DOCSLIB.ORG

Cross-VM Row Hammer Attacks and Privilege Escalation

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Cross-VM Row Hammer Attacks and Privilege Escalation One Bit Flips, One Cloud Flops: Cross-VM Row Hammer Attacks and Privilege Escalation Yuan Xiao, Xiaokuan Zhang, Yinqian Zhang, and Radu Teodorescu, The Ohio State University https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/xiao This paper is included in the Proceedings of the 25th USENIX Security Symposium August 10–12, 2016 • Austin, TX ISBN 978-1-931971-32-4 Open access to the Proceedings of the 25th USENIX Security Symposium is sponsored by USENIX One Bit Flips, One Cloud Flops: Cross-VM Row Hammer Attacks and Privilege Escalation Yuan Xiao Xiaokuan Zhang Yinqian Zhang Radu Teodorescu Department of Computer Science and Engineering The Ohio State University xiao.465, zhang.5840 @buckeyemail.osu.edu, yinqian, teodores @cse.ohio-state.edu { } { } Abstract ing the target memory regions, invalidate this assump- tion, raising broad security concerns. Row hammer attacks exploit electrical interactions be- Row hammer attacks exploit a vulnerability in the de- tween neighboring memory cells in high-density dy- sign of dynamic random-access memory (DRAM). Mod- namic random-access memory (DRAM) to induce mem- ern high-capacity DRAM has very high memory cell ory errors. By rapidly and repeatedly accessing DRAMs density which leads to greater electrical interaction be- with specific patterns, an adversary with limited privilege tween neighboring cells. Electrical interference from on the target machine may trigger bit flips in memory re- neighboring cells can cause accelerated leakage of ca- gions that he has no permission to access directly. In this pacitor charges and, potentially, data loss. Although paper, we explore row hammer attacks in cross-VM set- these so-called “disturbance errors” have been known tings, in which a malicious VM exploits bit flips induced for years, it has only recently been shown that these er- by row hammer attacks to crack memory isolation en- rors can be triggered by software. In particular, [23] has forced by virtualization. To do so with high fidelity, we demonstrated that malicious programs may issue spe- develop novel techniques to determine the physical ad- cially crafted memory access patterns, e.g., repeated and dress mapping in DRAM modules at runtime (to improve rapid activation of the same DRAM rows, to increase the effectiveness of double-sided row hammer attacks), the chances of causing a disturbance error in neighbor- methods to exhaustively hammer a large fraction of phys- ing rows. ical memory from a guest VM (to collect exploitable Row hammer vulnerabilities have been exploited in vulnerable bits), and innovative approaches to break security attacks shortly after its discovery [4, 10, 16, 20]. Xen paravirtualized memory isolation (to access arbi- In particular, Seaborn [4] demonstrated two privilege es- trary physical memory of the shared machine). Our study calation attacks that exploit row hammer vulnerabilities: also suggests that the demonstrated row hammer attacks One escaped from Google’s NaCl sandbox and the other are applicable in modern public clouds where Xen par- gained kernel memory accesses from userspace pro- avirtualization technology is adopted. This shows that grams running on Linux operating systems. Other stud- the presented cross-VM row hammer attacks are of prac- ies [10, 16, 20] aim to conduct row hammer attacks from tical importance. high-level programming languages, e.g., JavaScript, so that an adversary can induce memory errors and escalate 1 Introduction privileges remotely, by injecting malicious JavaScript code into the target’s web traffic (e.g., by hosting ma- Security of software systems is built upon correctly im- licious websites, cross-site scripting, man-in-the-middle plemented and executed hardware-software contracts. attacks, etc.). Violation of these contracts may lead to severe security In contrast to the client-side bit flip exploitations, breaches. For instance, operating system security re- server-side row hammer attacks are much less under- lies on the assumption that data and code stored in the stood. One particularly interesting scenario where memory subsystems cannot be altered without media- server-side row hammer attacks are of importance is tion by the software running with system privileges (e.g., in multi-tenant infrastructure clouds, where mutually- OS kernels, hypervisors, etc.). However, the recently distrusting cloud tenants (i.e., users of clouds) may co- demonstrated row hammer attacks [23], which are capa- locate their virtual machines (VM) on the same physical ble of inducing hardware memory errors without access- server, therefore sharing hardware resources, including USENIX Association 25th USENIX Security Symposium 19 DRAMs. Although server-grade processors and more Xen guest VMs. We first empirically study which row expensive DRAMs are believed to be less vulnerable to hammer attack methods (i.e., accessing