SoftTRR: Protect Page Tables against Rowhammer Attacks using Software-only Target Row Refresh

Zhi Zhang\*, Yueqiang Cheng\*, Minghua Wang, Wei He, Wenhao Wang, Nepal Surya, Yansong Gao, Kang Li, Zhe Wang, Chenggang Wu (\*: co-first authors)



# Outline

- Background
- Motivation
- Overview
- Evaluation
- Conclusion

# Background

### What is Rowhammer?

#### What is Rowhammer ?





### Rowhammer:

#### Frequently accessing

DRAM rows

#### DRAM bank

A bank has rows of cells



#### DRAM bank

A bank has rows of cells

A cell has a capacitor and an access-transistor



### DRAM Refresh

- \* capacitors of cells can lose charge over time
- \* cells must be periodically refreshed
- $\star$  the refresh rate is typically 64 ms in DDR3 and DDR4

#### Rowhammer

Kim et al. (ISCA'14)

frequently opening rows *n+1* & *n-1* cause charge leakage (bit flips) in row *n* 



### Motivation

#### Rowhammer Attacks

- Rowhammer-induced page tables corruption is the most detrimental to system security and hard to mitigate (CTA ASPLOS'19)
- > Mainstream rowhammer attacks target level-1 page table corruption

### Limitations of the State-of-the-Art Works

# Limitations of the State-of-the-Art Works

# Practicality

> incurring modifications to kernel memory subsystem.

# Limitations of the State-of-the-Art Works

### Practicality

incurring modifications to kernel memory subsystem

Effectiveness

being ineffective against all existing rowhammer attacks targeting page tables (e.g., PThammer MICRO'20)

## Explicit Rowhammer Attacks

Require access to part of rows adjacent to L1PT rows for explicit hammering



## Explicit Rowhammer Attacks

Require access to part of rows adjacent to L1PT rows for explicit hammering

### Implicit Rowhammer Attacks

> PThammer, the only instance



Design Principles:

> effective in protecting page tables from explicit and implicit attacks

Design Principles:

- > effective in protecting page tables from explicit and implicit attacks
- compatible with OS kernels

Design Principles:

- > effective in protecting page tables from explicit and implicit attacks
- compatible with OS kernels
- > small performance overhead to a commodity system

# Key Insights

DRAM-chip-based TRR (ChipTRR), widely deployed in DDR4 modules.

high-level idea: ChipTRR counts rows' activations and refreshes adjacent rows to suppress bit flips if the activation counts reach a pre-defined limit.

# Key Insights

DRAM-chip-based TRR (ChipTRR), widely deployed in DDR4 modules.

- high-level idea: ChipTRR counts rows' activations and refreshes adjacent rows to suppress bit flips if the activation counts reach a pre-defined limit.
- security limitation: ChipTRR only tracks a limited number of rows, which renders its rowhammer-free guarantee broken by TRRespass IEEE 5&P'20.

# Key Insights

DRAM-chip-based TRR (ChipTRR), widely deployed in DDR4 modules.

- high-level idea: ChipTRR counts rows' activations and refreshes adjacent rows to suppress bit flips if the activation counts reach a pre-defined limit.
- security limitation: ChipTRR only tracks a limited number of rows, which renders its rowhammer-free guarantee broken by TRRespass IEEE S&P'20.

Software-only TRR (SoftTRR): protects page-table integrity by adopting the above idea while addresses the security limitation by leveraging MMU and OS kernel features.

#### **Memory-access Mediation**



#### Memory-access Mediation



SoftTRR leverages page tables and page-fault handler to frequently trace memory accesses to any rows adjacent to rows hosting page-tables.







In our implementation, SoftTRR focuses on protecting level-1 page tables (L1PTs) that are targeted by both explicit and implicit rowhammer attacks.

