2019 2학기 고급운영체제론 ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks 3 # 단국대학교 컴퓨터학과 # 남혜민 # 발표자.

2019 2학기 고급운영체제론 ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks 3 # 단국대학교 컴퓨터학과 # 남혜민 # 발표자 : 남혜민 # 발표일 : (월) Software ICT Hall 시스템소프트 정보보호 연구실

Contents 1. Introduction 2. ZebRAM 3. Evaluation 4. QnA
Software ICT Hall 시스템소프트 정보보호 연구실

Intro : Word Cloud Software ICT Hall 시스템소프트 정보보호 연구실

Intro : 3-Line Summary “Introducing ZebRAM, a software-level protection against Rowhammer attacks that leverages the hardware features of DRAM.” Software ICT Hall 시스템소프트 정보보호 연구실

Intro : Rowhammer Attack
DRAM rows consists of DRAM cells Each cell can store one bit information Software ICT Hall 시스템소프트 정보보호 연구실

Intro : Rowhammer Attack
DRAM rows consists of DRAM cells Each cell can store one bit information Rowhammer bug … and induce bit flips in them: (1 => 0) or (0 => 1) Bit flips Aggressor row Victim row Software ICT Hall 시스템소프트 정보보호 연구실

Intro : Threat Model 1. Privilege escalation
2. Compromising co-hosted virtual machines Hypervisor, .etc 3. Attacks over the network Software ICT Hall 시스템소프트 정보보호 연구실

Intro : Simple Threat Ex.
An attacker can flips a bit in: Cryptographic key, page table entry in kernel etc. … to compromise the system. Two important points to note: Attacker should able to read very fast Can flip a bit on its neighboring row Software ICT Hall 시스템소프트 정보보호 연구실

Intro : Exploit Paper Software ICT Hall 시스템소프트 정보보호 연구실

Intro : Defenses Paper Rowhammer Existing defenses are ineffective
Even if there is no software bug (and formally verified) 87% of DDR3 DIMMs are vulnerable (Kim et al. ISCA’14) DDR4 also contain this bug (Van der Veen et al. CCS’17) Existing defenses are ineffective Hardware solutions like ECC, TRR are found to ineffective (Cojocar et. al S&P’19, Gruss et al. Blackhat’18) ANVIL - CPU performance counters to detect Rowhammer attack (AWEKE et. al ASPLOS’16) CATT - isolates different security domains using guard rows (Brasser et al. SEC’17) Software ICT Hall 시스템소프트 정보보호 연구실

Intro : Defenses Paper Rowhammer Existing defenses are ineffective
Even if there is no software bug (and formally verified) 87% of DDR3 DIMMs are vulnerable (Kim et al. ISCA’14) DDR4 also contain this bug (Van der Veen et al. CCS’17) Existing defenses are ineffective Hardware solutions like ECC, TRR are found to ineffective (Cojocar et. al S&P’19, Gruss et al. Blackhat’18) ANVIL - fails against DMA-based attacks (Van der Veen et al. CCS’17) CATT - fails because different security domains share memory (Gruss et al. S&P’18) Software ICT Hall 시스템소프트 정보보호 연구실

ZebRAM Software ICT Hall 시스템소프트 정보보호 연구실

ZebRAM Design : RowHammer Attack Protection
1. Full memory protection Safe in hardware > FAIL Software attempts safe > FAIL 2. Limit the rows that an attacker can access The goal is to design a system where the attacker directly destroys only a subset of the rows. In other words, to make it impossible to climb Software ICT Hall 시스템소프트 정보보호 연구실

ZebRAM Design : Isolation
1. Separate Security domains using guard rows 2. Isolate security sensitive data using guard rows User space Guard Rows Kernel space Sensitive data DRAM address space CATT uses this approach (Brasser et al. SEC’17) (Tatar et al. ATC’18) Software ICT Hall 시스템소프트 정보보호 연구실

ZebRAM Design : Basic Odd Row : Data Even Row : Guard
Can stop all Rowhammer But, waste half of memory Data row Guard row DRAM address space DRAM address space Software ICT Hall 시스템소프트 정보보호 연구실

ZebRAM Design : Basic With the Buddy page allocation 3 1 2 Data row
Guard row Data region (Safe region) 1 2 Guard region (Unsafe region) 버디 에서 홀수 혹은 짝수를 강제로 사용하지 않게 하려면 이를 위해 물리적 메모리의 연속이 필요하다고 한다. DRAM address space DRAM address space Software ICT Hall 시스템소프트 정보보호 연구실

ZebRAM Design 1 2 Data row Data row Guard row Guard row Safe region
Physical address space Data row Guard row Data row Guard row 1 2 Safe region Unsafe region DRAM address space Physical address space Physical address space DRAM address space Software ICT Hall 시스템소프트 정보보호 연구실

ZebRAM Design : Physical to DRAM
Translating physical addresses to DRAM addresses and placing guard rows Physical address space Data row Guard row 1 RAMSES + ALIS* Physical address space DRAM address space DRAM address translation library, RAMSES Memory allocator, ALIS (Tatar et al. ATC’18) Software ICT Hall 시스템소프트 정보보호 연구실

