- The paper demonstrates that temporal asymmetry in aggressor row open times significantly lowers ACmin, achieving up to a 63% reduction in activation counts for inducing bitflips.
- It employs a custom FPGA-based platform across 196 DDR4 and 3 HBM2 chips to systematically characterize DRAM vulnerabilities under varied temporal patterns.
- The study proposes TeACUp, a dynamic counter update mechanism that mitigates premature threshold triggers inherent to asymmetric DRAM access patterns.
ScaleDisturb: Temporal Asymmetry as a New Axis for Amplifying Read Disturbance in DRAM
Introduction and Motivation
This paper introduces "ScaleDisturb," a DRAM access pattern that leverages temporal asymmetry—intentional, asymmetric distribution of row open times between two aggressor rows—to amplify read disturbance-induced bitflips in adjacent victim rows. Unlike prior RowHammer and RowPress patterns, which assume symmetric aggressor behavior or only vary row open duration without explicit asymmetry, ScaleDisturb systematically demonstrates that keeping two aggressor rows open for different durations (while preserving the total open time) results in substantially lower activation counts required to induce bitflips (lower ACmin) in victim rows. This experimentally exposes a fundamental and previously uncharacterized vulnerability in modern DRAM architecture, with broad implications for both characterization of DRAM reliability and the security of existing mitigation mechanisms.
The work delivers a rigorous experimental analysis using 196 DDR4 and 3 HBM2 commercial DRAM chips spanning all major vendors and technology generations, coupled with a practical demonstration of attack feasibility on a real system equipped with in-DRAM mitigations.
Figure 1: Hierarchical organization of modern DRAM, showing banks, subarrays, wordlines, and bitlines—the basis for disturbance coupling.
Background: DRAM Read Disturbance and Patterns
RowHammer and RowPress are canonical read disturbance phenomena: RowHammer exploits repeated activation-precharge cycles on an aggressor to induce charge leakage in neighboring rows, while RowPress extends the aggressor's row open duration to intensify electrical field effects. Both have motivated defensive counter architectures in commodity DRAM, including activation counting, targeted refresh, and ECC.
Prior studies focused almost exclusively on symmetric or single-sided patterns; the design space of temporal asymmetry in aggressor open times remained unexplored. The underlying physics—involving electric field interactions and device-level charge trap dynamics—hint that asymmetric timing may alter disturbance coupling pathways in a manner unexploited by previous techniques.
Experimental Methodology and Infrastructure
The authors deploy a custom FPGA-based platform (DRAMBender/SoftMC) to exercise fine-grained, low-level control over DRAM row accesses, explicitly varying aggressor open times to cover both symmetric and asymmetric regimes. The experimental design eliminates confounders such as TRR mitigation, ECC, or temperature variation. Victim and aggressor rows are chosen post reverse-engineering of DRAM internal address layout to ensure adjacency and exclude coupled-row artifacts.
Empirical Characterization of ScaleDisturb
The key contribution is a meticulous empirical characterization of how temporal asymmetry in aggressor open times (for a fixed total budget) directly reduces ACmin—the minimum number of aggressor activations needed to induce a bitflip—in victim rows. This effect is consistently observed across all vendors and technology nodes tested.
- Average ACmin reduction across victim rows is 9.6% and up to 63% for specific configurations. On a module level, minimum ACmin drops by an average of 16.1% (up to 52.4%).
- The phenomenon is robust across 196 DDR4 and 3 HBM2 chips of diverse die revisions and densities. As DRAM technology scales (higher density, smaller node), vulnerability to temporal asymmetry increases, indicating exacerbation of the effect with scaling.
Figure 2: Normalized ACmin distribution shows dramatic widening of vulnerability under ScaleDisturb, compared to prior state-of-the-art patterns.
Figure 3: ACmin reduction for ScaleDisturb is present across Samsung, SK Hynix, and Micron chips, highlighting cross-manufacturer prevalence.
Figure 4: Vulnerability trend vs. technology scaling, with newer nodes showing greater ACmin reduction due to ScaleDisturb.
Distinct behavioral patterns are identified (L-type, R-type, Flat) in how ACmin responds to open time asymmetry, implying device-level sensitivity variations and layout dependencies.