memory with or row hammer attacks [23], studies have suggested that without mfence instructions, see Section 4) are most ef- even servers equipped with error correcting (ECC) mem- fective and lead to most bit flips. Then, in order to guar- ory are not immune to such attacks [12, 23]. antee that sufficient exploitable bit flips (i.e., located at In this paper, we aim to explore row hammer attacks specific memory locations and can be repeatedly induced in cross-VM settings, and shed some light on the secu- in row hammer attacks) are found, we conduct exhaus- rity, or lack thereof, in multi-tenant infrastructure clouds. tive row hammer attacks from a guest VM to test all The goal of this research is not to extensively study how DRAM rows that are accessible to the VM. Because each vulnerable the cloud servers are. Rather, we explore VM is limited to a small portion of the entire physical whether the isolation of cloud software systems—virtual memory, we also develop methods to explore more phys- machines and hypervisors—can be circumvented by row ical memory than assigned to our VM initially. In addi- hammer attacks (and if so, how?), should the underlying tion, we design a safe mode that makes bit flips induced hardware become vulnerable. by row hammer attacks less likely to crash the system. Towards this end, we demonstrate cross-VM row ham- Third, crack memory isolation enforced by virtual- mer attacks with high fidelity and determinism, which ization. Unlike prior work, which sprays large num- can be achieved in the following pipelined steps. bers of page tables and conducts random row hammer attacks hoping that bit flips will occur in a page table First, determine physical address mapping in DRAM. Double-sided row hammer attacks target a specific mem- entry (PTE) [4], in our approach (Section 5), we use hy- ory row by hammering its two neighboring rows to en- percalls to map page directories in the OS kernel of our hance the effectiveness of the attack [4, 23]. Conducting own VM to physical pages containing memory cells that such attacks, however, requires knowledge of the physi- are vulnerable to row hammer attacks. We then conduct cal memory mapping in DRAMs (i.e., bits in physical ad- row hammer attacks to deterministically flip the vulner- dresses that determine memory channels, DIMMs, ranks, able bit at anticipated positions in a page directory en- banks, and rows). This enables the identification of ad- try (PDE), making it point to a different page table. In dresses in neighboring rows of the same bank. How- the context of this paper, we call such attack techniques ever such information is not publicly available for In- page table replacement attacks to indicate that the orig- tel processors and memory controllers. Moreover, the inal page table has been replaced with a forged one. We same memory controller may map physical addresses to empirically demonstrate in Section 6 that such attacks al- DRAMs in different ways, depending on how DRAM low a Xen guest VM to have both read and write access modules are configured. to any memory pages on the machine. We demonstrate two examples to illustrate the power of the cross-VM row To address this issue, we developed a novel algo- hammer attacks: private key exfiltration from an HTTPS rithm to determine the memory mapping at runtime web server and code injection to bypass password au- (Section 3). Each bank in a DRAM chip has a row buffer thentication of an OpenSSH server. We emphasize that that caches the most recently used row in a bank. There- with the attack techniques we propose in this paper, the fore, by alternately accessing two rows in the same bank, attacker’s capability is only limited by imagination. we expect a higher memory access latency due to row buffer conflicts. The increase in access latency serves as We note our attacks primarily target Xen paravirtual- the basis for a timing channel which can be used to de- ized VMs, which, although are gradually superseded by termine if two physical memory addresses are mapped to hardware-assisted virtualization, are still widely used as the same DRAM bank. Building on the timing-channel cloud substrates in public cloud like Amazon EC2. This primitive, we developed a novel graph-based algorithm offers the adversary easy-to-break targets on servers with which models each bit in a physical address as a node in vulnerable hardware. Given the existing evidence of suc- a graph and establishes relationships between nodes us- cessful co-location attacks in public clouds [30, 32], we ing memory access latency. We show that the algorithm recommend discontinuing the use of such virtualization is capable of accurately detecting the row bits, column technology in cloud hosting services. bits and bank bits. We empirically show the algorithm Contributions. This paper makes the following contri- can accurately identify the DRAM mapping schemes au- butions to the field: tomatically within one or two minutes on the machines A novel graph-based algorithm incorporating timing- • we tested.
