A New Approach for Rowhammer Attacks Rui Qiao Mark Seaborn Stony Brook University Google [email protected] [email protected] Abstract—Rowhammer is a hardware bug identified in recent table, and write access to page tables enables attacker to commodity DRAMs: repeated row activations can cause bit flips control the whole physical memory. The second exploit is in adjacent rows. Rowhammer has been recognized as both a a sandbox escape by causing bit flips in the instructions reliability and security issue. And it is a classic example that lay- ered abstractions and trust (in this case, virtual memory) can be enforcing control-flow integrity [17]. broken from hardware level. Previous rowhammer attacks either rely on rarely used special instructions or complicated memory The key challenge of triggering rowhammer is to reliably access patterns. In this paper, we propose a new approach for and frequently cause DRAM row activations. However, CPU rowhammer that is based on x86 non-temporal instructions. This cache can prevent DRAM accesses (and therefore row activa- approach bypasses existing rowhammer defense and is much tions). Previous rowhammer approaches either rely on the x86 less constrained for a more challenging task: remote rowhammer attacks, i.e., triggering rowhammer with existing, benign code. CLFLUSH instruction [15], or use carefully selected memory Moreover, we extend our approach and identify libc memset access patterns to evict cache lines [9], [10]. Therefore, and memcpy functions as a new rowhammer primitive. Our rowhammer attacks are usually assumed by software level discussions on rowhammer protection suggest that it is critical defenses to be based on these approaches. to understand this new threat to be able to defend in depth. I.I NTRODUCTION In this paper, we propose new approaches for triggering rowhammer. We further discuss their security implications un- Rowhammer is a kind of DRAM disturbance error: repeated der two different threat models. In the first model, the program DRAM row activations can cause bit flips in adjacent rows code is from untrusted sources, and may be sandboxed. The [15]. As a DRAM hardware bug, rowhammer is closely related second model only allows benign code to be executed, but to DRAM organization. DRAM consists of a two dimensional the program may be exposed to untrusted data inputs. We array of cells: the rows and columns are used for addressing a show that rowhammer attacks can be performed with our new cell. For each DRAM cell, the charged or uncharged state of approaches. Specifically, we make the following contributions: its capacitor is used to denote a single bit of stored value. In order to access a cell, its row needs to be activated in order to be copied to a row buffer. However, repeatedly activating a row • A new rowhammer method without CLFLUSH. Other can cause cells at adjacent rows discharge at an accelerated than existing methods, we demonstrate that rowhammer rate. If a cell state changes from charged to uncharged before can also be triggered with non-temporal store instructions. it is refreshed, the bit has flipped. This phenomenon is widely This method can be less constrained and more suitable recognized as the “rowhammer” problem. for some scenarios. The rowhammer problem exists in recent commodity • A new rowhammer primitive. We identify a new rowham- DRAM chips and mostly results from the design/process mer primitive that extends our non-temporal store based limitations for sub 40 nm memory technology such as DDR3 method. Specifically, libc functions memset and memcpy [15]: as the chip density increases, the cells become smaller are found capable of rowhammer. This can be convenient and the capacitors can hold less charge. The cells are also because of their wide usage. closer. Therefore the voltage fluctuations when activating a • Exploit with untrusted code. We develop an exploit that row are more likely to affect adjacent rows and finally result can escape from a sandbox, bypassing existing appli- in bit flips. It has been shown that 110 out of 129 recent cation layer rowhammer defense. We highlight the dif- DRAM modules from three major DRAM manufactures are ferences of the exploit as compared to the CLFLUSH susceptible to the rowhammer problem [15]. based approach, and illustrate how we overcome these Rowhammer was first considered as a reliability issue which challenges. may result in data corruption, but later it has been shown to • Remote rowhammer attacks. We describe the possible also be a security issue [17]. Two exploits were developed: remote rowhammer attacks, i.e., triggering rowhammer the first one gains kernel privilege by causing bit flips in with malicious inputs but benign code, based on the new page table entries (PTE) of an unprivileged, malicious process. rowhammer methods. Compared with user level software Specifically, the changed PTE may point one