TRRespass: Exploiting the Many Sides of Target Row Refresh

by Pietro Frigo, et al.

After a plethora of high-profile RowHammer attacks, CPU and DRAM vendors scrambled to deliver what was meant to be the definitive hardware solution against the RowHammer problem: Target Row Refresh (TRR). A common belief among practitioners is that, for the latest generation of DDR4 systems that are protected by TRR, RowHammer is no longer an issue in practice. However, in reality, very little is known about TRR. In this paper, we demystify the inner workings of TRR and debunk its security guarantees. We show that what is advertised as a single mitigation mechanism is actually a series of different solutions coalesced under the umbrella term TRR. We inspect and disclose, via a deep analysis, different existing TRR solutions and demonstrate that modern implementations operate entirely inside DRAM chips. Despite the difficulties of analyzing in-DRAM mitigations, we describe novel techniques for gaining insights into the operation of these mitigation mechanisms. These insights allow us to build TRRespass, a scalable black-box RowHammer fuzzer. TRRespass shows that even the latest generation DDR4 chips with in-DRAM TRR, immune to all known RowHammer attacks, are often still vulnerable to new TRR-aware variants of RowHammer that we develop. In particular, TRRespass finds that, on modern DDR4 modules, RowHammer is still possible when many aggressor rows are used (as many as 19 in some cases), with a method we generally refer to as Many-sided RowHammer. Overall, our analysis shows that 13 out of the 42 modules from all three major DRAM vendors are vulnerable to our TRR-aware RowHammer access patterns, and thus one can still mount existing state-of-the-art RowHammer attacks. In addition to DDR4, we also experiment with LPDDR4 chips and show that they are susceptible to RowHammer bit flips too. Our results provide concrete evidence that the pursuit of better RowHammer mitigations must continue.




Uncovering In-DRAM RowHammer Protection Mechanisms: A New Methodology, Custom RowHammer Patterns, and Implications

The RowHammer vulnerability in DRAM is a critical threat to system secur...

Revisiting RowHammer: An Experimental Analysis of Modern DRAM Devices and Mitigation Techniques

In order to shed more light on how RowHammer affects modern and future d...

BlockHammer: Preventing RowHammer at Low Cost by Blacklisting Rapidly-Accessed DRAM Rows

Aggressive memory density scaling causes modern DRAM devices to suffer f...

Retrospective: Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors

Our ISCA 2014 paper provided the first scientific and detailed character...

Towards the Avoidance of Counterfeit Memory: Identifying the DRAM Origin

Due to the globalization in the semiconductor supply chain, counterfeit ...

RowHammer and Beyond

We will discuss the RowHammer problem in DRAM, which is a prime (and lik...

Are We Susceptible to Rowhammer? An End-to-End Methodology for Cloud Providers

Cloud providers are concerned that Rowhammer poses a potentially critica...