ZebRAM Design : Re-mapping
Transparently re-map the data rows and guard rows as two contiguous memory region We use virtualization feature like Intel (VT-x) … Safe region for OS 2 VT-x Unsafe region DRAM address space DRAM address space Physical address space Physical address space Software ICT Hall 시스템소프트 정보보호 연구실

ZebRAM Design : Basic Using unsafe region to overcome memory waste.
Two conditions for using unsafe region 1. Correctly handle potential bit flips in unsafe areas 2. Access to an unsafe area must not cause a bit flip of the safe area. Data region (Safe region) Guard region (Unsafe region) 3 Physical address space Software ICT Hall 시스템소프트 정보보호 연구실

ZebRAM Design : Basic Securely means two things here :
Handle bit flips that may occur on unsafe region ZebRAM implements a integrity manager that uses: Hash verification (SHA-256) Error correction code (ECC) Safe region for OS Integrity Manager Unsafe region Physical address space Software ICT Hall 시스템소프트 정보보호 연구실

ZebRAM Design : Basic Securely means two things:
Handle bit flips that may occur on unsafe region Protect the unsafe region from illegal bit flips ZebRAM slows down the consecutive accesses to the same location in the unsafe region: By implements a cache layer using safe memory Enforcing Least-recently-added eviction policy Safe region f or OS Cache layer Unsafe region Physical address space Software ICT Hall 시스템소프트 정보보호 연구실

ZebRAM Design : Basic Efficiently:
Exposes the unsafe region as swap space to the OS Helps to utilize efficient page replacement policies in commodity OS Safe region f or OS Integrity Manager Cache layer Swap space Physical address space Software ICT Hall 시스템소프트 정보보호 연구실

ZebRAM Design : Components

ZebRAM Design : Components
1. Memory Remapper 2. Integrity Manager 3. Cache Manager 4. Swap Manager 컨트롤 패킷에 대한 보안 적용 필요 Software ICT Hall 시스템소프트 정보보호 연구실

Memory Remapper Split of physical memory into a safe and unsafe region
One region contains all the even-numbered rows The other contains all the odd-numbered rows. Data row Guard row 컨트롤 패킷에 대한 보안 적용 필요 DRAM address space DRAM address space Software ICT Hall 시스템소프트 정보보호 연구실

Integrity Manager Protects the integrity of the unsafe region
For error correction, usingh a commonly-used Single-Error Correction and Double-Error Detection (SECDED) ZebRAM provides the possibility to mix SECDED with collision resistant hash functions (SHA-256) -Hamming code- Software ICT Hall 시스템소프트 정보보호 연구실

Cache Manager Implements a fully associative cache Advantage
Reducing the access frequency on memory rows in the unsafe region. Speeds up access to the swap space Software ICT Hall 시스템소프트 정보보호 연구실

Swap Manager Uses the unsafe region
Protected by the Integrity Manager and Accessible only by the OS. Advantage OS will only access the slow Integrity-checked unsafe region when it runs out of fast safe memory. Software ICT Hall 시스템소프트 정보보호 연구실

# Life of a page in ZebRAM world

Life of a page in ZebRAM world
Safe region Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21

Safe region Swap Space Cache Kswapd # Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21

Safe region # Swap Space Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21

Safe region # Swap Space X Cache Kswapd Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21

Safe region # Swap Space Cache Kswapd X Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21

Safe region # Swap Space Cache Kswapd # Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21

Implementation LKM # Swap Space Safe region Cache Kswapd
Compression/ Decompression Hash Generation/ Verification ECC Encoder/ Decoder 21

Evaluation 1. Security Evaluation 2. Performance Evaluation
2006 benchmark, Working Set Size 컨트롤 패킷에 대한 보안 적용 필요 Software ICT Hall 시스템소프트 정보보호 연구실

Evaluation : Security We ran the Rowhammer exploit on the ZebRAM protected OS Take away: ECC module alone detected 100% the bit flips ECC module corrected % of the bit flips = 100% 99.9% Software ICT Hall 시스템소프트 정보보호 연구실

Evaluation : Performance
Spec 2006 benchmark shows Software ICT Hall 시스템소프트 정보보호 연구실

Evaluation : Performance
When active working set is using 70% of the memory: ZebRAM (Basic) = 30x ZebRAM (ECC) = 3x ZebRAM (ECC + SHA-256) = 3.9x Software ICT Hall 시스템소프트 정보보호 연구실

Summary The ZebRAM is the first solution to provide complete protection against Rowhammer attacks Performance overhead: Minimal when the active working set fits in the safe region Function of the active working set size when it does not fit in the safe region Code for ZebRAM will be available soon at Software ICT Hall 시스템소프트 정보보호 연구실

Q & A Thanks for your Attention

2019 2학기 고급운영체제론 ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks 3 # 단국대학교 컴퓨터학과 # 남혜민 # 발표자.

Similar presentations

Presentation on theme: "2019 2학기 고급운영체제론 ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks 3 # 단국대학교 컴퓨터학과 # 남혜민 # 발표자."— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

2019 2학기 고급운영체제론 ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks 3 # 단국대학교 컴퓨터학과 # 남혜민 # 발표자.

Similar presentations

Presentation on theme: "2019 2학기 고급운영체제론 ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks 3 # 단국대학교 컴퓨터학과 # 남혜민 # 발표자."— Presentation transcript:

Similar presentations

About project

Feedback