# **Digital Design & Computer Arch.** Lecture 2b: Mysteries in Comp. Arch.

Prof. Onur Mutlu

ETH Zürich Spring 2022 25 February 2022

# How Do Problems Get Solved by Electrons?

#### Recall: The Transformation Hierarchy

Computer Architecture (expanded view)



Computer Architecture (narrow view)

## Levels of Transformation

"The purpose of computing is [to gain] insight" (*Richard Hamming*) We gain and generate insight by solving problems How do we ensure problems are solved by electrons?

#### Algorithm

Step-by-step procedure that is guaranteed to terminate where each step is precisely stated and can be carried out by a computer

- Finiteness
- Definiteness
- Effective computability

Many algorithms for the same problem

Microarchitecture An implementation of the ISA

#### Problem

Algorithm

Program/Language Runtime System

(VM, OS, MM) ISA (Architecture)

Microarchitecture

Logic

Devices

Electrons



ISA

(Instruction Set Architecture)

Interface/contract between SW and HW.

What the programmer assumes hardware will satisfy.

Digital logic circuits

Building blocks of micro-arch (e.g., gates)

## Aside: A Famous Work By Hamming

- Hamming, "Error Detecting and Error Correcting Codes," Bell System Technical Journal 1950.
- Introduced the concept of Hamming distance
  - number of locations in which the corresponding symbols of two equal-length strings is different
- Developed a theory of codes used for error detection and correction

#### Also see:

- □ Hamming, "You and Your Research," Talk at Bell Labs, 1986.
- <u>http://www.cs.virginia.edu/~robins/YouAndYourResearch.html</u>

#### Levels of Transformation, Revisited

#### A user-centric view: computer designed for users



The entire stack should be optimized for user

#### The Power of Abstraction

#### Levels of transformation create abstractions

- Abstraction: A higher level only needs to know about the interface to the lower level, not how the lower level is implemented
- E.g., high-level language programmer does not really need to know what the ISA is and how a computer executes instructions

#### Abstraction improves productivity

- No need to worry about decisions made in underlying levels
- E.g., programming in Java vs. C vs. assembly vs. binary vs. by specifying control signals of each transistor every cycle
- Then, why would you want to know what goes on underneath or above?

## Crossing the Abstraction Layers

 As long as everything goes well, not knowing what happens underneath (or above) is not a problem.

#### What if

- The program you wrote is running slow?
- The program you wrote does not run correctly?
- The program you wrote consumes too much energy?
- Your system just shut down and you have no idea why?
- Someone just compromised your system and you have no idea how?

#### What if

- The hardware you designed is too hard to program?
- The hardware you designed is too slow because it does not provide the right primitives to the software?

#### What if

You want to design a much more efficient and higher performance system?

#### Crossing the Abstraction Layers

- Two goals of this course (especially the second half) are
  - to understand how a processor works underneath the software layer and how decisions made in hardware affect the software/programmer
  - to enable you to comfortably make design and optimization decisions that cross the boundaries of different layers and system components

# Some Example "Mysteries"

#### Four Mysteries: Familiar with Any?

Rowhammer (2012-2014)

Meltdown & Spectre (2017-2018)

Memories Forget: Refresh (2011-2012)

Memory Performance Attacks (2006-2007)

# Mystery #1: RowHammer

#### The Story of RowHammer

- One can predictably induce bit flips in commodity DRAM chips
   >80% of the tested DRAM chips are vulnerable
- First example of how a simple hardware failure mechanism can create a widespread system security vulnerability



#### Modern DRAM is Prone to Disturbance Errors



Repeatedly opening and closing a row enough times within a refresh interval induces **disturbance errors** in adjacent rows in **most real DRAM chips you can buy today** 

14

Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors, (Kim et al., ISCA 2014)

## Most DRAM Modules Are Vulnerable

A company B company







**C** company

| Up to               | Up to               | Up to               |
|---------------------|---------------------|---------------------|
| 1.0×10 <sup>7</sup> | 2.7×10 <sup>6</sup> | 3.3×10 <sup>5</sup> |
| errors              | errors              | errors              |

Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors, (Kim et al., ISCA 2014)

