When Mitigations Backfire: Timing Channel Attacks and Defense for PRAC-Based RowHammer Mitigations

📅 2025-05-15
🤖 AI Summary
This work uncovers a novel timing side-channel vulnerability in PRAC-class RowHammer mitigation mechanisms, arising from the interaction between Alert Backoff (ABO) protocols and Refresh Management (RFM) commands. We propose PRACLeak, a practical attack that exploits memory access latency variations to extract AES keys. To jointly address RowHammer resilience and timing security, we design TPRAC: the first lightweight, DRAM-embedded defense that eliminates timing leakage via a single-entry queue and periodic, timing-decoupled RFM scheduling. TPRAC fully complies with JEDEC standards, incurs only 3.4% performance overhead under a RowHammer threshold of 1024, and imposes minimal hardware resource overhead. It is the first DRAM-integrated solution to simultaneously satisfy stringent RowHammer mitigation requirements and strong timing-side-channel resistance.

πŸ“ Abstract
Per Row Activation Counting (PRAC) has emerged as a robust framework for mitigating RowHammer (RH) vulnerabilities in modern DRAM systems. However, we uncover a critical vulnerability: a timing channel introduced by the Alert Back-Off (ABO) protocol and Refresh Management (RFM) commands. We present PRACLeak, a novel attack that exploits these timing differences to leak sensitive information, such as secret keys from vulnerable AES implementations, by monitoring memory access latencies. To counter this, we propose Timing-Safe PRAC (TPRAC), a defense that eliminates PRAC-induced timing channels without compromising RH mitigation efficacy. TPRAC uses Timing-Based RFMs, issued periodically and independent of memory activity. It requires only a single-entry in-DRAM mitigation queue per DRAM bank and is compatible with existing DRAM standards. Our evaluations demonstrate that TPRAC closes timing channels while incurring only 3.4% performance overhead at the RH threshold of 1024.
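
The difference between activity-triggered and timing-based RFMs can be seen in a toy model. The following is an added example, not code from the paper: it models a single bank in abstract time slots, and the threshold, the period, the queue's selection rule and both access patterns are constructed assumptions.

```python
# Toy model, constructed for illustration: one DRAM bank, time in activation slots.
ALERT_THRESHOLD = 8   # assumed per-row activation count that triggers a back-off
RFM_PERIOD = 8        # assumed fixed interval between timing-based RFMs

def activity_triggered_rfms(trace):
    """Slots where the bank stalls when RFMs follow a counter reaching the threshold."""
    counts, stalls = {}, []
    for t, row in enumerate(trace):
        counts[row] = counts.get(row, 0) + 1
        if counts[row] >= ALERT_THRESHOLD:
            stalls.append(t)      # visible to any process sharing the bank
            counts[row] = 0       # row mitigated, counter reset
    return stalls

def timing_based_rfms(trace):
    """Slots where the bank stalls when RFMs fire on a fixed period.

    A single-entry queue holds the row with the highest counter seen since
    the last RFM (assumed selection rule); each RFM mitigates that row.
    """
    counts, queued, stalls, mitigated = {}, None, [], []
    for t, row in enumerate(trace):
        counts[row] = counts.get(row, 0) + 1
        if queued is None or counts[row] > counts[queued]:
            queued = row
        if (t + 1) % RFM_PERIOD == 0:
            stalls.append(t)      # happens regardless of what was accessed
            mitigated.append(queued)
            counts[queued] = 0
            queued = None
    return stalls, mitigated

# Two constructed victim access patterns standing in for secret-dependent behaviour.
HOT = ["A"] * 32                 # one row activated repeatedly
SPREAD = list("ABCDEFGH") * 4    # accesses spread over eight rows

def leaks_activity_triggered():
    """True if the stall schedule depends on the victim's access pattern."""
    return activity_triggered_rfms(HOT) != activity_triggered_rfms(SPREAD)

def leaks_timing_based():
    """True if the stall schedule depends on the victim's access pattern."""
    return timing_based_rfms(HOT)[0] != timing_based_rfms(SPREAD)[0]

if __name__ == "__main__":
    print("activity-triggered:", activity_triggered_rfms(HOT), activity_triggered_rfms(SPREAD))
    print("timing-based:      ", timing_based_rfms(HOT)[0], timing_based_rfms(SPREAD)[0])
```

In this model the activity-triggered stall schedule changes with the access pattern, while the timing-based schedule is the same for both patterns and the most-activated row is still mitigated at each RFM.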

Problem

Research questions and friction points this paper is trying to address.

Exploiting timing channels in PRAC-based RowHammer mitigations
Leaking sensitive data via memory access latency monitoring
Proposing a timing-safe defense without performance compromise

Innovation

Methods, ideas, or system contributions that make the work stand out.

PRACLeak exploits timing channels for data leakage
TPRAC eliminates timing channels safely
Timing-Based RFMs require minimal DRAM changes