Load more

Recommended publications
  • ASIC Implementation of DDR SDRAM Memory Controller
    © 2016 IJEDR | Volume 4, Issue 4 | ISSN: 2321-9939 ASIC Implementation of DDR SDRAM Memory Controller Ramagiri Ramya, Naganaik M.Tech Scholar, ASST.PROF, HOD of ECE BRIG-IC, Hyderabad ________________________________________________________________________________________________________ Abstract - A Dedicated Memory Controller is of prime importance in applications that do not contain microprocessors (high-end applications). The Memory Controller provides command signals for memory refresh, read and write operation and initialization of SDRAM. Our work will focus on ASIC Design methodology of Double Data Rate (DDR) SDRAM Controller that is located between the DDR SDRAM and Bus Master. The Controller simplifies the SDRAM command interface to standard system read/write interface and also optimizes the access time of read/write cycle. Keywords - DDR SDRAM Controller, Read/Write Data path, Cadence RTL Compiler. ________________________________________________________________________________________________________ I. INTRODUCTION Memory devices are almost found in all systems and nowadays high speed and high performance memories are in great demand. For better throughput and speed, the controllers are to be designed with clock frequency in the range of megahertz. As the clock speed of the controller is increasing, the design challenges are also becoming complex. Therefore the next generation memory devices require very high speed controllers like double data rate and quad data rate memory controllers. In this paper, the double data rate SDRAM Controller is implemented using ASIC methodology. Synchronous DRAM (SDRAM) is preferred in embedded system memory design because of its speed and pipelining capability. In high-end applications, like microprocessors there will be specific built in peripherals to provide the interface to the SDRAM. But for other applications, the system designer must design a specific memory controller to provide command signals for memory refresh, read and write operation and initialization of SDRAM.
    [Show full text]
  • Microkernel Mechanisms for Improving the Trustworthiness of Commodity Hardware
    Microkernel Mechanisms for Improving the Trustworthiness of Commodity Hardware Yanyan Shen Submitted in fulfilment of the requirements for the degree of Doctor of Philosophy School of Computer Science and Engineering Faculty of Engineering March 2019 Thesis/Dissertation Sheet Surname/Family Name : Shen Given Name/s : Yanyan Abbreviation for degree as give in the University calendar : PhD Faculty : Faculty of Engineering School : School of Computer Science and Engineering Microkernel Mechanisms for Improving the Trustworthiness of Commodity Thesis Title : Hardware Abstract 350 words maximum: (PLEASE TYPE) The thesis presents microkernel-based software-implemented mechanisms for improving the trustworthiness of computer systems based on commercial off-the-shelf (COTS) hardware that can malfunction when the hardware is impacted by transient hardware faults. The hardware anomalies, if undetected, can cause data corruptions, system crashes, and security vulnerabilities, significantly undermining system dependability. Specifically, we adopt the single event upset (SEU) fault model and address transient CPU or memory faults. We take advantage of the functional correctness and isolation guarantee provided by the formally verified seL4 microkernel and hardware redundancy provided by multicore processors, design the redundant co-execution (RCoE) architecture that replicates a whole software system (including the microkernel) onto different CPU cores, and implement two variants, loosely-coupled redundant co-execution (LC-RCoE) and closely-coupled redundant co-execution (CC-RCoE), for the ARM and x86 architectures. RCoE treats each replica of the software system as a state machine and ensures that the replicas start from the same initial state, observe consistent inputs, perform equivalent state transitions, and thus produce consistent outputs during error-free executions.
