SoK: Rowhammer on Commodity Operating Systems
Zhi Zhang, Decheng Chen, Jiahao Qi, Yueqiang Cheng, Shijie Jiang, Yiyang Lin, Yansong Gao, Surya Nepal, Yi Zou, Jiliang Zhang, Yang Xiang
TL;DR
This SoK synthesizes rowhammer research on commodity DRAM within a unified framework that links attack origins, propagation through CPU, memory, and DMA channels, and attacker objectives (DoS, privilege escalation, leakage, and DNN degradation). It systematically categorizes attacks and defenses into software and production defenses, highlighting the limitations of each approach and the persistent arms race between attackers and defenders. A key contribution is the discovery that the cache-flush instruction clwb can be used effectively for hammering, expanding the viable toolkit for attacker implementations. The work also maps future threats in cloud and hardware-assisted environments and proposes practical defense directions, such as DRAM-aware isolation in hypervisors and broader RH-triggered detection using power, row-buffer, and performance counters. Overall, the paper provides a comprehensive, framework-driven view of rowhammer on commodity systems and actionable insights for researchers and practitioners.
Abstract
Rowhammer has drawn much attention from both academia and industry in the past years as rowhammer exploitation poses severe consequences to system security. Since the first comprehensive study of rowhammer in 2014, a number of rowhammer attacks have been demonstrated against dynamic random access memory (DRAM)-based commodity systems to break software confidentiality, integrity and availability. Accordingly, numerous software defenses have been proposed to mitigate rowhammer attacks on commodity systems of either legacy (e.g., DDR3) or recent DRAM (e.g., DDR4). Besides, multiple hardware defenses (e.g., Target Row Refresh) from the industry have been deployed into recent DRAM to eliminate rowhammer, which we categorize as production defenses. In this paper, we systematize rowhammer attacks and defenses with a focus on DRAM-based commodity systems. Particularly, we have established a unified framework demonstrating how a rowhammer attack affects a commodity system. With the framework, we characterize existing attacks, shedding light on new attack vectors that have not yet been explored. We further leverage the framework to categorize software and production defenses, generalize their key defense strategies and summarize their key limitations, from which potential defense strategies are identified.
