🤖 AI Summary
This work addresses the absence of a formal framework linking Rowhammer-induced hardware faults to program semantics, a gap that undermines guarantees for memory and information-flow security. We present the first probabilistic small-step operational semantics for an idealized imperative language under Rowhammer effects, modeling bit-flip faults via a probability monad to propagate state distributions. Building on this semantics, we mechanize in Lean a proof that physically isolated defenses satisfy non-interference under any admissible fault model, and establish a distribution-agnostic semantic collapse theorem. By integrating probabilistic operational semantics, hyperproperty modeling, and formal verification, our approach provides the first verifiable theoretical foundation for information-flow security in the presence of hardware faults.
📝 Abstract
Rowhammer is a hardware vulnerability in dynamic random-access memory (DRAM) in which repeated accesses to aggressor rows can induce bit-flips in victim rows. This phenomenon violates a core assumption of conventional programming language semantics: reading or writing one memory location does not modify others. Despite the security importance of this phenomenon, there is no formal framework connecting Rowhammer faults with program behaviour. We present a probabilistic small-step operational semantics for an idealised imperative language subject to Rowhammer-style faults. The semantics abstracts from DRAM internals and semiconductor physics. A general probabilistic fault model parameterises the semantics, representing Rowhammer-style faults by assigning probabilities to bit-flips during read or write operations. The resulting distributions are propagated through programs using the standard monadic structure of probabilistic computation. As a case study, we formalise a well-known defence that places program variables sufficiently far apart in physical memory that an access to one variable cannot disturb another. We prove a distribution-independent semantic collapse theorem: for every finite execution, including prefixes of terminating and non-terminating executions, the protected projection of the probabilistic Rowhammer semantics is the Dirac distribution of the corresponding Rowhammer-free execution. We develop an observation-parametric account of secure information flow. Non-interference is expressed as a hyperproperty comparing the distributions of low observations from low-equivalent initial memories. Consequently, physical separation preserves non-interference for every admissible fault model, while every Rowhammer non-interference violation reflects a violation already present in the Rowhammer-free semantics. The development is fully mechanised in Lean using mathlib.