Scalable and Configurable Tracking for Any Rowhammer Threshold

The Rowhammer vulnerability continues to get worse, with the Rowhammer Threshold (TRH) reducing from 139K activations to 4.8K activations over the last decade. Typical Rowhammer mitigations rely on tracking aggressor rows. The number of possible aggressors increases with lowering thresholds, making it difficult to reliably track such rows in a storage-efficient manner. At lower thresholds, academic trackers such as Graphene require prohibitive SRAM overheads (hundreds of KBs to MB). Recent in-DRAM trackers from industry, such as DSAC-TRR, perform approximate tracking, sacrificing guaranteed protection for reduced storage overheads, leaving DRAM vulnerable to Rowhammer attacks. Ideally, we seek a scalable tracker that tracks securely and precisely, and incurs negligible dedicated SRAM and performance overheads, while still being able to track arbitrarily low thresholds. To that end, we propose START - a Scalable Tracker for Any Rowhammer Threshold. Rather than relying on dedicated SRAM structures, START dynamically repurposes a small fraction the Last-Level Cache (LLC) to store tracking metadata. START is based on the observation that while the memory contains millions of rows, typical workloads touch only a small subset of rows within a refresh period of 64ms, so allocating tracking entries on demand significantly reduces storage. If the application does not access many rows in memory, START does not reserve any LLC capacity. Otherwise, START dynamically uses 1-way, 2-way, or 8-way of the cache set based on demand. START consumes, on average, 9.4% of the LLC capacity to store metadata, which is 5X lower compared to dedicating a counter in LLC for each row in memory. We also propose START-M, a memory-mapped START for large-memory systems. Our designs require only 4KB SRAM for newly added structures and perform within 1% of idealized tracking even at TRH of less than 100.

[1]  Kaveh Razavi,et al.  REGA: Scalable Rowhammer Mitigation with Refresh-Generating Activations , 2023, 2023 IEEE Symposium on Security and Privacy (SP).

[2]  Sangil Park,et al.  A 1.1V 16Gb DDR5 DRAM with Probabilistic-Aggressor Tracking, Refresh-Management Functionality, Per-Row Hammer Tracking, a Multi-Step Precharge, and Core-Bias Modulation for Security and Reliability Enhancement , 2023, 2023 IEEE International Solid- State Circuits Conference (ISSCC).

[3]  Dongho Kim,et al.  DSAC: Low-Cost Rowhammer Mitigation Using In-DRAM Stochastic and Approximate Counting Algorithm , 2023, ArXiv.

[4]  Jung Ho Ahn,et al.  SHADOW: Preventing Row Hammer in DRAM with Intra-Subarray Row Shuffling , 2023, 2023 IEEE International Symposium on High-Performance Computer Architecture (HPCA).

[5]  Seth H. Pugsley,et al.  The Championship Simulator: Architectural Simulation for Education and Competition , 2022, ArXiv.

[6]  Moinuddin K. Qureshi,et al.  AQUA: Scalable Rowhammer Mitigation by Quarantining Aggressor Rows at Runtime , 2022, 2022 55th IEEE/ACM International Symposium on Microarchitecture (MICRO).

[7]  O. Mutlu,et al.  HiRA: Hidden Row Activation for Reducing Refresh Latency of Off-the-Shelf DRAM Chips , 2022, 2022 55th IEEE/ACM International Symposium on Microarchitecture (MICRO).

[8]  Moinuddin K. Qureshi,et al.  Hydra: enabling low-overhead mitigation of row-hammer at ultra-low thresholds via hybrid tracking , 2022, ISCA.

[9]  Moinuddin K. Qureshi,et al.  Randomized row-swap: mitigating Row Hammer by breaking spatial correlation between aggressor and victim rows , 2022, ASPLOS.

[10]  Jung Ho Ahn,et al.  Mithril: Cooperative Row Hammer Protection on Commodity DRAM Leveraging Managed Refresh , 2021, 2022 IEEE International Symposium on High-Performance Computer Architecture (HPCA).

