Modern systems mitigate Rowhammer using victim refresh, which refreshes the two neighbours of an aggressor row once that row reaches a specified number of activations. Unfortunately, complex attack patterns like Half-Double break victim refresh, rendering current systems vulnerable. Recently proposed secure Rowhammer mitigations instead perform the mitigative action on the aggressor rather than on the victims. Such schemes, which include AQUA, SRS, and Blockhammer, employ mitigative actions such as row migration or access control. While these schemes incur only modest slowdowns at Rowhammer thresholds of a few thousand, they incur prohibitive slowdowns (15%-600%) at the lower thresholds that are likely in the near future. The goal of our paper is to make secure Rowhammer mitigations practical at such low thresholds. The key insight of our paper is that benign applications encounter thousands of hot rows (rows receiving more activations than the threshold) because of the memory mapping, which places spatially proximate lines in the same row to maximize the row-buffer hit rate. Unfortunately, this causes a row to receive activations for many frequently used lines. We propose Rubix, which breaks the spatial correlation in the line-to-row mapping by using an encrypted address to access the memory, reducing the likelihood of hot rows by 2 to 3 orders of magnitude. To aid row-buffer hits, Rubix randomizes a group of 1-4 lines. We also propose Rubix-D, which dynamically changes the line-to-row mapping. Rubix-D minimizes hot rows and makes it much harder for an adversary to learn the spatial neighbourhood of a row. Rubix reduces the slowdown of AQUA (from 15% to 1%), SRS (from 60% to 2%), and Blockhammer (from 600% to 3%) while incurring a storage overhead of less than 1 kilobyte.
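The hot-row effect described above, as an added simulation that is not code from the paper. It assumes a single bank with 128 lines per row, an open-page row buffer, a constructed random trace over 32 hot regions, and a toy 4-round Feistel permutation standing in for the address cipher, which the abstract does not specify.

```python
import hashlib
import random
from collections import Counter

LINE_BITS = 20        # assumed: 2**20 lines of 64 B, one bank modelled
LINES_PER_ROW = 128   # assumed: 8 KiB row
KEY = b"constructed-demo-key"

def encrypt(value, bits, key=KEY):
    """Keyed bijection on `bits`-bit values (toy balanced Feistel, a stand-in cipher)."""
    assert bits % 2 == 0, "balanced Feistel needs an even width (gang of 1 or 4 here)"
    half = bits // 2
    mask = (1 << half) - 1
    left, right = value >> half, value & mask
    for rnd in range(4):
        digest = hashlib.blake2b(bytes([rnd]) + right.to_bytes(4, "big"), key=key).digest()
        left, right = right, left ^ (int.from_bytes(digest[:4], "big") & mask)
    return (left << half) | right

def row_conventional(line):
    """Spatially adjacent lines share a row."""
    return line // LINES_PER_ROW

def row_randomized(line, gang=4):
    """Encrypt the gang index; the `gang` lines inside one gang stay adjacent."""
    gang_bits = LINE_BITS - (gang.bit_length() - 1)
    enc_line = encrypt(line // gang, gang_bits) * gang + line % gang
    return enc_line // LINES_PER_ROW

def hot_rows(trace, row_of, threshold=1000):
    """Number of rows whose activation count exceeds `threshold`."""
    rows = {line: row_of(line) for line in set(trace)}
    acts, open_row = Counter(), None
    for line in trace:
        if rows[line] != open_row:      # row-buffer miss means one activation
            open_row = rows[line]
            acts[open_row] += 1
    return sum(1 for n in acts.values() if n > threshold)

def constructed_trace(n=100_000, regions=32, seed=1):
    """Constructed workload: uniform random accesses over row-sized hot regions."""
    rng = random.Random(seed)
    bases = rng.sample(range(2 ** LINE_BITS // LINES_PER_ROW), regions)
    return [rng.choice(bases) * LINES_PER_ROW + rng.randrange(LINES_PER_ROW) for _ in range(n)]

if __name__ == "__main__":
    trace = constructed_trace()
    print("hot rows, conventional mapping:", hot_rows(trace, row_conventional))
    print("hot rows, randomized mapping  :", hot_rows(trace, row_randomized))
```

With the conventional mapping every hot region lands in one row and crosses the threshold; with the randomized mapping the same accesses are spread over many rows and none does.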