Download presentation
Presentation is loading. Please wait.
Published byがんま あかさか Modified over 5 years ago
1
2019 2학기 고급운영체제론 ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks 3 # 단국대학교 컴퓨터학과 # 남혜민 # 발표자 : 남혜민 # 발표일 : (월) Software ICT Hall 시스템소프트 정보보호 연구실
2
Contents 1. Introduction 2. ZebRAM 3. Evaluation 4. QnA
Software ICT Hall 시스템소프트 정보보호 연구실
3
Intro : Word Cloud Software ICT Hall 시스템소프트 정보보호 연구실
4
Intro : 3-Line Summary “Introducing ZebRAM, a software-level protection against Rowhammer attacks that leverages the hardware features of DRAM.” Software ICT Hall 시스템소프트 정보보호 연구실
5
Intro : Rowhammer Attack
DRAM rows consists of DRAM cells Each cell can store one bit information Software ICT Hall 시스템소프트 정보보호 연구실
6
Intro : Rowhammer Attack
DRAM rows consists of DRAM cells Each cell can store one bit information Rowhammer bug … and induce bit flips in them: (1 => 0) or (0 => 1) Bit flips Aggressor row Victim row Software ICT Hall 시스템소프트 정보보호 연구실
7
Intro : Threat Model 1. Privilege escalation
2. Compromising co-hosted virtual machines Hypervisor, .etc 3. Attacks over the network Software ICT Hall 시스템소프트 정보보호 연구실
8
Intro : Simple Threat Ex.
An attacker can flips a bit in: Cryptographic key, page table entry in kernel etc. … to compromise the system. Two important points to note: Attacker should able to read very fast Can flip a bit on its neighboring row Software ICT Hall 시스템소프트 정보보호 연구실
9
Intro : Exploit Paper Software ICT Hall 시스템소프트 정보보호 연구실
10
Intro : Defenses Paper Rowhammer Existing defenses are ineffective
Even if there is no software bug (and formally verified) 87% of DDR3 DIMMs are vulnerable (Kim et al. ISCA’14) DDR4 also contain this bug (Van der Veen et al. CCS’17) Existing defenses are ineffective Hardware solutions like ECC, TRR are found to ineffective (Cojocar et. al S&P’19, Gruss et al. Blackhat’18) ANVIL - CPU performance counters to detect Rowhammer attack (AWEKE et. al ASPLOS’16) CATT - isolates different security domains using guard rows (Brasser et al. SEC’17) Software ICT Hall 시스템소프트 정보보호 연구실
11
Intro : Defenses Paper Rowhammer Existing defenses are ineffective
Even if there is no software bug (and formally verified) 87% of DDR3 DIMMs are vulnerable (Kim et al. ISCA’14) DDR4 also contain this bug (Van der Veen et al. CCS’17) Existing defenses are ineffective Hardware solutions like ECC, TRR are found to ineffective (Cojocar et. al S&P’19, Gruss et al. Blackhat’18) ANVIL - fails against DMA-based attacks (Van der Veen et al. CCS’17) CATT - fails because different security domains share memory (Gruss et al. S&P’18) Software ICT Hall 시스템소프트 정보보호 연구실
12
ZebRAM Software ICT Hall 시스템소프트 정보보호 연구실
13
ZebRAM Design : RowHammer Attack Protection
1. Full memory protection Safe in hardware > FAIL Software attempts safe > FAIL 2. Limit the rows that an attacker can access The goal is to design a system where the attacker directly destroys only a subset of the rows. In other words, to make it impossible to climb Software ICT Hall 시스템소프트 정보보호 연구실
14
ZebRAM Design : Isolation
1. Separate Security domains using guard rows 2. Isolate security sensitive data using guard rows User space Guard Rows Kernel space Sensitive data DRAM address space CATT uses this approach (Brasser et al. SEC’17) (Tatar et al. ATC’18) Software ICT Hall 시스템소프트 정보보호 연구실
15
ZebRAM Design : Basic Odd Row : Data Even Row : Guard
Can stop all Rowhammer But, waste half of memory Data row Guard row DRAM address space DRAM address space Software ICT Hall 시스템소프트 정보보호 연구실
16
ZebRAM Design : Basic With the Buddy page allocation 3 1 2 Data row
Guard row Data region (Safe region) 1 2 Guard region (Unsafe region) 버디 에서 홀수 혹은 짝수를 강제로 사용하지 않게 하려면 이를 위해 물리적 메모리의 연속이 필요하다고 한다. DRAM address space DRAM address space Software ICT Hall 시스템소프트 정보보호 연구실
17
ZebRAM Design 1 2 Data row Data row Guard row Guard row Safe region
Physical address space Data row Guard row Data row Guard row 1 2 Safe region Unsafe region DRAM address space Physical address space Physical address space DRAM address space Software ICT Hall 시스템소프트 정보보호 연구실
18
ZebRAM Design : Physical to DRAM
Translating physical addresses to DRAM addresses and placing guard rows Physical address space Data row Guard row 1 RAMSES + ALIS* Physical address space DRAM address space DRAM address translation library, RAMSES Memory allocator, ALIS (Tatar et al. ATC’18) Software ICT Hall 시스템소프트 정보보호 연구실
19
ZebRAM Design : Re-mapping
Transparently re-map the data rows and guard rows as two contiguous memory region We use virtualization feature like Intel (VT-x) … Safe region for OS 2 VT-x Unsafe region DRAM address space DRAM address space Physical address space Physical address space Software ICT Hall 시스템소프트 정보보호 연구실
20
ZebRAM Design : Basic Using unsafe region to overcome memory waste.
