Memory Security: Rowhammer, Side-Channel Attacks, and Mitigations
Memory security encompasses the attack vectors that exploit physical and architectural properties of memory hardware to breach isolation boundaries, leak sensitive data, or escalate privileges — and the technical mitigations designed to counter them. This page covers two major threat classes — Rowhammer bit-flip attacks and side-channel attacks targeting memory subsystems — along with the classification framework, hardware and software mitigations, and known tradeoffs that security engineers and system architects navigate. The subject sits at the intersection of computer architecture, operating system design, and hardware engineering, and is governed by public research from bodies including NIST and the academic security community.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
Memory security refers to the set of mechanisms — hardware, firmware, and software — that enforce confidentiality, integrity, and isolation properties on data held in or transiting through memory subsystems. The field addresses threats that operate below the application layer: attacks that manipulate DRAM cell physics, infer secrets from timing signals, or exploit shared hardware structures rather than exploiting logical software bugs.
The NIST Computer Security Resource Center classifies hardware-based memory attacks under the broader category of physical and architectural side-channel threats, distinct from software memory safety issues such as buffer overflows. The scope of memory security spans:
- DRAM-level attacks — physical bit manipulation without memory access permission
- Cache side-channels — timing inference across shared cache hierarchies
- DRAM bus and rank-level side-channels — contention signals that leak access patterns
- Secure enclave threats — attacks against hardware-isolated execution environments such as Intel SGX
Memory security is directly relevant to memory isolation techniques, memory error detection and correction, and the broader memory systems security and protection landscape.
Core mechanics or structure
Rowhammer
DRAM cells are organized into rows. When a row is activated (hammered) at high frequency, charge leaks into adjacent rows, flipping bits in cells the attacker never directly addresses. This phenomenon, documented publicly by Google Project Zero in 2015, demonstrated privilege escalation on commodity DDR3 hardware by flipping a single bit in a page table entry.
The attack requires achieving approximately 139,000 row activations within a 64-millisecond DRAM refresh interval — a figure established in the original Kim et al. 2014 paper (ISCA 2014, "Flipping Bits in Memory Without Accessing Them"). Modern variants include:
- Double-sided Rowhammer — hammering both adjacent rows simultaneously, increasing flip probability
- One-location Hammering — effective on some DDR4 modules without requiring two aggressor rows
- TRRespass — bypasses Target Row Refresh (TRR) defenses on DDR4 by using non-uniform access patterns (VUSec, 2020)
- Half-Double — exploits charge propagation two rows beyond the aggressor, disclosed by Google in 2021
Cache Side-Channel Attacks
Side-channel attacks targeting cache hierarchies infer secrets by measuring timing differences caused by cache state changes. The canonical attack classes are:
- Flush+Reload — attacker flushes a shared cache line, waits for victim activity, then measures reload time to determine whether the victim accessed that line
- Prime+Probe — attacker fills a cache set, waits, then re-reads to detect evictions caused by victim accesses; requires no shared memory
- Spectre — exploits speculative execution to transiently access out-of-bounds memory and exfiltrate data through a cache-timing covert channel (NIST NVD CVE-2017-5753)
- Meltdown — exploits a race between memory access and privilege checking during speculative execution (NIST NVD CVE-2017-5754)
Causal relationships or drivers
The root causes of memory security vulnerabilities are structural rather than incidental.
DRAM cell density drives Rowhammer susceptibility. As process nodes have shrunk — from 50 nm in DDR3 to sub-20 nm geometries in modern DDR4 — inter-cell capacitive coupling has increased, making charge leakage between adjacent rows physically inevitable at accessible activation rates.
Shared hardware resources enable side-channel attacks. Cache hierarchies, TLBs, DRAM row buffers, and memory buses are shared across security boundaries in virtually all commodity processors. The performance advantages of sharing — reduced latency, higher bandwidth utilization — are inseparable from the information leakage the sharing creates.
Speculative and out-of-order execution amplifies side-channel exposure. Modern CPUs execute instructions ahead of permission checks to sustain throughput. Spectre-class attacks exploit the window between speculative memory access and architectural rollback; the CPU undoes architectural state but not cache state, creating a persistent covert channel.
