arXiv: AutoPRAC: Automating Attack Discovery for PRAC-Based Rowhammer Defenses using Model Checkers
AI_SAFETY. Sourced from arxiv_cscr, summarised by Matproof.
AI Analysis
What changed and what to do.
This publication, titled AutoPRAC, presents a new automated method for discovering attack patterns that can bypass PRAC-based Rowhammer defenses in computer memory hardware. Rowhammer is a vulnerability where repeated access to one memory row can corrupt data in adjacent rows, and PRAC is a proposed mitigation standard. The paper demonstrates that model checkers can systematically find previously unknown attack sequences that defeat these defenses, meaning current hardware protections may be insufficient against sophisticated adversaries.
This publication directly affects organizations that manufacture, deploy, or certify memory hardware and cloud infrastructure, particularly in the EU under the Cyber Resilience Act and the NIS2 Directive. Sectors including data centers, cloud service providers, semiconductor manufacturers, and critical infrastructure operators should take note. Any entity relying on PRAC-based Rowhammer protections in its hardware supply chain or internal systems is potentially exposed to new attack vectors that could compromise data integrity and system reliability.
Compliance teams should immediately review their hardware security assessments to determine if PRAC-based defenses are used in their supply chain or deployed systems. They should engage with hardware vendors to request updated vulnerability disclosures and mitigation timelines. Teams should also update their risk registers to reflect this newly demonstrated attack surface and prepare for potential regulatory guidance from ENISA or national cybersecurity authorities. Proactive monitoring of hardware security patches and firmware updates will be essential in the coming months.
This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.