SpyHammer: Understanding and Exploiting RowHammer under Fine-Grained Temperature Variations

TL;DR

This work systematically characterizes RowHammer under fine-grained temperature variations and shows that BER is highly temperature-dependent. It then introduces SpyHammer, a practical attack that spies on DRAM temperature without modifying the victim system, using BR-based regression models and canary cells to infer relative or absolute temperatures. The evaluation across 12 DDR4 modules (120 chips) from four manufacturers demonstrates mean absolute-temperature errors below $2.5^{ ext{°}} ext{C}$ (90th percentile) and relative-temperature errors below $3.5^{ ext{°}} ext{C}$, with canary-cell optimization significantly reducing hammering. The findings expose a tangible threat to security and privacy in critical systems and underscore the need for robust, general RowHammer defenses that do not rely on temperature obfuscation. Overall, SpyHammer establishes a new class of temperature-spying RowHammer attacks and provides practical guidance for mitigations and future research.

Abstract

RowHammer is a DRAM vulnerability that can cause bit errors in a victim DRAM row solely by accessing its neighboring DRAM rows at a high-enough rate. Recent studies demonstrate that new DRAM devices are becoming increasingly vulnerable to RowHammer, and many works demonstrate system-level attacks for privilege escalation or information leakage. In this work, we perform the first rigorous fine-grained characterization and analysis of the correlation between RowHammer and temperature. We show that RowHammer is very sensitive to temperature variations, even if the variations are very small (e.g., $\pm 1$ °C). We leverage two key observations from our analysis to spy on DRAM temperature: 1) RowHammer-induced bit error rate consistently increases (or decreases) as the temperature increases, and 2) some DRAM cells that are vulnerable to RowHammer exhibit bit errors only at a particular temperature. Based on these observations, we propose a new RowHammer attack, called SpyHammer, that spies on the temperature of DRAM on critical systems such as industrial production lines, vehicles, and medical systems. SpyHammer is the first practical attack that can spy on DRAM temperature. Our evaluation in a controlled environment shows that SpyHammer can infer the temperature of the victim DRAM modules with an error of less than $\pm 2.5$ °C at the 90th percentile of all tested temperatures, for 12 real DRAM modules (120 DRAM chips) from four main manufacturers.

Figures (8)

• Figure 1: DRAM Bender Infrastructure: (a) temperature controller, (b) DRAM module clamped with heater pads, and (c) FPGA board programmed with DRAM Bender
• Figure 2: Correlation between RowHammer-induced bit flips per row () and temperature.
• Figure 3: Box plot of RowHammer-induced in 48 different 4MB memory regions from the same DRAM module.
• Figure 4: Number of canary DRAM cells at each temperature point.
• Figure 5: Error of the relative temperature change estimation obtained using a polynomial regression model from a DRAM module that is the same model as the victim DRAM module.