Mithril: Cooperative Row Hammer Protection on Commodity DRAM Leveraging Managed Refresh

Mithril: Cooperative Row Hammer Protection on Commodity DRAM Leveraging Managed Refresh

Mithril: Cooperative Row Hammer Protection on Commodity DRAM Leveraging Managed Refresh Michael Jaemin Kim, Jaehyun Park, Yeonhong Park, Wanju Doh, Namhoon Kim, Tae Jun Ham, Jae W. Lee, and Jung Ho Ahn Seoul National University [email protected] Abstract—Since its public introduction in the mid-2010s, the computer system. RH-induced bit-flip can be abused in various Row Hammer (RH) phenomenon has drawn significant attention attack scenarios. For example, the RH can be utilized to from the research community due to its security implications. modify an unauthorized memory location or enable other Although many RH-protection schemes have been proposed by processor vendors, DRAM manufacturers, and academia, they attack techniques such as privilege escalation and cross-VM still have shortcomings. Solutions implemented in the memory attacks [1], [11], [12], [17], [41], [49], [53]. controller (MC) pay an increasingly higher cost due to their The criticality of this problem motivated many RH protec- conservative design for the worst case in terms of the number tion solutions. There exist several software-based solutions [5], of DRAM banks and RH threshold to support. Meanwhile, the [9], [19], [30], [49], but such solutions often incur a high- DRAM-side implementation has a limited time margin for RH protection measures or requires extensive modifications to the performance cost and have limited coverage (i.e., only ef- standard DRAM interface. fective against a specific attack scenario). For these reasons, Recently, a new command for RH protection has been intro- architectural solutions have emerged as promising alternatives. duced in the DDR5/LPDDR5 standards, called refresh manage- By providing the RH mitigation at the DRAM device level, ment (RFM). RFM enables the separation of the tasks for RH pro- these mechanisms can provide strong protection against most tection to both MC and DRAM. It does so by having the former generate an RFM command at a specific activation frequency, attack scenarios with relatively low or negligible performance and the latter take proper RH protection measures within a given overhead. Most architectural RH defense solutions exploit one time window. Although promising, no existing study presents and of the two mechanisms: adjacent row refresh (ARR) and mem- analyzes RFM-based solutions for RH protection. In this paper, ory access throttling. ARR [29], [31], [39] is a non-standard we propose Mithril, the first RFM interface-compatible, DRAM- DRAM command that is issued by memory controllers to MC cooperative RH protection scheme providing deterministic protection guarantees. Mithril has minimal energy overheads for initiate an extra preventive refresh (REFprev) on potential RH common use cases without adversarial memory access patterns. victim rows. Throttling [16], [50] is a mechanism of limiting We also introduce Mithril+, an extension to provide minimal the overly frequent activations on the potential RH aggressor performance overheads at the expense of a tiny modification to row from the memory controller. the MC while utilizing an existing DRAM command. Using one of the remedies, existing architectural RH- protection schemes provide either probabilistic or determinis- I. INTRODUCTION tic protection guarantee for the target RHTH . The probabilistic DRAM has been an essential part of computer systems for protection schemes are efficient in that they often require very decades. One characteristic of DRAM is that DRAM inher- few extra structures, but they cannot completely prevent the ently leaks charges over time. Thus an auto-refresh command RH attack. On the other hand, the deterministic protection arXiv:2108.06703v1 [cs.CR] 15 Aug 2021 needs to recharge a DRAM cell at an interval of refresh schemes utilize an extra counter structure to track the potential window to avoid a loss of data. However, when a certain RH aggressor rows to provide the complete protection guar- row (aggressor) is activated at a rate surpassing a certain antee. Often, streaming algorithms (Section II-F) or grouped- threshold, the nearby row (victim) may experience a bit flip counter approaches are utilized to effectively manage the phenomenon. This reliability problem is called Row Hammer counter table. (RH) [28], [29] and the threshold number of activations within One of the important design decisions for the architectural a single refresh window causing the first-bit flip is called RH-protection scheme is where to implement the proposed RH-threshold (RHTH ). Unfortunately, the RH problem is solution within the system. In practice, most RH protection becoming more critical as fabrication technology scales [14]. solutions are either implemented in an on-die memory con- Recent works report RHTH to be as low as 20K, and several troller (MC) or a DRAM device. For example, Graphene [39], literatures identified that even non-adjacent victim rows could BlockHammer [50], and PARA [29] are implemented in the be influenced by the RH phenomenon [15], [28]. on-die MC, whereas TWiCe [31] and the industry-oriented RH The RH phenomenon has been a serious security vul- protection schemes [14], [37] are implemented in the DRAM. nerability as it breaks the basic integrity guarantee in the Unfortunately, both choices have their own drawbacks. 