- In our implementation, SoftTRR focuses on protecting level-1 page tables (L1PTs) that are targeted by both explicit and implicit rowhammer attacks.
- > Page table collector asks task\_struct and hooks L1PT alloc and free functions for page collection
  - ✓ L1PT pages
  - ✓ DRAM-adjacent pages
  - ✓ their DRAM row locations

- In our implementation, SoftTRR focuses on protecting level-1 page tables (L1PTs) that are targeted by both explicit and implicit rowhammer attacks.
- > Page table collector asks task\_struct and hooks L1PT alloc and free functions for page collection
  - ✓ L1PT pages
  - ✓ DRAM-adjacent pages
  - ✓ their DRAM row locations
- > DRAM-adjacent page

- In our implementation, SoftTRR focuses on protecting level-1 page tables (L1PTs) that are targeted by both explicit and implicit rowhammer attacks.
- > Page table collector asks task\_struct and hooks L1PT alloc and free functions for page collection
  - ✓ L1PT pages
  - ✓ DRAM-adjacent pages
  - ✓ their DRAM row locations
- > DRAM-adjacent page: up to 6-row from a row hosting L1PTs (based on Kim et al. ISCA'20)



- In our implementation, SoftTRR focuses on protecting level-1 page tables (L1PTs) that are targeted by both explicit and implicit rowhammer attacks.
- > Page table collector asks task\_struct and hooks L1PT alloc and free functions for page collection
  - ✓ L1PT pages
  - ✓ DRAM-adjacent pages
  - $\checkmark$  their DRAM row locations
- > DRAM-adjacent page: up to 6-row from a row hosting L1PTs (based on Kim et al. ISCA'20)
- > An attacker can explicitly or implicitly hammer an adjacent page
- > Page table collector maintains three red-black trees for the collected information
  - ✓ pt\_rbtree
  - ✓ adj\_rbtree
  - ✓ pt\_row\_rbtree





- > Trace memory accesses to adjacent pages
- > Maintain a counter for each page-table row
- $\succ$  Trigger row-refresher when the counter reaches a pre-defined limit, similar to ChipTRR  $_{_{36}}$



![](_page_37_Figure_1.jpeg)

![](_page_38_Figure_1.jpeg)

- > Set-up tracing periodically
- > Determine timer\_inr and count\_limit

![](_page_39_Figure_1.jpeg)

- Set-up tracing periodically
- > Determine timer\_inr and count\_limit

- Set-up tracing periodically
  - ✓ Configuring *present* bit or *rsrv* bit in leaf PTEs (page table entries) can capture a memory access of *read*, *write* or *instruction fetch*.

- > Set-up tracing periodically
  - ✓ Configuring *present* bit or *rsrv* bit in leaf PTEs (page table entries) can capture a memory access of *read*, *write* or *instruction fetch*.

![](_page_41_Figure_3.jpeg)

MMU-supported page-fault error code

present set to 0 corresponds to P bit set to 0

| _31      |          |    |     |      |     |     |   |
|----------|----------|----|-----|------|-----|-----|---|
| Reserved |          |    |     |      |     |     |   |
| 15       |          | 5  | 4   | 3    | 2   | 1   | 0 |
| SGX      | Reserved | PK | I/D | RSVD | u/s | W/R | Р |

0 means that the fault was caused by a non-present page.

1 means that the fault was caused by a page-level protection violation.

![](_page_42_Picture_5.jpeg)

0 means that the fault was caused by reserved bit violation.

1 means that the fault was caused by a reserved bit set to 1 in a

page-table entry

MMU-supported page-fault error code

- present set to 0 corresponds to P bit set to 0
- rsrv bit set to 1 corresponds to RSVD bit set to 1

![](_page_43_Figure_3.jpeg)

0 means that the fault was caused by a non-present page. 1 means that the fault was caused by a page-level protection violation.

![](_page_43_Picture_5.jpeg)

σ

0 means that the fault was caused by reserved bit violation.

1 means that the fault was caused by a reserved bit set to 1 in a page-table entry

- > Set-up tracing periodically
  - ✓ Configuring *present* bit or *rsrv* bit in leaf PTEs (page table entries) can capture memory access of *read*, *write* or *instruction fetch*.
  - ✓ Choose *rsrv* bit as configuring *present* bit causes kernel abort.

- Set-up tracing periodically
- > Determine timer\_intr and count\_limit
  - threshold = ?

