Marionette: A RowHammer Attack via Row Coupling

Seungmin Baek; Minbok Wi; Seonyong Park; Hwayong Nam; Michael Jaemin Kim; Nam Sung Kim; Jung Ho Ahn

doi:10.1145/3669940.3707242

Marionette: A RowHammer Attack via Row Coupling

Seungmin Baek, Minbok Wi, Seonyong Park, Hwayong Nam, Michael Jaemin Kim, Nam Sung Kim, Jung Ho Ahn

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

A body of recent work has revealed that two different rows in a DRAM bank, from the perspective of a processor-memory interface, are connected to the same wordline but two separate row buffers (bitline sense amplifiers) in certain DRAM chips. Such a pair of rows is referred to as a ''coupled-row pair.'' Coupled-row pairs pose a substantial security threat as RowHammer bitflips can be caused not only by the conventional, adjacent aggressor rows but also by their coupled rows that are distant in physical address We investigate the impact of a coupled row on both FPGA-based infrastructure and server systems. In RowHammer attacks, coupled rows have hammering strength nearly identical to aggressor rows, with these attacks invisible to conventional, processor-side mitigation solutions. By exploiting these observations, we present Marionette, a new type of RowHammer attack that exploits coupled rows to extend the existing RowHammer attack surface. First, coupled rows enable an attacker to evade two types of existing software-based RowHammer defenses: tracking- and isolation-based defenses. We induce RowHammer bitflips successfully against tracking-based RowHammer defenses by silently hammering coupled rows. We also identify the feasibility of RowHammer bitflips in an isolation-based inter-VM RowHammer defense by breaking DRAM-subarray-level isolation. Second, we successfully conduct an existing RowHammer exploit in a server under the tracking-based RowHammer defense. In a native server system, Marionette enhances the success rate of the RowHammer exploit by up to 1.66x. Lastly, we explore lightweight mitigation schemes for Marionette by exposing the coupled-row relationship to systems.

Original language	English (US)
Title of host publication	ASPLOS 2025 - Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems
Publisher	Association for Computing Machinery
Pages	637-652
Number of pages	16
ISBN (Electronic)	9798400706981
DOIs	https://doi.org/10.1145/3669940.3707242
State	Published - Mar 30 2025
Event	30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2025 - Rotterdam, Netherlands Duration: Mar 30 2025 → Apr 3 2025

Publication series

Name	International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS
Volume	1

Conference

Conference	30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2025
Country/Territory	Netherlands
City	Rotterdam
Period	3/30/25 → 4/3/25

Keywords

coupled row
dram
reliability
rowhammer
rowpress
security

ASJC Scopus subject areas

Software
Information Systems
Hardware and Architecture

Online availability

10.1145/3669940.3707242

Library availability

Discover UIUC Full Text

Cite this

Baek, S., Wi, M., Park, S., Nam, H., Kim, M. J., Kim, N. S., & Ahn, J. H. (2025). Marionette: A RowHammer Attack via Row Coupling. In ASPLOS 2025 - Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (pp. 637-652). (International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS; Vol. 1). Association for Computing Machinery. https://doi.org/10.1145/3669940.3707242

Marionette: A RowHammer Attack via Row Coupling. / Baek, Seungmin; Wi, Minbok; Park, Seonyong et al.
ASPLOS 2025 - Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. Association for Computing Machinery, 2025. p. 637-652 (International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS; Vol. 1).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Baek, S, Wi, M, Park, S, Nam, H, Kim, MJ, Kim, NS & Ahn, JH 2025, Marionette: A RowHammer Attack via Row Coupling. in ASPLOS 2025 - Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS, vol. 1, Association for Computing Machinery, pp. 637-652, 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2025, Rotterdam, Netherlands, 3/30/25. https://doi.org/10.1145/3669940.3707242

Baek S, Wi M, Park S, Nam H, Kim MJ, Kim NS et al. Marionette: A RowHammer Attack via Row Coupling. In ASPLOS 2025 - Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. Association for Computing Machinery. 2025. p. 637-652. (International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS). Epub 2025 Mar 30. doi: 10.1145/3669940.3707242

Baek, Seungmin ; Wi, Minbok ; Park, Seonyong et al. / Marionette : A RowHammer Attack via Row Coupling. ASPLOS 2025 - Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. Association for Computing Machinery, 2025. pp. 637-652 (International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS).

@inproceedings{7ba977636a36471880190e49407a736e,

title = "Marionette: A RowHammer Attack via Row Coupling",

abstract = "A body of recent work has revealed that two different rows in a DRAM bank, from the perspective of a processor-memory interface, are connected to the same wordline but two separate row buffers (bitline sense amplifiers) in certain DRAM chips. Such a pair of rows is referred to as a ''coupled-row pair.'' Coupled-row pairs pose a substantial security threat as RowHammer bitflips can be caused not only by the conventional, adjacent aggressor rows but also by their coupled rows that are distant in physical address We investigate the impact of a coupled row on both FPGA-based infrastructure and server systems. In RowHammer attacks, coupled rows have hammering strength nearly identical to aggressor rows, with these attacks invisible to conventional, processor-side mitigation solutions. By exploiting these observations, we present Marionette, a new type of RowHammer attack that exploits coupled rows to extend the existing RowHammer attack surface. First, coupled rows enable an attacker to evade two types of existing software-based RowHammer defenses: tracking- and isolation-based defenses. We induce RowHammer bitflips successfully against tracking-based RowHammer defenses by silently hammering coupled rows. We also identify the feasibility of RowHammer bitflips in an isolation-based inter-VM RowHammer defense by breaking DRAM-subarray-level isolation. Second, we successfully conduct an existing RowHammer exploit in a server under the tracking-based RowHammer defense. In a native server system, Marionette enhances the success rate of the RowHammer exploit by up to 1.66x. Lastly, we explore lightweight mitigation schemes for Marionette by exposing the coupled-row relationship to systems.",

