MAD: Memory Allocation meets Software Diversity

Manuel Wiesinger, Daniel Dorfmeister, Stefan Brunthaler

TL;DR

This work presents MAD, short for memory allocation diversity, a new approach that combines memory allocation with principles underlying software diversity and shows promising early results. MAD leverages two novel, complementary spatial diversification techniques to overcome the lack of sufficient entropy in memory subsystems.

Abstract

Vulnerabilities emanating from DRAM errors pose a vexing problem that remains, as of yet, unsolved and elusive but cannot be ignored. Prior defenses focused on specific details of early RowHammer attacks and fail to cover the generalizations introduced by recent RowHammer attacks. Even worse, it is presently not clear whether techniques from prior defenses will be able to cope with these generalizations or whether an entirely new approach is required. Although this is still work in progress, we have identified a new approach that combines memory allocation with principles underlying software diversity and shows promising early results. At first glance, software diversity seems to be an unlikely contender, since it faces seemingly insurmountable obstacles, primarily the lack of sufficient entropy in memory subsystems. Our system - called MAD, short for memory allocation diversity - leverages two novel, complementary spatial diversification techniques to overcome this entropy obstacle. Entropy aside, MAD offers ease of implementation and negligible performance impact, and is both hardware and software agnostic. From a security perspective, MAD's goal is to deter RowHammer attacks by delaying them to the maximum extent possible. Such a delay opens the door for a variety of additional responses, e.g., proactive rebooting, or complementary in-depth analysis of ongoing attacks that would be too slow for an always-on defense.

Paper Structure (13 sections, 4 figures, 1 table)

Figures (4)

  • Figure 1: Comparison of page allocation for a given sequence with and without MAD. Without MAD, the second alloc call returns $\psi$, demonstrating enumeration. With MAD, block recycling ensures that the second invocation of alloc returns $\phi$ again.
  • Figure 2: Block Recycling = Horizontal + Vertical Diversity. Step A shows horizontal diversity, i.e., moving blocks from a shadow cache to the corresponding allocation cache. Step B shows vertical diversity, where buddy blocks $b_{3}$ and $b_{4}$ found in shadow cache $C_{S,0}$ are merged into block $\mathcal{B}$, which is put at a random location in the order-1 shadow cache $C_{S,1}$. Step C shows inverse vertical diversity, where a randomly selected block $b'_1$ of order 1 in $C_{A,1}$ is split into two blocks of order 0, block $\phi$ and block $\psi$, which are put at random locations in $C_{A,0}$.
  • Figure 3: Comparison of MAD with a textbook buddy allocator under sparse-allocation massaging.
  • Figure 4: Comparison of block recycling frequency of MAD with a textbook buddy allocator.
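
The three steps named in the Figure 2 caption, as an added toy model in Python (not the paper's code). Only Steps A, B and C follow the caption; the class `ToyMAD`, its method names, frees landing in the shadow cache, recycling only on exhaustion, and appending in Step A are assumptions made for illustration.

```python
import random

class ToyMAD:
    """Toy model of the Figure 2 caption; blocks are page-frame numbers."""

    def __init__(self, max_order=3, seed=None):
        self.rng = random.Random(seed)
        self.max_order = max_order
        self.alloc_cache = [[] for _ in range(max_order + 1)]  # C_{A,k}
        self.shadow = [[] for _ in range(max_order + 1)]       # C_{S,k}
        self.alloc_cache[max_order].append(0)  # one block spanning all pages

    def _put_random(self, cache, block):
        cache.insert(self.rng.randrange(len(cache) + 1), block)

    def _refill(self, order):
        """Step C (inverse vertical diversity): split a random larger block."""
        upper = order + 1
        if upper > self.max_order:
            return False
        if not (self.alloc_cache[upper] or self._refill(upper)):
            return False
        src = self.alloc_cache[upper]
        parent = src.pop(self.rng.randrange(len(src)))
        for half in (parent, parent + (1 << order)):
            self._put_random(self.alloc_cache[order], half)
        return True

    def alloc(self, order=0):
        cache = self.alloc_cache[order]
        if not cache and not self._refill(order):
            self.recycle()  # assumption: recycle only when nothing is left
            if not cache and not self._refill(order):
                raise MemoryError("no free block")
        return cache.pop(0)

    def free(self, block, order=0):
        self.shadow[order].append(block)  # assumption: frees land in C_{S,k}

    def recycle(self):
        for k in range(self.max_order + 1):
            shadow = self.shadow[k]
            if k < self.max_order:  # Step B (vertical diversity): merge buddies
                for b in sorted(shadow):
                    buddy = b ^ (1 << k)
                    if b < buddy and buddy in shadow:
                        shadow.remove(b)
                        shadow.remove(buddy)
                        self._put_random(self.shadow[k + 1], b)
            # Step A (horizontal diversity); append position is an assumption
            self.alloc_cache[k].extend(shadow)
            shadow.clear()
```

In this model the block returned by `alloc()` depends on the random split and placement choices, while `recycle()` still coalesces every buddy pair that sits in the same shadow cache.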