
Academic researchers have devised a new variant of Rowhammer attacks that bypasses the latest security mechanisms on DDR5 memory chips from SK Hynix.
A Rowhammer attack works by repeatedly accessing specific rows of memory cells with rapid read/write operations, causing enough electrical interference to change the value of nearby bits from one to zero and vice versa (bit flipping).
An attacker could potentially corrupt data, escalate their privileges on the system, execute malicious code, or gain access to sensitive data.
One defense mechanism against Rowhammer attacks is called Target Row Refresh (TRR), which prevents bit flips by issuing an extra refresh command when it detects frequent accesses to a particular row.
Hammering DDR5 for privilege escalation
A team of researchers in the Computer Security Group (COMSEC) at ETH Zurich University in Switzerland and Google created a new DDR5 Rowhammer attack they call Phoenix, which can flip bits in memory chips to enable malicious activity.
The tests were performed on DDR5 products from Hynix, one of the largest memory chip makers with an estimated 36% of the market, but the security risk may extend to products from other vendors as well.
After reverse-engineering the complex protections that Hynix implemented against Rowhammer and learning how they worked, the researchers discovered that certain refresh intervals were not sampled by the mitigation, which could be exploited.
They also developed a method for Phoenix to track and synchronize with thousands of refresh operations by self-correcting when it detects a missed one.
To evade TRR protections, the Rowhammer patterns in the Phoenix attack cover 128 and 2,608 refresh intervals and hammer specific activation slots only at precise moments.
Using their model, the researchers were able to flip bits on all 15 DDR5 memory chips in the test pool and created the first Rowhammer privilege escalation exploit.
During tests, it took them less than two minutes to get a shell with root privileges “on a commodity DDR5 system with default settings.”
The researchers also explored the potential for practical exploitation using the Phoenix attack method to take control of a target system.
When targeting page-table entries (PTEs) to craft an arbitrary memory read/write primitive, they found that all products in the test are vulnerable.
In another test, they targeted RSA-2048 keys of a co-located VM to break SSH authentication and found that 73% of the DIMMs are exposed.
In a third evaluation, the researchers found that they could alter the sudo binary to raise their local privileges to root level on 33% of the tested chips.

source: COMSEC ETH Zurich
The table above shows that all memory chips tested are vulnerable to one of the Rowhammer patterns used in the Phoenix attack. The shorter one with 128 refresh intervals is more effective, though, producing more bit flips on average.
Phoenix is currently tracked as CVE-2025-6202 and received a high-severity rating. It affects all DIMM RAM modules produced between January 2021 and December 2024.
Although Rowhammer is an industry-wide security problem that cannot be corrected for existing memory modules, users can stop Phoenix attacks by tripling the DRAM refresh interval (tREFI).
However, this kind of stress may cause errors or data corruption and render the system unstable.
A technical paper titled “Phoenix: Rowhammer Attacks on DDR5 with Self-Correcting Synchronization” has been published and will also be presented at the IEEE Symposium on Security and Privacy next year.
The researchers also shared a repository with resources to reproduce the Phoenix attack, which includes Field-Programmable Gate Array (FPGA) based experiments to reverse-engineer TRR implementations, and the code for the proof-of-concept exploits.