1 First, the MC-side implementation needs to provide RH TABLE I protection resources for the worst-case, where the expected SYMBOLS AND THEIR DESCRIPTIONS USED FOR DRAM REFRESH,ROW HAMMER, AND STREAMING ALGORITHM. RHTH level is very low, and the processor is connected to the maximum number of DRAM banks it supports. As a result, it Symbol Description requires a large extra area for the counter structures that the tREFW Per row auto-refresh interval (e.g. 32ms and RH protection mechanism utilizes. 64ms) RH Notation for RH threshold. The DRAM-side implementations are free from such con- TH REFprev Extra preventive refresh on the potential RH vic- cerns, as RHTH of a specific DRAM is estimated accurately tim rows. Executed during ARR, RFM command, by DRAM vendors, and the resource usage is proportional to or hidden in the auto-refresh. the number of DRAM banks since on-DRAM RH-protection rblast Distance that RH effect reaches. Realcnt Real number of occurrence in a data stream. schemes are often deployed at a per-bank or per-DIMM basis. Estcnt Reported number of Realcnt from the algorithm. However, such on-DRAM protection schemes suffer from the deployability issues. protection against a target RHTH . Finally, we propose 1) To secure the time margin for the extra REFprev for the potential RH victim rows, the DRAM-side schemes must algorithmic optimization for energy saving, 2) RFM extension either request the MC to generate the non-standard ARR to mitigate performance overhead by exploiting the memory access patterns of the ordinary workloads, and 3) hardware commands or perform extra REFprev during the auto-refresh in a way that is transparent to the MC. The former mechanism optimization that obviates the need for counter table reset, breaks the abstraction that DRAM is a passive device. In which was mandatory in the prior work. contrast, the latter mechanism [14] called the time-margin- The key contributions of this paper are as follows: stealing method is not always possible depending on the • We classify the possible combinations of different stream- DRAM characteristics and the auto-refresh margin. ing algorithms and remedies for RH-protection and inves- Refresh Management (RFM) is a new candidate for a tigate appropriate methods for the RFM-based scheme. remedy in addition to the prior ARR and throttling, which has • We propose Mithril, the first RFM-based RH-protection been newly introduced to the DDR5 and LPDDR5 specifica- scheme with deterministic safety guarantees, exploiting a tions [21], [22]. An MC sends an RFM command at a specific modified Counter-based Summary algorithm. activation frequency to a target DRAM bank without a target • We provide a rigorous mathematical proof of the modified row. The DRAM-side RH-protection scheme can exploit the algorithm and the RH safety of Mithril. time margin provided by the RFM command to take necessary • We suggest the energy and performance optimization tech- niques that exploit the memory access patterns of the actions, typically extra REFprev. This cooperation between the MC and DRAM effectively avoids the critical drawbacks common, non-adversarial workloads. of MC- or DRAM-only implementations. Despite its promising trait, the applicability of RFM for II. BACKGROUND the RH-protection scheme has not been publicly verified or A. DRAM Refresh appropriately evaluated to the best of our knowledge. A prior probabilistic scheme [29] may be trivially applied. However, DRAM stores a single bit in a cell, composed of one capac- the prior deterministic schemes cannot be directly applied to itor and one access transistor. These cells are organized into the RFM interface. The prior ARR-based schemes reactively rows and columns. A DRAM row, which shares a wordline, is issue the command targeting a specific row when the acti- the granularity of the activation (ACT) and precharge (PRE), vation count reaches a scheme-specific predefined threshold. which respectively allows and disallows the read or write However, periodic in its nature, the RFM command is prone to operation on the row. The read and write operation occurs the worst case where multiple rows simultaneously require the by accessing a certain number of columns in an activated REFprev in a short time period, unlike the ARR command. row. DRAM is composed of multiple banks. Each bank allows Throttling-based prior work also cannot utilize the RFM independent ACT, PRE, read, and write operations. Multiple command properly. Thus, prior ARR- or throttling-based RH- banks form a rank, which shares the memory channel to the protection schemes are inefficient over the RFM-interface. memory controller (MC) at the host side. Mithril, a novel DRAM-side, RFM-compatible, and de- Due to the inherent characteristic of a DRAM cell capacitor terministic RH-protection scheme takes a new approach in that the stored charge leaks over time, the cell value needs utilizing the RFM command.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    14 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us