BEGIN:VCALENDAR VERSION:2.0 PRODID:-//Talks.cam//talks.cam.ac.uk// X-WR-CALNAME:Talks.cam BEGIN:VEVENT SUMMARY:TRRespass: Exploiting the Many Sides of Target Row Refresh - Kaveh Razavi\, ETH Zurich DTSTART:20200602T130000Z DTEND:20200602T140000Z UID:TALK141778@talks.cam.ac.uk CONTACT:Jack Hughes DESCRIPTION:After a plethora of high-profile RowHammer attacks\, CPU and\n DRAM vendors scrambled to deliver what was meant to be the definitive\nhar dware solution against the RowHammer problem: Target Row Refresh\n(TRR). A common belief among practitioners is that\, for the latest\ngeneration of DDR4 systems that are protected by TRR\, RowHammer is no\nlonger an issue in practice. However\, in reality\, very little is known\nabout TRR. How does TRR exactly prevent RowHammer? Which parts of a\nsystem are responsib le for operating the TRR mechanism? Does TRR\ncompletely solve the RowHamm er problem or does it have weaknesses?\n\nIn this paper\, we demystify the inner workings of TRR and debunk its\nsecurity guarantees. We show that w hat is advertised as a single\nmitigation mechanism is actually a series o f different solutions\ncoalesced under the umbrella term Target Row Refres h. We inspect and\ndisclose\, via a deep analysis\, different existing TRR solutions and\ndemonstrate that modern implementations operate entirely i nside DRAM\nchips. Despite the difficulties of analyzing in-DRAM mitigatio ns\, we\ndescribe novel techniques for gaining insights into the operation of\nthese mitigation mechanisms. These insights allow us to build TRRespa ss\,\na scalable black-box RowHammer fuzzer that we evaluate on 42 recent DDR4\nmodules.\n\nTRRespass shows that even the latest generation DDR4 chi ps with in-DRAM\nTRR\, immune to all known RowHammer attacks\, are often s till vulnerable\nto new TRR-aware variants of RowHammer that we develop. I n particular\,\nTRRespass finds that\, on present-day DDR4 modules\, RowHa mmer is still\npossible when many aggressor rows are used (as many as 19 i n some\ncases)\, with a method we generally refer to as Many-sided RowHamm er.\nOverall\, our analysis shows that 13 out of the 42 modules from all t hree\nmajor DRAM vendors (i.e.\, Samsung\, Micron\, and Hynix) are vulnera ble to\nour TRR-aware RowHammer access patterns\, and thus one can still m ount\nexisting state-of-the-art system-level RowHammer attacks. In additio n to\nDDR4\, we also experiment with LPDDR4(X) chips and show that they ar e\nsusceptible to RowHammer bit flips too. Our results provide concrete\ne vidence that the pursuit of better RowHammer mitigations must continue.\n\ nBio: Kaveh Razavi is an assistant professor in the Department of\nInforma tion Technology and Electrical Engineering at ETH Zurich where he\nleads t he COMSEC group. His research interests are in the area of\nsystems securi ty and more broadly\, computer systems. He regularly\npublishes at top sys tems and security venues (e.g.\, S&P\, USENIX\nSecurity\, SOSP/OSDI\, etc. ) and his research has won a prestigious VENI\npersonal grant as well as i ndustry and academic awards including\nmultiple Pwnies and best papers.\n\ nRECORDING : Please note\, this event will be recorded and will be availab le after the event for an indeterminate period under a CC BY -NC-ND licens e. Audience members should bear this in mind before joining the webinar or asking questions.\n LOCATION:Webinar END:VEVENT END:VCALENDAR