Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented by Allan Benelli

Published byAlfréd Halász Modified over 5 years ago

Similar presentations

Presentation on theme: "Presented by Allan Benelli"— Presentation transcript:

1 Presented by Allan Benelli
Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors my name is ... Today I am going to present the paper  ... published 2014 by  some guys from Carnegie Mellon University which are in this room today and Intel Labs.  *Work done while at Carnegie Mellon University ISCA 2014 Presented by Allan Benelli ETH Zürich 07 November 2018

2 Problem

3 Problem The continued scaling of DRAM process technology has enabled smaller cells to be placed closer to each other This gives us: Increase of cells per unit area Decrease of cost per bit memory But also: Reduced noise margin, more vulnerable to data loss Electromagnetic coupling effects between cells Higher variation in process technology increases number of outlier cells

4 Problem As a result, high-density DRAM is more likely to suffer from disturbance, a phenomenon in which different cells interfere with each other’s operation. If a cell is disturbed beyond its noise margin, it malfunctions and experiences a disturbance error. 

5 Background

6 DRAM Cell

7 DRAM Access & Refresh Open Row: raise wordline, transfer data into row-buffer Read/Write: access row-buffer's data Close Row: lower wordline, clear row-buffer Refresh: restore the charge in cells (DDR3 ~ 64ms, in fact same as opening a row)

8 Goal

9 Goal Expose the existence and the widespread nature of disturbance errors in commodity DRAM chips sold and used "today" (2014).

10 Novelty, Key Approach, and Ideas

11 Novelty It demonstrates the existence of DRAM disturbance errors on real DRAM devices from three major manufacturers and real systems using such devices (with user-level assembly code) Known as "RowHammer" It characterizes in detail the characteristics and symptoms of DRAM disturbance errors using an FPGA-based DRAM testing platform It proposes and explores various solutions to prevent DRAM disturbance errors. It shows a novel, low-cost system-level approach as a viable solution to the RowHammer problem

12 Key-Ideas & Approach Causes of Disturbance Errors
Electromagnetic coupling Toggling the wordline voltage briefly increases the voltage of adjacent wordlines, this slightly opens adjacent rows -> Leakage of charge Conductive bridges Hot-carrier injection

13 Toggling the wordline Repeated toggling of the wordline causes the nearby cells to leak charge 1 1 Victim rows Aggressor row

14 Toggling the wordline Repeated toggling of the wordline causes the nearby cells to leak charge 1 1 Victim rows Aggressor row

15 Mechanisms

16 How to Induce Errors x86 CPU DRAM Module DDR3 X Y loop: mov (X), %eax
mov (Y), %ebx clflush (X) clflush (Y) mfence jmp loop X 1111 This is the assembly code that behaves precisely in the manner that I just described. It first opens row X and fetches a cacheline into the processor. But since the next access is to a different row, the processor is forced to close row X before opening row Y. And from row Y, another cacheline is fetched. Subsequently, the two flush instructions evict the cachelines from the processor. Each iteration of the code toggles the two rows X and Y, and after many iterations, many errors appear in adjacent rows. Y 1111 Y. Kim’s Talk on: “Flipping Bits in Memory Without Accessing Them

17 Key Results: Methodology and Evaluation

18 Methodology 8 FPGA boards with DDR3 DRAM memory controller
Tested 129 DRAM modules from manufactures A, B and C, with capacities from 512MB-2GB and production year 08-14                                                                                                                          Access Interval (AI)                                                                    - Time between two accesses                                                                    Refresh Interval (RI)                                                                    - Time between two refreshes                                                                    Data Pattern (DP)                                                                    - Data stored in DRAM                                                                    - e.g. RowStripe (~RowStripe)                                                         alternate rows 1s and 0s

19 Disturbance Errors are Widespread
Most modules are at risk In 110 / 129 tested modules they were able to induce errors The modules without errors were built before 2012 (except one)

20 Error = Charge Loss Two types of errors
- '1' -> '0' and '0' -> '1' Two types of cells (chosen by manufacture) True-cell: Charged = 1 -> only '1' -> '0' errors Anti-cell: Charged = 0 -> only '0' -> '1' errors A given cell suffers only one type Errors are a loss of charge

21 Address Correlation Peaks at +/- 1 But why this distribution?
Physical address may differ from logical address Fault rows are often re-mapped to spare rows Aggressor row can affect more than two rows

22 Sensitivity Shorter RI -> fewer errors
To eliminate all disturbance errors the refresh interval must be shortened by 7x for the worst module

23 Sensitivity Longer AI -> fewer errors

24 Sensitivity Errors also dependent on data stored in other cells RowStripe causes ~10x more errors than Solid Solid RowStripe ColStripe Checkered 111111 000000 111111 101010 010101 101010

25 Error Correction Code - ECC
Couldn’t we just use simple Error Correction Codes as SECDED? SECDED (:= Single Error Correction, Double Error-Detection) detects up to two errors and can correct one error How many errors per row? SECDED is not safe!

