MINT: Securely Mitigating Rowhammer with a Minimalist In-DRAM Tracker
Moinuddin Qureshi, Salman Qazi, Aamer Jaleel
TL;DR
Rowhammer remains a serious threat that worsens as the DRAM Rowhammer threshold (TRH) declines, and practical in-DRAM trackers must balance security with minimal SRAM and timing overhead. The paper introduces MINT, a future-centric, single-entry in-DRAM tracker that probabilistically selects a future activation within each refresh interval for mitigation, achieving strong security against single- and double-sided attacks with a MinTRH around $2.8\,\text{K}$ without reliance on large SRAM. It analyzes failure models and extends MINT with a Delayed Mitigation Queue (DMQ) to handle DDR5 refresh postponement, bringing MinTRH to about $1.48\,\text{K}$ (with postprocessing) and up to $1.482\,\text{K}$ for realistic configurations, while adding negligible overhead. Co-design with DDR5 Refresh Management (RFM) further lowers MinTRH to as low as $356$ with modest slowdown (≈1.6%), demonstrating a practical pathway to secure, low-cost in-DRAM RH mitigation. Overall, MINT (and MINT+DMQ/RFM) narrows the gap to an ideal one-counter-per-row design, while keeping storage footprints tiny (≈4 bytes/bank for MINT plus DMQ) and maintaining near-baseline performance and energy.
Abstract
This paper investigates secure low-cost in-DRAM trackers for mitigating Rowhammer (RH). In-DRAM solutions have the advantage that they can solve the RH problem within the DRAM chip, without relying on other parts of the system. However, in-DRAM mitigation suffers from two key challenges: First, the mitigations are synchronized with refresh, which means we cannot mitigate at arbitrary times. Second, the SRAM area available for aggressor tracking is severely limited, to only a few bytes. Existing low-cost in-DRAM trackers (such as TRR) have been broken by well-crafted access patterns, whereas prior counter-based schemes require impractical overheads of hundreds or thousands of entries per bank. The goal of our paper is to develop an ultra-low-cost secure in-DRAM tracker. Our solution is based on a simple observation: if only one row can be mitigated at refresh, then we should ideally need to track only one row. We propose a Minimalist In-DRAM Tracker (MINT), which provides secure mitigation with just a single entry. At each refresh, MINT probabilistically decides which activation in the upcoming interval will be selected for mitigation at the next refresh. MINT provides guaranteed protection against classic single- and double-sided attacks. We also derive the minimum RH threshold (MinTRH) tolerated by MINT across all patterns. MINT has a MinTRH of 1482, which can be lowered to 356 with RFM. The MinTRH of MINT is lower than that of a prior counter-based design with 677 entries per bank, and is within 2x of the MinTRH of an idealized design that stores one counter per row. We also analyze the impact of refresh postponement on the MinTRH of low-cost in-DRAM trackers, and propose an efficient solution to make such trackers compatible with refresh postponement.
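The single-entry selection described in the abstract can be modelled in a few lines. This is an added illustration, not code from the paper: the class and function names, the window of 73 activations per refresh interval, the row numbers, and the choice to model mitigation as resetting the hammer count of the two neighbouring rows are all assumptions of this sketch.

```python
import random

class MintTracker:
    """Single-entry tracker: one future activation slot is picked per refresh interval."""
    def __init__(self, max_act, rng):
        self.max_act, self.rng = max_act, rng
        self.captured = None
        self._pick_slot()

    def _pick_slot(self):
        # Decide now which activation of the upcoming interval will be captured.
        self.slot = self.rng.randint(1, self.max_act)
        self.seen = 0

    def activate(self, row):
        self.seen += 1
        if self.seen == self.slot:
            self.captured = row          # the only row-tracking state

    def refresh(self):
        """Return the row to mitigate at this refresh, then arm the next interval."""
        row, self.captured = self.captured, None
        self._pick_slot()
        return row

def worst_victim_counts(pattern, intervals, max_act=73, seed=1):
    """Replay `pattern` every interval; return {victim_row: peak hammer count}."""
    assert len(pattern) <= max_act
    tracker = MintTracker(max_act, random.Random(seed))
    count, peak = {}, {}
    for _ in range(intervals):
        for row in pattern:
            tracker.activate(row)
            for victim in (row - 1, row + 1):
                count[victim] = count.get(victim, 0) + 1
                peak[victim] = max(peak.get(victim, 0), count[victim])
        aggressor = tracker.refresh()
        if aggressor is not None:
            for victim in (aggressor - 1, aggressor + 1):
                count[victim] = 0        # modelled mitigation: victim refresh
    return peak

W = 73  # assumed activations per refresh interval (constructed parameter)
single = worst_victim_counts([100] * W, 500)                       # classic single-sided
double = worst_victim_counts([100, 102] * (W // 2) + [100], 500)   # classic double-sided
spread = worst_victim_counts([10 * i for i in range(W)], 2000)     # W distinct aggressors

if __name__ == "__main__":
    print(single[101], double[101], max(spread.values()))
```

In the two classic patterns the shared victim row never accumulates more than one interval's worth of activations, because every possible slot holds one of its aggressors. The spread pattern shows why a pattern-independent bound such as MinTRH is needed: each aggressor is selected only with probability 1/W per interval, so its victims can accumulate far more.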
