉	✔︎	✔︎
A₁₀	✔︎	✔︎
A₁₁	✔︎	✔︎
A₁₄	✗	✔︎
A₁₆	✔︎	✔︎
A₁₇	✔︎	✔︎
A₁₈	✔︎	✗
B₁	✔︎	✗
B₂	✔︎	✗
B₉	✗	✔︎
C₀	✔︎	✔︎
D₀	✔︎	✔︎
D₁	✗	✔︎
D₃	✗	✔︎
	35%	42.5%

*Modules without any bit flips omitted

Modules where UNIFORMITY is �needed to trigger bit flips

29

30 of 72

Methodology | DIMM A10

When should we hammer an aggressor?

REF

...

O2. Accessing aggressors at the “right” time in a pattern enables�to bypass the mitigation (sampler).

REF

⇒ no bit flips

r₁

r₃

r₁

r₃

⇒ no bit flips

⇒ bit flips!

⇒ no bit flips

...

r₁

r₃

r₁

r₃

...

r₁

r₃

r₁

r₃

...

r₁

r₃

r₁

r₃

...

r₁

r₃

r₁

r₃

...

r₁

r₃

r₁

r₃

...

r₁

r₃

r₁

r₃

access distinct random row

30

31 of 72

Methodology | DIMM A10

When should we hammer an aggressor?

...

REF

r₁

r₃

r₁

r₃

...

r₁

r₃

r₁

r₃

...

r₁

r₃

r₁

r₃

...

r₁

r₃

r₁

r₃

...

r₁

r₃

r₁

r₃

...

r₁

r₃

r₁

r₃

...

r₁

r₃

r₁

r₃

phase = 0

phase = 1

phase = 2

phase = 3

phase = 4

phase = 5

phase = 6

PHASE

0

1

2

3

4

5

6

7

31

32 of 72

Methodology | DIMM A10

For how long should we hammer an aggressor?

r₁

r₃

REF

r₁

r₃

REF

r₁

r₃

...

REF

...

r₁

r₃

...

r₁

r₃

r₁

r₃

...

32

33 of 72

Methodology | DIMM A10

For how long should we hammer an aggressor?

r₁

r₃

REF

r₁

r₃

REF

r₁

r₃

...

REF

r₁

r₃

...

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

...

r₁

r₃

...

r₁

r₃

...

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

...

⇒ no bit flips

⇒ bit flips!

⇒ more bit flips!

⇒ no bit flips

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

⇒ no bit flips

...

O3. Up to a sweet spot, increasing the hammering intensity leads to more bit flips. Then the number of bit flips drops.

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

...

⇒ no bit flips

...

33

34 of 72

Methodology | DIMM A10

For how long should we hammer an aggressor?

r₁

r₃

REF

r₁

r₃

REF

r₁

r₃

...

REF

r₁

r₃

...

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

...

amplitude = 1

amplitude = 2

amplitude = 3

AMPLITUDE

1x

2x

3x

34

35 of 72

Methodology | DIMM B2

Should our patterns be longer than one refresh interval?

r₁

r₃

REF

r₁

r₃

REF

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

pattern length �= 2 REF intervals

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

...

r₁

r₃

r₁

r₃

...

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

...

r₁

r₃

35

36 of 72

Methodology | DIMM B2

Should our patterns be longer than one refresh interval?

r₁

r₃

REF

r₁

r₃

...

REF

r₁

r₃

...

r₁

r₃

...

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

...

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

...

r₁

r₃

r₁

r₃

...

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

...

r₁

r₃

...

36

37 of 72

Methodology | DIMM B2

Should our patterns be longer than one refresh interval?

O4. Hammering with longer patterns (>1 REF interval) and higher intensities in some intervals can bypass the mitigation more effectively.

r₁

r₃

REF

r₁

r₃

...

REF

r₁

r₃

...

r₁

r₃

...

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

...

r₁

r_b

r_c

r_d

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r_b

r_c

r_d

r₁

r₃

r₁

...

r₁

r₃

r₁

r₃

...

⇒ no bit flips

...

⇒ no bit flips

⇒ bit flips!

...

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

...

r₁

r₃

...

