In rowhammer, why will changing the voltage on one row cause the other row to open/close? Is it related to induction?

How can it change bits from 0 to 1? I understand from 1 to 0 - voltage discharge, but how can it cause cells to charge?

EDIT: This is what I understood from reading the rowhammer research document:

  1. Discharge of cells happens when turning the bitlines on and off many times.

  2. So changing the voltage on the bitlines so many times, causes some electrical current on the next bit line (because of current induction)

  3. Which will open a cell's transistor's gate,

  4. making it connect to the ram buffer,

  5. which will cause the cell to discharge (cells always discharge when reading)

They didn't specifically say that in the article, but that's what I understood.

If that's so, how can cells be charged? Is it possible that the induction is so "strong" it can fully charge a cell, and not just open the transistor gate, or did I get it completely wrong?

forest
    A lot of it is here: https://en.wikipedia.org/wiki/Row_hammer#Overview – Tom K. Aug 09 '18 at 10:53
  • @TomK. Unfortunately, that article has some factual errors in it, especially in the opening paragraph in regards to capacitors being charged by rowhammer (which does not happen). – forest Nov 09 '18 at 04:02

1 Answer

Rowhammer only works by accelerating the discharge of capacitors.

Cells don't get charged by rowhammer, only discharged. The reason you may see a logical 0 change to a logical 1 is that modern DRAM memory uses a technique called scrambling, where a small 32-bit seed is used to power an LFSR stream cipher to encrypt memory. This encryption is not designed to be cryptographically secure. It is designed only to help reduce the electrical stress on a module if it experiences huge bursts of sequential 1s or 0s. The scrambling results in any physical bit having a roughly 50% chance of being represented as the inverse logical bit, so you see logical 0s become 1s.

It's not only memory scrambling which causes this disconnect between a physical bit and a logical bit. Some cells represent a logical 1 when they are charged, whereas others are the other way around. These are referred to as true-cells and anti-cells, respectively. The majority of DRAM is composed of true-cells. That is, capacitor discharge results in a 1 becoming a 0. It's only after memory scrambling, as described above, that this can result in seemingly random bitflips on the application level.

If rowhammer were capable of charging a discharged capacitor, we would be in a far worse situation than we are now. Because a DRAM refresh results in checking a capacitor's value and re-charging it if it was charged but leaving it alone if it is discharged, refresh-based mitigations can only protect from excessive rowhammer-induced discharge. Most extant mitigations currently rely on either increasing refresh rate (e.g. going from 64ms to 32ms intervals), or detecting excessive row activations and directly refreshing adjacent rows that may become unstable as a result (e.g. TRR and pTRR).

The original paper gave three different mechanisms of action:

  1. Electromagnetic coupling - Each capacitor has its own access transistor. When this transistor is triggered, it discharges the capacitor and reads out the value to the row buffer. Changing the voltage of one wordline can induce noise in nearby wordlines, temporarily activating access transistors on that line for short periods of time, facilitating leakage of their capacitors.

  2. Bridge formation - Conductive channels can be formed between unrelated wires or capacitors. Toggling a wordline rapidly can increase the rate of leakage between bridged cells, resulting in charged capacitors discharging more quickly, potentially fast enough to corrupt them.

  3. Hot-carrier injection - While this is not particularly relevant for short-term rowhammer attacks, it has been found that toggling a wordline for hundreds of hours can permanently damage it. This can alter the characteristics of access transistors and capacitors to increase leakiness.

forest
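The following is an added toy model, not code from the answer above or from any DRAM vendor, that makes the answer's two points concrete: the physical effect of hammering is only ever loss of charge, yet scrambling and anti-cells turn that into logical flips in both directions, and a refresh only helps if it arrives while the cell still senses as charged. The row size (64 cells), charge levels and thresholds, the leak per activation, the anti-cell layout (every eighth cell), and the LFSR taps (x^32+x^22+x^2+x+1, a standard maximal-length choice, not the polynomial any real controller uses) are all assumptions chosen for illustration; the seed 0xC0FFEE is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of one DRAM row. All sizes, thresholds and taps below are assumptions for illustration. */
#define ROW_BITS  64                      /* cells in the toy row (real rows hold thousands)   */
#define FULL      100                     /* charge level after a write or a successful refresh */
#define SENSE     50                      /* the sense amplifier reads "charged" only above this */
#define ANTI_MASK 0x8080808080808080ULL   /* assumed layout: every eighth cell is an anti-cell  */

typedef struct {
    uint8_t  level[ROW_BITS];  /* physical capacitor charge, 0..FULL                    */
    uint64_t anti;             /* bitmask of anti-cells: charged means physical bit 0   */
    uint64_t mask;             /* scrambler keystream XORed with data on write and read */
} toy_row;

typedef struct { int zero_to_one, one_to_zero; } flip_counts;

/* 32-bit Galois LFSR, taps x^32+x^22+x^2+x+1. Like the real scrambler it is not a secure cipher. */
static uint32_t lfsr_next(uint32_t *s) {
    uint32_t lsb = *s & 1u;
    *s >>= 1;
    if (lsb) *s ^= 0x80200003u;
    return *s;
}

/* Expand a seed into one keystream bit per cell. A zero seed would lock the LFSR, so it maps to 1. */
static uint64_t scramble_mask(uint32_t seed) {
    uint32_t s = seed ? seed : 1u;
    uint64_t m = 0;
    for (int i = 0; i < ROW_BITS; i++) m |= (uint64_t)(lfsr_next(&s) & 1u) << i;
    return m;
}

static int popcount64(uint64_t x) { int n = 0; while (x) { n += (int)(x & 1u); x >>= 1; } return n; }

/* Write: scramble the logical word, then charge a cell when its physical bit is 1 (true-cell)
   or 0 (anti-cell). */
static void row_write(toy_row *r, uint64_t logical) {
    uint64_t physical = logical ^ r->mask;
    for (int i = 0; i < ROW_BITS; i++) {
        int pbit = (int)((physical >> i) & 1u);
        int anti = (int)((r->anti >> i) & 1u);
        r->level[i] = (pbit ^ anti) ? FULL : 0;
    }
}

/* Read: sense each capacitor, undo the cell polarity, then unscramble. */
static uint64_t row_read(const toy_row *r) {
    uint64_t physical = 0;
    for (int i = 0; i < ROW_BITS; i++) {
        int charged = r->level[i] > SENSE;
        int anti = (int)((r->anti >> i) & 1u);
        physical |= (uint64_t)(charged ^ anti) << i;
    }
    return physical ^ r->mask;
}

/* One aggressor activation: each victim cell loses `leak` units of charge. This is the entire
   rowhammer effect in the model: charge only ever goes down, a discharged cell stays discharged. */
static void row_hammer(toy_row *r, uint64_t victims, uint8_t leak) {
    for (int i = 0; i < ROW_BITS; i++)
        if ((victims >> i) & 1u) r->level[i] = r->level[i] > leak ? r->level[i] - leak : 0;
}

/* Refresh as the answer describes it: a cell that still senses as charged is topped up,
   one that has already fallen below the threshold is left discharged. */
static void row_refresh(toy_row *r) {
    for (int i = 0; i < ROW_BITS; i++)
        if (r->level[i] > SENSE) r->level[i] = FULL;
}

static flip_counts count_flips(uint64_t before, uint64_t after) {
    flip_counts c = {0, 0};
    for (int i = 0; i < ROW_BITS; i++)
        if (((before ^ after) >> i) & 1u) {
            if ((before >> i) & 1u) c.one_to_zero++; else c.zero_to_one++;
        }
    return c;
}

/* Store `data`, hammer every cell `activations` times (refreshing every `refresh_every`
   activations, 0 = never), then report logical bit flips by direction. */
static flip_counts simulate(uint64_t data, uint64_t mask, uint64_t anti,
                            int activations, int refresh_every, uint8_t leak) {
    toy_row r;
    memset(&r, 0, sizeof r);
    r.mask = mask;
    r.anti = anti;
    row_write(&r, data);
    for (int a = 1; a <= activations; a++) {
        row_hammer(&r, ~0ULL, leak);
        if (refresh_every > 0 && a % refresh_every == 0) row_refresh(&r);
    }
    return count_flips(data, row_read(&r));
}

int main(void) {
    uint64_t m = scramble_mask(0xC0FFEEu);                     /* constructed seed */
    flip_counts plain = simulate(0, 0, 0, 10, 0, 10);          /* no scrambling, true-cells only */
    flip_counts scr   = simulate(0, m, ANTI_MASK, 10, 0, 10);  /* scrambled, with anti-cells     */
    flip_counts fast  = simulate(0, m, ANTI_MASK, 100, 4, 10); /* refresh keeps up with the leak */
    flip_counts slow  = simulate(0, m, ANTI_MASK, 100, 6, 10); /* refresh arrives too late       */
    printf("all-zero word, plain row:          0->1 %2d  1->0 %2d\n", plain.zero_to_one, plain.one_to_zero);
    printf("all-zero word, scrambled row:      0->1 %2d  1->0 %2d\n", scr.zero_to_one, scr.one_to_zero);
    printf("scrambled, refresh every 4 acts:   0->1 %2d  1->0 %2d\n", fast.zero_to_one, fast.one_to_zero);
    printf("scrambled, refresh every 6 acts:   0->1 %2d  1->0 %2d\n", slow.zero_to_one, slow.one_to_zero);
    return 0;
}
```

In the plain row an all-zero word holds no charge at all, so hammering it changes nothing; once the same word is scrambled, roughly half the cells are physically charged and every one the hammer drains shows up as a logical 0 becoming a 1, even though nothing in the model ever adds charge. The two refresh runs show why the interval matters: at ten units of leak per activation a refresh every four activations always finds the cell above the sense threshold and restores it, while a refresh every six finds it already below the threshold, leaves it alone, and the flip becomes permanent.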