Refresh interval constraints bound Rowhammer defenses. DRAM refresh cycles are standardized at 64 ms by JEDEC standards (JEDEC JESD79-4B), creating a fixed exploitation window that hardware mitigations must outrun without degrading performance.
Classification boundaries
Memory security threats divide along two primary axes: attack target (DRAM vs. cache vs. speculative execution path) and attacker privilege level (unprivileged user process, co-tenant virtual machine, remote JavaScript execution).
| Threat Class | Attack Target | Minimum Attacker Privilege | Key Defense Class |
|---|---|---|---|
| Rowhammer (basic) | DRAM row adjacency | Unprivileged process | pTRR, ECC, LPDDR5 Refresh Management |
| Rowhammer (TRRespass) | DDR4 TRR bypass | Unprivileged process | JEDEC PRAC (DDR5) |
| Flush+Reload | L3 cache | Shared memory access | Cache partitioning (Intel CAT) |
| Prime+Probe | L1/L2/L3 cache | Unprivileged process | Cache randomization |
| Spectre v1 | Speculative load | JavaScript in browser | Compiler barriers, site isolation |
| Spectre v2 | Branch predictor | Unprivileged process | Retpoline, IBRS, microcode patches |
| Meltdown | Out-of-order load | Unprivileged process | KPTI (Kernel Page Table Isolation) |
| Rowhammer via network | DRAM row adjacency | Remote (DMA/network) | Physical memory isolation |
Attacks against Intel SGX enclaves occupy a separate subcategory: the attacker has hypervisor or OS privileges, which inverts the typical threat model — the enclave is the victim of a privileged attacker rather than an unprivileged one exploiting shared resources.
Tradeoffs and tensions
Every major mitigation class introduces performance or compatibility costs that create contested engineering decisions.
ECC DRAM corrects single-bit errors and detects double-bit errors (SECDED coding), reducing Rowhammer exploitability but not eliminating it — flipping 2 bits in the same word defeats SECDED. ECC memory carries a roughly 12.5% DRAM capacity overhead and requires chipset and platform support absent from most consumer systems.
KPTI (Kernel Page Table Isolation), the primary Meltdown mitigation, separates user-space and kernel-space page tables, eliminating the shared mapping that Meltdown exploits. Benchmarks published by Red Hat in 2018 showed workload-dependent performance regressions of 2–19% depending on syscall intensity, with I/O-heavy workloads most affected.
Retpoline (return trampoline) mitigates Spectre v2 indirect branch injection without requiring hardware changes but imposes a throughput penalty on indirect-call-heavy code paths, particularly in virtual machine hypervisors and JIT-compiled runtimes.
Cache partitioning via Intel Cache Allocation Technology (CAT) enforces isolation between LLC (Last-Level Cache) partitions, defeating cross-tenant Prime+Probe attacks in cloud environments. However, CAT reduces effective cache utilization by preventing tenants from using idle capacity in adjacent partitions.
JEDEC DDR5 Probabilistic Adjacent Row Activation (PRAC) represents the current hardware-level response to TRRespass-class attacks — the standard mandates that DDR5 modules track aggressor row activation counts and trigger preventive refresh. PRAC was incorporated into the JEDEC DDR5 standard (JESD79-5) and addresses TRR bypass patterns, though researchers continue evaluating its coverage against multi-aggressor patterns.
Common misconceptions
Misconception: ECC memory prevents Rowhammer attacks.
ECC SECDED corrects 1-bit errors and detects 2-bit errors per memory word but cannot correct them. Rowhammer attacks that induce 2 or more bit flips in the same ECC word remain viable. The TRRespass paper documented successful bit flips on ECC-enabled DDR4 modules under specific access patterns.
Misconception: Spectre and Meltdown are the same vulnerability.
Meltdown (CVE-2017-5754) exploits a race condition between out-of-order execution and privilege checks, allowing unprivileged reading of kernel memory. Spectre (CVE-2017-5753, CVE-2017-5715) exploits speculative execution to leak data from the victim's own address space using a crafted access pattern. Meltdown is mitigated by KPTI; Spectre requires a broader set of defenses including compiler barriers and hardware microcode updates.
Misconception: Virtual machines are isolated from Rowhammer attacks.