## Recent DRAM Is More Vulnerable



## Recent DRAM Is More Vulnerable



## Recent DRAM Is More Vulnerable



All modules from 2012–2013 are vulnerable

## Why Is This Happening?

- DRAM cells are too close to each other!
  - They are not electrically isolated from each other
- Access to one cell affects the value in nearby cells
  - due to electrical interference between
    - the cells
    - wires used for accessing the cells
  - Also called cell-to-cell coupling/interference
- Example: When we activate (apply high voltage) to a row, an adjacent row gets slightly activated as well
  - Vulnerable cells in that slightly-activated row lose a little bit of charge
  - □ If row hammer happens enough times, charge in such cells gets drained

## Higher-Level Implications

This simple circuit-level failure mechanism has enormous implications on upper layers of the transformation hierarchy







loop: mov (X), %eax mov (Y), %ebx clflush (X) clflush (Y) mfence jmp loop





- Avoid *cache hits* Flush X from cache
- Avoid *row hits* to X
   Read Y in another row





loop: mov (X), %eax mov (Y), %ebx clflush (X) clflush (Y) mfence jmp loop





loop: mov (X), %eax mov (Y), %ebx clflush (X) clflush (Y) mfence jmp loop





loop: mov (X), %eax mov (Y), %ebx clflush (X) clflush (Y) mfence jmp loop



## Observed Errors in Real Systems

| CPU Architecture          | Errors | Access-Rate |
|---------------------------|--------|-------------|
| Intel Haswell (2013)      | 22.9K  | 12.3M/sec   |
| Intel Ivy Bridge (2012)   | 20.7K  | 11.7M/sec   |
| Intel Sandy Bridge (2011) | 16.1K  | 11.6M/sec   |
| AMD Piledriver (2012)     | 59     | 6.1M/sec    |

#### A real reliability & security issue

Kim+, "Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors," ISCA 2014.

#### One Can Take Over an Otherwise-Secure System

#### Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors

Abstract. Memory isolation is a key property of a reliable and secure computing system — an access to one memory address should not have unintended side effects on data stored in other addresses. However, as DRAM process technology

## Project Zero

Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors (Kim et al., ISCA 2014)

News and updates from the Project Zero team at Google

Exploiting the DRAM rowhammer bug to gain kernel privileges (Seaborn, 2015)

Monday, March 9, 2015

Exploiting the DRAM rowhammer bug to gain kernel privileges

## RowHammer Security Attack Example

- "Rowhammer" is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows (Kim et al., ISCA 2014).
  - Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors (Kim et al., ISCA 2014)
- We tested a selection of laptops and found that a subset of them exhibited the problem.
- We built two working privilege escalation exploits that use this effect.
  - Exploiting the DRAM rowhammer bug to gain kernel privileges (Seaborn, 2015)
- One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process.
- When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs).
- It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.

### Security Implications



It's like breaking into an apartment by repeatedly slamming a neighbor's door until the vibrations open the door you were after

## More Security Implications (I)

#### "We can gain unrestricted access to systems of website visitors."

Not there yet, but ...



ROOT privileges for web apps!

Daniel Gruss (@lavados), Clémentine Maurice (@BloodyTangerine), December 28, 2015 - 32c3, Hamburg, Germany



Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript (DIMVA'16)

29

#### More Security Implications (II)

"Can gain control of a smart phone deterministically"

## Hammer And Root

# androids Millions of Androids

Drammer: Deterministic Rowhammer

Attacks on Mobile Platforms, CCS'16 31

Source: https://fossbytes.com/drammer-rowhammer-attack-android-root-devices/

## More Security Implications (III)

 Using an integrated GPU in a mobile system to remotely escalate privilege via the WebGL interface

ars TECHNICA

BIZ & IT TECH SCIENCE POLICY CARS GAMING & CULTURE

#### 

# Drive-by Rowhammer attack uses GPU to compromise an Android phone

JavaScript based GLitch pwns browsers by flipping bits inside memory chips.

