When Mitigations Backfire: Timing Channel Attacks and Defense for PRAC-Based RowHammer Mitigations
Jeonghyun Woo, Joyce Qu, Gururaj Saileshwar, Prashant J. Nair

TL;DR
This paper identifies a timing channel vulnerability in PRAC-based RowHammer mitigation, introduces the PRACLeak attack that exploits it, and proposes TPRAC, a timing-safe mitigation with minimal performance impact.
Contribution
It uncovers a new timing channel in PRAC, develops the PRACLeak attack, and proposes TPRAC, a timing-safe mitigation compatible with existing standards.
Findings
PRACLeak successfully leaks AES keys via timing differences.
TPRAC eliminates timing channels with only 3.4% performance overhead.
TPRAC maintains effective RowHammer mitigation.
Abstract
Per Row Activation Counting (PRAC) has emerged as a robust framework for mitigating RowHammer (RH) vulnerabilities in modern DRAM systems. However, we uncover a critical vulnerability: a timing channel introduced by the Alert Back-Off (ABO) protocol and Refresh Management (RFM) commands. We present PRACLeak, a novel attack that exploits these timing differences to leak sensitive information, such as secret keys from vulnerable AES implementations, by monitoring memory access latencies. To counter this, we propose Timing-Safe PRAC (TPRAC), a defense that eliminates PRAC-induced timing channels without compromising RH mitigation efficacy. TPRAC uses Timing-Based RFMs, issued periodically and independent of memory activity. It requires only a single-entry in-DRAM mitigation queue per DRAM bank and is compatible with existing DRAM standards. Our evaluations demonstrate that TPRAC closes…
Taxonomy
Topics: Security and Verification in Computing · Cryptographic Implementations and Security · Physical Unclonable Functions (PUFs) and Hardware Security
