after installing blacksmith successfully and setting up the hugepage to 1 GB I tested the following : sudo ./blacksmith --dimm-id 1 --runtime-limit 120 --ranks 1 and i get this error message: mmap: Invalid argument how can I check if my --dimm-id is valid or not? I think its the argument that creates this issue! my OS : Linux ubuntu 5.11.0-27-generic 64-bit

After setting the hugepage size to 1G and build the blacksmith successfully, the program ends with the output "Illegal Instructions" and there is no content in the stdout.log

Hello,

I wanted to try your fuzzer on various computers but I always end up with the mmap: Cannot allocate memory error. I thought this would come from my configuration so I tried to increase the number of available huge pages.

I currently have the following memory configuration regarding huge pages:

▶ cat /proc/meminfo|grep Huge                         
AnonHugePages:         0 kB
ShmemHugePages:        0 kB
FileHugePages:         0 kB
HugePages_Total:     535
HugePages_Free:      535
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB
Hugetlb:         1095680 kB

On other devices I could even reach more than 1000 free huge pages, which I believe is enough for allocating 1GB of memory with huge pages. However the issue seems to come from somewhere else. I tried the execution on two different devices with ArchLinux, Debian 11 and Ubuntu 18.04 LTS with no success.

Am I missing something ?

Hi. I got it working on my gen3 I7 build, but I was wondering if this works on WSL2?

pstejska@PSTEJSKA03-PC:~/blacksmith-public/build$ sudo ./blacksmith --dimm-id 2 --runtime-limit 21600 --ranks 1 --sweeping Writing into logfile stdout.log pstejska@PSTEJSKA03-PC:~/blacksmith-public/build$ sudo ./blacksmith --dimm-id 1 --runtime-limit 21600 --ranks 1 --sweeping

[+] General information about this fuzzing run: Start timestamp:: 1637689072 Hostname: PSTEJSKA03-PC Commit SHA: NO_REPOSITORY Run time limit: 21600 (6 hours 0 minutes 0 seconds) [+] Printing run configuration (GlobalDefines.hpp): DRAMA_ROUNDS: 1000 CACHELINE_SIZE: 64 HAMMER_ROUNDS: 1000000 THRESH: 495 NUM_TARGETS: 10 MAX_ROWS: 30 NUM_BANKS: 16 DIMM: 1 CHANNEL: 1 MEM_SIZE: 1073741824 PAGE_SIZE: 4096

[+] Initializing memory with pseudorandom sequence. [-] Could not find conflicting address sets. Is the number of banks (16) defined correctly?

after running blacksmith with default param as mentioned in the description, it stopped immediately with the following erreur in the logfile :

` [+] General information about this fuzzing run: Start timestamp:: 1637072011 Hostname: 1cc27a1cdb50 Commit SHA: c8e65b709a83665f9528efdedcf064abdb04859f Run time limit: 120 (0 hours 2 minutes 0 seconds) [+] Printing run configuration (GlobalDefines.hpp): DRAMA_ROUNDS: 1000 CACHELINE_SIZE: 64 HAMMER_ROUNDS: 1000000 THRESH: 495 NUM_TARGETS: 10 MAX_ROWS: 30 NUM_BANKS: 16 DIMM: 1 CHANNEL: 1 MEM_SIZE: 1073741824 PAGE_SIZE: 4096

[-] Instruction setpriority failed. [+] Could not mount superpage from /mnt/huge/buff. Error: `

Hi

I installed blacksmith on a i3-8350k (Coffee-Lake-S) System. Unfortunately the test hangs after a while and the stdout.log shows some strange characters. Does anyone have an idea what could be the reason of this?

BR JKR stdout_2022_02_04_hangs.log

I'm not able to get past this error even when recompiling with different NUM_BANKS value - I tried 4, 8, 16 and even 32. Always the same output. I'm not sure what other parameters to adjust as the error message doesn't suggest anything else.

My output is:

[+] General information about this fuzzing run:
Start timestamp:: 1637333603
Hostname: ubuntu
Commit SHA: c8e65b709a83665f9528efdedcf064abdb04859f
Run time limit: 21600 (6 hours 0 minutes 0 seconds)
[+] Printing run configuration (GlobalDefines.hpp):
DRAMA_ROUNDS: 1000
CACHELINE_SIZE: 64
HAMMER_ROUNDS: 1000000
THRESH: 495
NUM_TARGETS: 10
MAX_ROWS: 30
NUM_BANKS: 32
DIMM: 1
CHANNEL: 1
MEM_SIZE: 1073741824
PAGE_SIZE: 4096

[+] Initializing memory with pseudorandom sequence.
[-] Could not find conflicting address sets. Is the number of banks (32) defined correctly?

My kernel is 5.13.0-19-generic on ubuntu 21.10

Any help is appreciated.

