RogueRFM: Attacking Refresh Management for Covert-Channel and Denial-of-Service

Hritvik Taneja, Moinuddin Qureshi

TL;DR

This work shows that the DDR5 Refresh Management (RFM) interface, designed to grant explicit mitigation time for in-DRAM defenses, introduces cross-bank interference that enables new security channels. By exploiting RAACtr, RAAMMT, and the fixed 410 ns stall of $RFM_{ab}$, the authors demonstrate a memory-based covert channel with up to $31.3\,\mathrm{KB/s}$ per sub-channel and a Denial-of-Service pattern capable of slowing co-running workloads by up to $67\%$. They implement sender/receiver gadgets and evaluate under SPEC2017, PARSEC, and LIGRA workloads using ChampSim/DRAMSim3, revealing robustness in noisy environments and highlighting limitations of traditional memory isolation techniques. The paper additionally discusses countermeasures such as per-core activation limiting, which can significantly reduce the DOS impact while preserving benign performance, and outlines broader implications for secure DRAM protocol design and defense strategies. Overall, the work underscores the need to reassess RFM’s security implications and to develop mitigations that balance defense efficacy with system performance.

Abstract

With lowering thresholds, transparently defending against Rowhammer within DRAM is challenging due to the lack of time to perform mitigation. Commercially deployed in-DRAM defenses like TRR that steal time from normal refreshes (REF) to perform mitigation have been proven ineffective against Rowhammer. In response, a new Refresh Management (RFM) interface has been added to the DDR5 specifications. RFM provides dedicated time to an in-DRAM defense to perform mitigation. Several recent works have used RFM for the intended purpose - building better Rowhammer defenses. However, to the best of our knowledge, no prior study has looked at the potential security implications of this new feature if an attacker subjects it to intentional misuse. Our paper shows that RFM introduces new side effects in the system - the activity of one bank causes interference with the operation of the other banks. Thus, the latency of a bank becomes dependent on the activity of other banks. We use these side effects to build two new attacks. First, a novel memory-based covert channel, which has a bandwidth of up to 31.3 KB/s, and is also effective even in a bank-partitioned system. Second, a new Denial-of-Service (DOS) attack pattern that exploits the activity within a single bank to reduce the performance of the other banks. Our experiments on SPEC2017, PARSEC, and LIGRA workloads show a slowdown of up to 67% when running alongside our DOS pattern. We also discuss potential countermeasures for our attacks.

Paper Structure

This paper contains 30 sections, 2 equations, 17 figures, 3 tables.

Figures (17)

  • Figure 1: (a) Overview of RFM: RAACtr is incremented on activations, and when RAACtr=RAAMMT, the MC issues an RFMab command. (b) RFMab blocks all banks for 410 ns, allowing one bank to impact the performance of others. (c) A sender can trigger RFMab to slow all banks, enabling a timing-based covert channel. (d) Continuous ACTs to one bank can cause frequent RFMab operations, leading to a DOS-like scenario.
  • Figure 2: When an RFM command is launched, the memory controller is blocked from issuing activations for 410 ns. During this period, the in-DRAM defense refreshes the victims of an attacker row that has breached $T_{RH}$.
  • Figure 3: RFM Mechanism: Per-bank RAACtr is incremented on an activation. If the RAACtr of any bank reaches the threshold, the MC issues an RFM and reduces the RAACtr.
  • Figure 4: In the presence of RFM, activations from only one bank can interfere with the operation of all the other banks.
  • Figure 5: Two side effects of RFM. The latency of one bank is affected by the activity of other banks. One bank has the ability to slow down all the other banks.
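The mechanism summarized in the TL;DR and the figure captions (per-bank RAACtr incremented on each ACT, RFMab issued by the memory controller when the counter reaches RAAMMT, every bank blocked for 410 ns) is small enough to model directly. The following is an added example written for this page, not code from the paper or from its ChampSim/DRAMSim3 setup. It issues constructed traffic (one core streaming ACTs to bank 0, another sending sparse ACTs to bank 1) through a toy memory-controller model and measures how much of bank 1's latency is caused by bank 0, which is the cross-bank dependency the paper's two attacks rest on. The per-core activation limiting countermeasure the page mentions is modelled here as an assumed minimum spacing between ACTs from the same core; tRC = 50 ns, RAAMMT = 32 and the amount by which an RFM lowers the counter are likewise assumptions, not values from the paper.

```python
"""Toy timing model of the DDR5 RFM mechanism described above (added example).

Constructed scenario: core 0 streams back-to-back ACTs to bank 0 while core 1
sends sparse ACTs to bank 1. The memory controller (MC) keeps a per-bank
RAACtr; when a bank's counter reaches RAAMMT it issues RFMab, which blocks
activations to *all* banks for 410 ns, so bank 1 pays for bank 0's activity.

Assumptions not taken from the page: tRC = 50 ns, RAAMMT = 32, an RFM lowers
the counter by RAAMMT, and per-core activation limiting is modelled as a
minimum spacing between ACTs issued by the same core.
"""
from collections import deque
from dataclasses import dataclass

RFM_STALL_NS = 410   # fixed RFMab stall quoted on the page
T_RC_NS = 50         # assumed minimum spacing between ACTs to one bank


@dataclass(frozen=True)
class Act:
    t_req: int   # ns at which the requesting core wants the ACT
    bank: int
    core: int


@dataclass
class Result:
    rfm_count: int
    end_ns: int            # issue time of the last ACT in the run
    mean_delay_ns: dict    # bank -> mean (issue - request) in ns

    @property
    def stall_fraction(self):
        """Share of the run during which the MC was blocked by RFMab."""
        return self.rfm_count * RFM_STALL_NS / self.end_ns if self.end_ns else 0.0


def simulate(acts, n_banks, raammt=None, rfm_decrement=None, core_min_gap_ns=0):
    """Event-driven issue of `acts` through the MC model.

    raammt=None disables RFM (baseline without the mechanism).
    core_min_gap_ns>0 enables the assumed per-core activation limiter.
    """
    if rfm_decrement is None:
        rfm_decrement = raammt or 0
    queues = [deque() for _ in range(n_banks)]   # ACTs issue in order per bank
    for a in sorted(acts, key=lambda a: a.t_req):
        queues[a.bank].append(a)
    raactr = [0] * n_banks
    bank_ready = [0] * n_banks
    core_ready = {}
    blocked_until = 0
    rfm_count = 0
    end_ns = 0
    delay_sum = [0] * n_banks
    delay_n = [0] * n_banks

    def ready_time(a):
        return max(a.t_req, blocked_until, bank_ready[a.bank],
                   core_ready.get(a.core, 0))

    while any(queues):
        # pick the head-of-queue ACT that can issue earliest (ties: lowest bank)
        a = min((q[0] for q in queues if q), key=ready_time)
        t = ready_time(a)
        queues[a.bank].popleft()
        bank_ready[a.bank] = t + T_RC_NS
        if core_min_gap_ns:
            core_ready[a.core] = t + core_min_gap_ns
        delay_sum[a.bank] += t - a.t_req
        delay_n[a.bank] += 1
        end_ns = max(end_ns, t)
        if raammt is not None:
            raactr[a.bank] += 1
            if raactr[a.bank] >= raammt:
                # RFMab: every bank is blocked, not only the busy one
                rfm_count += 1
                blocked_until = t + RFM_STALL_NS
                raactr[a.bank] -= rfm_decrement
    mean = {b: (delay_sum[b] / delay_n[b] if delay_n[b] else 0.0)
            for b in range(n_banks)}
    return Result(rfm_count, end_ns, mean)


def build_traffic(hammer_acts=1000, hammer_period_ns=50,
                  benign_acts=30, benign_period_ns=1000):
    """Constructed traffic: one busy core on bank 0, one sparse core on bank 1."""
    busy = [Act(i * hammer_period_ns, bank=0, core=0) for i in range(hammer_acts)]
    sparse = [Act(i * benign_period_ns, bank=1, core=1) for i in range(benign_acts)]
    return busy + sparse


def compare():
    """Baseline vs RFM vs RFM plus per-core limiting, on identical traffic."""
    acts = build_traffic()
    return {
        "no_rfm": simulate(acts, n_banks=2),
        "rfm": simulate(acts, n_banks=2, raammt=32),
        "rfm_limited": simulate(acts, n_banks=2, raammt=32, core_min_gap_ns=200),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:12s} RFMs={r.rfm_count:3d} stall={r.stall_fraction:6.1%} "
              f"bank1 mean delay={r.mean_delay_ns[1]:6.1f} ns")
```

Without RFM, bank 1 sees no added latency at all; with RFM enabled the same bank 1 traffic is delayed whenever bank 0's counter trips an RFMab, and the model reports roughly a fifth of the run spent in stalls. The per-core limiter does not reduce the number of RFMs (they are counted per activation), but it stretches the busy core's activations over a longer window, so the stall fraction and bank 1's mean delay both fall; this is the trade-off the page describes between DOS impact and benign performance.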