An Analysis of HMB-based SSD Rowhammer
Jonas Juffinger

Introduction

An analysis of HMB-based SSD Rowhammer. Investigates Rowhammer attacks mounted through the SSD Host Memory Buffer (HMB). The analysis finds that SSDs do hammer DRAM but do not generate enough accesses to trigger bit flips. Bit flips in the HMB lead to SSD lock-ups.

Abstract

Rowhammer has been shown to be an extensive attack vector. In the years since its discovery, numerous exploits have been shown, attacking a wide range of targets from kernels, through web browsers to machine learning models. These attacks were not always mounted from code running on the CPU of a system. Various devices peripheral to the CPU, like GPUs or network cards, can cause Rowhammer bit flips through DMA accesses to the main memory. In this work, we take a look at solid state drives (SSDs) and whether they can be exploited as confused deputies to perform Rowhammer attacks. With the introduction of NVMe, a standardized protocol that allows SSDs to communicate directly over PCIe with the CPU, SSDs have reached performance numbers of a million input/output operations per second. PCIe also enables SSDs to use DMA for direct accesses to the main memory. This led to the introduction of the host memory buffer (HMB) feature, which allows SSDs to use a small fraction of the host DRAM. We are the first to reverse engineer how different SSDs utilize this host memory buffer and answer the question of whether the accesses from the SSD to the HMB are a potential attack vector to cause Rowhammer bit flips. Our analysis of three SSDs shows that bit flips in the HMB cause the SSDs to lock up, which results in a denial of service or, even worse, data loss. We also show how we can cause frequent accesses from the SSD to the HMB on all three SSDs. On one SSD, we reach 5000 DRAM accesses per refresh interval. We measure the Rowhammer impact of these accesses and show that they are effectively hammering the DRAM. However, 5000 DRAM accesses are not enough to cause Rowhammer bit flips, even on modern, highly vulnerable DRAM.


Review

This paper investigates a novel and increasingly relevant attack surface for Rowhammer: Solid State Drives (SSDs), specifically those leveraging the Host Memory Buffer (HMB) feature. Rowhammer, a widely recognized memory vulnerability, has evolved significantly, with attacks no longer confined to CPU-initiated operations but extending to peripheral devices capable of DMA to main memory. The authors position their work as the first to reverse engineer how SSDs utilize HMB and determine if these accesses constitute a viable vector for Rowhammer bit flips. This addresses a critical gap in understanding the security implications of high-performance SSDs, which, with NVMe and PCIe, have direct memory access capabilities.

The research employs a reverse engineering approach, analyzing the HMB utilization on three distinct SSD models. A key finding is that inducing bit flips within the HMB itself does not lead to a Rowhammer exploit, but rather causes the SSDs to lock up, resulting in a denial-of-service condition or potential data loss. Despite this, the authors successfully demonstrate the ability to induce frequent accesses from the SSD to the HMB across all tested devices. On one particular SSD, they achieve a significant rate of 5000 DRAM accesses per refresh interval, verifying that these operations effectively "hammer the DRAM." However, the analysis ultimately concludes that this frequency, even on modern, highly vulnerable DRAM, is insufficient to reliably trigger Rowhammer bit flips.

While the study did not yield a successful Rowhammer bit-flip exploit originating from SSD HMB access, its contributions are substantial. The identification of SSD lock-up and data loss as consequences of HMB bit flips reveals a significant security concern beyond traditional Rowhammer. Furthermore, the detailed methodology for inducing and measuring SSD-to-HMB access rates establishes a foundational understanding of this interaction, paving the way for future research into potential exploitable behaviors. This work rigorously explores a previously unexamined attack vector, providing valuable insights into the complex interplay between SSDs, host memory, and emerging Rowhammer defenses, even if the primary goal of demonstrating bit flips was not achieved under current conditions.


Full Text

This article, An Analysis of HMB-based SSD Rowhammer, appears in the Proceedings of the Microarchitecture Security Conference.
