REFault: A Fault Injection Platform for Rowhammer Research on DDR5 Memory
Stefan Gloor, Patrick Jattke, Kaveh Razavi


Introduction

Discover REFault, a low-cost fault injection platform for DDR5 Rowhammer research. It disables refresh commands to determine HCmin, revealing that DDR5's substrate susceptibility is unchanged from DDR4.

Abstract

DDR5 is showing increased resistance to Rowhammer attacks compared to previous generations. The minimum hammer count (HCmin) is a metric to assess the susceptibility of the DRAM substrate to Rowhammer. Due to the lack of a generic platform that allows disabling refresh commands, there is currently no way to determine the HCmin of DDR5 UDIMMs. We address this gap with REFault, a low-cost fault injection system that allows altering DDR5 commands on-the-fly. REFault is made from a configurable DRAM fault injection interposer and a custom-designed injection controller. We leverage REFault to temporarily disable refresh commands on a commodity system, and determine, for the first time, the HCmin of two DDR5 devices from major DRAM manufacturers. We show that the HCmin is as low as 16k activations, which has not improved compared to DDR4 devices. We conclude that the increased resistance to Rowhammer in DDR5 devices comes from improved mitigations rather than the DRAM substrate itself.


Review

This paper presents REFault, a novel and timely fault injection platform designed to address a critical gap in Rowhammer research on DDR5 memory. The authors effectively highlight the current challenge: while DDR5 exhibits greater resistance to Rowhammer attacks, the lack of a suitable platform for disabling refresh commands has made it impossible to determine the minimum hammer count (HCmin), a fundamental metric for assessing DRAM substrate susceptibility. REFault directly tackles this problem by providing a low-cost, on-the-fly command alteration capability for DDR5, marking a significant step forward in understanding the true security posture of modern memory technologies. The work is highly relevant to the memory security and hardware security communities.

The core of the contribution lies in REFault itself, which comprises a configurable DRAM fault injection interposer and a custom-designed injection controller. This ingenious design allows researchers to temporarily disable refresh commands on commodity DDR5 systems, a capability previously unavailable. Leveraging REFault, the authors were able to conduct groundbreaking experiments, determining for the first time the HCmin for two prominent DDR5 devices. The key finding that HCmin is as low as 16k activations, and crucially, has not improved compared to DDR4 devices, provides concrete evidence that the increased resistance observed in DDR5 is not due to inherent improvements in the DRAM substrate but rather attributable to enhanced mitigation strategies.

The implications of this research are substantial. By definitively showing that the underlying DDR5 substrate remains as vulnerable to Rowhammer as its predecessors, the authors challenge assumptions about intrinsic hardware security and underscore the ongoing necessity of robust, active mitigations. This work provides invaluable data for both academic researchers and industry practitioners, guiding future efforts in memory security, exploit development, and the design of more effective hardware-level defenses. REFault itself is a powerful new tool that promises to enable further in-depth investigations into the vulnerabilities of modern DRAM, making this a highly impactful and commendable contribution to the field.


This article, REFault: A Fault Injection Platform for Rowhammer Research on DDR5 Memory, is from Proceedings of the Microarchitecture Security Conference.
