TRRespass: Exploiting the many sides of target row refresh

Pietro Frigo, Emanuele Vannacci, Hasan Hassan, Victor Van Der Veen, Onur Mutlu, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review

26 Downloads (Pure)


After a plethora of high-profile RowHammer attacks, CPU and DRAM vendors scrambled to deliver what was meant to be the definitive hardware solution against the RowHammer problem: Target Row Refresh (TRR). A common belief among practitioners is that, for the latest generation of DDR4 systems that are protected by TRR, RowHammer is no longer an issue in practice. However, in reality, very little is known about TRR. How does TRR exactly prevent RowHammer? Which parts of a system are responsible for operating the TRR mechanism? Does TRR completely solve the RowHammer problem or does it have weaknesses? In this paper, we demystify the inner workings of TRR and debunk its security guarantees. We show that what is advertised as a single mitigation mechanism is actually a series of different solutions coalesced under the umbrella term Target Row Refresh. We inspect and disclose, via a deep analysis, different existing TRR solutions and demonstrate that modern implementations operate entirely inside DRAM chips. Despite the difficulties of analyzing in-DRAM mitigations, we describe novel techniques for gaining insights into the operation of these mitigation mechanisms. These insights allow us to build TRRespass, a scalable black-box RowHammer fuzzer that we evaluate on 42 recent DDR4 modules. TRRespass shows that even the latest generation DDR4 chips with in-DRAM TRR, immune to all known RowHammer attacks, are often still vulnerable to new TRR-aware variants of RowHammer that we develop. In particular, TRRespass finds that, on present-day DDR4 modules, RowHammer is still possible when many aggressor rows are used (as many as 19 in some cases), with a method we generally refer to as Many-sided RowHammer. Overall, our analysis shows that 13 out of the 42 modules from all three major DRAM vendors (i.e., Samsung, Micron, and Hynix) are vulnerable to our TRR-aware RowHammer access patterns, and thus one can still mount existing state-of-the-art system-level RowHammer attacks. In addition to DDR4, we also experiment with LPDDR4(X)1 chips and show that they are susceptible to RowHammer bit flips too. Our results provide concrete evidence that the pursuit of better RowHammer mitigations must continue.

Original languageEnglish
Title of host publication2020 IEEE Symposium on Security and Privacy (SP)
Subtitle of host publication[Proceedings]
PublisherInstitute of Electrical and Electronics Engineers Inc.
Number of pages16
ISBN (Electronic)9781728134970
ISBN (Print)9781728134987
Publication statusPublished - 30 Jul 2020
Event41st IEEE Symposium on Security and Privacy, SP 2020 - San Francisco, United States
Duration: 18 May 202021 May 2020

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
ISSN (Print)1081-6011


Conference41st IEEE Symposium on Security and Privacy, SP 2020
Country/TerritoryUnited States
CitySan Francisco


ACKNOWLEDGMENTS We would like to thank the anonymous reviewers for their valuable feedback and Robin Webbers for helping us in our analysis of LPDDR4(X) systems. This work was supported by the European Union’s Horizon 2020 research and innovation programme under grant agreements No. 786669 (ReAct) and No. 825377 (UNICORE), by Intel Corporation through the Side Channel Vulnerability ISRA, and by the Netherlands Organisation for Scientific Research through grants NWO 639.023.309 VICI “Dowsing”, NWO 639.021.753 VENI “Pan-taRhei”, and NWO 016.Veni.192.262. This paper reflects only the authors’ view. The funding agencies are not responsible for any use that may be made of the information it contains.

FundersFunder number
European Union s Horizon 2020 research and innovation programme
Intel Corporation
Horizon 2020 Framework Programme825377, 786669
Nederlandse Organisatie voor Wetenschappelijk Onderzoek639.023.309


    Dive into the research topics of 'TRRespass: Exploiting the many sides of target row refresh'. Together they form a unique fingerprint.

    Cite this