RogueRFM: Attacking Refresh Management for Covert-Channel and Denial-of-Service
Hritvik Taneja, Moinuddin Qureshi

TL;DR
This paper reveals security vulnerabilities in the DDR5 RFM interface, demonstrating how it can be exploited to create covert channels and cause denial-of-service attacks, impacting system performance and security.
Contribution
It uncovers new security risks associated with RFM, showing how its side effects can be exploited for covert channels and DoS attacks, which was not previously studied.
Findings
Developed a covert channel with 31.3 KB/s bandwidth.
Demonstrated a DoS attack causing up to 67% slowdown.
Identified system interference caused by RFM activity.
Abstract
With lowering thresholds, transparently defending against Rowhammer within DRAM is challenging due to the lack of time to perform mitigation. Commercially deployed in-DRAM defenses like TRR that steal time from normal refreshes (REF) to perform mitigation have been proven ineffective against Rowhammer. In response, a new Refresh Management (RFM) interface has been added to the DDR5 specifications. RFM provides dedicated time to an in-DRAM defense to perform mitigation. Several recent works have used RFM for the intended purpose - building better Rowhammer defenses. However, to the best of our knowledge, no prior study has looked at the potential security implications of this new feature if an attacker subjects it to intentional misuse. Our paper shows that RFM introduces new side effects in the system - the activity of one bank causes interference with the operation of the other…
