Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

DAPPER: A Performance-Attack-Resilient Tracker for RowHammer Defense

Jeonghyun Woo, Prashant J. Nair

TL;DR

This work tackles RowHammer threats in DRAM by showing that existing host-side RH trackers are vulnerable to Perf-Attacks that drain DRAM bandwidth. It proposes DAPPER, a low-cost tracker built on secure hashing, with two implementations: DAPPER-S (single hash) and DAPPER-H (double-hashing with per-bank bit-vectors and selective refresh). The results demonstrate that DAPPER-H dramatically reduces performance impact under Perf-Attacks (≤0.9\% slowdown at $N_{RH}=500$) while using only 96 KB of SRAM per 32 GB memory and providing strong resilience to both mapping-capturing and mapping-agnostic attacks. The approach outperforms BlockHammer and probabilistic mitigations in benign scenarios and under adversarial workloads, highlighting its practicality for scalable RH defense in modern DRAM systems.

Abstract

RowHammer vulnerabilities pose a significant threat to modern DRAM-based systems, where rapid activation of DRAM rows can induce bit-flips in neighboring rows. To mitigate this, state-of-the-art host-side RowHammer mitigations typically rely on shared counters or tracking structures. While these optimizations benefit benign applications, they are vulnerable to Performance Attacks (Perf-Attacks), where adversaries exploit shared structures to reduce DRAM bandwidth for co-running benign applications by increasing DRAM accesses for RowHammer counters or triggering repetitive refreshes required for the early reset of structures, significantly degrading performance. In this paper, we propose secure hashing mechanisms to thwart adversarial attempts to capture the mapping of shared structures. We propose DAPPER, a novel low-cost tracker resilient to Perf-Attacks even at ultra-low RowHammer thresholds. We first present a secure hashing template in the form of DAPPER-S. We then develop DAPPER-H, an enhanced version of DAPPER-S, incorporating double-hashing, novel reset strategies, and mitigative refresh techniques. Our security analysis demonstrates the effectiveness of DAPPER-H against both RowHammer and Perf-Attacks. Experiments with 57 workloads from SPEC2006, SPEC2017, TPC, Hadoop, MediaBench, and YCSB show that, even at an ultra-low RowHammer threshold of 500, DAPPER-H incurs only a 0.9% slowdown in the presence of Perf-Attacks while using only 96KB of SRAM per 32GB of DRAM memory.

DAPPER: A Performance-Attack-Resilient Tracker for RowHammer Defense

TL;DR

This work tackles RowHammer threats in DRAM by showing that existing host-side RH trackers are vulnerable to Perf-Attacks that drain DRAM bandwidth. It proposes DAPPER, a low-cost tracker built on secure hashing, with two implementations: DAPPER-S (single hash) and DAPPER-H (double-hashing with per-bank bit-vectors and selective refresh). The results demonstrate that DAPPER-H dramatically reduces performance impact under Perf-Attacks (≤0.9\% slowdown at ) while using only 96 KB of SRAM per 32 GB memory and providing strong resilience to both mapping-capturing and mapping-agnostic attacks. The approach outperforms BlockHammer and probabilistic mitigations in benign scenarios and under adversarial workloads, highlighting its practicality for scalable RH defense in modern DRAM systems.

