핵심 개념
The authors conduct a comprehensive study to better understand the DRAM microarchitecture and activate-induced bitflip (AIB) characteristics of modern DRAM chips, leveraging three different reverse-engineering techniques and their recent knowledge of address mapping and data swizzling.
초록
The authors present a comprehensive study to uncover the DRAM microarchitecture and activate-induced bitflip (AIB) characteristics of modern DRAM chips. They utilize three reverse-engineering techniques - AIBs, RowCopy, and retention-time test - to gain insights at both the macroscopic and microscopic levels.
Macroscopic Analysis:
Observation-1: The data of a single read command is collected from multiple memory array tiles (MATs) and reorganized due to data swizzling.
Observation-2: The MAT width, or the number of cells in a row within a single MAT, is measured to be 512- or 1024-bit for tested ×4 DDR4 chips.
Observation-3: For some DRAM chips, activating a row can result in the unintended activation of the coupled row.
Observation-4: The subarray heights are not power of 2, and different across different generations and within a chip.
Observation-5: For certain DRAM chips with the open bitline structure, two edge subarrays work in tandem to create a single full subarray.
Observation-6: Edge subarrays exhibit lower bit error rate (BER) from AIB, which can be attributed to dummy bitlines.
Microscopic Analysis:
The authors categorize DRAM cells into top and bottom cells based on the 6F2 cell structure.
RowPress exhibits an alternating error pattern, which reverses when row parity, aggressor direction, or the written value changes.
RowHammer also shows a similar alternating pattern, which is reversed when row parity, aggressor direction, or the written value changes.
The authors discover a new adversarial data pattern that decreases the activation count triggering the first bitflips by up to 81% and exacerbates the overall BER of the victim row by up to 1.69×.
Based on the new observations, the authors identify previously unknown AIB vulnerabilities and propose a simple yet effective data masking mechanism as a protection solution.
통계
The activation count that triggers the first bitflips (Hcnt) can be decreased by up to 81% using a newly-discovered adversarial data pattern.
The overall bit error rate (BER) of the victim row can be exacerbated by up to 1.69× using the newly-discovered adversarial data pattern.
인용구
"Reliable and cross-validatable reverse-engineering techniques (§III): To reverse-engineer the DRAM microarchitecture without intrusive measures such as physical probing [4], [5], we use three techniques using standard DRAM commands in a controlled FPGA-based environment."
"Macroscopic DRAM microarchitectural analysis (§IV): We conduct a macroscopic analysis that does not require knowledge of the 6F2 cell structure to reverse-engineer the data swizzling and identify previously unreported structural Observations at the subarray, row, and memory array tile (MAT) levels."
"Microscopic DRAM error analysis (§V): With our microscopic analysis that exploits our knowledge of the 6F2 cell structure, we present the following observations."