Experimental Analysis of Vulnerabilities in MLC NAND Flash Memory Programming
V
u
l
n
e
r
a
b
i
l
i
t
i
e
s
i
n
M
L
C
N
A
N
D
F
l
a
s
h
M
e
m
o
r
y
P
r
o
g
r
a
m
m
i
n
g
:
E
x
p
e
r
i
m
e
n
t
a
l
A
n
a
l
y
s
i
s
,
E
x
p
l
o
i
t
s
,
a
n
d
M
i
t
i
g
a
t
i
o
n
T
e
c
h
n
i
q
u
e
s
H
P
C
A
S
e
s
s
i
o
n
3
A
–
M
o
n
d
a
y
,
3
:
1
5
p
m
,
S
a
l
o
n
F
128GB
NAND Flash
256GB
NAND Flash
NAND flash scaling:
shrink size
of each flash cell,
store
two bits
per cell
01
11
11
10
11
00
00
10
V
u
l
n
e
r
a
b
i
l
i
t
i
e
s
i
n
M
L
C
N
A
N
D
F
l
a
s
h
M
e
m
o
r
y
P
r
o
g
r
a
m
m
i
n
g
:
E
x
p
e
r
i
m
e
n
t
a
l
A
n
a
l
y
s
i
s
,
E
x
p
l
o
i
t
s
,
a
n
d
M
i
t
i
g
a
t
i
o
n
T
e
c
h
n
i
q
u
e
s
H
P
C
A
S
e
s
s
i
o
n
3
A
–
M
o
n
d
a
y
,
3
:
1
5
p
m
,
S
a
l
o
n
F
128GB
NAND Flash
256GB
NAND Flash
NAND flash scaling:
shrink size
of each flash cell,
store
two bits
per cell
As the cells become smaller, they
interfere
with each other during
programming
…
01
11
11
10
11
00
00
10
11
??
10
10
00
10
Program
V
u
l
n
e
r
a
b
i
l
i
t
i
e
s
i
n
M
L
C
N
A
N
D
F
l
a
s
h
M
e
m
o
r
y
P
r
o
g
r
a
m
m
i
n
g
:
E
x
p
e
r
i
m
e
n
t
a
l
A
n
a
l
y
s
i
s
,
E
x
p
l
o
i
t
s
,
a
n
d
M
i
t
i
g
a
t
i
o
n
T
e
c
h
n
i
q
u
e
s
H
P
C
A
S
e
s
s
i
o
n
3
A
–
M
o
n
d
a
y
,
3
:
1
5
p
m
,
S
a
l
o
n
F
128GB
NAND Flash
256GB
NAND Flash
NAND flash scaling:
shrink size
of each flash cell,
store
two bits
per cell
As the cells become smaller, they
interfere
with each other during
programming
…
…to reduce interference,
today’s MLC NAND flash chips use
two-step programming
01
11
11
10
11
00
00
10
11
??
10
10
00
10
??
?
0
0
0
Step 1
Program
Step 2
Using
real MLC NAND flash chips
,
we show that two-step programming introduces
new reliability and security vulnerabilities
V
u
l
n
e
r
a
b
i
l
i
t
i
e
s
i
n
M
L
C
N
A
N
D
F
l
a
s
h
M
e
m
o
r
y
P
r
o
g
r
a
m
m
i
n
g
:
E
x
p
e
r
i
m
e
n
t
a
l
A
n
a
l
y
s
i
s
,
E
x
p
l
o
i
t
s
,
a
n
d
M
i
t
i
g
a
t
i
o
n
T
e
c
h
n
i
q
u
e
s
H
P
C
A
S
e
s
s
i
o
n
3
A
–
M
o
n
d
a
y
,
3
:
1
5
p
m
,
S
a
l
o
n
F
Using
real MLC NAND flash chips
,
we show that two-step programming introduces
new reliability and security vulnerabilities
We find that
cells with only one bit
programmed are
more vulnerable
to
interference during
reads
and
writes
than fully-programmed cells
V
u
l
n
e
r
a
b
i
l
i
t
i
e
s
i
n
M
L
C
N
A
N
D
F
l
a
s
h
M
e
m
o
r
y
P
r
o
g
r
a
m
m
i
n
g
:
E
x
p
e
r
i
m
e
n
t
a
l
A
n
a
l
y
s
i
s
,
E
x
p
l
o
i
t
s
,
a
n
d
M
i
t
i
g
a
t
i
o
n
T
e
c
h
n
i
q
u
e
s
H
P
C
A
S
e
s
s
i
o
n
3
A
–
M
o
n
d
a
y
,
3
:
1
5
p
m
,
S
a
l
o
n
F
Flash Memory
LSB
MSB
.
