Rowhammer has drawn much attention from both academia and industry in recent years, as rowhammer exploitation has severe consequences for system security. Since the first comprehensive study of rowhammer in 2014, a number of rowhammer attacks have been demonstrated against commodity systems based on dynamic random access memory (DRAM) that break software confidentiality, integrity and availability. Accordingly, numerous software defenses have been proposed to mitigate rowhammer attacks on commodity systems with either legacy DRAM (e.g., DDR3) or recent DRAM (e.g., DDR4). In addition, multiple hardware defenses from industry (e.g., Target Row Refresh) have been deployed in recent DRAM to eliminate rowhammer; we categorize these as production defenses. In this paper, we systematize rowhammer attacks and defenses with a focus on DRAM-based commodity systems. In particular, we establish a unified framework that demonstrates how a rowhammer attack affects a commodity system. Using the framework, we characterize existing attacks, shedding light on attack vectors that have not yet been explored. We further leverage the framework to categorize software and production defenses, generalize their key defense strategies and summarize their key limitations, from which potential defense strategies are identified.