# ZebRAM: Comprehensive and Compatible Software Protection against Rowhammer Attacks

Radhesh Krishnan Konoth, Marco Oliverio, Andrei Tatar, Dennis Andriesse, Herbert Bos, Cristiano Giuffrida and Kaveh Razavi





• Rowhammer -- a DRAM defect that allows an attacker to exploit a system

- Rowhammer -- a DRAM defect that allows an attacker to exploit a system
  - Even if there is no software bug (and formally verified)

- Rowhammer -- a DRAM defect that allows an attacker to exploit a system
  - Even if there is no software bug (and formally verified)
  - 87% of DDR3 DIMMs are vulnerable (Kim et al. ISCA'14)

- Rowhammer -- a DRAM defect that allows an attacker to exploit a system
  - Even if there is no software bug (and formally verified)
  - 87% of DDR3 DIMMs are vulnerable (Kim et al. ISCA'14)
  - DDR4 also contain this bug (Van der Veen et al. CCS'17)

- Rowhammer -- a DRAM defect that allows an attacker to exploit a system
  - Even if there is no software bug (and formally verified)
  - 87% of DDR3 DIMMs are vulnerable (Kim et al. ISCA'14)
  - DDR4 also contain this bug (Van der Veen et al. CCS'17)
- Existing defenses are ineffective

- Rowhammer -- a DRAM defect that allows an attacker to exploit a system
  - Even if there is no software bug (and formally verified)
  - 87% of DDR3 DIMMs are vulnerable (Kim et al. ISCA'14)
  - DDR4 also contain this bug (Van der Veen et al. CCS'17)
- Existing defenses are ineffective
  - Hardware solutions like ECC, TRR are found to ineffective

- Rowhammer -- a DRAM defect that allows an attacker to exploit a system
  - Even if there is no software bug (and formally verified)
  - 87% of DDR3 DIMMs are vulnerable (Kim et al. ISCA'14)
  - DDR4 also contain this bug (Van der Veen et al. CCS'17)
- Existing defenses are ineffective
  - Hardware solutions like ECC, TRR are found to ineffective (Cojocar et. al S&P'19, Gruss et al. Blackhat'18)

- Rowhammer -- a DRAM defect that allows an attacker to exploit a system
  - Even if there is no software bug (and formally verified)
  - 87% of DDR3 DIMMs are vulnerable (Kim et al. ISCA'14)
  - DDR4 also contain this bug (Van der Veen et al. CCS'17)
- Existing defenses are ineffective
  - Hardware solutions like ECC, TRR are found to ineffective (Cojocar et. al S&P'19, Gruss et al. Blackhat'18)
  - ANVIL CPU performance counters to detect Rowhammer attack (AWEKE et. al ASPLOS'16)

- Rowhammer -- a DRAM defect that allows an attacker to exploit a system
  - Even if there is no software bug (and formally verified)
  - 87% of DDR3 DIMMs are vulnerable (Kim et al. ISCA'14)
  - DDR4 also contain this bug (Van der Veen et al. CCS'17)
- Existing defenses are ineffective
  - Hardware solutions like ECC, TRR are found to ineffective (Cojocar et. al S&P'19, Gruss et al. Blackhat'18)
  - ANVIL fails against DMA-based attacks (Van der Veen et al. CCS'17)

- Rowhammer -- a DRAM defect that allows an attacker to exploit a system
  - Even if there is no software bug (and formally verified)
  - 87% of DDR3 DIMMs are vulnerable (Kim et al. ISCA'14)
  - DDR4 also contain this bug (Van der Veen et al. CCS'17)
- Existing defenses are ineffective
  - Hardware solutions like ECC, TRR are found to ineffective (Cojocar et. al S&P'19, Gruss et al. Blackhat'18)
  - ANVIL fails against DMA-based attacks (Van der Veen et al. CCS'17)
  - CATT isolates different security domains using guard rows (Brasser et al. SEC'17)

