Show simple item record

dc.contributor.author
Frigo, Pietro
dc.contributor.author
Vannacci, Emanuele
dc.contributor.author
Hassan, Hasan
dc.contributor.author
van der Veen, Victor
dc.contributor.author
Multu, Onur
dc.contributor.author
Giuffrida, Cristiano
dc.contributor.author
Bos, Herbert
dc.contributor.author
Razavi, Kaveh
dc.date.accessioned
2020-10-13T13:30:05Z
dc.date.available
2020-10-03T02:37:24Z
dc.date.available
2020-10-06T09:53:29Z
dc.date.available
2020-10-06T12:44:40Z
dc.date.available
2020-10-13T13:30:05Z
dc.date.issued
2020
dc.identifier.isbn
978-1-7281-3497-0
en_US
dc.identifier.isbn
978-1-7281-3498-7
en_US
dc.identifier.other
10.1109/SP40000.2020.00090
en_US
dc.identifier.uri
http://hdl.handle.net/20.500.11850/444387
dc.description.abstract
fter a plethora of high-profile RowHammer attacks, CPU and DRAM vendors scrambled to deliver what was meant to be the definitive hardware solution against the RowHammer problem: Target Row Refresh (TRR). A common belief among practitioners is that, for the latest generation of DDR4 systems that are protected by TRR, RowHammer is no longer an issue in practice. However, in reality, very little is known about TRR. How does TRR exactly prevent RowHammer? Which parts of a system are responsible for operating the TRR mechanism? Does TRR completely solve the RowHammer problem or does it have weaknesses? In this paper, we demystify the inner workings of TRR and debunk its security guarantees. We show that what is advertised as a single mitigation mechanism is actually a series of different solutions coalesced under the umbrella term Target Row Refresh. We inspect and disclose, via a deep analysis, different existing TRR solutions and demonstrate that modern implementations operate entirely inside DRAM chips. Despite the difficulties of analyzing in-DRAM mitigations, we describe novel techniques for gaining insights into the operation of these mitigation mechanisms. These insights allow us to build TRRespass, a scalable black-box RowHammer fuzzer that we evaluate on 42 recent DDR4 modules. TRRespass shows that even the latest generation DDR4 chips with in-DRAM TRR, immune to all known RowHammer attacks, are often still vulnerable to new TRR-aware variants of RowHammer that we develop. In particular, TRRespass finds that, on present-day DDR4 modules, RowHammer is still possible when many aggressor rows are used (as many as 19 in some cases), with a method we generally refer to as Many-sided RowHammer. Overall, our analysis shows that 13 out of the 42 modules from all three major DRAM vendors (i.e., Samsung, Micron, and Hynix) are vulnerable to our TRR-aware RowHammer access patterns, and thus one can still mount existing state-of-the-art system-level RowHammer attacks. In addition to DDR4, we also experiment with LPDDR4(X)1 chips and show that they are susceptible to RowHammer bit flips too. Our results provide concrete evidence that the pursuit of better RowHammer mitigations must continue. © 2020 IEEE.
en_US
dc.language.iso
en
en_US
dc.publisher
IEEE
en_US
dc.title
TRRespass: Exploiting the many sides of target row refresh
en_US
dc.type
Conference Paper
dc.date.published
2020-07-30
ethz.book.title
2020 IEEE Symposium on Security and Privacy (SP)
en_US
ethz.pages.start
747
en_US
ethz.pages.end
762
en_US
ethz.event
41st IEEE Symposium on Security and Privacy (SP 2020) (virtual)
en_US
ethz.event.location
San Francisco, CA, USA
en_US
ethz.event.date
May 18-21, 2020
en_US
ethz.notes
Due to the Coronavirus (COVID-19) the conference was conducted virtually.
en_US
ethz.identifier.scopus
ethz.publication.place
Piscataway, NJ
en_US
ethz.publication.status
published
en_US
ethz.date.deposited
2020-10-03T02:37:29Z
ethz.source
SCOPUS
ethz.eth
yes
en_US
ethz.availability
Metadata only
en_US
ethz.rosetta.installDate
2020-10-06T09:53:46Z
ethz.rosetta.lastUpdated
2020-10-06T09:53:46Z
ethz.rosetta.exportRequired
true
ethz.rosetta.versionExported
true
ethz.COinS
ctx_ver=Z39.88-2004&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.atitle=TRRespass:%20Exploiting%20the%20many%20sides%20of%20target%20row%20refresh&rft.date=2020&rft.spage=747&rft.epage=762&rft.au=Frigo,%20Pietro&Vannacci,%20Emanuele&Hassan,%20Hasan&van%20der%20Veen,%20Victor&Multu,%20Onur&rft.isbn=978-1-7281-3497-0&978-1-7281-3498-7&rft.genre=proceeding&rft_id=info:doi/978-1-7281-3497-0&info:doi/978-1-7281-3498-7&rft.btitle=2020%20IEEE%20Symposium%20on%20Security%20and%20Privacy%20(SP)
 Search via SFX

Files in this item

FilesSizeFormatOpen in viewer

There are no files associated with this item.

Publication type

Show simple item record