Figure 5: Observed ACmin reduction patterns in victim rows, illustrating the prevalence of L/R asymmetry and inherent device heterogeneity.
Physical and Device-Level Hypotheses
The effect's underlying mechanism is postulated to stem from enhanced electric field interactions arising when aggressor timing is unbalanced. Asymmetry in open times disrupts mutual field cancellation between symmetric wordlines observed in double-sided patterns, raising net field-induced migration and trap-assisted leakage in vulnerable cells. The work calls for future device-level studies to elucidate the precise field and charge-flow dynamics governing this phenomenon.
Comparative Security Analysis: Effectiveness Against Mitigations
A comprehensive assessment of the impact on mitigation is presented:
- ECC is shown to be inadequate: ScaleDisturb can induce up to 40 bitflips in a 64-bit word, far exceeding correction capacity (SECDED/Chipkill).
- Safety margin approaches—lowering activation thresholds by 10–60%—incur substantial overhead (~28.6% performance and ~58.8% energy in PARA at 60% margin), but even smaller margins leave devices with worst-case low ACmin vulnerable.
- Adaptive RowPress policies (tMRO limits, ImPress) struggle with temporal asymmetry: counters for long-open aggressors can prematurely trigger mitigations, degrading system bandwidth.
Figure 6: System-level performance under various mitigation mechanisms with scaled safety margins, highlighting prohibitive costs of secure margining.
Figure 7: Energy overheads for heightened mitigation, further illustrating the trade-off in DRAM protection.
Novel Mitigation: TeACUp
To counter the deficiencies exposed by ScaleDisturb, the authors propose TeACUp—a counter update strategy that dynamically scales the increment of aggressor counters according to their relative aggregate open times, using the minimum-to-maximum ratio (DSR). This correction delays the premature threshold crossing otherwise induced by asymmetric patterns and eliminates unnecessary preventive refreshes, restoring appropriate timing between logical counter growth and actual disturbance risk.
Figure 8: Overview of TeACUp's dynamic scaling mechanism to balance counter progression under asymmetric open-time patterns.
TeACUp evaluation demonstrates:
Real-System Attack Demonstration
The paper validates practical feasibility of the attack by inducing ScaleDisturb bitflips on a real Intel DDR4 system with TRR-enabled DRAM. The asymmetric access pattern, realized in software, circumvents TRR by employing dummy row activations to saturate tracking capacity. Empirically, ScaleDisturb triggers bitflips where RowPress fails and in greater numbers when both succeed.
Figure 10: Bitflip counts for multiple NUM_AGGR_ACTS, highlighting ScaleDisturb's uniquely expanded vulnerability window (blue).
Figure 11: Bitflip comparison: ScaleDisturb (blue) far exceeds RowHammer (yellow) and RowPress (red), confirming heightened attack potency.
Sensitivity Analysis: Data, Temperature, and Device Diversity
The amplification effect is observed to be dependent on device fabrication, temperature, and data pattern. At high temperatures, sensitivity to asymmetry is increased, particularly for certain data patterns (Rowstripe1), while chip vendor and die revision influence both baseline ACmin and relative reduction.
Implications and Future Directions
The discovery of the ScaleDisturb pattern—temporal asymmetry as a critical untapped variable in read disturbance—redefines the threat landscape for DRAM reliability:
- Existing profiling and mitigation protocols may significantly underestimate actual device vulnerability, creating security and reliability blind spots.
- As DRAM scaling proceeds, immunity to read disturbance may decrease further, potentially making even conservative mitigation strategies less effective.
The work bridges a crucial gap in the access-pattern versus vulnerability matrix, directly motivating new lines of hardware design (wordline coupling, field compensation), device-level physics investigation, and cross-layer security engineering (including coordinated controller and OS policies).
Conclusion
This paper provides a rigorous, large-scale, and deeply integrated study of the ScaleDisturb access pattern, exposing the impact of temporal asymmetry in aggressor row open times as a potent amplifier of DRAM read disturbance. Both its experimental methodology and mitigation proposal, TeACUp, significantly advance understanding and management of disturbance-induced reliability threats, demonstrating that the DRAM community must revisit assumptions about vulnerability characterization and defense, especially as commodity DRAM continues to scale and diversify in architecture and use.