Scalable and Secure Row-Swap: Efficient and Safe Row Hammer Mitigation in Memory Systems

TL;DR

The paper addresses the growing vulnerability of DRAM to Row Hammer as technology scales. It shows that the prevailing aggressor-focused defense, Randomized Row-Swap (RRS), is insecure against the Juggernaut attack, which exploits latent activations from swap operations to break RH defenses in under a day. To counter this, the authors propose Secure Row-Swap (SRS), which eliminates unswap-induced latent activations, and extend it with attack-detection to future-proof protection. They further introduce Scale-SRS, a scalable variant that reduces swap rates using LLC-based outlier pinning, achieving years of protection with about 0.7% average slowdown and 3.3× lower on-chip storage than RRS. Overall, Scale-SRS offers secure, scalable, and efficient RH mitigation suitable for present and future DRAM generations.

Abstract

As Dynamic Random Access Memories (DRAM) scale, they are becoming increasingly susceptible to Row Hammer. By rapidly activating rows of DRAM cells (aggressor rows), attackers can exploit inter-cell interference through Row Hammer to flip bits in neighboring rows (victim rows). A recent work, called Randomized Row-Swap (RRS), proposed proactively swapping aggressor rows with randomly selected rows before an aggressor row can cause Row Hammer. Our paper observes that RRS is neither secure nor scalable. We first propose the `Juggernaut attack pattern' that breaks RRS in under 1 day. Juggernaut exploits the fact that the mitigative action of RRS, a swap operation, can itself induce additional target row activations, defeating such a defense. Second, this paper proposes a new defense Secure Row-Swap mechanism that avoids the additional activations from swap (and unswap) operations and protects against Juggernaut. Furthermore, this paper extends Secure Row-Swap with attack detection to defend against even future attacks. While this provides better security, it also allows for securely reducing the frequency of swaps, thereby enabling Scalable and Secure Row-Swap. The Scalable and Secure Row-Swap mechanism provides years of Row Hammer protection with 3.3X lower storage overheads as compared to the RRS design. It incurs only a 0.7% slowdown as compared to a not-secure baseline for a Row Hammer threshold of 1200.

Figures (16)

• Figure 1: (a) Time-to-break (in days) Randomized Row-Swap (RRS) with varying Swap Rate and Row Hammer Thresholds ($T_{RH}$). Our goal is to break RRS in under 1 day. (b) The normalized performance of RRS as values of $T_{RH}$ vary. Our goal is to minimize the performance overheads of RRS at lower values of $T_{RH}$ and enhance security; thereby making it scalable and secure.
• Figure 2: The latent activation on the aggressor row caused by a swap operation. This is primarily due to the fact that it takes five steps to activate two different rows (Row$_{aggr}$ and Row$_{rand}$) and thereby exchange their data contents.
• Figure 3: Latent activations on the aggressor row caused by an unswap followed by a swap operation. These operations result in two additional activations.
• Figure 4: The normalized performance of RRS, with and without immediate unswap operations, with respect to a baseline that does not mitigate against Row Hammer (RH). On average, not employing immediate unswap operations causes an additional slowdown of 3% to 7% at any given T$_{RH}$.
• Figure 5: The high-level flow of the Juggernaut attack pattern. It consists of two parts. The first part biases an aggressor row with latent activations. The second part employs a random-guess attack.