RowHammer is a DRAM vulnerability that can cause bit errors in a victim DRAM row solely by accessing its neighboring DRAM rows at a high-enough rate. Recent studies demonstrate that new DRAM devices are becoming increasingly vulnerable to RowHammer, and many works demonstrate system-level attacks for privilege escalation or information leakage. In this work, we perform the first rigorous fine-grained characterization and analysis of the correlation between RowHammer and temperature. We show that RowHammer is very sensitive to temperature variations, even if the variations are very small (e.g., $\pm 1$ {\deg}C). We leverage two key observations from our analysis to spy on DRAM temperature: 1) RowHammer-induced bit error rate consistently increases (or decreases) as the temperature increases, and 2) some DRAM cells that are vulnerable to RowHammer exhibit bit errors only at a particular temperature. Based on these observations, we propose a new RowHammer attack, called SpyHammer, that spies on the temperature of DRAM on critical systems such as industrial production lines, vehicles, and medical systems. SpyHammer is the first practical attack that can spy on DRAM temperature. Our evaluation in a controlled environment shows that SpyHammer can infer the temperature of the victim DRAM modules with an error of less than $\pm 2.5$ {\deg}C at the 90th percentile of all tested temperatures, for 12 real DRAM modules (120 DRAM chips) from four main manufacturers.

翻译：RowHammer是一种DRAM漏洞，仅通过以足够高的频率访问相邻DRAM行即可导致目标DRAM行发生位错误。近期研究表明，新型DRAM器件对RowHammer的脆弱性日益增加，许多工作已展示出用于权限提升或信息泄露的系统级攻击。本研究首次对RowHammer与温度之间的相关性进行了严格的细粒度表征与分析。我们发现RowHammer对温度变化极为敏感，即使变化幅度极小（例如±1°C）。基于分析中获得的两个关键观察，我们实现了对DRAM温度的窥探：1）RowHammer引发的位错误率随温度升高持续增加（或降低）；2）部分对RowHammer敏感的DRAM单元仅在特定温度下出现位错误。基于这些发现，我们提出了一种新型RowHammer攻击——SpyHammer，可对关键系统（如工业生产线、车辆及医疗系统）中的DRAM温度进行监控。SpyHammer是首个能够实际窥探DRAM温度的攻击方法。在受控环境中的评估表明，针对来自四大主流制造商的12个实际DRAM模块（120个DRAM芯片），SpyHammer在90%的测试温度范围内对目标DRAM模块的温度推断误差小于±2.5°C。