.
.
.
.
.
Read
Without
Errors
Read
With
Errors
.
.
.
Using
real MLC NAND flash chips
,
we show that two-step programming introduces
new reliability and security vulnerabilities
We find that
cells with only one bit
programmed are
more vulnerable
to
interference during
reads
and
writes
than fully-programmed cells
V
u
l
n
e
r
a
b
i
l
i
t
i
e
s
i
n
M
L
C
N
A
N
D
F
l
a
s
h
M
e
m
o
r
y
P
r
o
g
r
a
m
m
i
n
g
:
E
x
p
e
r
i
m
e
n
t
a
l
A
n
a
l
y
s
i
s
,
E
x
p
l
o
i
t
s
,
a
n
d
M
i
t
i
g
a
t
i
o
n
T
e
c
h
n
i
q
u
e
s
H
P
C
A
S
e
s
s
i
o
n
3
A
–
M
o
n
d
a
y
,
3
:
1
5
p
m
,
S
a
l
o
n
F
Vulnerabilities can be
exploited
to
corrupt data and
reduce flash
lifetime
Flash Memory
LSB
MSB
.
.
.
.
.
.
Read
Without
Errors
Read
With
Errors
.
.
.
Error Rate
Lifetime
ECC Limit
N
o
r
m
a
l
M
a
l
i
c
i
o
u
s
V
u
l
n
e
r
a
b
i
l
i
t
i
e
s
i
n
M
L
C
N
A
N
D
F
l
a
s
h
M
e
m
o
r
y
P
r
o
g
r
a
m
m
i
n
g
:
E
x
p
e
r
i
m
e
n
t
a
l
A
n
a
l
y
s
i
s
,
E
x
p
l
o
i
t
s
,
a
n
d
M
i
t
i
g
a
t
i
o
n
T
e
c
h
n
i
q
u
e
s
H
P
C
A
S
e
s
s
i
o
n
3
A
–
M
o
n
d
a
y
,
3
:
1
5
p
m
,
S
a
l
o
n
F
We propose
three solutions
to minimize vulnerabilities at
negligible latency overhead
V
u
l
n
e
r
a
b
i
l
i
t
i
e
s
i
n
M
L
C
N
A
N
D
F
l
a
s
h
M
e
m
o
r
y
P
r
o
g
r
a
m
m
i
n
g
:
E
x
p
e
r
i
m
e
n
t
a
l
A
n
a
l
y
s
i
s
,
E
x
p
l
o
i
t
s
,
a
n
d
M
i
t
i
g
a
t
i
o
n
T
e
c
h
n
i
q
u
e
s
H
P
C
A
S
e
s
s
i
o
n
3
A
–
M
o
n
d
a
y
,
3
:
1
5
p
m
,
S
a
l
o
n
F
We propose
three solutions
to minimize vulnerabilities at
negligible latency overhead
One solution
completely eliminates vulnerabilities
4.9% increase
in flash programming latency
V
u
l
n
e
r
a
b
i
l
i
t
i
e
s
i
n
M
L
C
N
A
N
D
F
l
a
s
h
M
e
m
o
r
y
P
r
o
g
r
a
m
m
i
n
g
:
E
x
p
e
r
i
m
e
n
t
a
l
A
n
a
l
y
s
i
s
,
E
x
p
l
o
i
t
s
,
a
n
d
M
i
t
i
g
a
t
i
o
n
T
e
c
h
n
i
q
u
e
s
H
P
C
A
S
e
s
s
i
o
n
3
A
–
M
o
n
d
a
y
,
3
:
1
5
p
m
,
S
a
l
o
n
F
We propose
three solutions
to minimize vulnerabilities at
negligible latency overhead
One solution
completely eliminates vulnerabilities
4.9% increase
in flash programming latency
Two other solutions
mitigate
vulnerabilities
No increase
in flash latency,
errors not completely eliminated
Increases flash lifetime by 16%
V
u
l
n
e
r
a
b
i
l
i
t
i
e
s
i
n
M
L
C
N
A
N
D
F
l
a
s
h
M
e
m
o
r
y
P
r
o
g
r
a
m
m
i
n
g
:
E
x
p
e
r
i
m
e
n
t
a
l
A
n
a
l
y
s
i
s
,
E
x
p
l
o
i
t
s
,
a
n
d
M
i
t
i
g
a
t
i
o
n
T
e
c
h
n
i
q
u
e
s
H
P
C
A
S
e
s
s
i
o
n
3
A
–
M
o
n
d
a
y
,
3
:
1
5
p
m
,
S
a
l
o
n
F
We propose
three solutions
to minimize vulnerabilities at
negligible latency overhead
One solution
completely eliminates vulnerabilities
4.9% increase