- Rowhammer -- a DRAM defect that allows an attacker to exploit a system
  - Even if there is no software bug (and formally verified)
  - 87% of DDR3 DIMMs are vulnerable (Kim et al. ISCA'14)
  - DDR4 also contain this bug (Van der Veen et al. CCS'17)
- Existing defenses are ineffective
  - Hardware solutions like ECC, TRR are found to ineffective (Cojocar et. al S&P'19, Gruss et al. Blackhat'18)
  - ANVIL fails against DMA-based attacks (Van der Veen et al. CCS'17)
  - CATT fails because different security domains share memory (Gruss et al. S&P'18)

- Rowhammer -- a DRAM defect that allows an attacker to exploit a system
  - Even if there is no software bug (and formally verified)
  - 87% of DDR3 DIMMs are vulnerable (Kim et al. ISCA'14)
  - DDR4 also contain this bug (Van der Veen et al. CCS'17)
- Existing defenses are ineffective
  - Hardware solutions like ECC, TRR are found to ineffective (Cojocar et. al S&P'19, Gruss et al. Blackhat'18)
  - ANVIL fails against DMA-based attacks (Van der Veen et al. CCS'17)
  - CATT fails because different security domains share memory (Gruss et al. S&P'18)
- ZebRAM

- Rowhammer -- a DRAM defect that allows an attacker to exploit a system
  - Even if there is no software bug (and formally verified)
  - 87% of DDR3 DIMMs are vulnerable (Kim et al. ISCA'14)
  - DDR4 also contain this bug (Van der Veen et al. CCS'17)
- Existing defenses are ineffective
  - Hardware solutions like ECC, TRR are found to ineffective (Cojocar et. al S&P'19, Gruss et al. Blackhat'18)
  - ANVIL fails against DMA-based attacks (Van der Veen et al. CCS'17)
  - CATT fails because different security domains share memory (Gruss et al. S&P'18)

#### • ZebRAM

• The first **comprehensive** and **compatible software-based** solution ...

- Rowhammer -- a DRAM defect that allows an attacker to exploit a system
  - Even if there is no software bug (and formally verified)
  - 87% of DDR3 DIMMs are vulnerable (Kim et al. ISCA'14)
  - DDR4 also contain this bug (Van der Veen et al. CCS'17)
- Existing defenses are ineffective
  - Hardware solutions like ECC, TRR are found to ineffective (Cojocar et. al S&P'19, Gruss et al. Blackhat'18)
  - ANVIL fails against DMA-based attacks (Van der Veen et al. CCS'17)
  - CATT fails because different security domains share memory (Gruss et al. S&P'18)

#### • ZebRAM

- The first **comprehensive** and **compatible software-based** solution ...
- $\circ$  ... to defend against this hardware bug.



• DRAM rows consists of DRAM cells







DRAM rows consists of DRAM cells
Each cell can store one bit information
Up on proximate access, DRAM cells leak charge to neighbouring cells ...



DRAM rows consists of DRAM cells
Each cell can store one bit information
Up on proximate access, DRAM cells leak charge to neighbouring cells ...







• Rowhammer bug

# How is this a security problem?

An attacker can flips a bit in:

- Cryptographic key, page table entry in kernel e.t.c.
- ... to compromise the system.



# How is this a security problem?

An attacker can flips a bit in:

- Cryptographic key, page table entry in kernel e.t.c.
- ... to compromise the system.

Two important points to note:

1. Attacker should able to read very fast



# How is this a security problem?

An attacker can flips a bit in:

- Cryptographic key, page table entry in kernel e.t.c.
- ... to compromise the system.

Two important points to note:

- 1. Attacker should able to read very fast
- 2. Can flip a bit on its **neighboring** row



Isolation

Isolation

To protect a process *A* from writing to process *B*'s memory:



Isolation

To protect a process A from writing to process B's memory:

➤ We isolate them using virtual address space








1. Separate security domains using guard rows

CATT uses this approach (Brasser et al. SEC'17)



1. Separate security domains using guard rows

CATT uses this approach (Brasser et al. SEC'17)

Limitation :

Security domains share memory (pagecache)
(Gruss et al. S&P'18)



- 1. Separate security domains using guard rows
- 2. Isolate security sensitive data using guard rows

An application can use a custom memory allocator:

➤ Allocate memory protected by guard rows

- 1. Separate security domains using guard rows
- 2. Isolate security sensitive data using guard rows

