Get ready for ASPLOS and EuroSys 2025! Our research group will be making a significant contribution this year, presenting a total of three papers at the collocated conferences in Rotterdam, the Netherlands. We’re excited to share our work on “Marionette” and “M5” at ASPLOS 2025, and “PET” at EuroSys 2025.
I’m also looking forward to participating in SAFE-AI, where I will be presenting my latest research on accelerating homomorphic encryption (HE). Furthermore, I’m honored to be chairing Session 1D: Homomorphic Encryption at ASPLOS 2025.
One of our key presentations at ASPLOS will be “Marionette: A RowHammer Attack via Row Coupling” (Session 4B), presented by the talented Seungmin Baek from our group. This paper uncovers a security vulnerability in certain DDR4 ×4 DRAM chips. We’ve discovered a “row-coupling” phenomenon, where hammering one row in a DRAM bank can unexpectedly flip bits in a different, paired row within the same bank — even if they aren't physically adjacent!
While we provided an initial glimpse of this behavior in our “DRAMScope” paper at ISCA 2024, our “Marionette” paper offers an in-depth exploration of its implications for DRAM security, along with potential defense mechanisms. Importantly, we’ve been working closely with the affected DRAM manufacturers on this issue, and our findings were under an embargo until today.
Marionette: A RowHammer Attack via Row Coupling
Seungmin Baek, Minbok Wi, Seonyong Park, Hwayong Nam, Michael Jaemin Kim, Nam Sung Kim, and Jung Ho Ahn
A body of recent work has revealed that two different rows in a DRAM bank, from the perspective of a processor-memory interface, are connected to the same wordline but two separate row buffers (bitline sense amplifiers) in certain DRAM chips. Such a pair of rows is referred to as a “coupled-row pair.” Coupled-row pairs pose a substantial security threat as RowHammer bitflips can be caused not only by the conventional, adjacent aggressor rows but also by their coupled rows that are distant in physical address.
We investigate the impact of a coupled row on both FPGA-based infrastructure and server systems. In RowHammer attacks, coupled rows have hammering strength nearly identical to aggressor rows, with these attacks invisible to conventional, processor-side mitigation solutions. By exploiting these observations, we present Marionette, a new type of RowHammer attack that exploits coupled rows to extend the existing RowHammer attack surface.
First, coupled rows enable an attacker to evade two types of existing software-based RowHammer defenses: tracking- and isolation-based defenses. We induce RowHammer bitflips successfully against tracking-based RowHammer defenses by silently hammering coupled rows. We also identify the feasibility of RowHammer bitflips in an isolation-based inter-VM RowHammer defense by breaking DRAM-subarray-level isolation. Second, we successfully conduct an existing RowHammer exploit in a server under the tracking-based RowHammer defense. In a native server system, Marionette enhances the success rate of the RowHammer exploit by up to 1.66×. Lastly, we explore lightweight mitigation schemes for Marionette by exposing the coupled-row relationship to systems.
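
A small model of the abstract's last point, added here as an illustration and not taken from the Marionette paper or its artifacts: a counter-based tracker picks the rows to refresh, first without and then with knowledge of the coupled-row relationship. The partner() mapping, bank size, threshold and trace are constructed assumptions; the real mapping is chip-specific and is not given on this page.

```python
from collections import Counter

ROWS_PER_BANK = 1 << 16   # assumed bank size (constructed)
THRESHOLD = 1000          # assumed activations per refresh window before mitigating


def partner(row):
    """Hypothetical coupled-row mapping: flip the top row-address bit.
    Placeholder only; the real mapping must come from the DRAM vendor."""
    return row ^ (ROWS_PER_BANK >> 1)


def neighbours(row):
    """Address-adjacent rows, which is all a processor-side tracker can see."""
    return {r for r in (row - 1, row + 1) if 0 <= r < ROWS_PER_BANK}


def rows_to_refresh(trace, coupled_aware):
    """Victim rows a counter-based tracker refreshes for one window of activations.

    coupled_aware=False: one counter per row address (conventional tracker).
    coupled_aware=True:  one counter per coupled-row pair, and the neighbours
                         of both rows in a hot pair are refreshed.
    """
    counts = Counter()
    for row in trace:
        key = min(row, partner(row)) if coupled_aware else row
        counts[key] += 1

    victims = set()
    for key, n in counts.items():
        if n < THRESHOLD:
            continue
        members = {key, partner(key)} if coupled_aware else {key}
        for member in members:
            victims |= neighbours(member)
    return victims


# Constructed trace: row 0x0101 holds data to protect, and all activity in the
# window lands on the coupled partner of its address-adjacent row 0x0100.
PROTECTED_ROW = 0x0101
CONSTRUCTED_TRACE = [partner(0x0100)] * 1200

if __name__ == "__main__":
    for aware in (False, True):
        refreshed = rows_to_refresh(CONSTRUCTED_TRACE, aware)
        print(f"coupled_aware={aware}: protected row refreshed = "
              f"{PROTECTED_ROW in refreshed}; refreshed = {sorted(map(hex, refreshed))}")
```

In this model the conventional tracker refreshes only the rows next to the address it observed, so the protected row is covered only once the pair relationship is exposed to the tracker.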