CS-773 Paper Presentation

SafeGuard: Reducing the Security Risk from Row-Hammer via Low-Cost Integrity Protection

Gauri Patrikar

Avengers (# 3)

Outline

  • Row-Hammer Mitigation Techniques
  • Breaking Row-Hammer Mitigation
  • SAFEGUARD
    • SAFEGUARD with SECDED
    • SAFEGUARD with Chipkill
  • Comparison with other MAC organization
  • Security Discussion

Mitigation techniques

Broad classification:

  • Global Mitigation
  • Precise Mitigation
  • Isolation-based
  • ECC-based

Outline

  • Row-Hammer Mitigation Techniques
  • Breaking Row-Hammer Mitigation
  • Evaluation Methodology
  • SAFEGUARD
    • SAFEGUARD with SECDED
    • SAFEGUARD with Chipkill
  • Comparison with other MAC organization
  • Security Discussion

Breaking Mitigation

Figure 1: Half-Double breaks precise mitigation

Figure 2: Patterns discovered by the TRRespass fuzzer, breaking Target Row Refresh

Figure 3: ECCploit combines single bit flips for silent corruption on ECC memory.

Evaluation Methodology

  • FaultSim for reliability evaluation
  • Main memory modeled using Ramulator
  • 4 cores, two cache levels, shared 4MB LLC
  • Virtual page size is 4KB
  • Main memory: 16GB DDR4-3200 DRAM
  • 500 million SimPoint region of the SPEC2017 rate benchmarks

SAFEGUARD

  • Repurpose the ECC bits to incorporate both the correction and integrity metadata.

  • Detects failures instead of letting attacks become threats.

Figure 4: SAFEGUARD

SECDED

Figure 5: SECDED

  • 8-bit Single Error Correction Double Error Detection (SECDED) code is used for protecting each 64-bit word.
  • Each bus transfer undergoes ECC check.

Safeguard with SECDED

Figure 6: Safeguard with SECDED

  • 64 byte Granularity
  • 10 bits for ECC1 and 54 bits for MAC
  • When reading, first ECC1 then MAC check
  • MAC mismatch signals Detected Unrecoverable Error (DUE)
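
The read path on this slide, as an added sketch that is not code from the paper or the presentation: a 64-byte line carries a 54-bit MAC and a 10-bit ECC-1, the read applies ECC-1 first and then checks the MAC, and any mismatch becomes a DUE. Assumptions: ECC-1 is modeled as a Hamming code over data plus MAC, the MAC is a truncated HMAC-SHA256 stand-in, and the key and line contents are constructed.

```python
import hashlib
import hmac

KEY = bytes(range(16))            # constructed 16-byte MAC key
DATA_BITS, MAC_BITS = 512, 54     # 64-byte line, 54-bit MAC (10 ECC-1 bits stored alongside)
# Hamming layout (assumption): payload bits sit at the non-power-of-two positions.
POS = [p for p in range(1, 1024) if p & (p - 1)][:DATA_BITS + MAC_BITS]
POS_INDEX = {p: i for i, p in enumerate(POS)}

def mac54(data: int) -> int:
    """Stand-in MAC: HMAC-SHA256 truncated to 54 bits."""
    tag = hmac.new(KEY, data.to_bytes(64, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag, "big") >> (256 - MAC_BITS)

def ecc1(payload: int) -> int:
    """10-bit check value: XOR of the positions of all set payload bits."""
    check = 0
    for i, pos in enumerate(POS):
        if (payload >> i) & 1:
            check ^= pos
    return check

def write_line(data: int):
    payload = data | (mac54(data) << DATA_BITS)
    return payload, ecc1(payload)

def read_line(payload: int, ecc: int):
    """ECC-1 first, then the MAC check. Returns (status, data)."""
    status = "OK"
    syndrome = ecc1(payload) ^ ecc
    if syndrome:
        status = "CORRECTED"
        if syndrome in POS_INDEX:                  # looks like a single payload-bit error
            payload ^= 1 << POS_INDEX[syndrome]
    data = payload & ((1 << DATA_BITS) - 1)
    if mac54(data) != payload >> DATA_BITS:        # multi-bit error or miscorrection
        return "DUE", None
    return status, data

def demo():
    data = int.from_bytes(bytes(range(64)), "big")     # constructed cache line
    payload, ecc = write_line(data)
    one_flip = read_line(payload ^ (1 << 100), ecc)
    three_flips = read_line(payload ^ (1 << 3) ^ (1 << 77) ^ (1 << 300), ecc)
    return read_line(payload, ecc), one_flip, three_flips

if __name__ == "__main__":
    print(demo())
```

A single flipped bit is repaired by ECC-1 and passes the MAC; the three-bit case is where an ECC-only design could miscorrect silently, and here it ends as a DUE.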

Resiliency Comparison

  • Safeguard can detect arbitrary failures.
  • Cannot correct multi-bit errors.

Table 1: Resiliency of SECDED vs Safeguard

Column Faults

Column faults occur because of a faulty pin or a failure of the bit-line circuitry.

They can be corrected by SECDED but not by Safeguard.

Figure 7: Cache line fault Pattern

Extending Safeguard for column failure

  • MAC check fails after ECC-1
  • Iterative construction by recovery using column parity
  • Remembers failed column
  • Slow process but low rate of failure

Figure 8: Safeguard Extension

Reliability comparison

  • Without parity: 1.25x the failure rate of SECDED.
  • With parity: reliability identical to SECDED.

Figure 9: Safeguard vs SECDED reliability

Performance and Overhead

  • Average slowdown of 0.7%

Figure 10: Performance Safeguard vs SECDED

Overheads

  • ECC logic requires 3k XOR-gates
  • Memory controller requires a MAC computation unit and storage for a 16-byte key.
  • Simple parity units for vertical parity
  • Less than 32-byte SRAM overhead

Chipkill

  • Tolerates entire chip failures
  • 18 memory chips: 16 provide the 64-bit data word (4 bits per device)
  • 2 chips hold the Chipkill redundant data
  • 4-bit symbol-based code (SSCDSD)

Figure 11: Conventional Chipkill

Safeguard with Chipkill

  • Stores data in direct form
  • MAC for error detection and Parity for correction
  • Provides stronger error detection but same error correction as chipkill

Figure 12: Safeguard with Chipkill

Safeguard with Iterative Correction

  • MAC mismatch triggers correction.
  • Goes through each chip and corrects using parity and MAC verification
  • If no MAC match is found, a DUE is declared
  • Incurs high latency if error is present, which is rare.

Figure 13: Iterative correction

Permanent Chip Failure

  • Faulty chip detected
  • Start iterative correction from faulty chip to avoid latency
  • Two issues:
    • Additional MAC check latency is still present
    • Faulty data will eventually escape detection by the 32-bit MAC
  • Chipkill level reliability not present for permanent failures.

Safeguard with Eager Correction

  • Skips first MAC check
  • Eagerly repairs data of failed chip then MAC check
  • If different chip is faulty, back to iterative correction
  • If MAC fails, DUE declared

Figure 14: Eager Correction
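
Iterative and eager correction side by side, as an added sketch that is not code from the paper or the presentation; the same try-a-candidate, rebuild-from-parity, re-check-the-MAC loop is what the column-failure extension for SECDED describes. Assumptions: each line is 16 data chips of 32 bits plus one chip with the 32-bit MAC and one with parity over those 17 chips; the MAC is a truncated HMAC-SHA256 stand-in; key and data are constructed.

```python
import hashlib, hmac
from functools import reduce

KEY = bytes(range(16))   # constructed 16-byte MAC key
DATA_CHIPS = 16          # chips[0..15] hold data, chips[16] holds the 32-bit MAC

def mac32(data_words):   # stand-in MAC: HMAC-SHA256 truncated to 32 bits
    msg = b"".join(w.to_bytes(4, "big") for w in data_words)
    return int.from_bytes(hmac.new(KEY, msg, hashlib.sha256).digest()[:4], "big")

def xor_all(words, start=0):
    return reduce(lambda a, b: a ^ b, words, start)

def write_line(data_words):
    chips = list(data_words) + [mac32(data_words)]
    return chips, xor_all(chips)             # parity covers data and MAC chips

def mac_ok(chips):
    return mac32(chips[:DATA_CHIPS]) == chips[DATA_CHIPS]

def repair(chips, parity, bad):              # rebuild chip `bad` from parity + the rest
    fixed = list(chips)
    fixed[bad] = xor_all((w for i, w in enumerate(chips) if i != bad), parity)
    return fixed

def read_line(chips, parity, known_bad=None):
    """Returns (status, data_words, failed_chip, mac_checks)."""
    checks = 1
    if known_bad is None:                    # normal read: check the MAC first
        if mac_ok(chips):
            return "OK", chips[:DATA_CHIPS], None, checks
    else:                                    # eager: repair the known-bad chip, then check
        cand = repair(chips, parity, known_bad)
        if mac_ok(cand):
            return "CORRECTED", cand[:DATA_CHIPS], known_bad, checks
    for bad in range(len(chips)):            # iterative: try every chip in turn
        if bad == known_bad:
            continue
        cand = repair(chips, parity, bad)
        checks += 1
        if mac_ok(cand):
            return "CORRECTED", cand[:DATA_CHIPS], bad, checks
    return "DUE", None, None, checks

def demo():
    chips, parity = write_line(list(range(100, 116)))   # constructed line
    chips[5] ^= 0xDEADBEEF                               # chip 5 returns garbage
    return read_line(chips, parity), read_line(chips, parity, known_bad=5)
```

The `mac_checks` count makes the latency argument concrete: the iterative path needs seven MAC computations to locate chip 5, the eager path needs one.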

Reliability Evaluation

  • Eager Correction is assumed

  • Virtually identical correction capability to that of Chipkill.

Figure 15: Safeguard vs Chipkill reliability

Performance Evaluation and Overheads

  • Average slowdown of 0.7%
  • Less than 32 bytes of storage and logic overhead

Figure 16: Safeguard vs Chipkill performance

Other MAC organization

  • Intel SGX:
    • For a small designated region of memory
    • Each data line is protected by a per-line MAC stored in a separate location.
  • Synergy style:
    • x8 ECC DIMMs
    • 64-bit MAC in the ECC chip
    • 64-bit parity in a separate location

Performance Comparison

SGX and Synergy incur 18.7% and 7.8% slowdown respectively, compared to the 0.7% slowdown of Safeguard.

Figure 17: Performance comparison of Safeguard vs alternatives

DRAM Storage Overheads

Only Safeguard provides full memory as usable.

Table 2: DRAM storage overheads

Sensitivity to MAC latency

Safeguard incurs 5.8% overhead.

Outperforms SGX and Synergy 19.5% and 7.1% respectively.

Figure 18: P

Security Issues

  • Actions after detection:
    • Theoretically, an attacker can flip an arbitrary number of bits in a line; hardware alone cannot correct these errors.
  • Vulnerability to Denial-of-Service:
    • Causing persistent failures can result in a DoS attack.
  • Vulnerability to replay attacks:
    • Protection against replay attacks is not considered, as they are impractical for a remote adversary.

Security Issues contd.

  • Vulnerability to timing channels:
    • Correction can leak the presence of a data error through the timing gap. Safeguard can detect attacks based on this.
    • RAMBleed can be protected against using memory encryption.
  • Vulnerability to MAC collisions:
    • If an attack corrupts one line in memory every refresh period, it takes 1000+ years of attack with a 46-bit MAC for one MAC escape.
    • 9 years for a 32-bit MAC, assuming no preventative action.

Conclusion

  • No guaranteed protection against RH attack
  • Focus on detecting bit flips caused by RH
  • Reduce severity of RH attack from security risk to a reliability issue
  • Safeguard provides strong detection of arbitrary failures
  • Correction strengths similar to conventional ECC
  • Avoids storage and performance overhead of conventional integrity-protected memories
