Understanding and Mitigating Covert Channel and Side Channel Vulnerabilities Introduced by RowHammer Defenses

---

Review Form

Reviewer: The Guardian (Adversarial Skeptic)

Summary

This paper introduces "LeakyHammer," a purported new class of timing channels that exploit the observable latency variations caused by RowHammer defenses. The authors construct two covert channels based on the PRAC and RFM defense mechanisms, reporting capacities of 39.0 Kbps and 48.7 Kbps, respectively. They also present a proof-of-concept website fingerprinting side-channel attack. To address these vulnerabilities, three countermeasures are proposed and evaluated: Fixed-Rate RFM (FR-RFM), Randomly Initialized Activation Counters (RIAC), and Bank-Level PRAC. The central thesis is that the very mechanisms designed to secure DRAM introduce new, exploitable timing vulnerabilities.

While the premise—that security mechanisms can have unintended side effects—is plausible, the work as presented relies exclusively on a heavily idealized simulation environment. This raises significant questions about the external validity and practical relevance of the claimed attacks and the true cost-benefit analysis of the proposed mitigations.

Strengths

1. Plausible Core Idea: The fundamental observation that RowHammer defenses' preventive actions (e.g., back-offs, managed refreshes) introduce deterministic, high-latency events is sound and worthy of investigation.
2. Systematic Analysis of Defenses: The paper provides a structured analysis of two emerging industry-standard defenses (PRAC and RFM), examining their operational parameters and how they can be triggered to create a timing signal.
3. Exploration of Security-Performance Trade-offs: The evaluation of countermeasures, particularly the data presented in Figure 13 (page 13), highlights the critical and often severe performance overhead required to fundamentally mitigate these timing channels, which is an important data point for the community.

Weaknesses

1. Complete Lack of Real-World Validation: The entire study is conducted within the gem5/Ramulator 2.0 simulation framework. Claims of building high-capacity covert channels are not substantiated by any proof-of-concept on real hardware. Real systems exhibit numerous sources of non-deterministic noise (e.g., OS scheduler jitter, interrupts, complex memory controller interactions, thermal throttling) that are not adequately modeled by the paper's synthetic noise generation (Section 6.3, page 6). The statement in Section 5.1 that the authors "faithfully and rigorously model various noise sources" is a strong and unsupported claim. Without a demonstration on a physical system, the reported channel capacities are speculative at best.
2. Flawed Website Fingerprinting Methodology: The side-channel attack (Section 8, page 8) does not involve running a real web browser within the simulated environment. Instead, the authors use an external tool (Intel Pin) to generate memory traces, which are then used to drive the simulation. This methodology is fundamentally flawed as it decouples the application's behavior from the system's response. The timing of the simulated memory system has no feedback effect on the execution of the traced application. This is not a faithful representation of a real attack and calls the entire side-channel result (Figure 10, page 9) into question.
3. Insufficient Novelty and Questionable Efficacy of Countermeasures:
   • FR-RFM: The concept of performing security-critical operations at a fixed rate, independent of application behavior, is a standard principle for eliminating timing channels (i.e., a constant-time approach). This is not a novel contribution. Furthermore, the authors' own results (Figure 13) show this approach incurs a prohibitive 18.2x performance overhead for highly vulnerable DRAM (NRH=64), rendering it impractical in the very scenarios where it is most needed.
   • RIAC: Randomizing activation counters (Section 11.2, page 12) is a form of noise injection. It does not eliminate the channel but merely reduces its capacity and reliability. The paper quantifies this as an 86% reduction (Section 11.4), not 100%. From a security perspective, a noisy channel is still a channel. An attacker could employ more sophisticated signal processing or error-correcting codes to recover the signal. This is a mitigation, not a solution.
   • Bank-Level PRAC: This proposal only reduces the attack's scope from the channel level to the bank level. It does not eliminate the vulnerability but rather constrains it, effectively reverting it to a threat model similar to existing same-bank channels like DRAMA [162]. To present this as a countermeasure against the fundamental LeakyHammer vulnerability is an overstatement.

Questions to Address In Rebuttal

1. The primary weakness of this work is its sole reliance on simulation. Please justify why a demonstration on real hardware, even one with a lower channel capacity, was not performed. What specific, insurmountable challenges prevent a real-world proof-of-concept?
2. Regarding the website fingerprinting attack (Section 8): Please address the methodological disconnect of using externally generated traces to drive a simulation. How can the results be considered valid when the application's execution path is not influenced by the memory latency events it is supposedly generating?
3. The RIAC countermeasure reduces channel capacity but does not eliminate it. Can you provide a more formal argument for why this should be considered a secure mitigation? Is it not plausible that an attacker could overcome this added noise with a longer observation window or more robust encoding schemes?
4. Given that your own evaluation shows FR-RFM incurs a catastrophic 18.2x performance overhead at NRH=64 (Figure 13), in what practical scenario do you envision this being a viable solution for the future, highly-vulnerable systems the paper purports to protect?