DAN GOODIN - 5/3/2018, 12:00 PM

#### Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU

Pietro Frigo Vrije Universiteit Amsterdam p.frigo@vu.nl Cristiano Giuffrida Vrije Universiteit Amsterdam giuffrida@cs.vu.nl Herbert Bos Vrije Universiteit Amsterdam herbertb@cs.vu.nl Kaveh Razavi Vrije Universiteit Amsterdam kaveh@cs.vu.nl

## More Security Implications (IV)

#### Rowhammer over RDMA (I)

ars TECHNICA

BIZ & IT TECH SCIENCE POLICY CARS GAMING & CULTURE

THROWHAMMER —

# Packets over a LAN are all it takes to trigger serious Rowhammer bit flips

The bar for exploiting potentially serious DDR weakness keeps getting lower.

DAN GOODIN - 5/10/2018, 5:26 PM

#### **Throwhammer: Rowhammer Attacks over the Network and Defenses**

Andrei Tatar VU Amsterdam Radhesh Krishnan VU Amsterdam Elias Athanasopoulos University of Cyprus

Herbert Bos VU Amsterdam Kaveh Razavi VU Amsterdam Cristiano Giuffrida VU Amsterdam

### More Security Implications (V)

Rowhammer over RDMA (II)

# Security in a serious way

Nethammer—Exploiting DRAM Rowhammer Bug Through Network Requests



#### Nethammer: Inducing Rowhammer Faults through Network Requests

Moritz Lipp Graz University of Technology

Daniel Gruss Graz University of Technology Misiker Tadesse Aga University of Michigan

Clémentine Maurice Univ Rennes, CNRS, IRISA

Lukas Lamster Graz University of Technology Michael Schwarz Graz University of Technology

Lukas Raab Graz University of Technology

#### More Security Implications (VI)

IEEE S&P 2020



#### RAMBleed: Reading Bits in Memory Without Accessing Them

Andrew Kwong University of Michigan ankwong@umich.edu Daniel Genkin University of Michigan genkin@umich.edu Daniel Gruss Graz University of Technology daniel.gruss@iaik.tugraz.at Yuval Yarom University of Adelaide and Data61 yval@cs.adelaide.edu.au

### More Security Implications (VII)

#### USENIX Security 2019

#### Terminal Brain Damage: Exposing the Graceless Degradation in Deep Neural Networks Under Hardware Fault Attacks

Sanghyun Hong, Pietro Frigo<sup>†</sup>, Yiğitcan Kaya, Cristiano Giuffrida<sup>†</sup>, Tudor Dumitraș

University of Maryland, College Park <sup>†</sup>Vrije Universiteit Amsterdam



A Single Bit-flip Can Cause Terminal Brain Damage to DNNs One specific bit-flip in a DNN's representation leads to accuracy drop over 90%

Our research found that a specific bit-flip in a DNN's bitwise representation can cause the accuracy loss up to 90%, and the DNN has 40-50% parameters, on average, that can lead to the accuracy drop over 10% when individually subjected to such single bitwise corruptions...

**Read More** 

## More Security Implications (VIII)

### USENIX Security 2020

### DeepHammer: Depleting the Intelligence of Deep Neural Networks through Targeted Chain of Bit Flips

Fan YaoAdnan Siraj RakiUniversity of Central FloridaArizona Sifan.yao@ucf.eduasrakin@asu.edu

Adnan Siraj RakinDeliang FanArizona State Universityasrakin@asu.edudfan@asu.edu

Degrade the **inference accuracy** to the level of **Random Guess** 

Example: ResNet-20 for CIFAR-10, 10 output classes

Before attack, Accuracy: 90.2% After attack, Accuracy: ~10% (1/10)



## More Security Implications?



### Where RowHammer Was Discovered...



Kim+, "Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors," ISCA 2014.

# How Do We Fix The Problem?

## Some Potential Solutions





Refresh frequently Power, Performance

### • Sophisticated Error Correction Cost, Power

## • Access counters Cost, Power, Complexity

## Apple's Security Patch for RowHammer

### https://support.apple.com/en-gb/HT204934

Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

Impact: A malicious application may induce memory corruption to escalate privileges

Description: A disturbance error, also known as Rowhammer, exists with some DDR3 RAM that could have led to memory corruption. This issue was mitigated by increasing memory refresh rates.

