ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks Zelalem Birhanu Aweke,y Salessawi Ferede Yitbarek,y Rui Qiao,z Reetuparna Das,y Matthew Hicks,y Yossi Oren,∗ and Todd Austiny y University of Michigan z Stony Brook University ∗ Ben-Gurion University of the Negev Abstract 1. Introduction Ensuring the integrity and security of the memory system In recent years, hardware security has grown in importance is critical. Recent studies have shown serious security con- for all aspects of hardware design. The emergence of viable cerns due to “rowhammer” attacks, where repeated accesses hardware security vulnerabilities, such as side-channel at- to a row of memory cause bit flips in adjacent rows. Re- tacks [2] and malicious circuits [10, 22], ensures that this cent work by Google’s Project Zero has shown how to lever- trend continues today. Perhaps no recent hardware security age rowhammer-induced bit-flips as the basis for security vulnerability has garnered more concern than the rowham- exploits that include malicious code injection and memory mer attack [24]. The rowhammer attack allows the manip- privilege escalation. Being an important security concern, ulation of data in a row of a DRAM (referred to as the vic- industry has attempted to defend against rowhammer at- tim row) by repeatedly accessing (or “hammering”) adjacent tacks. Deployed defenses employ two strategies: (1) dou- rows. Serious security concerns arise when, for example, ad- bling the system DRAM refresh rate and (2) restricting ac- jacent DRAM rows are not within the same memory protec- cess to the CLFLUSH instruction that attackers use to bypass tion domain [28]. the cache to increase memory access frequency (i.e., the rate of rowhammering). 1.1 Rowhammer Attacks We demonstrate that such defenses are inadequte: we implement rowhammer attacks that both avoid using the The rowhammer attack exploits the physical architecture of CLFLUSH instruction and cause bit flips with a doubled re- modern DRAMs, which are composed of numerous rows fresh rate. Our next-generation CLFLUSH-free rowhammer of densely packed capacitive bit cells. The bit cells hold attack bypasses the cache by manipulating cache replace- the charge that represent program data values. Natural leak- ment state to allow frequent misses out of the last-level cache age of charge out of capacitive bit cells requires that the to DRAM rows of our choosing. DRAM rows be refreshed (i.e., their charge restored through To protect existing systems from more advanced rowham- a refresh operation) regularly. Current DRAM architectures mer attacks, we develop a software-based defense, ANVIL, (e.g., DDR3) require a refresh command to be issued every which thwarts all known rowhammer attacks on existing sys- 7.8us [3], refreshing individual rows once every 64ms. The tems. ANVIL detects rowhammer attacks by tracking the lo- rowhammer attack exploits an electrical cross-talk property cality of DRAM accesses using existing hardware perfor- within the dense interconnect of modern DRAMs. Repeated mance counters. Our detector identifies the rows being fre- accesses to one row (the aggressor) within a single refresh quently accessed (i.e., the aggressors), then selectively re- cycle (e.g., 100’s of thousands of accesses) speeds up the dis- freshes the nearby victim rows to prevent hammering. Ex- charge of bit cells in adjacent rows (victim rows) [11]. This periments running on real hardware with the SPEC2006 causes bit-flips in the victim rows most sensitive to hammer- benchmarks show that ANVIL has less than a 1% false posi- ing. tive rate and an average slowdown of 1%. ANVIL is low-cost Recent studies have demonstrated the rowhammer attack and robust, and our experiments indicate that it is an effec- on a wide variety of commercial system [24, 28]. These at- tive approach for protecting existing and future systems from tacks used the CLFLUSH x86 instruction to flush specific even advanced rowhammer attacks. cache lines, thereby allowing high locality rowhammer ac- cesses to reach the DRAM unhindered by on-chip caches. Shortly after viable rowhammmer demonstrations emerged, work began to weaponize the mechanism, i.e., utilize it to breach a secure system. Of note, Google’s Project Zero Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and demonstrates two such weaponizations of a CLFLUSH- the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires based rowhammer attack [28]. The first attack uses rowham- prior specific permission and/or a fee. Request permissions from [email protected]. ASPLOS ’16, April 02-06, 2016, Atlanta, GA, USA mering to insert malicious code into Google’s Native Client c 2016 ACM. ISBN 978-1-4503-4091-5/16/04$15.00 DOI: http://dx.doi.org/10.1145/2872362.2872390 sandbox. The second attack is a privilege escalation attack 743 that allows a process to gain write access to its own page with extremely high (cumulative) probability [24]. Such so- tables, and hence gain read-write access to all of physical lutions require the introduction of new hardware. memory. 