Abstract

RowHammer vulnerabilities pose a significant threat to modern DRAM-based systems, where rapid activation of DRAM rows can induce bit-flips in neighboring rows. To mitigate this, state-of-the-art host-side RowHammer mitigations typically rely on shared counters or tracking structures. While these optimizations benefit benign applications, they are vulnerable to Performance Attacks (Perf-Attacks), where adversaries exploit shared structures to reduce DRAM bandwidth for co-running benign applications by increasing DRAM accesses for RowHammer counters or triggering repetitive refreshes required for the early reset of structures, significantly degrading performance. In this paper, we propose secure hashing mechanisms to thwart adversarial attempts to capture the mapping of shared structures. We propose DAPPER, a novel low-cost tracker resilient to Perf-Attacks even at ultra-low RowHammer thresholds. We first present a secure hashing template in the form of DAPPER-S. We then develop DAPPER-H, an enhanced version of DAPPER-S, incorporating double-hashing, novel reset strategies, and mitigative refresh techniques. Our security analysis demonstrates the effectiveness of DAPPER-H against both RowHammer and Perf-Attacks. Experiments with 57 workloads from SPEC2006, SPEC2017, TPC, Hadoop, MediaBench, and YCSB show that, even at an ultra-low RowHammer threshold of 500, DAPPER-H incurs only a 0.9% slowdown in the presence of Perf-Attacks while using only 96KB of SRAM per 32GB of DRAM memory.

Paper Structure

This paper contains 42 sections, 7 equations, 17 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Memory Organization and Timing Parameters
  4. The RowHammer Vulnerability
  5. Threat Model
  6. Motivation
  7. Scalable RowHammer Mitigations
  8. Performance Attacks on Scalable RH Mitigations
  9. Attack Sensitivity to RowHammer Thresholds
  10. Attack Sensitivity to LLC Capacity and Memory Channels
  11. Attack Potency Without Internal Knowledge
  12. Evaluation Methodology
  13. Designing the DAPPER Tracker
  14. The Need for a Secure Hash-Based Mapping
  15. DAPPER-S: Using a Dynamic Secure Hash
  16. ...and 27 more sections

Figures (17)

  • Figure 1: Normalized performance of state-of-the-art host-side RowHammer (RH) mitigationshydracometstart_hpca24olgun2023abacus at the RH threshold of 500, evaluated under RH-Tracker-based Performance Attacks (Perf-Attack) and cache thrashing attacks on a dual-channel, dual-rank, DDR5 64GB system. Our experiments with 57 workloads demonstrate that a single tailored RH-Tracker-basedPerf-Attack application can reduce the performance of co-running applications by up to 90%, while cache thrashing attacks degrade them by 40% on average. This paper aims to develop a cost-effective Perf-Attack-resistant RH tracker.
  • Figure 2: An overview of the RH-Tracker-based Performance Attacks (Perf-Attack) tailored for state-of-the-art host-side low-cost RowHammer tracking mechanisms: Hydrahydra, CoMeTcomet, STARTstart_hpca24, and ABACUSolgun2023abacus. These attacks induce additional memory accesses or repetitive mitigative refreshes.
  • Figure 3: The performance impact of state-of-the-art RowHammer (RH) trakcers: Hydrahydra, CoMeTcomet, STARTstart_hpca24, and ABACUSolgun2023abacus under cache thrashing and tailored RH-Tracker-basedPerf-Attacks. The performance of three benign applications is normalized to a baseline with no RH mitigation. On average, we notice a performance drop of 60% to 90% performance loss under Perf-Attacks and a 40% performance drop under the cache thrashing attack.
  • Figure 4: Normalized performance of scalable RowHammer (RH) mitigations under cache thrashing and RH-Tracker-basedPerf-Attacks as the RH threshold ($\text{N}_{\text{RH}}$) varies. Even at $\text{N}_{\text{RH}}$ of 4K, scalable mitigations exhibit significant slowdowns of 46% to 71% under RH-Tracker-basedPerf-Attacks, which is 5% to 30% higher than the slowdowns caused by cache thrashing attacks.
  • Figure 5: Normalized performance of scalable RowHammer (RH) mitigations under cache thrashing and RH-Tracker-basedPerf-Attacks with eight memory channels and the RH threshold ($\text{N}_{\text{RH}}$) of 500, as the per-core LLC size varies. Even with a 5MB per-core LLC, scalable mitigations exhibit slowdowns of 30% to 79%, which is 10% to 59% more severe than cache thrashing attacks.
  • ...and 12 more figures