CVE-ID

CVE-2015-3693 : Mark Seaborn and Thomas Dullien of Google, working from original research by Yoongu Kim et al (2014)

HP, Lenovo, and many other vendors released similar patches

# A Cheaper Solution

- PARA: <u>Probabilistic Adjacent Row Activation</u>
- Key Idea
  - After closing a row, we activate (i.e., refresh) one of its neighbors with a low probability: p = 0.005
- Reliability Guarantee
  - When p=0.005, errors in one year:  $9.4 \times 10^{-14}$
  - By adjusting the value of p, we can provide an arbitrarily strong protection against errors

## Probabilistic Activation in Real Life (I)

| Aptio Setup Utili<br>Chipset                                                                                                                                                                                                                                                                                                                                                                                                                                               | ty – Copyright (C) 2018 Americ                                                                                                     | can Megatrends, Inc.                                                                                                                                                                                  |  |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| Channel 0 Slot 0<br>Size<br>Number of Ranks<br>Manufacturer<br>Channel 0 Slot 1<br>Channel 1 Slot 0<br>Size<br>Number of Ranks<br>Manufacturer<br>Channel 1 Slot 1<br>Memory ratio/reference clock<br>options moved to<br>Overclock->Memory->Custom Prof:<br>menu<br>MRC ULT Safe Config<br>Maximum Memory Frequency<br>HOB Buffer Size<br>Max TOLUD<br>SA GV<br>SA GV Low Freq<br>Retrain on Fast Fail<br>Command Tristate<br>Enable RH Prevention<br>Row Hammer Solution | [Disabled]<br>[Auto]<br>[Auto]<br>[Dynamic]<br>[Enabled]<br>[MRC default]<br>[Enabled]<br>[Enabled]<br>[Enabled]<br>[Hardware RHP] | <pre>++: Select Screen<br/>fl: Select Item<br/>Enter: Select<br/>+/-: Change Opt.<br/>F1: General Help<br/>F2: Previous Values<br/>F3: Optimized Defaults<br/>F4: Save &amp; Exit<br/>ESC: Exit</pre> |  |
| Version 2.18.12                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 63. Copyright (C) 2018 America                                                                                                     | n Megatrends, Inc.                                                                                                                                                                                    |  |

**SAFARI** 

https://twitter.com/isislovecruft/status/1021939922754723841

## Probabilistic Activation in Real Life (II)



**SAFARI** 

https://twitter.com/isislovecruft/status/1021939922754723841

## Some Thoughts on RowHammer

 A simple hardware failure mechanism can create a widespread system security vulnerability

How to find, exploit and fix the vulnerability requires a strong understanding across the transformation layers
 And, a strong understanding of tools available to you

- Fixing needs to happen for two types of chips
  - Existing chips (already in the field)
  - Future chips
- Mechanisms for fixing are different between the two types

## Aside: Byzantine Failures

- This class of failures is known as Byzantine failures
- Characterized by
  - Undetected erroneous computation
  - Opposite of "fail fast (with an error or no result)"
- "erroneous" can be "malicious" (intent is the only distinction)
- Very difficult to detect and confine Byzantine failures
- Do all you can to avoid them
- Lamport et al., "The Byzantine Generals Problem," ACM TOPLAS 1982.

## Aside: Byzantine Generals Problem

### The Byzantine Generals Problem

LESLIE LAMPORT, ROBERT SHOSTAK, and MARSHALL PEASE SRI International

Reliable computer systems must handle malfunctioning components that give conflicting information to different parts of the system. This situation can be expressed abstractly in terms of a group of generals of the Byzantine army camped with their troops around an enemy city. Communicating only by messenger, the generals must agree upon a common battle plan. However, one or more of them may be traitors who will try to confuse the others. The problem is to find an algorithm to ensure that the loyal generals will reach agreement. It is shown that, using only oral messages, this problem is solvable if and only if more than two-thirds of the generals are loyal; so a single traitor can confound two loyal generals. With unforgeable written messages, the problem is solvable for any number of generals and possible traitors. Applications of the solutions to reliable computer systems are then discussed.