26 Other results Victim Cells != Weak Cells
Weak cells := Cells with the shortest retention times Errors are repeatable, but needs a lot of testing time Errors are almost independent by temperature change Some cells have two aggressors

27 Possible Solutions Make better chips Correct errors
… depends on process technology Correct errors … multibit errors and overhead Refresh all rows frequently … shorten RI -> overhead Retire cells (manufacture) … exhaustive search, many spare cells required Retire cells (end-user) … end-user pays for identifying and remapping Identify hot rows, refresh neighbours  … counters needed, complex

28 Proposed Solution PARA (Probabilistic Adjacent Row Activation) Idea:
When a row is open/closed, an adjacent row is opened with small probability Mechanism: When a row is closed, flip a biased coin (p<<1) If head, refresh one of the two adjacent row Problem: Needs to know how logical mapping is done by manufacturer Advantages: Refreshes row infrequently (low power & performance-overhead) Stateless (low cost & low complexity)

29 Summary

30 Summary Disturbance errors are widespread in commodity DRAM chips from recent years. 110 of 129 modules are vulnerable When a row is opened repeatedly, adjacent rows leak charge "It's like breaking into an apartment by repeatedly slamming a neighbor's door until the vibrations open the door you were after“ (Slides of O.Mutlu) The paper... characterizes disturbance errors using FPGA-based testing examines seven solutions to tolerate, prevent or mitigate these errors and proposes PARA, as most efficient and low-overhead solution

31 Strengths

32 Strengths The first paper to expose the widespread existence of disturbance errors in DRAM chips Is the basis for a lot of further work (321 citations) Identifies a new reliability problem and a security vulnerability, RowHammer, that affects an entire generation of computing systems being used today  RowHammer is still relevant today! Real-system approach, not only theoretical With PARA a neat solution is provided Clear structured paper with a good flow

33 Weaknesses

34 Weaknesses Assumes the existence of security exploits, but just touches the topic and doesn't provide a working example. Paper is limited to x86-architecture. Paper relies on the memory controller flipping a coin. If the outcome of these coinflips could be predicted, an attacker may circumvent PARA. It's not explained how the coin could be implemented and how such problems would be avoided. It is not discussed why the Intel processors have more bit flips than the AMD

35 Thoughts and Ideas

36 Thoughts and Ideas What about RowHammer today?
Google Project Zero exploited the DRAM RowHamemer bug to gain kernel privileges Recent studies and reports also suggest vulnerability of DDR4 Ram, mobilephones (ARM), GPU of mobilephones and RowHammer Attacks over the Network. “Solutions”: Shorten RI to 32ms, ECC, TTR and restrict clflush Worth reading, if you want to understand further papers on RowHammer What about ARM / Mobile plattforms? What about SRAM, flash and harddisk? ARM --> next presentation NAND Flash --> Paper Read disturb errors: Reading from one page can alter the values stored in other unread pages

37 Takeaways

38 Key Takeaways RowHammer is a real issue - Disturbance errors are widespread! The fact that computer parts are getting smaller and smaller and the associated problems including RowHammer should receive much more attention than it currently enjoys. Technological progress in manufacturing technology and the scale down to smaller dimensions can produce unexpected errors that one wouldn't think of. The fact that computer parts are getting smaller and smaller and the associated problems including RowHammer should receive much more attention than it currently enjoys, as it is a serious threat and recent studies and reports also suggest vulnerability of DDR4 Ram, graphics cards and mobile phones.

39 Questions/Open Discussion

40 Discussion Is it very likely for a normal application to hammer a row accidentally? Is shortening the refresh interval (and lengthen the activation interval) a practical approach? Is PARA enough? Do you have other solutions in mind? How would you implement such a coin flip used in PARA? Was this paper a roadmap for hackers? What have manufacturere done till now? Doubling refresh rate, ECC, TTR, restricting access to the CLFLUSH (Chrome) --> not sufficent, clflush free attack --> TTR anyway some errors

41 Additional Slides

42 Additional papers and webpages
Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript [D. Gruss et al. 2015] Throwhammer: Rowhammer Attacks over the Network and Defenses [A. Tatar et al. 2018] DDR4: Exploiting the DRAM rowhammer bug to gain kernel privileges [Mark Seaborn, et al.2015] Read Disturb Errors in MLC NAND Flash Mermory: … [Y. Cai, O.Mutlu, et al. 2015] ANVIL: Software-Based Protection Agains Next-Generation Rowhammer Attacks [Z. Aweke et al., 2016] Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU [P. Frigo et al. 2018] Anvil -> clflus free

Download ppt "Presented by Allan Benelli"

Similar presentations

Thank you for your introduction.