- > Set-up tracing periodically
- > Determine timer\_intr and count\_limit
  - / threshold = timer\_inr × (count\_limit 1) and means no bit flip will be caused by hammering

![](_page_46_Figure_4.jpeg)

- > Set-up tracing periodically
- > Determine timer\_intr and count\_limit
  - threshold = timer\_inr × (count\_limit 1) and means no bit flip will be caused by hammering

 $\checkmark$  A safe threshold is 1 ms (based on Kim et al. ISCA'20)

- > Set-up tracing periodically
- > Determine timer\_intr and count\_limit
  - threshold = timer\_inr × (count\_limit 1) and means no bit flip will be caused by hammering
  - $\checkmark\,$  A safe threshold is 1 ms
  - ✓ timer\_inr is set to 1 ms and count\_limit is set to 2

![](_page_49_Figure_1.jpeg)

![](_page_50_Figure_1.jpeg)

![](_page_51_Figure_1.jpeg)

### Row Refresher

- Refresh A Specified Row
  - ✓ A simple read-access to a kernel virtual address can re-charge a specified row and prevent potential bit flips
  - ✓ A kernel virtual address should be mapped to the specified row

### Row Refresher

- Refresh A Specified Row
  - A simple read-access to a kernel virtual address can re-charge a corresponding row and prevent potential bit flips
  - $\checkmark$  A kernel virtual address should be mapped to the specified row
- Direct-physical Map
  - $\checkmark$  Linux maps available physical memory into the kernel space
  - A kernel virtual address can be found based on the mapping between a physical address and a DRAM row location, and the direct-physical map

### Evaluation

### Security Evaluation

Three popular rowhammer attacks target corrupting level-1 page tables:

- > Memory Spray (Blackhat'15): explicitly hammers user memory adjacent to L1PTEs
- > CATTmew (IEEE TDSC'19): explicitly hammers device driver buffer adjacent to L1PTEs
- > Pthammer (MICRO'20): implicitly hammers L1PTEs adjacent to other L1PTEs

### Security Evaluation

Three popular rowhammer attacks target corrupting level-1 page tables:

- > Memory Spray (Blackhat'15): explicitly hammers user memory adjacent to L1PTEs
- > CATTmew (IEEE TDSC'19): explicitly hammers device driver buffer adjacent to L1PTEs
- > Pthammer (MICRO'20): implicitly hammers L1PTEs adjacent to other L1PTEs

| Machina Model     |             | Hardware Co | nfiguration                         | Attack                  | SoftTRR          |
|-------------------|-------------|-------------|-------------------------------------|-------------------------|------------------|
| Machine Mouer     | CPU Arch.   | CPU Model   | DRAM (Part No.)                     | n Targeted Victim Pages | Bit Flip Failed? |
| Dell Optiplex 390 | KabyLake    | i7-7700k    | Kingston DDR4<br>(99P5701-005.A00G) | Memory Spray [46]       | ~                |
| Dell Optiplex 990 | SandyBridge | i5-2400     | Samsung DDR3<br>(M378B5273DH0-CH9)  | CATTmew [13]            | 1                |
| Thinkpad X230     | IvyBridge   | i5-3230M    | Samsung DDR3<br>(M471B5273DH0-CH9)  | PThammer [62]           | ~                |
|                   |             |             |                                     |                         | E0               |

n = 50

## Performance Evaluation

Three representative benchmarks:

- SPECspeed 2017 Integer: CPU-focused
- memcached: memory-focused
- > Phoronix test suite: system as a whole

## Performance Evaluation

Three representative benchmarks:

- SPECspeed 2017 Integer: CPU-focused
- memcached: memory-focused
- > Phoronix test suite: system as a whole

Runtime overhead on benchmarks in two scenarios:

- $\succ \Delta \pm 1$ : where an adjacent row is only 1-row from a row hosting level-1 page tables.
- >  $\Delta$ ±6: where an adjacent row is up to 6-row from a row hosting level-1 page tables.