Categories and Subject Descriptors: C.2.4. [Computer-Communication Networks]: Distributed Systems—network operating systems; D.4.4 [Operating Systems]: Communications Management network communication; D.4.5 [Operating Systems]: Reliability—fault tolerance

General Terms: Algorithms, Reliability

Additional Key Words and Phrases: Interactive consistency

#### https://dl.acm.org/citation.cfm?id=357176

## Other Chips Have Errors, Too

#### ACM TECHNEWS

### Tiny Chips, Big Headaches

By The New York Times February 7, 2022 Comments



#### Cores that don't count

Peter H. Hochschild Paul Turner Jeffrey C. Mogul Google Sunnyvale, CA, US Rama Govindaraju Parthasarathy Ranganathan Google Sunnyvale, CA, US David E. Culler Amin Vahdat Google Sunnyvale, CA, US



Researchers worry they are finding rare defects because they are trying to solve bigger and bigger computing problems, which stresses their systems in unexpected ways.

Credit: Tom Schierlitz/Trunk Archive

With transistors in computer chips shrinking in size, concern is growing about larger and more intricate cloud computing networks' fundamental dependence on less reliable and less predictable chips.

Recent studies by Facebook and Google researchers described outages with difficult-to-diagnose causes, arguing that underlying hardware was to blame.

Stanford University's Subhasish Mitra said people increasingly think manufacturing defects correspond with silent hardware errors, while scientists worry they are finding rare defects because they are attempting to meet bigger computing challenges, leading to unexpected system stressors.

The smallest error in a microprocessor hosting billions of transistors can disrupt systems that routinely execute billions of calculations each second, and mounting evidence suggests the problem is getting generationally worse.

## We Covered Until This Point in the Lecture

## Really Interested?

- Our first detailed study: Rowhammer analysis and solutions (June 2014)
  - Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai, and Onur Mutlu,
     "Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors"
     Proceedings of the <u>41st International Symposium on Computer Architecture</u> (ISCA), Minneapolis, MN, June 2014. [Slides (pptx) (pdf)] [Lightning Session Slides (pptx) (pdf)] [Source Code and Data]
- Our Source Code to Induce Errors in Modern DRAM Chips (June 2014)
  - <u>https://github.com/CMU-SAFARI/rowhammer</u>
- Google Project Zero's Attack to Take Over a System (March 2015)
  - Exploiting the DRAM rowhammer bug to gain kernel privileges (Seaborn+, 2015)
  - <u>https://github.com/google/rowhammer-test</u>
  - Double-sided Rowhammer

## RowHammer: Eight Years Ago...

Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai, and Onur Mutlu,
 "Flipping Bits in Memory Without Accessing Them: An

 Experimental Study of DRAM Disturbance Errors"
 Proceedings of the <u>41st International Symposium on Computer</u>
 <u>Architecture</u> (ISCA), Minneapolis, MN, June 2014.

 [Slides (pptx) (pdf)] [Lightning Session Slides (pptx) (pdf)] [Source Code and Data]

### Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors

Yoongu Kim<sup>1</sup> Ross Daly<sup>\*</sup> Jeremie Kim<sup>1</sup> Chris Fallin<sup>\*</sup> Ji Hye Lee<sup>1</sup> Donghyuk Lee<sup>1</sup> Chris Wilkerson<sup>2</sup> Konrad Lai Onur Mutlu<sup>1</sup> <sup>1</sup>Carnegie Mellon University <sup>2</sup>Intel Labs

## RowHammer: 2019 and Beyond...

Onur Mutlu and Jeremie Kim,
 "RowHammer: A Retrospective"
 *IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (TCAD) Special Issue on Top Picks in Hardware and Embedded Security*, 2019.
 [Preliminary arXiv version]
 [Slides from COSADE 2019 (pptx)]
 [Slides from VLSI-SOC 2020 (pptx) (pdf)]
 [Talk Video (1 hr 15 minutes, with Q&A)]