DRAM physical row adjacency does not respect virtual machine boundaries. A malicious VM on a shared host can hammer DRAM rows backing another VM's memory if the hypervisor does not enforce physical memory isolation between tenants at the DRAM level, which most hypervisors do not by default.
Misconception: Rowhammer requires local hardware access.
Remote Rowhammer attacks have been demonstrated using JavaScript in browsers (via high-resolution timers) and, in research settings, via network-induced DMA operations. Browser mitigations — primarily timer precision reduction and SharedArrayBuffer restrictions — were deployed by major browser vendors beginning in 2018 to reduce the timer resolution available to JavaScript-based hammering.
Checklist or steps (non-advisory)
The following phases describe the standard technical assessment sequence for memory security exposure in a system or deployment environment, as structured in platform security review frameworks including those referenced by NIST SP 800-193 (Platform Firmware Resiliency Guidelines):
- DRAM generation identification — Determine DDR generation (DDR3, DDR4, DDR5, LPDDR4/5) and module TRR/PRAC support status; DDR5 with PRAC has qualitatively different Rowhammer exposure than DDR3.
- ECC support verification — Confirm whether platform chipset and memory modules support ECC and whether it is enabled in firmware/BIOS settings.
- Firmware and microcode patch level audit — Verify CPU microcode version against vendor security advisories for Spectre v1/v2, Meltdown, and descendant variants (MDS, TAA, SRBDS).
- OS kernel mitigation status — Check kernel boot parameters for KPTI, IBRS/IBPB/STIBP enablement, and retpoline compilation; on Linux,
/sys/devices/system/cpu/vulnerabilities/exposes current mitigation status per vulnerability. - Hypervisor isolation policy review — For multi-tenant deployments, audit hypervisor physical memory allocation policy for NUMA/rank-level separation between tenants.
- Cache partitioning configuration — Assess whether platform supports Intel CAT or AMD equivalent and whether cache partitioning policies are enforced for security-sensitive workloads.
- Browser and runtime timer restrictions — Confirm
SharedArrayBufferand high-resolution timer availability is restricted in untrusted JavaScript execution contexts (per W3C recommendations following the 2018 coordinated disclosure). - Ongoing CVE monitoring scope — Establish monitoring coverage for NIST NVD entries under the CWE-1037 (Processor Optimization Removal or Modification of Security-critical Code) and related hardware CWE categories.
Reference table or matrix
The following matrix maps major attack families to their discovery sources, primary mitigation, affected hardware scope, and residual risk posture after mitigation deployment.
| Attack | Discovery Source | Primary Mitigation | Affected Hardware | Residual Risk After Mitigation |
|---|---|---|---|---|
| Rowhammer (DDR3) | Kim et al., ISCA 2014 | Increased refresh rate, physical address randomization | DDR3 and most DDR4 | Low on DDR5 with PRAC; moderate on unpatched DDR4 |
| TRRespass | VUSec, IEEE S&P 2020 | JEDEC DDR5 PRAC | DDR4 with TRR | Low on PRAC-compliant DDR5; moderate on DDR4 |
| Half-Double | Google Project Zero, 2021 | No complete hardware fix at disclosure; PRAC partially covers | DDR4 | Moderate |
| Meltdown (CVE-2017-5754) | Gruss et al. / Google Project Zero, 2018 | KPTI | Intel pre-2019 CPUs; most AMD unaffected | Low with KPTI enabled |
| Spectre v1 (CVE-2017-5753) | Kocher et al., 2018 | Compiler barriers (lfence, array_index_mask_nospec) | All modern CPUs | Low-moderate; barrier placement is manual and incomplete |
| Spectre v2 (CVE-2017-5715) | Kocher et al., 2018 | Retpoline + IBRS/IBPB microcode | All modern CPUs | Low with microcode + retpoline; performance cost present |
| Flush+Reload | Yarom & Falkner, USENIX Security 2014 | Cache partitioning, page deduplication disablement | All x86 with shared LLC | Low with CAT and dedup disabled |
| Prime+Probe | Percival, 2005; Osvik et al., 2006 | Cache randomization, partitioning | All CPUs with shared cache | Moderate; full elimination requires hardware redesign |
The memory systems reference index provides structural context for how memory security topics relate to the broader memory systems knowledge domain, including volatile vs. nonvolatile memory properties that affect attack surface scope.