QPRAC: Towards Secure and Practical PRAC-based Rowhammer Mitigation using Priority Queues

TL;DR

QPRAC delivers a secure, scalable PRAC-based Rowhammer mitigation by introducing a small, per-bank Priority-Based Service Queue (PSQ) that tracks the top-activated rows and is resilient to the by-pass vulnerabilities of FIFO queues. Operating under the non-blocking ABO protocol, QPRAC employs opportunistic mitigation on All-Bank RFMs and proactive mitigation during REF, achieving a measured slowdown of around 0.8% for benign workloads and 0% with proactive mitigation, while securely defending against ultra-low RH thresholds ($T_{RH}$) as low as 71 with $N_{BO}$=32. The design requires modest storage (about 15 bytes per bank) and leverages a unified ABO policy, making it compatible with JEDEC PRAC while significantly improving security guarantees compared to Panopticon and UPRAC. The approach also explores energy-aware proactive mitigation to reduce energy overheads to about 1.9%, preserving performance benefits across a wide range of configurations. Overall, QPRAC demonstrates that a carefully sized PSQ, together with opportunistic and proactive strategies, can provide secure, practical Rowhammer mitigation at sub-100 $T_{RH}$ without modifying the PRAC interface.

Abstract

JEDEC has introduced the Per Row Activation Counting (PRAC) framework for DDR5 and future DRAMs to enable precise counting of DRAM row activations. PRAC enables a holistic mitigation of Rowhammer attacks even at ultra-low Rowhammer thresholds. PRAC uses an Alert Back-Off (ABO) protocol to request the memory controller to issue Rowhammer mitigation requests. However, recent PRAC implementations are either insecure or impractical. For example, Panopticon, the inspiration for PRAC, is rendered insecure if implemented per JEDEC's PRAC specification. On the other hand, the recent UPRAC proposal is impractical since it needs oracular knowledge of the `top-N' activated DRAM rows that require mitigation. This paper provides the first secure, scalable, and practical RowHammer solution using the PRAC framework. The crux of our proposal is the design of a priority-based service queue (PSQ) for mitigations that prioritizes pending mitigations based on activation counts to avoid the security risks of prior solutions. This provides principled security using the reactive ABO protocol. Furthermore, we co-design our PSQ, with opportunistic mitigation on Refresh Management (RFM) operations and proactive mitigation during refresh (REF), to limit the performance impact of ABO-based mitigations. QPRAC provides secure and practical RowHammer mitigation that scales to Rowhammer thresholds as low as 71 while incurring a 0.8% slowdown for benign workloads, which further reduces to 0% with proactive mitigations.

Figures (23)

• Figure 1: (a) With the PRAC framework, DRAM can request a time for mitigation when it needs it (based on per-row activation counters), using Alerts to service its mitigation queue. (b) Existing PRAC implementations are either insecure (Panopticon bennett2021panopticon) due to the usage of FIFO-based queues or impractical (UPRAC UPRAC) due to the lack of any queues. (c) We propose QPRAC, using a priority-based service queue (PSQ) for mitigations, which can be cleared on Alerts but also opportunistically when another bank requests an All-Bank RFM or proactively on REFs. We design QPRAC to be both secure and practical.
• Figure 2: The security vulnerability of Panopticon bennett2021panopticon due to t-bit toggling, i.e., maximum activations before the row receives a mitigation with Toggle+Forget Attack. For sub-100 $\text{T}_{\text{RH}}$, our attack can cause a DRAM row to receive even 100$\times$$\text{T}_{\text{RH}}$ activations without any mitigation. This vulnerability is independent of the mitigation threshold ($2^t$) used by Panopticon.
• Figure 3: The security vulnerability of Panopticon (with full counter comparisons) under the Fill+Escape Attack, which exploits filled FIFO-based service queues. Combined with non-blocking Alert, this allows at least 1283 unmitigated ACTs (at a mitigation threshold of 512), with the number increasing at lower thresholds.
• Figure 4: Overview of QPRAC design. It consists of three components: (1) PRAC-based in-DRAM activation counters, (2) a Priority-Based Service Queue (PSQ) to identify rows to be mitigated, and (3) a strategy that uses Alert-based, opportunistic, and proactive RH mitigations.
• Figure 5: Design of Priority-Based Service Queue (PSQ). Any activation can insert a row into PSQ based on priority (activation count) on misses and increment count on hits. PSQ raises an Alert if any count is at $\text{N}_{\text{BO}}$ or above.