BlackSmith 0.0.2 has no support for ARM processors:

[81%] Building CXX object CMakeFiles/bs.dir/src/Fuzzer/AggressorAccessPattern.cpp.o In file included from /home/parallels/blacksmith/include/Memory/DramAnalyzer.hpp:13, from /home/parallels/blacksmith/include/Memory/Memory.hpp:13, from /home/parallels/blacksmith/include/Forges/TraditionalHammerer.hpp:9, from /home/parallels/blacksmith/src/Forges/TraditionalHammerer.cpp:1: /home/parallels/blacksmith/include/Utilities/AsmPrimitives.hpp: In static member function ‘static void TraditionalHammerer::hammer_sync(std::vector<volatile char*>&, int, volatile char*, volatile char*)’: /home/parallels/blacksmith/include/Utilities/AsmPrimitives.hpp:56:3: error: unknown register name ‘%rcx’ in ‘asm’ 56 | asm volatile("rdtscp\n" | ^~~ /home/parallels/blacksmith/include/Utilities/AsmPrimitives.hpp:56:3: error: unknown register name ‘%rcx’ in ‘asm’ 56 | asm volatile("rdtscp\n" | ^~~ /home/parallels/blacksmith/include/Utilities/AsmPrimitives.hpp:56:3: error: unknown register name ‘%rcx’ in ‘asm’ 56 | asm volatile("rdtscp\n" | ^~~ /home/parallels/blacksmith/include/Utilities/AsmPrimitives.hpp:56:3: error: unknown register name ‘%rcx’ in ‘asm’ 56 | asm volatile("rdtscp\n" | ^~~ make[2]: *** [CMakeFiles/bs.dir/build.make:104: CMakeFiles/bs.dir/src/Forges/TraditionalHammerer.cpp.o] Error 1 make[2]: *** Waiting for unfinished jobs.... make[1]: *** [CMakeFiles/Makefile2:387: CMakeFiles/bs.dir/all] Error 2 make: *** [Makefile:136: all] Error 2

In my opinion, THRESH is the threshold to distinguish row buffer miss rather than cache miss since in function measure_time() each memory access is followed by a clflushopt to flush it from cache.

Hi @pjattke ,

I've used the Blacksmith fuzzer to find patterns that produce a large number of bit flips on some DIMMs. However, on other DIMMs from the same manufacturer and having similar geometry (same number of ranks and banks), I have not managed to produce even a single bit flip even after repeated invocations of the fuzzer (I've roughly run the fuzzer 6 different times, each fuzzing for a duration of 6 hours). I assume it is unlikely for these DIMMs to be completely robust to the Rowhammer exploit and exploring the search space further should produce bit flips? Did you also come across something similar in your experiments? Do you have any practical advice (perhaps alter the THRESH value defined in GlobalDefines.hpp or run the fuzzer on a particular CPU) so I can produce bit flips on these DIMMs too?

Let me know if you would require further information and thanks again for your time! cc @kaustav-goswami and @dxaen

Hi @pjattke, I have some questions regarding the use of some time-based side channels in the blacksmith code.

• If I understood correctly, the find_bank_conflicts() method of DramAnalyzer is using a timing side-channel to find addresses that map to each DRAM bank. However, since blacksmith also uses DRAMA to figure out the DRAM functions to map physical addresses to the DRAM geometry (channel, rank, bank, row, etc) what is the need for this side channel?

• find_bank_conflicts() checks if the time that is taken to access 2 addresses is above a threshold to determine if the 2 addresses belong to the same bank. How did you determine this threshold? My understanding is that the code is looking for Row buffer misses when accessing the 2 addresses (which would take longer implying that they belong to the same bank), but how did you set a value to the threshold? Is the threshold dependent on each individual DIMM or does it depend on the microarchitecture? Also, why is it that the same pair of addresses is checked twice? Is this done to account for jitter?

• Lastly, the hammer_sync() method of TraditionalHammerer uses a timing side-channel to detect the start of a refresh interval to synchronize hammering within the interval. The timing side-channel uses 2 addresses in the same bank in order to do the sync. Is there any reason as to why the method uses 2 addresses? Can detecting the start of a refresh be detected just by accessing a single address?

Thanks for your time and wish you a happy new year. cc @kaustav-goswami and @dxaen.

@jgarte and I, with the help of other volunteers, are packaging Blacksmith in Guix. Once completed, Blacksmith can be deployed on any GNU+Linux distribution, with or without Guix, in a reproducible way.

I am opening this thread so that we can update our progress, including any issues.

Did anyone try running blacksmith on CPUs other than Coffee Lake?

I was able to run it successfully on Kaby Lake, but it didn't work on Comet Lake. It errors out immediately saying it could not find conflicting address sets and asks if the number of banks has been defined correctly (which I checked is correct).