Preventing Rowhammer Exploits via Low-Cost Domain-Aware Memory Allocation

TL;DR

Citadel is a low-cost, software-based memory allocator that prevents Rowhammer exploits by creating physically disjoint security domains, supporting thousands of domains with minimal overhead and no performance loss.

Contribution

It introduces Citadel, a novel memory allocator that isolates security domains in disjoint memory regions to prevent Rowhammer attacks, achieving high scalability with low overhead.

Findings

Supports thousands of security domains with 7.4% memory overhead

No performance loss observed in server systems

Outperforms existing domain isolation schemes in overhead and scalability

Abstract

Rowhammer is a hardware security vulnerability at the heart of every system with modern DRAM-based memory. Despite its discovery a decade ago, comprehensive defenses remain elusive, while the probability of successful attacks grows with DRAM density. Hardware-based defenses have been ineffective, due to considerable cost, delays in commercial adoption, and attackers' repeated ability to circumvent them. Meanwhile, more flexible software-based solutions either incur substantial performance and memory capacity overheads, or offer limited forms of protection. Citadel is a new memory allocator design that prevents Rowhammer-initiated security exploits by addressing the vulnerability's root cause: physical adjacency of DRAM rows. Citadel enables creation of flexible security domains and isolates different domains in physically disjoint memory regions, guaranteeing security by design. On a server system, Citadel supports thousands of security domains at a modest 7.4% average memory overhead and no performance loss. In contrast, recent domain isolation schemes fail to support many workload scenarios due to excessive overheads, and incur 4--6x higher overheads for supported scenarios. As a software solution, Citadel offers readily deployable Rowhammer-aware isolation on legacy, current, and future systems.