An application can use a custom memory allocator:

- ➤ Allocate memory protected by guard rows
- ➤ for storing sensitive data (Tatar et al. ATC'18)

| Consitivo data |
|----------------|
| Sensitive data |
|                |
|                |
|                |
|                |
|                |



- 1. Separate security domains using guard rows
- 2. Isolate security sensitive data using guard rows

An application can use a custom memory allocator:

- ➤ Allocate memory protected by guard rows
- ➤ for storing sensitive data (Tatar et al. ATC'18)

Limitation:

➤ Application specific defense

| Sensitive data |
|----------------|
|                |
|                |
|                |
|                |
|                |



Protect the whole system transparently..

Protect the whole system transparently..

...by placing guard row between every data row!

Protect the whole system transparently..

...by placing guard row between every data row!

| 1 |
|---|
| 1 |
| 1 |
| 1 |
| 1 |
| 1 |
| 1 |
| 1 |
| 1 |
| 1 |



Protect the whole system transparently..

...by placing guard row between every data row!









Protect the whole system transparently..

...by placing guard row between every data row!





Protect the whole system transparently..

DRAM address space

...by placing guard row between every data row!



Protect the whole system transparently..

...by placing guard row between every data row!





Protect the whole system transparently..

...by placing guard row between every data row!





Protect the whole system transparently..

...by placing guard row between every data row!





DRAM address space

How do we achieve these?

## ZebRAM Challenge 1

1. We want to isolate every row in DRAM using guard rows



# ZebRAM Challenge 1

- 1. We want to isolate every row in DRAM using guard rows
  - Map physical address to its location in DRAM (DRAM address)



Virtual address to Physical address:



#### Physical address to DRAM address



➤ DRAM organized in:

#### channel



### > DRAM organized in:

#### channel, DIMM



> DRAM organized in:

#### channel, DIMM, rank



> DRAM organized in:

#### channel, DIMM, rank, bank



#### ➤ DRAM organized in:

#### channel, DIMM, rank, bank, row



➤ DRAM organized in:

#### channel, DIMM, rank, bank, row, column



To understand this mapping:

To understand this mapping:

➤ Previous reverse-engineering work (Pessl et al. SEC'16)

To understand this mapping:

- ➤ Previous reverse-engineering work (Pessl et al. SEC'16)
- $\succ$  More reverse engineering

To understand this mapping:

- ➤ Previous reverse-engineering work (Pessl et al. SEC'16)
- ➤ More reverse engineering

DRAM address translation library, RAMSES

To understand this mapping:

- ➤ Previous reverse-engineering work (Pessl et al. SEC'16)
- ➤ More reverse engineering

DRAM address translation library, **RAMSES** Memory allocator, **ALIS** (Tatar et al. ATC'18)

To understand this mapping:

- ➤ Previous reverse-engineering work (Pessl et al. SEC'16)
- ➤ More reverse engineering

DRAM address translation library, **RAMSES** Memory allocator, **ALIS** (Tatar et al. ATC'18)

To understand this mapping:

- ➤ Previous reverse-engineering work (Pessl et al. SEC'16)
- ➤ More reverse engineering

DRAM address translation library, **RAMSES** Memory allocator, **ALIS** (Tatar et al. ATC'18)

For ZebRAM, we extended ALIS... ...to allocate memory in zebra pattern.

## ZebRAM Challenge 1

1. Translating physical addresses to DRAM addresses and placing guard rows



# Challenge 2 : Re-mapping physical address space

2. Transparently re-map the data rows and guard rows as two contiguous memory region



# Challenge 2 : Re-mapping physical address space

2. Transparently re-map the data rows and guard rows as two contiguous memory region



# Challenge 2 : Re-mapping physical address space

We use virtualization feature like Intel (VT-x) ...