1.3 Contributions of This Work 1.2 Mitigating Rowhammer Attacks In this work, we show that current rowhammer mitigation techniques for existing systems (i.e., disallowing cache flush The response from the hardware industry focuses on pro- instructions and doubling refresh rates) do not work. We tecting both legacy and future systems. For legacy systems, demonstrate in this paper two attacks that defeat these pro- industry employs two mitigation strategies. The first miti- tections. Specifically, we demonstrate the first CLFLUSH- gation strategy is to double the refresh rate of DRAM sys- free rowhammer attack, thereby thwarting efforts to deter tems, from once every 64ms to once every 32ms. Many hard- rowhammering by restricting access to the CLFLUSH in- ware manufacturers, for example HP [15] and Lenovo [18], struction. The attack manipulates cache replacement state to deployed firmware updates that double refresh rates as a ensure high-frequency misses out of the last-level cache to rowhammer protection. However, this approach is insuffi- DRAM rows of our choosing. The algorithm is able to effi- cient, as shown by us in Section 2.1 and by others [24]. The ciently implement a successful rowhammer attack within state of the art in rowhammer attacks are effective at caus- one 64ms DRAM refresh cycle, creating approximately ing bit-flips within a 32ms refresh window. The second mit- 220,000 DRAM row accesses 1. A critical implication of igation strategy involves restricting access to the CLFLUSH the CLFLUSH-free attack is that now any program with instruction which attacks use to flush cache lines and gain access to loads and stores can perform a rowhammer at- direct access to DRAM rows. For example, Google recently tack. In addition, we demonstrate that is it straightforward to updated the Chrome Native Client sandbox (which allows rowhammer DRAM under a double-rate 32ms refresh cycle, local execution of remotely downloaded binaries) to prevent underscoring the futility of this popular, but costly, protec- the loading of any code containing the CLFLUSH instruc- tion mechanism. tion [28]. Again, we show that this protection is insufficient As such, existing systems immediately require a more by detailing the first CLFLUSH-free rowhammer attack. robust means of protection against rowhammer attacks. To An emerging defense, as suggested by some manufactur- this end, we present ANVIL, a software-based rowham- ers, is that increasing ECC scrub rates could be a rowham- mer detector which protects existing and future commod- mer protection mechanism [14]. But, prior work [24] shows ity DRAMs. We implement ANVIL using an existing hard- multiple bit-flips per word when executing rowhammer at- ware performance monitoring infrastructure. ANVIL works tacks, making this approach of questionable value in pro- by monitoring the locality of DRAM row accesses out of tecting existing or future systems. the last-level cache. In the event that row access locality be- Protections for future DRAM architectures are begin- comes too high (i.e., indicating repeated accesses to the same ning to appear in industry announcements and the litera- DRAM row), the detector selectively refreshes neighboring ture. For example, the upcoming LPDDR4 specification and potential victim rows with a read operation (for DRAM, a new DDR4 modules include a targeted row refresh (TRR) read operation fully refreshes the accessed DRAM row). capability designed to thwart rowhammer attacks [19, 21]. We implement ANVIL as a Linux kernel module that uti- The mechanism tracks the number of row activations within lizes Intel architectures’ performance monitoring capabili- a fixed time window, and selectively refreshes rows neigh- ties to detect DRAM row access locality out of the last-level boring a too-frequently accessed DRAM row. However, Mi- cache. The performance monitoring capabilities we rely on cron DDR4 documentation [19] suggests that this mecha- are also available on AMD-based systems [6]. The detec- nism is an “optional module”, thus there may exist future tor uses a multi-staged approach to reduce detector over- DDR4 systems still susceptible to rowhammer attacks. In heads, leading to an average slowdown (for non-malicious fact, bit flips due to rowhammering in DDR4 system have programs running on real hardware) of about 1%, and worst- been reported [7]. Intel has partially disclosed the existence case slowdown of 3.2%. In addition, our detector has a la- of pseudo-targeted row refresh (pTRR) in Xeon-class Ivy- tency of only 12ms.