The Rowhammer vulnerability continues to get worse, with the Rowhammer Threshold (TRH) reducing from 139K activations to 4.8K activations over the last decade. Typical Rowhammer mitigations rely on tracking aggressor rows. The number of possible aggressors increases with lowering thresholds, making it difficult to reliably track such rows in a storage-efficient manner. At lower thresholds, academic trackers such as Graphene require prohibitive SRAM overheads (hundreds of KBs to MB). Recent in-DRAM trackers from industry, such as DSAC-TRR, perform approximate tracking, sacrificing guaranteed protection for reduced storage overheads, leaving DRAM vulnerable to Rowhammer attacks. Ideally, we seek a scalable tracker that tracks securely and precisely, and incurs negligible dedicated SRAM and performance overheads, while still being able to track arbitrarily low thresholds. To that end, we propose START - a Scalable Tracker for Any Rowhammer Threshold. Rather than relying on dedicated SRAM structures, START dynamically repurposes a small fraction the Last-Level Cache (LLC) to store tracking metadata. START is based on the observation that while the memory contains millions of rows, typical workloads touch only a small subset of rows within a refresh period of 64ms, so allocating tracking entries on demand significantly reduces storage. If the application does not access many rows in memory, START does not reserve any LLC capacity. Otherwise, START dynamically uses 1-way, 2-way, or 8-way of the cache set based on demand. START consumes, on average, 9.4% of the LLC capacity to store metadata, which is 5x lower compared to dedicating a counter in LLC for each row in memory. We also propose START-M, a memory-mapped START for large-memory systems. Our designs require only 4KB SRAM for newly added structures and perform within 1% of idealized tracking even at TRH of less than 100.

翻译：行锤漏洞持续恶化，行锤阈值（TRH）在过去十年间从139K次激活降至4.8K次激活。典型行锤缓解方案依赖对攻击者行的追踪。随着阈值降低，潜在攻击者数量增加，使得以存储高效方式可靠追踪这些行变得困难。在较低阈值下，Graphene等学术追踪器需要高昂的SRAM开销（数百KB至MB）。DSAC-TRR等业界近期推出的DRAM内追踪器采用近似追踪策略，以牺牲安全保障换取更低的存储开销，导致DRAM易受行锤攻击。理想情况下，我们需要一种既能实现安全精确追踪，又仅产生可忽略的专用SRAM与性能开销，且能追踪任意低阈值的可扩展追踪器。为此，我们提出START——面向任意行锤阈值的可扩展追踪器。START不依赖专用SRAM结构，而是动态复用末级缓存（LLC）的一小部分来存储追踪元数据。其设计基于以下观察：尽管内存包含数百万行，但典型工作负载在64ms刷新周期内仅访问其中极小子集，因此按需分配追踪条目可大幅降低存储需求。若应用未访问大量内存行，START不预留任何LLC容量；否则根据需求动态使用缓存集的1路、2路或8路。START平均占用9.4%的LLC容量存储元数据，相比在LLC中为每行内存单独设置计数器的方式降低5倍开销。我们还提出面向大内存系统的内存映射版本START-M。我们的设计仅需为新增结构提供4KB SRAM，即使在TRH低于100时，性能偏差仍控制在理想追踪方案的1%以内。