Rowhammer: TRR on DDR5 DRAM has been broken
9 hours ago
- #DDR5
- #Rowhammer
- #Security
- Phoenix demonstrates that SK Hynix DDR5 devices are vulnerable to new Rowhammer attack variants.
- Reverse engineering reveals sophisticated in-DRAM Rowhammer mitigations with blind spots in refresh intervals.
- Two novel Rowhammer patterns bypass mitigations, requiring precise synchronization with refresh operations.
- Self-correcting refresh synchronization in Phoenix ensures alignment during attacks, enabling exploitation.
- All 15 tested SK Hynix DDR5 DIMMs are vulnerable, with bit flips exploitable in as little as 109 seconds.
- New Rowhammer patterns exploit lightly sampled intervals, with effectiveness varying by device.
- Self-correcting synchronization method overcomes challenges of long pattern execution on commodity systems.
- Practical exploits demonstrated include privilege escalation, RSA key compromise, and attacks on the sudo binary.
- Mitigation recommendations include tripling the refresh rate, though future devices need more robust solutions.
- Responsible disclosure coordinated through Swiss NCSC, with findings tracked under CVE-2025-6202.