## RowHammer: A Retrospective

Onur Mutlu§‡Jeremie S. Kim‡§§ETH Zürich‡Carnegie Mellon University

## Takeaway

## Breaking the abstraction layers (between components and transformation hierarchy levels)

and knowing what is underneath

enables you to **understand** and **solve** problems

## RowHammer in 2020 & 2021

## RowHammer is Getting Much Worse

 Jeremie S. Kim, Minesh Patel, A. Giray Yaglikci, Hasan Hassan, Roknoddin Azizi, Lois Orosa, and Onur Mutlu, "Revisiting RowHammer: An Experimental Analysis of Modern Devices and Mitigation Techniques" Proceedings of the <u>47th International Symposium on Computer</u> <u>Architecture</u> (ISCA), Valencia, Spain, June 2020.
 [Slides (pptx) (pdf)]
 [Lightning Talk Slides (pptx) (pdf)]
 [Talk Video (20 minutes)]
 [Lightning Talk Video (3 minutes)]

### **Revisiting RowHammer: An Experimental Analysis of Modern DRAM Devices and Mitigation Techniques**

Jeremie S. Kim<sup>§†</sup> Minesh Patel<sup>§</sup> A. Giray Yağlıkçı<sup>§</sup> Hasan Hassan<sup>§</sup> Roknoddin Azizi<sup>§</sup> Lois Orosa<sup>§</sup> Onur Mutlu<sup>§†</sup> <sup>§</sup>ETH Zürich <sup>†</sup>Carnegie Mellon University

## Existing Solutions Do Not Work

 Pietro Frigo, Emanuele Vannacci, Hasan Hassan, Victor van der Veen, Onur Mutlu, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi,
 "TRRespass: Exploiting the Many Sides of Target Row Refresh" Proceedings of the <u>41st IEEE Symposium on Security and Privacy</u> (S&P), San Francisco, CA, USA, May 2020.
 [Slides (pptx) (pdf)]
 [Lecture Slides (pptx) (pdf)]
 [Lecture Video (17 minutes)]
 [Lecture Video (59 minutes)]
 [Source Code]
 [Web Article]
 Best paper award.
 Pwnie Award 2020 for Most Innovative Research. Pwnie Awards 2020

## TRRespass: Exploiting the Many Sides of Target Row Refresh

Pietro Frigo<sup>\*†</sup> Emanuele Vannacci<sup>\*†</sup> Hasan Hassan<sup>§</sup> Victor van der Veen<sup>¶</sup> Onur Mutlu<sup>§</sup> Cristiano Giuffrida<sup>\*</sup> Herbert Bos<sup>\*</sup> Kaveh Razavi<sup>\*</sup>

\*Vrije Universiteit Amsterdam

<sup>§</sup>ETH Zürich

¶Qualcomm Technologies Inc.

## Hard to Guarantee RowHammer-Free Chips

 Lucian Cojocar, Jeremie Kim, Minesh Patel, Lillian Tsai, Stefan Saroiu, Alec Wolman, and Onur Mutlu,
 <u>"Are We Susceptible to Rowhammer? An End-to-End</u> <u>Methodology for Cloud Providers"</u> *Proceedings of the <u>41st IEEE Symposium on Security and</u> <u>Privacy</u> (S&P), San Francisco, CA, USA, May 2020.
 [Slides (pptx) (pdf)]
 [Talk Video (17 minutes)]* 

### Are We Susceptible to Rowhammer? An End-to-End Methodology for Cloud Providers

Lucian Cojocar, Jeremie Kim<sup>§†</sup>, Minesh Patel<sup>§</sup>, Lillian Tsai<sup>‡</sup>, Stefan Saroiu, Alec Wolman, and Onur Mutlu<sup>§†</sup> Microsoft Research, <sup>§</sup>ETH Zürich, <sup>†</sup>CMU, <sup>‡</sup>MIT

## RowHammer Has Many Dimensions

 Lois Orosa, Abdullah Giray Yaglikci, Haocong Luo, Ataberk Olgun, Jisung Park, Hasan Hassan, Minesh Patel, Jeremie S. Kim, and Onur Mutlu,
 "A Deeper Look into RowHammer's Sensitivities: Experimental Analysis of Real DRAM Chips and Implications on Future Attacks and Defenses" Proceedings of the <u>54th International Symposium on Microarchitecture</u> (MICRO), Virtual, October 2021.
 [Slides (pptx) (pdf)]
 [Short Talk Slides (pptx) (pdf)]
 [Lightning Talk Slides (pptx) (pdf)]
 [Lightning Talk Video (1.5 minutes)]
 [arXiv version]