Thank you for your introduction.
A Case for Refresh Pausing in DRAM Memory Systems

A Case for Refresh Pausing in DRAM Memory Systems
Computer Organization and Architecture

Computer Organization and Architecture
+ CS 325: CS Hardware and Software Organization and Architecture Internal Memory.

+ CS 325: CS Hardware and Software Organization and Architecture Internal Memory.
Computer Organization and Architecture The CPU Structure.

Computer Organization and Architecture The CPU Structure.
1 Error Correction Coding for Flash Memories Eitan Yaakobi, Jing Ma, Adrian Caulfield, Laura Grupp Steven Swanson, Paul H. Siegel, Jack K. Wolf Flash Memory.

1 Error Correction Coding for Flash Memories Eitan Yaakobi, Jing Ma, Adrian Caulfield, Laura Grupp Steven Swanson, Paul H. Siegel, Jack K. Wolf Flash Memory.
Justin Meza Qiang Wu Sanjeev Kumar Onur Mutlu Revisiting Memory Errors in Large-Scale Production Data Centers Analysis and Modeling of New Trends from.

Justin Meza Qiang Wu Sanjeev Kumar Onur Mutlu Revisiting Memory Errors in Large-Scale Production Data Centers Analysis and Modeling of New Trends from.
3/20/2013 Threshold Voltage Distribution in MLC NAND Flash: Characterization, Analysis, and Modeling Yu Cai 1, Erich F. Haratsch 2, Onur Mutlu 1, and Ken.

3/20/2013 Threshold Voltage Distribution in MLC NAND Flash: Characterization, Analysis, and Modeling Yu Cai 1, Erich F. Haratsch 2, Onur Mutlu 1, and Ken.
Yu Cai1, Erich F. Haratsch2 , Onur Mutlu1 and Ken Mai1

Yu Cai1, Erich F. Haratsch2 , Onur Mutlu1 and Ken Mai1
Program Interference in MLC NAND Flash Memory: Characterization, Modeling, and Mitigation Yu Cai 1 Onur Mutlu 1 Erich F. Haratsch 2 Ken Mai 1 1 Carnegie.

Program Interference in MLC NAND Flash Memory: Characterization, Modeling, and Mitigation Yu Cai 1 Onur Mutlu 1 Erich F. Haratsch 2 Ken Mai 1 1 Carnegie.
Computing Hardware Starter.

Computing Hardware Starter.
CSCI 4717/5717 Computer Architecture

CSCI 4717/5717 Computer Architecture
Microprocessor-based systems Curse 7 Memory hierarchies.

Microprocessor-based systems Curse 7 Memory hierarchies.
2010 IEEE ICECS - Athens, Greece, 12-15 December1 Using Flash memories as SIMO channels for extending the lifetime of Solid-State Drives Maria Varsamou.

2010 IEEE ICECS - Athens, Greece, December1 Using Flash memories as SIMO channels for extending the lifetime of Solid-State Drives Maria Varsamou.
OCR GCSE Computing © Hodder Education 2013 Slide 1 OCR GCSE Computing Chapter 2: Memory.

OCR GCSE Computing © Hodder Education 2013 Slide 1 OCR GCSE Computing Chapter 2: Memory.
Embedded System Lab. Daeyeon Son Neighbor-Cell Assisted Error Correction for MLC NAND Flash Memories Yu Cai 1, Gulay Yalcin 2, Onur Mutlu 1, Erich F. Haratsch.

Embedded System Lab. Daeyeon Son Neighbor-Cell Assisted Error Correction for MLC NAND Flash Memories Yu Cai 1, Gulay Yalcin 2, Onur Mutlu 1, Erich F. Haratsch.
© GCSE Computing Computing Hardware Starter. Creating a spreadsheet to demonstrate the size of memory. 1 byte = 1 character or about 1 pixel of information.

© GCSE Computing Computing Hardware Starter. Creating a spreadsheet to demonstrate the size of memory. 1 byte = 1 character or about 1 pixel of information.
Carnegie Mellon University, *Seagate Technology

Carnegie Mellon University, *Seagate Technology
1 Lecture 2: Memory Energy Topics: energy breakdowns, handling overfetch, LPDRAM, row buffer management, channel energy, refresh energy.

1 Lecture 2: Memory Energy Topics: energy breakdowns, handling overfetch, LPDRAM, row buffer management, channel energy, refresh energy.
Data Retention in MLC NAND FLASH Memory: Characterization, Optimization, and Recovery. 서동화 dhdh0113@gmail.com.

Data Retention in MLC NAND FLASH Memory: Characterization, Optimization, and Recovery. 서동화

Similar presentations

Ads by Google