---

Review Form

Reviewer: The Synthesizer (Contextual Analyst)

Summary

This paper introduces "LeakyHammer," a novel and compelling class of timing attacks that exploit the very mechanisms designed to defend against RowHammer. The core insight is that the preventive actions taken by state-of-the-art RowHammer defenses—specifically PRAC and RFM—introduce large, predictable, and easily measurable latency variations into the memory subsystem. The authors demonstrate that these defense-induced latencies can be intentionally triggered by an attacker to create high-throughput covert channels and information-leaking side channels.

The work presents two concrete covert channel attacks exploiting PRAC and RFM, achieving capacities of 39.0 Kbps and 48.7 Kbps, respectively. Furthermore, it demonstrates a proof-of-concept website fingerprinting side channel attack. Crucially, the paper does not stop at identifying the vulnerability; it proposes and evaluates three countermeasures (FR-RFM, RIAC, and Bank-Level PRAC), providing a thoughtful analysis of the inherent trade-off between security and performance in mitigating this new threat.

Strengths

1. Fundamental and Conceptually Significant Contribution: The primary strength of this paper is its core thesis: that security mechanisms themselves can become a new attack surface. This is a fundamentally important observation in the field of systems security. By demonstrating that RowHammer defenses create new vulnerabilities, the authors force the community to adopt a more holistic view of security design, considering not just the problem being solved but also the potential side effects of the solution. This work is an excellent case study in the complex interplay of security, performance, and system architecture.

2. Excellent Contextualization and Positioning: The authors do a superb job of placing their work within the broader landscape of DRAM-based timing channels. The comparison against DRAMA [162] in Section 9 (page 10) is particularly insightful. They correctly identify that LeakyHammer's attack scope (channel-level for PRAC, bank-group for RFM) makes it fundamentally more difficult to mitigate with conventional isolation techniques like bank partitioning, which are effective against prior bank-local attacks. This demonstrates a deep understanding of the field and clearly articulates the novelty and increased threat posed by their findings.

3. Comprehensive and Rigorous Evaluation: The paper is impressively thorough. The authors don't just propose a theoretical attack; they implement and evaluate it rigorously. They build two distinct attacks on two different, highly relevant industry defense standards. They analyze the channel capacity under varying levels of application-induced and synthetic noise (as shown in Figures 4 and 7 on pages 6 and 8), demonstrating the robustness of the channels. The inclusion of a concrete side-channel attack (website fingerprinting) makes the threat tangible and relatable.

4. Forward-Looking Analysis of Countermeasures: A major strength is the exploration of the solution space in Section 11 (page 12). Proposing and evaluating FR-RFM, RIAC, and Bank-Level PRAC moves the paper from simply "problem finding" to "solution-oriented research." The conclusion that completely eliminating the channel (via FR-RFM) incurs significant performance penalties in highly vulnerable systems (i.e., at very low Nʀʜ) is a key, sobering takeaway for the architecture community. It highlights that there is no easy fix and sets the stage for future research in this area.

Weaknesses

My criticisms are less about flaws and more about opportunities to further broaden the paper's impact.

1. Potential for Broader Side-Channel Implications: The website fingerprinting attack (Section 8, page 8) serves as an effective proof-of-concept, but it feels like the tip of the iceberg. The signal generated by LeakyHammer—a large, deterministic, channel-wide latency spike—is remarkably clean. This could be a powerful primitive for leaking far more sensitive information. For example, could this channel be used to infer control flow or data-dependent access patterns within secure enclaves (like SGX or SEV) where other channels might be noisy or mitigated? A broader discussion on the potential reach of this side channel would strengthen the paper's impact.

2. Reliance on a Simulated Environment: The work is conducted within the gem5/Ramulator 2.0 simulation framework. While this is a standard and accepted methodology for architectural research, the claims would be undeniably amplified by a demonstration on a real hardware prototype, perhaps an FPGA-based system or an early-access platform supporting PRAC/RFM. This is, of course, a high bar, but it represents the next logical step in validating this important line of inquiry. This is not a reason to reject the paper, but rather a point to consider for future work.

Questions to Address In Rebuttal

1. Robustness of FR-RFM: The Fixed-Rate RFM (FR-RFM) countermeasure (Section 11.1, page 12) is elegant because it decouples preventive actions from application behavior. However, its security rests on the precision of its timing. In a real system with OS scheduler jitter, interrupts, and other microarchitectural noise, how perfectly periodic can the RFM commands truly be? Could a sophisticated attacker, by carefully observing minor deviations from the expected fixed interval, still infer information about system load or the memory access patterns of other processes that might delay an RFM command?

2. Generality of LeakyHammer: You focus on PRAC and RFM, which are the most relevant industry standards. However, you position LeakyHammer as a "new class of attacks." To strengthen this claim, could you briefly speculate on how these principles might apply to other proposed RowHammer defenses from the academic literature? For example, defenses that rely on throttling (e.g., BlockHammer [233]) or dynamic row remapping also introduce observable, pattern-dependent, high-latency events. Would they be similarly vulnerable, and would the resulting channel characteristics be different?