    [Show full text]
  • SMASH: Synchronized Many-Sided Rowhammer Attacks from Javascript
    SMASH: Synchronized Many-sided Rowhammer Attacks from JavaScript Finn de Ridder Pietro Frigo Emanuele Vannacci Herbert Bos ETH Zurich VU Amsterdam VU Amsterdam VU Amsterdam VU Amsterdam Cristiano Giuffrida Kaveh Razavi VU Amsterdam ETH Zurich Abstract has instead been lagging behind. In particular, rather than Despite their in-DRAM Target Row Refresh (TRR) mitiga- addressing the root cause of the Rowhammer bug, DDR4 in- tions, some of the most recent DDR4 modules are still vul- troduced a mitigation known as Target Row Refresh (TRR). nerable to many-sided Rowhammer bit flips. While these TRR, however, has already been shown to be ineffective bit flips are exploitable from native code, triggering them against many-sided Rowhammer attacks from native code, in the browser from JavaScript faces three nontrivial chal- at least in its current in-DRAM form [12]. However, it is lenges. First, given the lack of cache flushing instructions in unclear whether TRR’s failing also re-exposes end users to JavaScript, existing eviction-based Rowhammer attacks are TRR-aware, JavaScript-based Rowhammer attacks from the already slow for the older single- or double-sided variants browser. In fact, existing many-sided Rowhammer attacks and thus not always effective. With many-sided Rowhammer, require frequent cache flushes, large physically-contiguous mounting effective attacks is even more challenging, as it re- regions, and certain access patterns to bypass in-DRAM TRR, quires the eviction of many different aggressor addresses from all challenging in JavaScript. the CPU caches. Second, the most effective many-sided vari- In this paper, we show that under realistic assumptions, it ants, known as n-sided, require large physically-contiguous is indeed possible to bypass TRR directly from JavaScript, memory regions which are not available in JavaScript.
    [Show full text]
  • A Modern Primer on Processing in Memory
    A Modern Primer on Processing in Memory Onur Mutlua,b, Saugata Ghoseb,c, Juan Gomez-Luna´ a, Rachata Ausavarungnirund SAFARI Research Group aETH Z¨urich bCarnegie Mellon University cUniversity of Illinois at Urbana-Champaign dKing Mongkut’s University of Technology North Bangkok Abstract Modern computing systems are overwhelmingly designed to move data to computation. This design choice goes directly against at least three key trends in computing that cause performance, scalability and energy bottlenecks: (1) data access is a key bottleneck as many important applications are increasingly data-intensive, and memory bandwidth and energy do not scale well, (2) energy consumption is a key limiter in almost all computing platforms, especially server and mobile systems, (3) data movement, especially off-chip to on-chip, is very expensive in terms of bandwidth, energy and latency, much more so than computation. These trends are especially severely-felt in the data-intensive server and energy-constrained mobile systems of today. At the same time, conventional memory technology is facing many technology scaling challenges in terms of reliability, energy, and performance. As a result, memory system architects are open to organizing memory in different ways and making it more intelligent, at the expense of higher cost. The emergence of 3D-stacked memory plus logic, the adoption of error correcting codes inside the latest DRAM chips, proliferation of different main memory standards and chips, specialized for different purposes (e.g., graphics, low-power, high bandwidth, low latency), and the necessity of designing new solutions to serious reliability and security issues, such as the RowHammer phenomenon, are an evidence of this trend.