### A Deeper Look into RowHammer's Sensitivities: Experimental Analysis of Real DRAM Chips and Implications on Future Attacks and Defenses

Lois Orosa\*<br/>ETH ZürichA. Giray Yağlıkçı\*<br/>ETH ZürichHaocong Luo<br/>ETH ZürichAtaberk Olgun<br/>ETH Zürich, TOBB ETÜJisung Park<br/>ETH ZürichHasan HassanMinesh PatelJeremie S. KimOnur Mutlu

ETH Zürich

ETH Zürich

ETH Zürich

ETH Zürich

## Industry-Adopted Solutions Do Not Work

 Hasan Hassan, Yahya Can Tugrul, Jeremie S. Kim, Victor van der Veen, Kaveh Razavi, and Onur Mutlu,
 "Uncovering In-DRAM RowHammer Protection Mechanisms: A New Methodology, Custom RowHammer Patterns, and Implications" Proceedings of the <u>54th International Symposium on Microarchitecture</u> (MICRO), Virtual, October 2021.
 [Slides (pptx) (pdf)]
 [Short Talk Slides (pptx) (pdf)]
 [Lightning Talk Slides (pptx) (pdf)]
 [Lightning Talk Video (100 seconds)]
 [arXiv version]

### Uncovering In-DRAM RowHammer Protection Mechanisms: A New Methodology, Custom RowHammer Patterns, and Implications

| Hasan Hassan $^{\dagger}$ | Yahya Can Tuğrul <sup>†‡</sup>            | Jeremie S. Ki | $\mathbf{m}^{\dagger}$ Victor van der Veen <sup><math>\sigma</math></sup> |
|---------------------------|-------------------------------------------|---------------|---------------------------------------------------------------------------|
|                           | Kaveh Razavi $^{\dagger}$                 | Onur Mutlı    | 1 <sup>†</sup>                                                            |
| †ETH Zürich               | <sup>‡</sup> TOBB University of Economics | & Technology  | $^{\sigma}$ Qualcomm Technologies Inc.                                    |

## BlockHammer Solution in 2021

 A. Giray Yaglikci, Minesh Patel, Jeremie S. Kim, Roknoddin Azizi, Ataberk Olgun, Lois Orosa, Hasan Hassan, Jisung Park, Konstantinos Kanellopoulos, Taha Shahroodi, Saugata Ghose, and Onur Mutlu,
 "BlockHammer: Preventing RowHammer at Low Cost by Blacklisting Rapidly-Accessed DRAM Rows"
 Proceedings of the <u>27th International Symposium on High-Performance</u> Computer Architecture (HPCA), Virtual, February-March 2021.
 [Slides (pptx) (pdf)]
 [Short Talk Slides (pptx) (pdf)]
 [Talk Video (22 minutes)]

### BlockHammer: Preventing RowHammer at Low Cost by Blacklisting Rapidly-Accessed DRAM Rows

A. Giray Yağlıkçı<sup>1</sup> Minesh Patel<sup>1</sup> Jeremie S. Kim<sup>1</sup> Roknoddin Azizi<sup>1</sup> Ataberk Olgun<sup>1</sup> Lois Orosa<sup>1</sup> Hasan Hassan<sup>1</sup> Jisung Park<sup>1</sup> Konstantinos Kanellopoulos<sup>1</sup> Taha Shahroodi<sup>1</sup> Saugata Ghose<sup>2</sup> Onur Mutlu<sup>1</sup> <sup>1</sup>ETH Zürich <sup>2</sup>University of Illinois at Urbana–Champaign

## Detailed Lectures on RowHammer

- Computer Architecture, Fall 2020, Lecture 4b
  - RowHammer (ETH Zürich, Fall 2020)
  - https://www.youtube.com/watch?v=KDy632z23UE&list=PL5Q2soXY2Zi9xidyIgBxUz 7xRPS-wisBN&index=8
- Computer Architecture, Fall 2020, Lecture 5a
  - RowHammer in 2020: TRRespass (ETH Zürich, Fall 2020)
  - https://www.youtube.com/watch?v=pwRw7QqK\_qA&list=PL5Q2soXY2Zi9xidyIgBxU z7xRPS-wisBN&index=9
- Computer Architecture, Fall 2020, Lecture 5b
  - RowHammer in 2020: Revisiting RowHammer (ETH Zürich, Fall 2020)
  - https://www.youtube.com/watch?v=gR7XR-Eepcg&list=PL5Q2soXY2Zi9xidyIgBxUz7xRPS-wisBN&index=10
- Computer Architecture, Fall 2020, Lecture 5c