keywords = "coupled row, dram, reliability, rowhammer, rowpress, security",

author = "Seungmin Baek and Minbok Wi and Seonyong Park and Hwayong Nam and Kim, \{Michael Jaemin\} and Kim, \{Nam Sung\} and Ahn, \{Jung Ho\}",

note = "Publisher Copyright: {\textcopyright} 2025 ACM.; 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2025 ; Conference date: 30-03-2025 Through 03-04-2025",

year = "2025",

month = mar,

day = "30",

doi = "10.1145/3669940.3707242",

language = "English (US)",

series = "International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS",

publisher = "Association for Computing Machinery",

pages = "637--652",

booktitle = "ASPLOS 2025 - Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems",

address = "United States",

}

TY - GEN

T1 - Marionette

T2 - 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2025

AU - Baek, Seungmin

AU - Wi, Minbok

AU - Park, Seonyong

AU - Nam, Hwayong

AU - Kim, Michael Jaemin

AU - Kim, Nam Sung

AU - Ahn, Jung Ho

PY - 2025/3/30

Y1 - 2025/3/30

N2 - A body of recent work has revealed that two different rows in a DRAM bank, from the perspective of a processor-memory interface, are connected to the same wordline but two separate row buffers (bitline sense amplifiers) in certain DRAM chips. Such a pair of rows is referred to as a ''coupled-row pair.'' Coupled-row pairs pose a substantial security threat as RowHammer bitflips can be caused not only by the conventional, adjacent aggressor rows but also by their coupled rows that are distant in physical address We investigate the impact of a coupled row on both FPGA-based infrastructure and server systems. In RowHammer attacks, coupled rows have hammering strength nearly identical to aggressor rows, with these attacks invisible to conventional, processor-side mitigation solutions. By exploiting these observations, we present Marionette, a new type of RowHammer attack that exploits coupled rows to extend the existing RowHammer attack surface. First, coupled rows enable an attacker to evade two types of existing software-based RowHammer defenses: tracking- and isolation-based defenses. We induce RowHammer bitflips successfully against tracking-based RowHammer defenses by silently hammering coupled rows. We also identify the feasibility of RowHammer bitflips in an isolation-based inter-VM RowHammer defense by breaking DRAM-subarray-level isolation. Second, we successfully conduct an existing RowHammer exploit in a server under the tracking-based RowHammer defense. In a native server system, Marionette enhances the success rate of the RowHammer exploit by up to 1.66x. Lastly, we explore lightweight mitigation schemes for Marionette by exposing the coupled-row relationship to systems.

AB - A body of recent work has revealed that two different rows in a DRAM bank, from the perspective of a processor-memory interface, are connected to the same wordline but two separate row buffers (bitline sense amplifiers) in certain DRAM chips. Such a pair of rows is referred to as a ''coupled-row pair.'' Coupled-row pairs pose a substantial security threat as RowHammer bitflips can be caused not only by the conventional, adjacent aggressor rows but also by their coupled rows that are distant in physical address We investigate the impact of a coupled row on both FPGA-based infrastructure and server systems. In RowHammer attacks, coupled rows have hammering strength nearly identical to aggressor rows, with these attacks invisible to conventional, processor-side mitigation solutions. By exploiting these observations, we present Marionette, a new type of RowHammer attack that exploits coupled rows to extend the existing RowHammer attack surface. First, coupled rows enable an attacker to evade two types of existing software-based RowHammer defenses: tracking- and isolation-based defenses. We induce RowHammer bitflips successfully against tracking-based RowHammer defenses by silently hammering coupled rows. We also identify the feasibility of RowHammer bitflips in an isolation-based inter-VM RowHammer defense by breaking DRAM-subarray-level isolation. Second, we successfully conduct an existing RowHammer exploit in a server under the tracking-based RowHammer defense. In a native server system, Marionette enhances the success rate of the RowHammer exploit by up to 1.66x. Lastly, we explore lightweight mitigation schemes for Marionette by exposing the coupled-row relationship to systems.

KW - coupled row

KW - dram

KW - reliability

KW - rowhammer

KW - rowpress

KW - security

UR - http://www.scopus.com/inward/record.url?scp=105002386127&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=105002386127&partnerID=8YFLogxK

U2 - 10.1145/3669940.3707242

DO - 10.1145/3669940.3707242

M3 - Conference contribution

AN - SCOPUS:105002386127

T3 - International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS

SP - 637

EP - 652

BT - ASPLOS 2025 - Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

PB - Association for Computing Machinery

Y2 - 30 March 2025 through 3 April 2025

ER -

Marionette: A RowHammer Attack via Row Coupling

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this