    [Show full text]
  • Drammer: Deterministic Rowhammer Attacks on Mobile Platforms
    Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Victor van der Veen Yanick Fratantonio Martina Lindorfer Vrije Universiteit Amsterdam UC Santa Barbara UC Santa Barbara [email protected] [email protected] [email protected] Daniel Gruss Clémentine Maurice Giovanni Vigna Graz University of Technology Graz University of Technology UC Santa Barbara [email protected] [email protected] [email protected] Herbert Bos Kaveh Razavi Cristiano Giuffrida Vrije Universiteit Amsterdam Vrije Universiteit Amsterdam Vrije Universiteit Amsterdam [email protected] [email protected] [email protected] ABSTRACT 1. INTRODUCTION Recent work shows that the Rowhammer hardware bug can The Rowhammer hardware bug allows an attacker to mod- be used to craft powerful attacks and completely subvert a ify memory without accessing it, simply by repeatedly ac- system. However, existing efforts either describe probabilis- cessing, i.e., \hammering", a given physical memory loca- tic (and thus unreliable) attacks or rely on special (and often tion until a bit in an adjacent location flips. Rowhammer unavailable) memory management features to place victim has been used to craft powerful attacks that bypass all cur- objects in vulnerable physical memory locations. Moreover, rent defenses and completely subvert a system [16,32,35,47]. prior work only targets x86 and researchers have openly won- Until now, the proposed exploitation techniques are either dered whether Rowhammer attacks on other architectures, probabilistic [16,35] or rely on special memory management such as ARM, are even possible. features such as memory deduplication [32], MMU paravir- We show that deterministic Rowhammer attacks are feasi- tualization [47], or the pagemap interface [35].
    [Show full text]
  • Throwhammer: Rowhammer Attacks Over the Network and Defenses
    Throwhammer: Rowhammer Attacks over the Network and Defenses Andrei Tatar Radhesh Krishnan Konoth Elias Athanasopoulos VU Amsterdam VU Amsterdam University of Cyprus Cristiano Giuffrida Herbert Bos Kaveh Razavi VU Amsterdam VU Amsterdam VU Amsterdam Abstract never progressed beyond local privilege escalations or sandbox escapes. The attacker needs the ability to run Increasingly sophisticated Rowhammer exploits allow an code on the victim machine in order to flip bits in sen- attacker that can execute code on a vulnerable system sitive data. Hence, Rowhammer posed little threat from to escalate privileges and compromise browsers, clouds, attackers without code execution on the victim machines. and mobile systems. In all these attacks, the common In this paper, we show that this is no longer true and at- assumption is that attackers first need to obtain code tackers can flip bits by only sending network packets to execution on the victim machine to be able to exploit a victim machine connected to RDMA-enabled networks Rowhammer either by having (unprivileged) code exe- commonly used in clouds and data centers [1, 20, 45, 62]. cution on the victim machine or by luring the victim to a website that employs a malicious JavaScript applica- Rowhammer exploits today Rowhammer allows at- tion. In this paper, we revisit this assumption and show tackers to flip a bit in one physical memory location that an attacker can trigger and exploit Rowhammer bit by aggressively reading (or writing) other locations (i.e., flips directly from a remote machine by only sending hammering). As bit flips occur at the physical level, they network packets.
    [Show full text]
  • Can Microkernels Mitigate Microarchitectural Attacks?⋆
    Can Microkernels Mitigate Microarchitectural Attacks?? Gunnar Grimsdal1, Patrik Lundgren2, Christian Vestlund3, Felipe Boeira1, and Mikael Asplund1[0000−0003−1916−3398] 1 Department of Computer and Information Science, Link¨oping University, Sweden ffelipe.boeira,[email protected] 2 Westermo Network Technologies [email protected] 3 Sectra AB, Link¨oping,Sweden Abstract. Microarchitectural attacks such as Meltdown and Spectre have attracted much attention recently. In this paper we study how effec- tive these attacks are on the Genode microkernel framework using three different kernels, Okl4, Nova, and Linux. We try to answer the question whether the strict process separation provided by Genode combined with security-oriented kernels such as Okl4 and Nova can mitigate microar- chitectural attacks. We evaluate the attack effectiveness by measuring the throughput of data transfer that violates the security properties of the system. Our results show that the underlying side-channel attack Flush+Reload used in both Meltdown and Spectre, is effective on all in- vestigated platforms. We were also able to achieve high throughput using the Spectre attack, but we were not able to show any effective Meltdown attack on Okl4 or Nova. Keywords: Genode, Meltdown, Spectre, Flush+Reload, Okl4, Nova 1 Introduction It used to be the case that general-purpose operating systems were mostly found in desktop computers and servers. However, as IoT devices are becoming in- creasingly more sophisticated, they tend more and more to require a powerful operating system such as Linux, since otherwise all basic services must be im- plemented and maintained by the device developers. At the same time, security has become a prime concern both in IoT and in the cloud domain.