3. Signal-to-Noise Ratio in the Wild: Your noise analysis is well-structured. However, the signal from a PRAC back-off (~1400 ns) is an order of magnitude larger than typical memory latencies. This suggests an extremely high signal-to-noise ratio. In a worst-case scenario, such as a heavily oversubscribed multi-tenant cloud server running diverse, memory-intensive workloads, do you foresee any conditions where system noise could realistically drown out the LeakyHammer signal, or is the signal fundamentally too strong to hide?

---

Review Form

Reviewer: The Innovator (Novelty Specialist)

Summary

The authors present an analysis of timing vulnerabilities introduced by modern RowHammer defenses, specifically PRAC and RFM. They identify that the preventive actions of these defenses—which are high-latency and can be intentionally triggered by specific memory access patterns—create a new timing side channel. They formalize this vulnerability class as "LeakyHammer." The paper demonstrates the viability of this channel by constructing two covert channels with capacities of 39.0 Kbps and 48.7 Kbps, respectively, and a proof-of-concept website fingerprinting attack. Finally, they propose and evaluate three countermeasures: Fixed-Rate RFM (FR-RFM), Randomly Initialized Activation Counters (RIAC), and Bank-Level PRAC.

My primary task is to assess the novelty of this contribution. While the paper is well-executed, the core insight—that RowHammer mitigation mechanisms can be exploited for timing attacks—is not unique to this work. The authors themselves acknowledge concurrent discovery of this phenomenon, which significantly impacts the novelty claim.

Strengths

1. Conceptual Framing: The paper's core conceptual contribution is the framing of "LeakyHammer" as a distinct class of attacks based on two fundamental properties of RowHammer defenses: observable latency and deterministic triggerability (Section 4, page 3). This provides a useful abstraction for reasoning about vulnerabilities in future defenses, which is a novel conceptual synthesis.

2. Novelty in Countermeasures: The proposed countermeasures, while based on established security principles, represent a novel application of these principles to this newly highlighted problem domain.

   • FR-RFM (Section 11.1, page 12) applies the "constant-time" principle to decouple defense actions from application behavior.
   • RIAC (Section 11.2, page 12) applies the principle of randomization to inject noise and reduce channel reliability.
   • Bank-Level PRAC (Section 11.3, page 12) is a novel architectural refinement that proposes reducing the scope of the observable event, thereby limiting the attack's reach. This is a tangible, though incremental, novel design suggestion.

3. Comprehensive Scope: The paper analyzes two distinct, state-of-the-art industry defenses (PRAC and RFM) within a single framework. While the individual attacks on these mechanisms have been concurrently discovered, evaluating them together provides a breadth that is likely absent in the more narrowly focused concurrent works.

Weaknesses

1. Attenuated Novelty of the Core Discovery: The central weakness of this paper, from a novelty perspective, is that the core idea is not unique. The authors explicitly state in their Related Work section (Section 13, page 14): "The idea of exploiting industry solutions to RowHammer was developed independently and concurrently by three recent works [151, 199, 223]." This admission confirms that the fundamental vulnerability was discovered simultaneously by multiple independent research groups. Therefore, the claim of being the "first analysis" is contentious and hinges on publication timing, not on the originality of the discovery itself. The works they cite [223] and [151, 199] appear to cover the exploitation of PRAC and RFM, respectively, which are the exact mechanisms this paper builds its attacks upon.

2. Application of Existing Attack Paradigms: The specific attacks demonstrated—covert channels and website fingerprinting—are standard applications of a newly found timing primitive. The methodologies used to build the covert channel (window-based transmission) and the side channel (collecting a trace and applying ML classifiers, Section 8, page 8) are functionally identical to how countless other cache- and memory-based timing channels have been exploited in prior work. The novelty lies in the primitive, which as established above, is a concurrent discovery, not in the exploitation technique.

3. Countermeasure Principles are Not Fundamentally New: The intellectual underpinnings of the proposed countermeasures are well-established in the security community. Decoupling security triggers from program behavior (constant-time) and adding randomness to thresholds are standard tools in the side-channel defense playbook. While their application here is novel and the engineering evaluation is valuable, they do not represent a fundamentally new defense paradigm.

Questions to Address In Rebuttal

1. Given the acknowledged concurrent works [151, 199, 223], please articulate the precise technical novelty of your attack methodology on PRAC and RFM. What core technical insights or exploitation techniques does your work present that are demonstrably absent in the concurrent works? Simply stating that this paper covers both is an argument of scope, not of novel insight.

2. The proposed countermeasures FR-RFM and RIAC are direct applications of the established principles of constant-time design and randomization. Please clarify the novelty of these proposals beyond this application. Was there a non-obvious technical challenge in applying these principles to RowHammer defenses that required a novel solution, or is the contribution simply the suggestion to apply them?

3. The website fingerprinting attack appears to be a straightforward application of the discovered LeakyHammer timing primitive using standard trace-collection and classification methods. Could the authors elaborate on what, if anything, is novel about the fingerprinting methodology itself, as distinct from the novelty of the underlying channel?