The Rowhammer vulnerability continues to get worse, with the Rowhammer Threshold (TRH) reducing from 139K activations to 4.8K activations over the last decade. Typical Rowhammer mitigations rely on tracking aggressor rows. The number of possible aggressors increases with lowering thresholds, making it difficult to reliably track such rows in a storage-efficient manner. At lower thresholds, academic trackers such as Graphene require prohibitive SRAM overheads (hundreds of KBs to MB). Recent in-DRAM trackers from industry, such as DSAC-TRR, perform approximate tracking, sacrificing guaranteed protection for reduced storage overheads, leaving DRAM vulnerable to Rowhammer attacks. Ideally, we seek a scalable tracker that tracks securely and precisely, and incurs negligible dedicated SRAM and performance overheads, while still being able to track arbitrarily low thresholds. To that end, we propose START - a Scalable Tracker for Any Rowhammer Threshold. Rather than relying on dedicated SRAM structures, START dynamically repurposes a small fraction the Last-Level Cache (LLC) to store tracking metadata. START is based on the observation that while the memory contains millions of rows, typical workloads touch only a small subset of rows within a refresh period of 64ms, so allocating tracking entries on demand significantly reduces storage. If the application does not access many rows in memory, START does not reserve any LLC capacity. Otherwise, START dynamically uses 1-way, 2-way, or 8-way of the cache set based on demand. START consumes, on average, 9.4% of the LLC capacity to store metadata, which is 5X lower compared to dedicating a counter in LLC for each row in memory. We also propose START-M, a memory-mapped START for large-memory systems. Our designs require only 4KB SRAM for newly added structures and perform within 1% of idealized tracking even at TRH of less than 100.

翻译：行锤漏洞持续恶化，在过去十年间，行锤阈值（TRH）已从139K次激活降至4.8K次激活。典型行锤缓解方案依赖于跟踪攻击行。随着阈值降低，潜在攻击行数量增加，使得以存储高效的方式可靠跟踪这些行变得困难。在较低阈值下，Graphene等学术跟踪器需要极高的SRAM开销（数百KB至MB）。工业界近期提出的DSAC-TRR等片内DRAM跟踪器采用近似跟踪，以牺牲保护确定性换取存储开销降低，导致DRAM易受行锤攻击。理想情况下，我们期望一种可扩展跟踪器，既能实现安全精确的跟踪，又仅产生可忽略的专用SRAM和性能开销，同时支持任意低阈值跟踪。为此，我们提出START——适用于任意行锤阈值的可扩展跟踪器。不同于依赖专用SRAM结构，START动态复用最后一级缓存（LLC）的小部分容量存储跟踪元数据。START基于以下观察：虽然内存包含数百万行，但典型工作负载在64ms刷新周期内仅访问其中少量行，因此按需分配跟踪条目可显著减少存储需求。若应用程序未访问大量内存行，START不保留任何LLC容量；反之则根据需求动态使用缓存集的1路、2路或8路。START平均消耗LLC容量的9.4%存储元数据，相比为内存每行分配独立计数器的方式降低5倍开销。我们还提出了针对大内存系统的内存映射START（START-M）。该设计仅需为新增结构提供4KB SRAM，即使在TRH低于100时，其性能与理想跟踪方案的差距仍保持在1%以内。