...to transparently re-map the guard and data rows as two contiguous memory region


#### ZebRAM Challenge 3

3. Utilizing the unsafe region securely and efficiently



Securely means two things here :



Physical address space

Securely means two things here :

1. Handle bit flips that may occur on unsafe region



Physical address space

Securely means two things here :

1. Handle bit flips that may occur on unsafe region

ZebRAM implements a **integrity manager** that uses:

- 1. Hash verification (SHA-256)
- 2. Error correction code (ECC)



Securely means two things:

- 1. Handle bit flips that may occur on unsafe region
- 2. Protect the unsafe region from illegal bit flips



Physical address space

Securely means two things:

- 1. Handle bit flips that may occur on unsafe region
- 2. Protect the unsafe region from illegal bit flips



Physical address space

Securely means two things:

- 1. Handle bit flips that may occur on unsafe region
- 2. Protect the unsafe region from illegal bit flips

ZebRAM slows down the consecutive accesses to the same location in the unsafe region:



Securely means two things:

- 1. Handle bit flips that may occur on unsafe region
- 2. Protect the unsafe region from illegal bit flips

ZebRAM slows down the consecutive accesses to the same location in the unsafe region:

- 1. By implements a cache layer using safe memory
- 2. Enforcing Least-recently-added eviction policy



Efficiently:



Physical address space

Efficiently:

> Exposes the unsafe region as **swap space** to the OS

| Safe region<br>for OS |  |  |  |  |
|-----------------------|--|--|--|--|
| Integrity Manager     |  |  |  |  |
| Cache layer           |  |  |  |  |
| Swap space            |  |  |  |  |
| Physical address      |  |  |  |  |

space

Efficiently:

- > Exposes the unsafe region as **swap space** to the OS
- Helps to utilize efficient page replacement policies in commodity OS

| Safe region<br>for OS |  |  |  |  |  |
|-----------------------|--|--|--|--|--|
| Integrity Manager     |  |  |  |  |  |
| Cache layer           |  |  |  |  |  |
| Swap space            |  |  |  |  |  |
| Physical address      |  |  |  |  |  |

space







































#### Implementation



#### Evaluation setup

- Haswell i7-4790 machine
- Qemu-KVM hypervisor to run ZebRAM protected OS
- Ubuntu 16.04 64-bit OS
- 100Gbit/s link

#### Evaluation setup

- Haswell i7-4790 machine
- Qemu-KVM hypervisor to run ZebRAM protected OS
- Ubuntu 16.04 64-bit OS
- 100Gbit/s link

- SECURITY
- SPEC
- APACHE
- NGINX
- Micro benchmarks
- REDIS

#### Evaluation setup

- Haswell i7-4790 machine
- Qemu-KVM hypervisor to run ZebRAM protected OS
- Ubuntu 16.04 64-bit OS
- 100Gbit/s link

- SECURITY
- SPEC
- APACHE
- NGINX
- Micro benchmarks
- REDIS

#### Security Evaluation

We ran the Rowhammer exploit on the ZebRAM protected OS

|         | 1 bit flip | 2 bit flips | Total     | ZebRAM detection performance |                            |
|---------|------------|-------------|-----------|------------------------------|----------------------------|
| Run no. | in 64 bits | in 64 bits  | bit flips | Detected bit flips           | <b>Corrected bit flips</b> |
| 1       | 4,698      | 2           | 4,702     | 4,702                        | 4,698                      |
| 2       | 5,132      | 0           | 5,132     | 5,132                        | 5,132                      |
| 3       | 2,790      | 0           | 2,790     | 2,790                        | 2,790                      |
| 4       | 4,216      | 1           | 4,218     | 4,218                        | 4,216                      |
| 5       | 3,554      | 0           | 3,554     | 3,554                        | 3,554                      |

#### Security Evaluation

We ran the Rowhammer exploit on the ZebRAM protected OS

|    |       | 1 bit flip | 2 bit flips | Total     | ZebRAM detection performance |                            |
|----|-------|------------|-------------|-----------|------------------------------|----------------------------|
| Ru | n no. | in 64 bits | in 64 bits  | bit flips | <b>Detected bit flips</b>    | <b>Corrected bit flips</b> |
| [  | 1     | 4,698      | 2           | 4,702     | 4,702                        | 4,698                      |
|    | 2     | 5,132      | 0           | 5,132     | 5,132                        | 5,132                      |
|    | 3     | 2,790      | 0           | 2,790     | 2,790                        | 2,790                      |
|    | 4     | 4,216      | 1           | 4,218     | 4,218                        | 4,216                      |
|    | 5     | 3,554      | 0           | 3,554     | 3,554                        | 3,554                      |
# Security Evaluation

