Rowhammer is a critical vulnerability in dynamic random access memory (DRAM) that continues to pose a significant threat to a wide range of systems. However, we find that conventional load-based attacks are becoming highly ineffective on the most recent architectures, such as Intel Alder Lake and Raptor Lake. In this paper, we present $\rho$Hammer, a new Rowhammer framework that systematically overcomes three core challenges impeding attacks on these new architectures. First, we design an efficient and generic DRAM address-mapping reverse-engineering method that uses selective pairwise measurements and structured deduction, enabling recovery of complex mappings within seconds on the latest memory controllers. Second, to break through the activation-rate bottleneck of load-based hammering, we introduce a novel prefetch-based hammering paradigm that leverages the asynchronous nature of x86 prefetch instructions and is further enhanced by multi-bank parallelism to maximize throughput. Third, recognizing that speculative execution causes more severe reordering of prefetches, which cannot simply be mitigated by memory barriers, we develop a counter-speculation hammering technique that uses control-flow obfuscation and optimized NOP-based pseudo-barriers to maintain prefetch order with minimal overhead. Evaluations across four of the latest Intel architectures demonstrate $\rho$Hammer's breakthrough effectiveness: it induces up to 200K+ additional bit flips within 2-hour attack-pattern fuzzing runs and achieves a 112x higher flip rate than the load-based hammering baselines on Comet Lake and Rocket Lake. Furthermore, we are the first to revive Rowhammer attacks on the latest Raptor Lake architecture, where the baselines fail completely, achieving stable flip rates of 2,291/min and fast end-to-end exploitation.