⇒ no bit flips

...

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

...

⇒ no bit flips

37

38 of 72

Methodology | DIMM B2

Should our patterns be longer than one refresh interval?

r₁

r₃

REF

r₁

r₃

...

REF

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

...

_r1

_rb

_rc

_rd

r₁

r₃

r₁

r₃

r₁

r₃

r₁

r₃

_r1

_rb

_rc

_rd

r₁

r₃

r₁

...

freq. = 1/2

freq. = 1

freq. = 1/2

FREQUENCY

38

39 of 72

Observations

O1. Non-uniform aggressor accesses can lead to effective patterns on DIMMs where previous n-sided patterns could not trigger any bit flips.

AMPLITUDE

PHASE

How to determine effective parameter values?

O2. Accessing aggressor’s at the “right” time in a pattern enables�them to bypass the mitigation (sampler).

O3. Up to a sweet spot, increasing the hammering intensity leads to more bit flips. Then the number of bit flips drops.

O4. Hammering with longer patterns (>1 REF interval) and higher intensities in some interval can bypass the mitigation more effectively.

FREQUENCY

39

40 of 72

Implementation

generic�large coverage of TRR implementations

scalable�“plug-and-play” for large-scale testing

extensible�adaptable to future mitigations

Our Design Goals

40

41 of 72

Implementation

Blacksmith Rowhammer Fuzzer

Build pattern

Hammer pattern

Check for bit flips

=

?

00101

11001

10101

11101

Randomize parameters

FREQUENCY

PHASE

AMPLITUDE

repeat

1/1

0

22

a1, a2:

1/4

44

37

1/2

117

2

a3, a4:

a5, a6:

…

41

42 of 72

Implementation

Pattern Building Algorithm – Example

1/2

0

1

a1

a2

1

a1

a2

2

a1

a2

a3

a4

a1

a2

1/4

0

1

frequency

phase

amplitude

3

a1

a2

a3

a4

a1

a2

a5

a6

1/4

0

1

4

a1

a2

a7

a8

a7

a8

a3

a4

a1

a2

a4

a5

a7

a8

a7

a8

1/2

2

5

a1

a2

a6

a7

a8

a9

a10

a9

a10

a3

a4

a1

a2

a4

a5

a6

a7

a8

a9

a10

a9

a10

1/2

2

42

43 of 72

Evaluation Results

PC-DDR4: Fuzzing

Module	Blacksmith�#Bit Flips	TRRespass�#Bit Flips
B0	63	–
B1	506	–
B2	15	5
B3	111	–
B4	1,107	–
B5	14	–
B6	78	–
B7	70	–
B8	258	–
B9	1,223	–

Module	Blacksmith�#Bit Flips	TRRespass�#Bit Flips
A0	82,183	–
A1	12,134	5
A2	134,702	7,404
A3	1,746	114
A4	5,132	22
A5	113,190	–
A6	98,425	4
A7	32,090	–
A8	92,660	–
A9	4,889	1
A10	3,051	505
A11	3,171	38
A12	43,581	–
A13	59,721	–
A14	64,083	4
A15	52,580	–
A16	99,552	1,450
A17	138,601	3,871
A18	80,601	1
A19	11,599	–

Module	Blacksmith�#Bit Flips	TRRespass�#Bit Flips
C0	26	–
C1	28	–
C2	2,551	–
C3	636	–
C4	769	–
C5	1,028	–

43

44 of 72

Evaluation Results

PC-DDR4: Fuzzing

Module	Blacksmith�#Bit Flips	TRRespass�#Bit Flips
B0	63	–
B1	506	–
B2	15	5
B3	111	–
B4	1,107	–
B5	14	–
B6	78	–
B7	70	–
B8	258	–
B9	1,223	–

Module	Blacksmith�#Bit Flips	TRRespass�#Bit Flips
A0	82,183	–
A1	12,134	5
A2	134,702	7,404
A3	1,746	114
A4	5,132	22
A5	113,190	–
A6	98,425	4
A7	32,090	–
A8	92,660	–
A9	4,889	1
A10	3,051	505
A11	3,171	38
A12	43,581	–
A13	59,721	–
A14	64,083	4
A15	52,580	–
A16	99,552	1,450
A17	138,601	3,871
A18	80,601	1
A19	11,599	–

