How to know whether a RAM module is vulnerable to rowhammer before buying?


How to know whether a RAM module is vulnerable to rowhammer before buying?

I'd like to know (or at least perform some reasonable guess) if a RAM is vulnerable to rowhammer attack. I haven't found any list of vulnerable or secure RAM modules. I've seen some general rules (DDR4 is OK, ECC is some mitigation factor), but I can apply none of these.
It is OK to buy a module, test it and return it if it is not OK. But I don't want to do that, say, ten times.


Answer 1:

For DDR4:

One DRAM manufacturer, Micron, indicated that they are putting rowhammer mitigations into some of their DDR4 DRAM (see this data sheet). Other manufacturers might be doing the same.

Note that it is not necessarily true that “DDR4 is OK”. There’s nothing in the DDR4 standard that makes DDR4 memory safer than DDR3 memory — the DDR4 standard does not contain any rowhammer mitigation features. If DDR4 memory is safer, that would only be because manufacturers are being more careful about their newer memory, such as by implementing rowhammer mitigations internally within the DRAM modules.

For DDR3:

As far as I know, there are no public lists, either official or unofficial, of which DDR3 DRAM parts have the rowhammer fault and which don’t. The DRAM manufacturers haven’t published any lists, and no-one has compiled any unofficial lists yet.

You could try asking DRAM manufacturers directly, but I don’t know how helpful they would be.

If you pick a DRAM module that you’re considering buying, you could try looking up the part number on the manufacturer’s web site. In some cases, you can get the SPD data for the module. There’s a “MAC” (Maximum Activation Count) field in the SPD data. If MAC=”Unlimited”, that’s supposed to mean “known to be rowhammer-free”. However, the status of this MAC field in the DDR standards is not really clear. (For some background, see this post.)