Two conditions for using unsafe region 1. Correctly handle potential bit flips in unsafe areas 2. Access to an unsafe area must not cause a bit flip of the safe area. Data region (Safe region) Guard region (Unsafe region) 3 Physical address space Software ICT Hall 시스템소프트 정보보호 연구실
21
ZebRAM Design : Basic Securely means two things here :
Handle bit flips that may occur on unsafe region ZebRAM implements a integrity manager that uses: Hash verification (SHA-256) Error correction code (ECC) Safe region for OS Integrity Manager Unsafe region Physical address space Software ICT Hall 시스템소프트 정보보호 연구실
22
ZebRAM Design : Basic Securely means two things:
Handle bit flips that may occur on unsafe region Protect the unsafe region from illegal bit flips ZebRAM slows down the consecutive accesses to the same location in the unsafe region: By implements a cache layer using safe memory Enforcing Least-recently-added eviction policy Safe region f or OS Cache layer Unsafe region Physical address space Software ICT Hall 시스템소프트 정보보호 연구실
23
ZebRAM Design : Basic Efficiently:
Exposes the unsafe region as swap space to the OS Helps to utilize efficient page replacement policies in commodity OS Safe region f or OS Integrity Manager Cache layer Swap space Physical address space Software ICT Hall 시스템소프트 정보보호 연구실
24
ZebRAM Design : Components
Software ICT Hall 시스템소프트 정보보호 연구실
25
ZebRAM Design : Components
1. Memory Remapper 2. Integrity Manager 3. Cache Manager 4. Swap Manager 컨트롤 패킷에 대한 보안 적용 필요 Software ICT Hall 시스템소프트 정보보호 연구실
26
Memory Remapper Split of physical memory into a safe and unsafe region
One region contains all the even-numbered rows The other contains all the odd-numbered rows. Data row Guard row 컨트롤 패킷에 대한 보안 적용 필요 DRAM address space DRAM address space Software ICT Hall 시스템소프트 정보보호 연구실
27
Integrity Manager Protects the integrity of the unsafe region
For error correction, usingh a commonly-used Single-Error Correction and Double-Error Detection (SECDED) ZebRAM provides the possibility to mix SECDED with collision resistant hash functions (SHA-256) -Hamming code- Software ICT Hall 시스템소프트 정보보호 연구실
28
Cache Manager Implements a fully associative cache Advantage
Reducing the access frequency on memory rows in the unsafe region. Speeds up access to the swap space Software ICT Hall 시스템소프트 정보보호 연구실
29
Swap Manager Uses the unsafe region
Protected by the Integrity Manager and Accessible only by the OS. Advantage OS will only access the slow Integrity-checked unsafe region when it runs out of fast safe memory. Software ICT Hall 시스템소프트 정보보호 연구실
30
# Life of a page in ZebRAM world
Software ICT Hall 시스템소프트 정보보호 연구실
31
Life of a page in ZebRAM world
Safe region Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
32
Life of a page in ZebRAM world
Safe region Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
33
Life of a page in ZebRAM world
Safe region Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
34
Life of a page in ZebRAM world
Safe region Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
35
Life of a page in ZebRAM world
Safe region Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
36
Life of a page in ZebRAM world
Safe region Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
37
Life of a page in ZebRAM world
Safe region Swap Space Cache Kswapd # Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
38
Life of a page in ZebRAM world
Safe region # Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
39
Life of a page in ZebRAM world
Safe region # Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
40
Life of a page in ZebRAM world
Safe region # Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
41
Life of a page in ZebRAM world
Safe region # Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
42
Life of a page in ZebRAM world
Safe region # Swap Space X Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
43
Life of a page in ZebRAM world
Safe region # Swap Space Cache Kswapd X Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
44
Life of a page in ZebRAM world
Safe region # Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
45
Life of a page in ZebRAM world
Safe region # Swap Space Cache Kswapd # Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
46
Life of a page in ZebRAM world
Safe region # Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
47
Life of a page in ZebRAM world
Safe region # Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
48
Life of a page in ZebRAM world
Safe region # Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
49
Life of a page in ZebRAM world
Safe region # Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
50
Implementation LKM # Swap Space Safe region Cache Kswapd
Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21
51
Evaluation 1. Security Evaluation 2. Performance Evaluation
2006 benchmark, Working Set Size 컨트롤 패킷에 대한 보안 적용 필요 Software ICT Hall 시스템소프트 정보보호 연구실
52
Evaluation : Security We ran the Rowhammer exploit on the ZebRAM protected OS Take away: ECC module alone detected 100% the bit flips ECC module corrected % of the bit flips = 100% 99.9% Software ICT Hall 시스템소프트 정보보호 연구실
53
Evaluation : Performance
Spec 2006 benchmark shows Software ICT Hall 시스템소프트 정보보호 연구실
54
Evaluation : Performance
When active working set is using 70% of the memory: ZebRAM (Basic) = 30x ZebRAM (ECC) = 3x ZebRAM (ECC + SHA-256) = 3.9x Software ICT Hall 시스템소프트 정보보호 연구실
55
Summary The ZebRAM is the first solution to provide complete protection against Rowhammer attacks Performance overhead: Minimal when the active working set fits in the safe region Function of the active working set size when it does not fit in the safe region Code for ZebRAM will be available soon at Software ICT Hall 시스템소프트 정보보호 연구실
56
Q & A Thanks for your Attention
Software ICT Hall 시스템소프트 정보보호 연구실
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.