Module	Blacksmith�#Bit Flips	TRRespass�#Bit Flips
C0	26	–
C1	28	–
C2	2,551	–
C3	636	–
C4	769	–
C5	1,028	–

Effective patterns found on 40/40 devices

Effective patterns found on 15/40 devices

44

45 of 72

Evaluation Results

PC-DDR4: Fuzzing

Module	Blacksmith�#Bit Flips	TRRespass�#Bit Flips
B0	63	–
B1	506	–
B2	15	5
B3	111	–
B4	1,107	–
B5	14	–
B6	78	–
B7	70	–
B8	258	–
B9	1,223	–

Module	Blacksmith�#Bit Flips	TRRespass�#Bit Flips
A0	82,183	–
A1	12,134	5
A2	134,702	7,404
A3	1,746	114
A4	5,132	22
A5	113,190	–
A6	98,425	4
A7	32,090	–
A8	92,660	–
A9	4,889	1
A10	3,051	505
A11	3,171	38
A12	43,581	–
A13	59,721	–
A14	64,083	4
A15	52,580	–
A16	99,552	1,450
A17	138,601	3,871
A18	80,601	1
A19	11,599	–

Module	Blacksmith�#Bit Flips	TRRespass�#Bit Flips
C0	26	–
C1	28	–
C2	2,551	–
C3	636	–
C4	769	–
C5	1,028	–

Most vulnerable device:�138,601 bit flips

45

46 of 72

Evaluation Results

PC-DDR4: Exploitability

PTE Exploit

sudo binary

RSA-2048

3s … 2h 8m

11s … 4h 2m

5m … 38m 35s

46

47 of 72

Evaluation Results

PC-DDR4

47

100 %

of PC-DDR4 DIMMs �are vulnerable�(40 PC-DIMMs)

High number of bit flips facilitates exploitation

DIMMs are weaker �than reported before

100 %

of LPDDR4X chips �are vulnerable�(19 LPDDR4X devices)

47

48 of 72

Conclusion

Blacksmith’s fuzzing with non-uniform, �frequency-based patterns is scalable and effective

→ All current TRR mitigations are vulnerable

Blacksmith’s approach generalizes well

→ We found bit flips on devices never seen before � from another DRAM manufacturer

We need principled mitigations with provable security guarantees instead of obscure proprietary mitigations

pjattke

pjattke@ethz.ch

comsec.ethz.ch/blacksmith

comsec-group/blacksmith

Next talk!

48

This ends my talk

We have seen that our novel type of frequency-based patterns paired with fuzzing is a scalable, widely applicable, and very effective approach
We showed that all current TRR mitigations are vulnerable and responsibly disclosed our findings to affected parties in May 2021

Recently, another DRAM manufacturer reached out to us and asked us to test their SO-DIMMs

We also found bit flips on these device with Blacksmith, which shows that our model is general for the mitigations that are currently deployed;
even if not, the underlying model of our fuzzer can easily be refined

Concluding my talk, our work shows that Rowhammer is not a solved problem and we need principled mitigations that provide provable security guarantees compared to the proprietary and obscure mitigations that DRAM vendors currently use

Thank you very much for your attention.

49 of 72

49

06.05.2020

All icons used in this presentation are licensed by The Noun Project.

Computer Security Group�

49

50 of 72

50

51 of 72

Background

DRAM is widely used today

51

52 of 72

Background

DRAM is widely used today

a DRAM bank

DRAM banks consist of rows and columns

Row buffer

a DRAM chip

52

53 of 72

Background

DRAM is widely used today

a bit flipped!

