RogueRFM: Attacking Refresh Management for Covert-Channel and Denial-of-Service

📅 2025-01-11
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work exposes a security vulnerability in DDR5 memory’s Refresh Management (RFM) interface, stemming from cross-bank interference. We first identify and model RFM’s timing dependencies and unintended cross-bank side effects. Leveraging this insight, we design the first high-bandwidth RFM-based covert channel—achieving 31.3 KB/s—without requiring multi-bank control. Additionally, we devise a single-bank-triggered cross-bank denial-of-service attack that degrades system performance by up to 67% under realistic workloads. Our methodology combines DRAM timing analysis, reverse-engineering of the RFM interface, and cross-bank side-channel modeling. We validate both attacks across SPEC2017, PARSEC, and LIGRA benchmarks and demonstrate their efficacy even in bank-partitioned systems. This is the first systematic study to uncover and characterize RFM’s security risks, providing critical insights for secure DDR5 memory architecture design.

📝 Abstract
With lowering thresholds, transparently defending against Rowhammer within DRAM is challenging due to the lack of time to perform mitigation. Commercially deployed in-DRAM defenses like TRR that steal time from normal refreshes (REF) to perform mitigation have been proven ineffective against Rowhammer. In response, a new Refresh Management (RFM) interface has been added to the DDR5 specifications. RFM provides dedicated time to an in-DRAM defense to perform mitigation. Several recent works have used RFM for the intended purpose - building better Rowhammer defenses. However, to the best of our knowledge, no prior study has looked at the potential security implications of this new feature if an attacker subjects it to intentional misuse. Our paper shows that RFM introduces new side effects in the system - the activity of one bank causes interference with the operation of the other banks. Thus, the latency of a bank becomes dependent on the activity of other banks. We use these side effects to build two new attacks. First, a novel memory-based covert channel, which has a bandwidth of up to 31.3 KB/s, and is also effective even in a bank-partitioned system. Second, a new Denial-of-Service (DOS) attack pattern that exploits the activity within a single bank to reduce the performance of the other banks. Our experiments on SPEC2017, PARSEC, and LIGRA workloads show a slowdown of up to 67% when running alongside our DOS pattern. We also discuss potential countermeasures for our attacks.
Problem

Research questions and friction points this paper is trying to address.

RFM Security Issues
DDR5 Memory Standard
Covert Communication Channels
Innovation

Methods, ideas, or system contributions that make the work stand out.

RFM Mechanism
DDR5 Memory Security
Covert Channel Attack