in flash programming latency
Two other solutions
mitigate
vulnerabilities
No increase
in flash latency,
errors not completely eliminated
Increases flash lifetime by 16%
Want more? Come to our talk! Read our paper!
Authors:
Yu Cai,
Saugata Ghose
, Yixin Luo, Ken Mai, Onur Mutlu, Erich F. Haratsch
This session at HPCA explores the experimental analysis, exploits, and mitigation techniques related to vulnerabilities in MLC NAND flash memory programming. The presentation delves into the risks associated with NAND flash memory, such as data corruption and errors during read operations. It discusses potential exploits and ways to address these security concerns. Various techniques for enhancing the integrity and reliability of NAND flash memory are highlighted, emphasizing the importance of understanding and mitigating vulnerabilities in programming practices.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques HPCA Session 3A Monday, 3:15 PM, Salon F 11 00 01 11 128GB NAND Flash 256GB NAND Flash 00 10 11 10
Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques HPCA Session 3A Monday, 3:15 PM, Salon F 11 00 01 11 128GB NAND Flash 256GB NAND Flash 00 10 11 10 10 11 Program 00 ?? 10 10
Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques HPCA Session 3A Monday, 3:15 PM, Salon F 11 00 01 11 128GB NAND Flash 256GB NAND Flash 00 10 11 10 10 11 Program 00 ?? 00 ?0 ?? Step 2 Step 1 10 10
Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques HPCA Session 3A Monday, 3:15 PM, Salon F
Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques HPCA Session 3A Monday, 3:15 PM, Salon F Controller Flash Memory MSB . . . MSB data LSB Read With Errors . . . . . . MSB 1 MSB n MSB 0 Read Without Errors LSB n LSB 0 LSB 1
Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques HPCA Session 3A Monday, 3:15 PM, Salon F Controller Flash Memory MSB . . . MSB data LSB Read With Errors . . . . . . MSB 1 MSB n MSB 0 Read Without Errors LSB n LSB 0 LSB 1 ECC Limit Error Rate Lifetime
Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques HPCA Session 3A Monday, 3:15 PM, Salon F
Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques HPCA Session 3A Monday, 3:15 PM, Salon F
Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques HPCA Session 3A Monday, 3:15 PM, Salon F Lifetime (P/E Cycles) 8K Solution #3 16% Baseline 6K 4K 2K 0 10K 20K 30K 40K Read Disturb Count
Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques HPCA Session 3A Monday, 3:15 PM, Salon F Lifetime (P/E Cycles) 8K Solution #3 16% Baseline 6K 4K 2K 0 10K 20K 30K 40K Read Disturb Count