1

0

a DRAM bank

DRAM banks consist of rows and columns

Row buffer

a DRAM chip

The Rowhammer Effect

1

0

1

0

1

0

1

0

repeat�hammering

leaking charge

aggressor 1

aggressor 2

victim

53

54 of 72

Rowhammer Attacks Are Practical

Over the network

Across VMs

ECC memory

On smartphones

In the browser

VM1

VM2

Scenarios

DRAM Types

DDRx UDIMMs,�LPDDRx

ECC

54

55 of 72

Motivation

DRAM manufacturers claim Rowhammer-free devices: �Target Row Refresh (TRR) mitigation
Existing work [1] studied TRR: there are weak spots in mitigations

TRR is an umbrella term for different mitigations
≈30% of DDR4 DIMMs are still vulnerable using n-sided patterns

No tools exist yet that allow for thorough testing against RH

How can we build a tool that allows for thoroughly testing �DRAM devices against Rowhammer?

[1] P. Frigo et al., “TRRespass: Exploiting the Many Sides of Target Row Refresh,” IEEE S&P ‘20

55

56 of 72

Background

DRAM is widely used today

DRAM banks consist of rows and columns

Row buffer

rows

56

57 of 72

Background

DRAM is widely used today

DRAM banks consist of rows and columns

Row buffer

columns

…

57

58 of 72

Previous Work

reverse engineering

experiment-based

limited insights

not transferable

time-intensive�not scalable

58

59 of 72

Methodology

Our DRAM Test Devices & Test Infrastructure

Evaluation Platform

Intel i7-8700K
ASUS Z390 board
256GB Intel/Kingston M.2 SSD
Ubuntu 18.04 LTS�(4.15.0)

59

60 of 72

Methodology | DIMM A10

When should we hammer an aggressor?

O2. Accessing aggressors at the “right” time in a pattern enables�them to bypass the mitigation (sampler).

Offsets causing bit flips

60

61 of 72

Methodology | DIMM A10

For how long should we hammer an aggressor?

O3. Up to a sweet spot, increasing the hammering intensity leads to more bit flips. Then the number of bit flips drops.

61

62 of 72

Methodology | DIMM A10

For how long should we hammer an aggressor?

O3. Up to a sweet spot, increasing the hammering intensity leads to more bit flips. Then the number of bit flips drops.

62

63 of 72

Methodology | DIMM A10

For how long should we hammer an aggressor?

O3. Up to a sweet spot, increasing the hammering intensity leads to more bit flips. Then the number of bit flips drops.

63

64 of 72

Methodology | DIMM A10

For how long should we hammer an aggressor?

O3. Up to a sweet spot, increasing the hammering intensity leads to more bit flips. Then the number of bit flips drops.

64

65 of 72

Methodology | DIMM B2

Should our patterns be longer than one refresh interval?

O4. Hammering with longer patterns (>1 REF interval) and higher intensities in some interval can bypass the mitigation more effectively.

65

66 of 72

Evaluation Results

LPDDR4X

: #Effective patterns found in 12 hrs or max(hh:mm), the time needed to find 128 eff. patterns

Effective patterns found on 16/19 devices

66

67 of 72

Evaluation Results

LPDDR4X

Other parameters are needed:

– pattern length: up to 16 tREFI

– amplitude: up to 6 tREFI

Blacksmith found bit flips on all three of them within 2h 52s.

: #Effective patterns found in 12 hrs or max(hh:mm), the time needed to find 128 eff. patterns

Effective patterns found on 16/19 devices

67

68 of 72

Evaluation Results

LPDDR4X

High number of bit flips facilitates exploitation

100 %

of LPDDR4X chips �are vulnerable�(19 LPDDR4X devices)

Chips are weaker than reported before

68

69 of 72

Novel Insights about Mitigations

TRR mitigations are chip-dependent

Sampler size of majority:�≤ 30 aggressors
Some mitigations take the DRAM address into account

On certain DIMMs: sophisticated patterns are needed to bypass �TRR mitigations

69

70 of 72

Responsible Disclosure

Q1-2021: Findings reported to NCSC-CH
Q2-2021: NCSC-CH disclosed our vulnerability to
affected DRAM manufacturers: Samsung, SK Hynix, Micron;
OEMs: Intel, AMD;
and other affected parties: Apple, Microsoft, Google, Amazon, …
Q4-2021: NCSC-CH assigned CVE-2021-42114 to Blacksmith
15.11.2021: Public disclosure

National Cyber Security Centre (NCSC)

70

71 of 72

Pattern Portability

71

72 of 72

Implementation

Pattern Building Algorithm

72