Rowhammer Terminology Cheat Sheet
This is a list of terms commonly used to describe Rowhammer attacks and mitigations. Sometimes, some of these
terms have different meanings; in those cases, I will be describing
all meanings I am aware of.
If you spot any errors, inconsistencies, or can provide greater clarity, please
drop me an e-mail:
.
RH: Rowhammer. Sometimes also spelled as RowHammer.
Rowhammer mitigation: a scheme that prevents some, but not all, forms of Rowhammer attacks from succeeding.
Complete/Provable/Comprehensive Rowhammer mitigation: a scheme that prevents all forms of Rowhammer attacks from succeeding.
Often there is an accompanying proof of completeness under a set of assumptions. Sometimes, the completeness
guarantee is probabilistic (i.e., the probability of the scheme failing to stop a Rowhammer attack is ε, where ε
can be made arbitrarily small).
Disturbance error: the phenomenon by which one DRAM row interferes with another row
located in its vicinity. An error occurs when one or more cells revert their charge causing
a DRAM read to return different value than the one original stored.
Aggressor row: a row activated repeatedly with the goal of inducing bit flips on adjacent
(or nearby) rows in a bank. (In some older terminology, aggressor row is sometime called target row).
Victim row: a row exhibiting bit flips that is located nearby an aggressor row.
Adjacent rows: two rows located right next to each other inside a DRAM chip.
Distant rows: two rows that are not adjacent but "close enough" that one can disturb the other.
Row distance between row A and row B: the number of rows between A and B without counting A or B.
For example, the row distance between two adjacent rows is 0 and the row distance between two distant rows
is greater or equal to 1.
Single-sided Rowhammer (RH) attack: an attack where a row is activated repeatedly with the goal of inducing bit flips on adjacent
(or nearby) rows in a bank.
Double-sided RH attack: an attack with two aggressor rows located one row apart. The row located between the aggressors
is a victim row.
Diffused RH attack: an attack involving more than 3 aggressor rows, at least one of which is a distant row.
Maximum Activation Count (MAC): a per-DRAM device metric describing the minimum number of row activations required to mount a single-sided attack.
Hammer Count: The minimum number of times to activate each set of aggressor rows until the first bit occurs.
Blast Radius: the physical distance (i.e., the number of rows apart)
between an aggressor and a victim row.
A blast radius of 1 corresponds to the case when the aggressor and victim rows are adjacent. Distant rows
correspond to a blast radius greater than 1.
Note*: Some use the term "blast radius" incorrectly to refer to the width of the blast. For example, when the say "a blast radius of 4", they mean 4 victims rows, 2 on each side of the aggressor row.
Note*: Some use the term "blast radius" incorrectly to refer to the width of the blast. For example, when the say "a blast radius of 4", they mean 4 victims rows, 2 on each side of the aggressor row.
Attenuation Factor: a factor representing the reduction of disturbance errors as the blast radius
increases. This factor is assumed to directly correlate with the increase in the number of
activations an aggressor row requires to flip bits in victim rows located farther away.
For example, an attenuation factor of 10 means that a victim row requires 10 times more activates
to flip bits in a victim row located two rows away than an adjacent victim.
On-die ECC: a form of error correction performed inside of a DRAM chip. It is typically done in a transparent
manner -- no other component knows that an error occurred and was corrected. LPDDR4 and DDR5 incorporate on-die ECC
that can correct 1-bit data corruptions.
RFM (refresh management): a scheme by which a memory controller tracks the total number of
activations issued to a bank. If this number is higher than a vendor-specified threshold,
the memory controller issues additional RFM commands to a bank.
An RFM command is like a regular refresh command and carries no row or column addresses.
Upon receiving an RFM command, the DRAM performs RH mitigations.
Unfortunately, details about the remediation schemes are proprietary and confidential to the DRAM vendor.
DRFM (directed RFM): a DDR5 scheme by which a memory controller reports
the identity of an aggressor row and asks the DRAM device to refresh all victims affected
by the given aggressor row.
RH threshold: the maximum number of activations a row can sustain until a RH mitigation action
must be performed. With RFM, vendors specify a bank-wide RH threshold for their parts.