We ran the Rowhammer exploit on the ZebRAM protected OS

| Run no. | 1 bit flip<br>in 64 bits | 2 bit flips<br>in 64 bits | Total<br>bit flips | ZebRAM detecti<br>Detected bit flips | on performance<br>Corrected bit flips |
|---------|--------------------------|---------------------------|--------------------|--------------------------------------|---------------------------------------|
| 1       | 4,698                    | 2                         | 4,702              | = 4,702 100%                         | 4,698                                 |
| 2       | 5,132                    | 0                         | 5,132              | 5,132                                | 5,132                                 |
| 3       | 2,790                    | 0                         | 2,790              | 2,790                                | 2,790                                 |
| 4       | 4,216                    | 1                         | 4,218              | 4,218                                | 4,216                                 |
| 5       | 3,554                    | 0                         | 3,554              | 3,554                                | 3,554                                 |

# Security Evaluation

We ran the Rowhammer exploit on the ZebRAM protected OS

|         | 1 bit flip | 2 bit flips | Total     | ZebRAM detection performance |                            |
|---------|------------|-------------|-----------|------------------------------|----------------------------|
| Run no. | in 64 bits | in 64 bits  | bit flips | <b>Detected bit flips</b>    | <b>Corrected bit flips</b> |
| 1       | 4,698      | 2           | 4,702     | 4,702                        | 4,698 99.9%                |
| 2       | 5,132      | 0           | 5,132     | 5,132                        | 5,132                      |
| 3       | 2,790      | 0           | 2,790     | 2,790                        | 2,790                      |
| 4       | 4,216      | 1           | 4,218     | 4,218                        | 4,216                      |
| 5       | 3,554      | 0           | 3,554     | 3,554                        | 3,554                      |

# Security Evaluation

We ran the Rowhammer exploit on the ZebRAM protected OS

|         | 1 bit flip | 2 bit flips | Total     | ZebRAM detection performance |                            |
|---------|------------|-------------|-----------|------------------------------|----------------------------|
| Run no. | in 64 bits | in 64 bits  | bit flips | <b>Detected bit flips</b>    | <b>Corrected bit flips</b> |
| 1       | 4,698      | 2           | 4,702     | 4,702                        | 4,698                      |
| 2       | 5,132      | 0           | 5,132     | 5,132                        | 5,132                      |
| 3       | 2,790      | 0           | 2,790     | 2,790                        | 2,790                      |
| 4       | 4,216      | 1           | 4,218     | 4,218                        | 4,216                      |
| 5       | 3,554      | 0           | 3,554     | 3,554                        | 3,554                      |

#### Take away:

- ECC module alone **detected 100%** the bit flips
- ECC module corrected 99.97 % of the bit flips

We ran spec 2006 on three different setup:

- Baseline (unmodified Linux) with 4GB memory
- ZebRAM (ECC only)
- ZebRAM (ECC + SHA-256)

Spec 2006 benchmark shows ...



Spec 2006 benchmark shows ...

... 5% (geometric mean) overhead from unavailability of transparent huge page



MCF benchmark shows more than 5% performance overhead



# Performance Evaluation : Working Set Size

YCSB to generate the load and induce different working set size ...

 $\dots$  for redis (4.0.8) key-value store

We ran experiments on different setups:

- ZebRAM Basic uses only safe region and swaps out to SSD
- ZebRAM (ECC only)
- ZebRAM (ECC + SHA-256)
- Baseline



1.05x performance overhead till it starts using swap



When active working set is using 70% of the memory:

- ZebRAM (Basic) = 30x
- ZebRAM (ECC) = 3x
- ZebRAM (ECC + SHA-256) = 3.9x





- The ZebRAM is the first solution to provide complete protection against Rowhammer attacks
- Performance overhead:
  - Minimal when the active working set fits in the safe region
  - Function of the active working set size when it does not fit in the safe region
- Code for ZebRAM will be available soon at <a href="https://github.com/vusec">https://github.com/vusec</a>



