Mechanised operational semantics of Rowhammer

📅 2026-07-11
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the absence of a formal framework linking Rowhammer-induced hardware faults to program semantics, a gap that undermines guarantees for memory and information-flow security. We present the first probabilistic small-step operational semantics for an idealized imperative language under Rowhammer effects, modeling bit-flip faults via a probability monad to propagate state distributions. Building on this semantics, we mechanize in Lean a proof that physically isolated defenses satisfy non-interference under any admissible fault model, and establish a distribution-agnostic semantic collapse theorem. By integrating probabilistic operational semantics, hyperproperty modeling, and formal verification, our approach provides the first verifiable theoretical foundation for information-flow security in the presence of hardware faults.
📝 Abstract
Rowhammer is a hardware vulnerability in dynamic random-access memory (DRAM) in which repeated accesses to aggressor rows can induce bit-flips in victim rows. This phenomenon violates a core assumption of conventional programming language semantics: reading or writing one memory location does not modify others. Despite the security importance of this phenomenon, there is no formal framework connecting Rowhammer faults with program behaviour. We present a probabilistic small-step operational semantics for an idealised imperative language subject to Rowhammer-style faults. The semantics abstracts from DRAM internals and semiconductor physics. A general probabilistic fault model parameterises the semantics, representing Rowhammer-style faults by assigning probabilities to bit-flips during read or write operations. The resulting distributions are propagated through programs using the standard monadic structure of probabilistic computation. As a case study, we formalise a well-known defence that places program variables sufficiently far apart in physical memory that an access to one variable cannot disturb another. We prove a distribution-independent semantic collapse theorem: for every finite execution, including prefixes of terminating and non-terminating executions, the protected projection of the probabilistic Rowhammer semantics is the Dirac distribution of the corresponding Rowhammer-free execution. We develop an observation-parametric account of secure information flow. Non-interference is expressed as a hyperproperty comparing the distributions of low observations from low-equivalent initial memories. Consequently, physical separation preserves non-interference for every admissible fault model, while every Rowhammer non-interference violation reflects a violation already present in the Rowhammer-free semantics. The development is fully mechanised in Lean using mathlib.
Problem

Research questions and friction points this paper is trying to address.

Rowhammer
operational semantics
probabilistic faults
memory safety
information flow
Innovation

Methods, ideas, or system contributions that make the work stand out.

Rowhammer
probabilistic operational semantics
mechanised formalisation
non-interference
memory isolation
🔎 Similar Papers
No similar papers found.