of the malicious based memory corruptions which only affect the current process’s writable page to a physical frame containing page process, one distinguishing feature of rowhammer is that ∗This work was supported in part by grant from ONR (N00014-15-1-2378). bit flips can be caused in other processes or kernel. code1a: code1b: III.N ON-TEMPORAL STORES:ANEW METHOD FOR mov (X), %eax mov (X), %eax OWHAMMER mov (Y), %eax clflush (X) R clflush (X) In this section, we introduce the involved instructions, chal- clflush (Y) mfence mfence lenges, and implementation details for our new rowhammer jmp code1a jmp code1b method. Fig. 1. Rowhammer with CLFLUSH A. Non-temporal Instructions II.B ACKGROUND In computation, data references can have different patterns. Some are temporal: data will be accessed again soon in A. DRAM future. Some are spatial: data in adjacent locations will be From a low level, the basic unit of storing information in accessed. And some are non-temporal: data is referenced dynamic random-access memory (DRAM) is a cell. It consists just once and not again in the near future. As most data of a capacitor and a transistor. The capacitor can either be accesses exhibit either temporal or spatial locality, caches are charged or uncharged, representing a binary data value. And introduced to effectively improve performance. However, non- the transistor is used for accessing the cell. temporal accesses could pollute cache and harm performance. From a high level, a DRAM module can have one or To address this problem, non-temporal instructions were in- two ranks, where one rank corresponds to one side of the troduced by CPU vendors for supporting cacheability control. dual inline memory modules (DIMMs). Each rank is divided Once non-temporal data references are expected, programmers into banks, which can be accessed concurrently to increase or compilers can use these non-temporal instructions to mini- parallelism. In each bank, cells are organized into rows and mize cache pollution. On the other hand, because their cache columns. To access a particular cell, the corresponding row is bypass characteristics are desirable, we explore the possibility first activated, and then data is read into the row buffer of the of using them for rowhammer. bank, and the accesses are served from row buffer. Non-temporal instructions can be loads, stores and DRAM cells lose charge gradually. Therefore, they need prefetches. The only x86 non-temporal load instruction to be recharged periodically to keep the stored value. This MOVNTDQA is not useful for rowhammer because it requires process is called refresh. The time period for a cell to lose the underlying memory to be write combining (WC) type to data because of discharging is called retention time, which is bypass cache. The only x86 non-temporal prefetch instruc- specified by DDR3 DRAM specification [12] to be at least 64 tion PREFETCHNTA is not helpful either, because it may ms. A refresh must happen on every row within this time. (pre)fetch data into L2 cache from L3 cache, therefore not In most systems, memory controller uses physical rather reliably generating DRAM accesses and hence row activations. than virtual addresses for selecting the underlying rank, bank, We can use non-temporal stores for rowhammer because row, and column of the DRAM. Although not documented, they treat target memory as uncached “write combining (WC)” this mapping of some CPUs can be reverse engineered [16]. type [3]1. There are a handful of x86 non-temporal store B. Rowhammer: The DRAM Bug instructions, some examples are: As discussed, rowhammer can be triggered if a DRAM row • MOVNTI: this instruction moves a 32-bit or 64-bit inte- is repeatedly activated. Figure1 shows the code snippets used ger from source register operand to destination memory for rowhammer from the original paper [15]. X and Y are operand, with a non-temporal hint. addresses that belong to the same bank, but different rows. • MOVNTDQ: similarly, this instruction stores a 128-bit Note that code1a can induce bit flips, while code1b cannot. value from a SSE register to memory using a non- This is because in code1b, if a single row (which X belongs temporal hint. to) is repeatedly accessed, the data will be served from the B. Write-Combining Buffers row buffer since there is no need to reactivate the row. On Although non-temporal stores serve as a basis for our the other hand, code1a alternates the accesses to two different rowhammer method, a straight-forward implementation would rows (but on the same bank). Therefore, the next memory read not work due to write-combining buffers. is not from the same row, and the content of the row buffer cannot be used. This essentially forces the two rows to be As discussed, the memory used by non-temporal stores are activated in turn, and finally there can be bit flips in nearby treated as “write combining (WC)” type [3].