    [Show full text]
  • Throwhammer: Rowhammer Attacks Over the Network and Defenses
    Throwhammer: Rowhammer Attacks over the Network and Defenses Andrei Tatar and Radhesh Krishnan Konoth, Vrije Universiteit Amsterdam; Elias Athanasopoulos, University of Cyprus; Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi, Vrije Universiteit Amsterdam https://www.usenix.org/conference/atc18/presentation/tatar This paper is included in the Proceedings of the 2018 USENIX Annual Technical Conference (USENIX ATC ’18). July 11–13, 2018 • Boston, MA, USA ISBN 978-1-939133-02-1 Open access to the Proceedings of the 2018 USENIX Annual Technical Conference is sponsored by USENIX. Throwhammer: Rowhammer Attacks over the Network and Defenses Andrei Tatar Radhesh Krishnan Konoth Elias Athanasopoulos VU Amsterdam VU Amsterdam University of Cyprus Cristiano Giuffrida Herbert Bos Kaveh Razavi VU Amsterdam VU Amsterdam VU Amsterdam Abstract never progressed beyond local privilege escalations or sandbox escapes. The attacker needs the ability to run Increasingly sophisticated Rowhammer exploits allow an code on the victim machine in order to flip bits in sen- attacker that can execute code on a vulnerable system sitive data. Hence, Rowhammer posed little threat from to escalate privileges and compromise browsers, clouds, attackers without code execution on the victim machines. and mobile systems. In all these attacks, the common In this paper, we show that this is no longer true and at- assumption is that attackers first need to obtain code tackers can flip bits by only sending network packets to execution on the victim machine to be able to exploit a victim machine connected to RDMA-enabled networks Rowhammer either by having (unprivileged) code exe- commonly used in clouds and data centers [1, 20, 45, 62].
    [Show full text]
  • Row Hammer Exploit in Cloud Environment
    Iowa State University Capstones, Theses and Creative Components Dissertations Fall 2018 Row hammer exploit in cloud environment Adithya Venkataraman Iowa State University Follow this and additional works at: https://lib.dr.iastate.edu/creativecomponents Part of the Computer and Systems Architecture Commons Recommended Citation Venkataraman, Adithya, "Row hammer exploit in cloud environment" (2018). Creative Components. 113. https://lib.dr.iastate.edu/creativecomponents/113 This Creative Component is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Creative Components by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. Row hammer exploit in c loud environment by Adithya Venkataraman A report submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Major: Electrical and Computer Engineering Program of Study Committee: Akhilesh Tyagi, Major Professor The student author, whose presentation of the scholarship herein was approved by the program of study committee, is solely responsible for the content of this thesis. The Graduate College will ensure this dissertation is globally accessible and will not permit alterations after a degree is conferred. Iowa State University Ames, Iowa 2018 Copyright © Adithya Venkataraman, 2018. All rights reserved. ii TABLE OF CONTENTS Page
    [Show full text]
  • Quantifying Rowhammer Vulnerability for DRAM Security
    Quantifying Rowhammer Vulnerability for DRAM Security Yichen Jiang∗x, Huifeng Zhuyx, Dean Sullivan∗, Xiaolong Guoz, Xuan Zhangy and Yier Jin∗ ∗University of Florida, yWashington University in St. Louis, zKansas State University yichen.jiang@ufl.edu, [email protected], deanms@ufl.edu, [email protected], [email protected], [email protected]fl.edu Abstract—Rowhammer is a memory-based attack that leverages attack and evaluate cells’ susceptibility of being leaked during such capacitive-coupling to induce faults in modern dynamic random-access an attack. In our model, the equivalent resistance of intrinsic leakage memory (DRAM). Over the last decade, a significant number of Rowham- (denoted as R ) describes the retention time of the DRAM cells mer attacks have been presented to reveal that it is a severe security issue L capable of causing privilege escalations, launching distributed denial- storage capacitor. The equivalent resistance of capacitive coupling of-service (DDoS) attacks, and even runtime attack such as control leakage (denoted as RSW ) represents the DRAM cells resistance flow hijacking. Moreover, the Rowhammer vulnerability has also been to repeated aggressor row activations. We experimentally determine identified and validated in both cloud computing and data center these model parameters and how they can be used to characterize a environments, threatening data security and privacy at a large scale. Various solutions have been proposed to counter Rowhammer attacks DRAM’s resilience against Rowhammer attacks. To the best of our but existing methods lack a circuit-level explanation of the capacitive- knowledge, this is the first work to quantify the relationship between coupling phenomenon in modern DRAMs, the key cause of Rowhammer DRAM data retention and counts of aggressor row activations.