SAFARI

- Secure and Reliable Memory (ETH Zürich, Fall 2020)
- https://www.youtube.com/watch?v=HvswnsfG3oQ&list=PL5Q2soXY2Zi9xidyIgBxUz 7xRPS-wisBN&index=11

#### https://www.youtube.com/onurmutlulectures

## The Story of RowHammer Lecture ...

Onur Mutlu,
 "The Story of RowHammer"
 Keynote Talk at <u>Secure Hardware, Architectures, and Operating Systems</u>
 <u>Workshop</u> (SeHAS), held with <u>HiPEAC 2021 Conference</u>, Virtual, 19 January 2021.
 [Slides (pptx) (pdf)]
 [Talk Video (1 hr 15 minutes, with Q&A)]





## Maslow's (Human) Hierarchy of Needs



### We need to start with reliability and security...

## How Reliable/Secure/Safe is This Bridge?





## Collapse of the "Galloping Gertie"





## How Secure Are These People?



### Security is about preventing unforeseen consequences

#### Source: https://s-media-cache-ak0.pinimg.com/originals/48/09/54/4809543a9c7700246a0cf8acdae27abf.jpg

## Can We Depend on Computers?



#### SAFARI

Source: https://taxistartup.com/wp-content/uploads/2015/03/UK-Self-Driving-Cars.jpg

## Two Other Goals of This Course

Enable you to think critically

Enable you to think broadly

## RowHammer: Retrospective

- New mindset that has enabled a renewed interest in HW security attack research:
  - Real (memory) chips are vulnerable, in a simple and widespread manner
     → this causes real security problems
  - Hardware reliability  $\rightarrow$  security connection is now mainstream discourse
- Many new RowHammer attacks...
  - Tens of papers in top security venues
  - More to come as RowHammer is getting worse (DDR4 & beyond)
- Many new RowHammer solutions...
  - Apple security release; Memtest86 updated
  - Many solution proposals in top venues (latest in ISCA 2019)
  - Principled system-DRAM co-design (in original RowHammer paper)
  - More to come...

## Perhaps Most Importantly...

- RowHammer enabled a shift of mindset in mainstream security researchers
  - □ General-purpose hardware is fallible, in a widespread manner
  - Its problems are exploitable
- This mindset has enabled many systems security researchers to examine hardware in more depth
  - And understand HW's inner workings and vulnerabilities
- It is no coincidence that two of the groups that discovered Meltdown and Spectre heavily worked on RowHammer attacks before
  - More to come...

## RowHammer: 2019 and Beyond...

Onur Mutlu and Jeremie Kim,
 "RowHammer: A Retrospective"
 *IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (TCAD) Special Issue on Top Picks in Hardware and Embedded Security*, 2019.
 [Preliminary arXiv version]
 [Slides from COSADE 2019 (pptx)]
 [Slides from VLSI-SOC 2020 (pptx) (pdf)]
 [Talk Video (1 hr 15 minutes, with Q&A)]

## RowHammer: A Retrospective

Onur Mutlu§‡Jeremie S. Kim‡§§ETH Zürich‡Carnegie Mellon University

## The Story of RowHammer Lecture ...

Onur Mutlu,
 "The Story of RowHammer"
 Keynote Talk at <u>Secure Hardware, Architectures, and Operating Systems</u>
 <u>Workshop</u> (SeHAS), held with <u>HiPEAC 2021 Conference</u>, Virtual, 19 January 2021.
 [Slides (pptx) (pdf)]
 [Talk Video (1 hr 15 minutes, with Q&A)]



# **Digital Design & Computer Arch.** Lecture 2b: Mysteries in Comp. Arch.

Prof. Onur Mutlu

ETH Zürich Spring 2022 25 February 2022