AutoPRAC: Automating Attack Discovery for PRAC-Based Rowhammer Defenses using Model Checkers

📅 2026-06-22
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the lack of formal verification and automated attack discovery in existing PRAC-based Rowhammer defense mechanisms, which are typically evaluated using manually crafted attacks. For the first time, the authors model a PRAC implementation as a bounded state machine and integrate model checking techniques to automatically verify security-critical properties under a worst-case oracle adversary model, simultaneously generating counterexample attack traces that violate these properties. Applying this approach, they uncover a previously unreported vulnerability in the MOAT defense scheme concerning its counter reset policy, which allows a Rowhammer attacker to activate hammering up to 34 times above the detection threshold without being caught. This significantly enhances the ability to identify subtle implementation flaws in Rowhammer mitigations.
📝 Abstract
Per-Row Activation Counting (PRAC) in DDR5 is a specification to mitigate Rowhammer attacks by tracking activations per row and triggering mitigative refreshes when needed. However, the security of PRAC designs is currently evaluated using human-crafted attack patterns and we lack formal verification of their security properties, or automated techniques to detect implementation flaws. In this work, we present AutoPRAC, the first automated technique to test the security of PRAC-based defenses using model checkers. AutoPRAC models PRAC implementations as bounded state machines and checks security-critical safety properties against a worst-case oracle attacker. If a property is violated, the framework produces a concrete counterexample trace corresponding to a successful attack. Using AutoPRAC, we uncover a previously unreported flaw in MOAT, a state-of-the-art PRAC defense, in its counter-reset policy that allows up to 34 activations to go undetected above the Rowhammer threshold. Our results demonstrate that AutoPRAC can automatically discover subtle security flaws in Rowhammer mitigations and serves as an early-stage design aid for attack discovery on PRAC designs.
Problem

Research questions and friction points this paper is trying to address.

PRAC
Rowhammer
security verification
automated attack discovery
formal verification
Innovation

Methods, ideas, or system contributions that make the work stand out.

AutoPRAC
Model Checking
Rowhammer Defense
PRAC
Formal Verification
🔎 Similar Papers
No similar papers found.