Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Read Disturbance in High Bandwidth Memory: A Detailed Experimental Study on HBM2 DRAM Chips

Ataberk Olgun, Majd Osseiran, Abdullah Giray Yaglikci, Yahya Can Tugrul, Haocong Luo, Steve Rhyner, Behzad Salami, Juan Gomez Luna, Onur Mutlu

TL;DR

The paper tackles the problem of read disturbance in HBM2 DRAM by delivering a rigorous experimental study on six chips across two FPGA boards, revealing substantial spatial and temporal variability in RowHammer and RowPress vulnerabilities and exposing an undocumented in-DRAM defense mechanism. By using a detailed testing infrastructure and diverse data patterns, hammer counts, and aggressor-on times, the authors quantify how vulnerability varies across chips, channels, and subarrays, and show that the undocumented TRR can be bypassed with specialized access patterns. The work contributes 23 observations and 8 takeaways, including the fact that up to $247$ bitflips can occur in a single row and that channel/subarray heterogeneity necessitates adaptive defenses. The study also provides practical implications for attackers and defenders, highlights the limitations of ECC in this context, and shares open-source tooling to enable reproducibility and future research.

Abstract

We experimentally demonstrate the effects of read disturbance (RowHammer and RowPress) and uncover the inner workings of undocumented read disturbance defense mechanisms in High Bandwidth Memory (HBM). Detailed characterization of six real HBM2 DRAM chips in two different FPGA boards shows that (1) the read disturbance vulnerability significantly varies between different HBM2 chips and between different components (e.g., 3D-stacked channels) inside a chip, (2) DRAM rows at the end and in the middle of a bank are more resilient to read disturbance, (3) fewer additional activations are sufficient to induce more read disturbance bitflips in a DRAM row if the row exhibits the first bitflip at a relatively high activation count, (4) a modern HBM2 chip implements undocumented read disturbance defenses that track potential aggressor rows based on how many times they are activated. We describe how our findings could be leveraged to develop more powerful read disturbance attacks and more efficient defense mechanisms. We open source all our code and data to facilitate future research at https://github.com/CMU-SAFARI/HBM-Read-Disturbance.

Read Disturbance in High Bandwidth Memory: A Detailed Experimental Study on HBM2 DRAM Chips

TL;DR

The paper tackles the problem of read disturbance in HBM2 DRAM by delivering a rigorous experimental study on six chips across two FPGA boards, revealing substantial spatial and temporal variability in RowHammer and RowPress vulnerabilities and exposing an undocumented in-DRAM defense mechanism. By using a detailed testing infrastructure and diverse data patterns, hammer counts, and aggressor-on times, the authors quantify how vulnerability varies across chips, channels, and subarrays, and show that the undocumented TRR can be bypassed with specialized access patterns. The work contributes 23 observations and 8 takeaways, including the fact that up to bitflips can occur in a single row and that channel/subarray heterogeneity necessitates adaptive defenses. The study also provides practical implications for attackers and defenders, highlights the limitations of ECC in this context, and shares open-source tooling to enable reproducibility and future research.

Abstract

We experimentally demonstrate the effects of read disturbance (RowHammer and RowPress) and uncover the inner workings of undocumented read disturbance defense mechanisms in High Bandwidth Memory (HBM). Detailed characterization of six real HBM2 DRAM chips in two different FPGA boards shows that (1) the read disturbance vulnerability significantly varies between different HBM2 chips and between different components (e.g., 3D-stacked channels) inside a chip, (2) DRAM rows at the end and in the middle of a bank are more resilient to read disturbance, (3) fewer additional activations are sufficient to induce more read disturbance bitflips in a DRAM row if the row exhibits the first bitflip at a relatively high activation count, (4) a modern HBM2 chip implements undocumented read disturbance defenses that track potential aggressor rows based on how many times they are activated. We describe how our findings could be leveraged to develop more powerful read disturbance attacks and more efficient defense mechanisms. We open source all our code and data to facilitate future research at https://github.com/CMU-SAFARI/HBM-Read-Disturbance.
Paper Structure (20 sections, 17 figures, 2 tables)

This paper contains 20 sections, 17 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Background & Motivation
  3. HBM2 Organization
  4. HBM2 Operation
  5. Motivation
  6. Experimental Infrastructure
  7. Testing Methodology
  8. Spatial Variation in RowHammer
  9. RowHammer Across Chips
  10. RowHammer Across Channels
  11. RowHammer Across Banks and Pseudo Channels
  12. The Effect of Aging
  13. RowHammer's Sensitivity to Hammer Count
  14. RowHammer and RowPress's Sensitivities to Aggressor Row On Time
  15. In-DRAM RowHammer Defenses
  16. ...and 5 more sections

Figures (17)

  • Figure 1: HBM2 DRAM system organization
  • Figure 2: FPGA-based HBM2 DRAM tester.
  • Figure 3: Tested HBM2 chips' temperature over time (24 hours). We draw temperature measurements taken every 5 seconds over a 24 hour time window.
  • Figure 4: ber across different HBM2 chips. Error bars show the range of across all tested rows in each chip.
  • Figure 5: hcfirst across different chips. Error bars show the range of across all tested rows in each chip.
  • ...and 12 more figures