    [Show full text]
  • Machxo2 LPDDR SDRAM Controller IP Core User's Guide
    MachXO2™ LPDDR SDRAM Controller IP Core User’s Guide February 2014 IPUG92_01.3 Table of Contents Chapter 1. Introduction .......................................................................................................................... 4 Introduction ........................................................................................................................................................... 4 Quick Facts ........................................................................................................................................................... 4 Features ................................................................................................................................................................ 4 Chapter 2. Functional Description ........................................................................................................ 5 Overview ............................................................................................................................................................... 5 Initialization Block......................................................................................................................................... 5 Read Training Block..................................................................................................................................... 6 Data Control Block ....................................................................................................................................... 6 LPDDR I/Os ................................................................................................................................................
    [Show full text]
  • ¡ Semiconductor MSM5718C50/Md5764802this Version: Feb
    E2G1059-39-21 ¡ Semiconductor MSM5718C50/MD5764802This version: Feb. 1999 ¡ Semiconductor Previous version: Nov. 1998 MSM5718C50/MD5764802 18Mb (2M ´ 9) & 64Mb (8M ´ 8) Concurrent RDRAM DESCRIPTION The 18/64-Megabit Concurrent Rambus™ DRAMs (RDRAM®) are extremely high-speed CMOS DRAMs organized as 2M or 8M words by 8 or 9 bits. They are capable of bursting unlimited lengths of data at 1.67 ns per byte (13.3 ns per eight bytes). The use of Rambus Signaling Level (RSL) technology permits 600 MHz transfer rates while using conventional system and board design methodologies. Low effective latency is attained by operating the two or four 2KB sense amplifiers as high speed caches, and by using random access mode (page mode) to facilitate large block transfers. Concurrent (simultaneous) bank operations permit high effective bandwidth using interleaved transactions. RDRAMs are general purpose high-performance memory devices suitable for use in a broad range of applications including PC and consumer main memory, graphics, video, and any other application where high-performance at low cost is required. FEATURES • Compatible with Base RDRAMs • 600 MB/s peak transfer rate per RDRAM • Rambus Signaling Level (RSL) interface • Synchronous, concurrent protocol for block-oriented, interleaved (overlapped) transfers • 480 MB/s effective bandwidth for random 32 byte transfers from one RDRAM • 13 active signals require just 32 total pins on the controller interface (including power) • 3.3 V operation • Additional/multiple Rambus Channels each provide an additional 600 MB/s bandwidth • Two or four 2KByte sense amplifiers may be operated as caches for low latency access • Random access mode enables any burst order at full bandwidth within a page • Graphics features include write-per-bit and mask-per-bit operations • Available in horizontal surface mount plastic package (SHP32-P-1125-0.65-K) 1/45 ¡ Semiconductor MSM5718C50/MD5764802 PART NUMBERS The 18- and 64-Megabit RDRAMs are available in horizontal surface mount plastic package (SHP), with 533 and 600 MHz clock rate.
    [Show full text]