[11]  Jeremie S. Kim,et al.  BlockHammer: Preventing RowHammer at Low Cost by Blacklisting Rapidly-Accessed DRAM Rows , 2021, 2021 IEEE International Symposium on High-Performance Computer Architecture (HPCA).

[12]  Jung Ho Ahn,et al.  Graphene: Strong yet Lightweight Row Hammer Protection , 2020, 2020 53rd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[13]  Zhi Zhang,et al.  PThammer: Cross-User-Kernel-Boundary Rowhammer through Implicit Accesses , 2020, 2020 53rd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[14]  Bruce Jacob,et al.  DRAMsim3: A Cycle-Accurate, Thermal-Capable DRAM Simulator , 2020, IEEE Computer Architecture Letters.

[15]  Yuval Yarom,et al.  RAMBleed: Reading Bits in Memory Without Accessing Them , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[16]  Onur Mutlu,et al.  Revisiting RowHammer: An Experimental Analysis of Modern DRAM Devices and Mitigation Techniques , 2020, 2020 ACM/IEEE 47th Annual International Symposium on Computer Architecture (ISCA).

[17]  Cristiano Giuffrida,et al.  TRRespass: Exploiting the Many Sides of Target Row Refresh , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[18]  Jung Min You,et al.  MRLoc: Mitigating Row-hammering based on memory Locality , 2019, 2019 56th ACM/IEEE Design Automation Conference (DAC).

[19]  G. Edward Suh,et al.  TWiCe: Preventing Row-hammering by Exploiting Time Window Counters , 2019, 2019 ACM/IEEE 46th Annual International Symposium on Computer Architecture (ISCA).

[20]  Herbert Bos,et al.  Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[21]  Rami G. Melhem,et al.  Mitigating Wordline Crosstalk Using Adaptive Trees of Counters , 2018, 2018 ACM/IEEE 45th Annual International Symposium on Computer Architecture (ISCA).

[22]  Benjamin C. Lee,et al.  MAPS: Understanding Metadata Access Patterns in Secure Memory , 2018, 2018 IEEE International Symposium on Performance Analysis of Systems and Software (ISPASS).

[23]  Taesoo Kim,et al.  SGX-Bomb: Locking Down the Processor via Rowhammer Attack , 2017, SysTEX@SOSP.

[24]  Yuval Yarom,et al.  Another Flip in the Wall of Rowhammer Defenses , 2017, 2018 IEEE Symposium on Security and Privacy (SP).

[25]  Sungjoo Yoo,et al.  Making DRAM stronger against row hammering , 2017, 2017 54th ACM/EDAC/IEEE Design Automation Conference (DAC).

[26]  Yanick Fratantonio,et al.  Drammer: Deterministic Rowhammer Attacks on Mobile Platforms , 2016, CCS.

[27]  Reetuparna Das,et al.  ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks , 2016, ASPLOS.

[28]  Stefan Mangard,et al.  Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript , 2015, DIMVA.

[29]  Chris Fallin,et al.  Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[30]  Guy E. Blelloch,et al.  Ligra: a lightweight graph processing framework for shared memory , 2013, PPoPP '13.

[31]  Kevin M. Lepak,et al.  Cache Hierarchy and Memory Subsystem of the AMD Opteron Processor , 2010, IEEE Micro.

[32]  Ioana Burcea,et al.  Phantom-BTB: a virtualized branch target buffer design , 2009, ASPLOS.

[33]  Kai Li,et al.  The PARSEC benchmark suite: Characterization and architectural implications , 2008, 2008 International Conference on Parallel Architectures and Compilation Techniques (PACT).

[34]  Babak Falsafi,et al.  Predictor virtualization , 2008, ASPLOS.

[35]  Microsoft,et al.  How to Configure Row-Sampling-Based Rowhammer Defenses , 2022 .

[36]  Microsoft,et al.  Panopticon: A Complete In-DRAM Rowhammer Mitigation , 2021 .

[37]  Dae-Hyun Kim,et al.  Architectural Support for Mitigating Row Hammering in DRAM Memories , 2015, IEEE Computer Architecture Letters.