#### Runtime Overhead

| Bonchmarks             | Drograms        | SoftTRR Overhead |                            |  |
|------------------------|-----------------|------------------|----------------------------|--|
| Deneminarks            | Figrans         | $\Delta_{\pm 1}$ | $\Delta_{\pm 6}$ (default) |  |
|                        | perlbench_s     | 0.67%            | 0.67%                      |  |
|                        | gcc_s           | 0.23%            | 0.92%                      |  |
|                        | mcf_s           | -0.76%           | 0.30%                      |  |
|                        | omnetpp_s       | -0.81%           | 1.82%                      |  |
|                        | xalancbmk_s     | 0.36%            | 2.50%                      |  |
| SPECspeed 2017 Integer | x264_s          | 0.00%            | 0.61%                      |  |
|                        | deepsjeng_s     | 0.00%            | 0.28%                      |  |
|                        | leela_s         | 0.23%            | 0.46%                      |  |
|                        | exchange2_s     | -0.70%           | -0.23%                     |  |
|                        | xz_s            | 1.48%            | 0.93%                      |  |
|                        | Mean            | 0.07%            | 0.83%                      |  |
|                        | Apache          | -0.16%           | 0.32%                      |  |
|                        | unpack-linux    | 1.31%            | 1.84%                      |  |
|                        | iozone          | 0.89%            | -1.15%                     |  |
|                        | postmark        | 0.89%            | 0.00%                      |  |
|                        | stream:Copy     | 0.01%            | 0.00%                      |  |
|                        | stream:Scale    | 0.60%            | 0.23%                      |  |
|                        | stream:Triad    | 0.07%            | 0.37%                      |  |
|                        | stream:Add      | 0.03%            | 0.35%                      |  |
| Dhamanin               | compress-7zip   | 1.52%            | 2.24%                      |  |
| Phoronix               | openssl         | 0.14%            | 0.13%                      |  |
|                        | pybench         | 0.00%            | 0.52%                      |  |
|                        | phpbench        | 0.92%            | 0.01%                      |  |
|                        | cacheben:read   | -0.38%           | 0.26%                      |  |
|                        | cacheben:write  | -0.26%           | -0.44%                     |  |
|                        | cacheben:modify | -0.01%           | 0.67%                      |  |
|                        | ramspeed:INT    | -0.09%           | -0.63%                     |  |
|                        | ramspeed:FP     | -0.15%           | -0.63%                     |  |
|                        | Mean            | 0.22%            | 0.24%                      |  |
|                        | Statistics      |                  |                            |  |
| memcached              | Ops             | 0.39%            | 0.18%                      |  |
| memcacheu              | TPS             | 0.39%            | 0.15%                      |  |
|                        | Net_rate        | 0.46%            | 0.31%                      |  |

## Runtime Memory Consumption

- > In a LAMP (Linux, Apache, MySQL and PHP) system with SoftTRR deployed
- > Nikto stresses the LAMP system from another machine

### Runtime Memory Consumption

- > In a LAMP (Linux, Apache, MySQL and PHP) system with SoftTRR deployed
- > Nikto stresses the LAMP system from another machine

![](_page_61_Figure_3.jpeg)

# System Robustness

| Linux Test Project |           | Vanilla System | SoftTRR          |                            |  |
|--------------------|-----------|----------------|------------------|----------------------------|--|
|                    |           | vannia System  | $\Delta_{\pm 1}$ | $\Delta_{\pm 6}$ (default) |  |
|                    | open      | ~              | ~                | ~                          |  |
| File               | close     | ~              | ~                | ~                          |  |
| I HC               | ftruncate | ~              | ~                | ~                          |  |
|                    | rename    | ~              | ~                | ~                          |  |
|                    | Listen    | ~              | ~                | ~                          |  |
| Network            | Socket    | ~              | ~                | ~                          |  |
| THEEWOIR           | Send      | ~              | ~                | ~                          |  |
|                    | Recv      | ~              | ~                | ~                          |  |
|                    | mmap      | ~              | ~                | ~                          |  |
|                    | munmap    | ~              | ~                | ~                          |  |
| Memory             | brk       | ~              | ~                | ~                          |  |
|                    | mlock     | ~              | ~                | ~                          |  |
|                    | munlock   | ~              | ~                | ~                          |  |
|                    | mremap    | ~              | ~                | ~                          |  |
|                    | getpid    | ~              | ~                | ~                          |  |
| Process            | exit      | ~              | ~                | ~                          |  |
|                    | clone     | ~              | ~                | ~                          |  |
|                    | ioctl     | ~              | ~                | ~                          |  |
| Misc.              | prctl     | ~              | ~                | ~                          |  |
|                    | vhangup   | ~              | ~                | ~                          |  |

✓ the stress test does not report any problem

#### Conclusion

★ SoftTRR is a more effective and practical software-only mitigation,
Compared to existing works

★ In its implementation, SoftTRR works as a loadable kernel module to defend against rowhammer attacks on L1PT pages. SoftTRR leverages MMU and OS kernel features to collect L1PT pages, track memory access, and refresh target L1PT pages

\* SoftTRR is evaluated to be effective against 3 representative rowhammer attacks and incur small overhead and memory footprints

Thanks & Questions?