16 C
Canberra
Friday, October 24, 2025

Supporting Rowhammer analysis to guard the DRAM ecosystem


To handle this hole and assist the ecosystem with deploying sturdy defenses, Google has supported tutorial analysis and developed take a look at platforms to investigate DDR5 reminiscence. Our effort has led to the invention of recent assaults and a deeper understanding of Rowhammer on the present DRAM modules, serving to to forge the best way for additional, stronger mitigations.

What’s Rowhammer? 

Rowhammer exploits a vulnerability in DRAM. DRAM cells retailer knowledge as electrical fees, however these electrical fees leak over time, inflicting knowledge corruption. To forestall knowledge loss, the reminiscence controller periodically refreshes the cells. Nonetheless, if a cell discharges earlier than the refresh cycle, its saved bit could corrupt. Initially thought of a reliability concern, it has been leveraged by safety researchers to show privilege escalation assaults. By repeatedly accessing a reminiscence row, an attacker could cause bit flips in neighboring rows. An adversary can exploit Rowhammer through:

  1. Reliably trigger bit flips by repeatedly accessing adjoining DRAM rows.

  2. Coerce different purposes or the OS into utilizing these weak reminiscence pages.

  3. Goal security-sensitive code or knowledge to attain privilege escalation.

  4. Or just corrupt system’s reminiscence to trigger denial of service. 

Earlier work has repeatedly demonstrated the potential of such assaults from software program [Revisiting rowhammer, Are we susceptible to rowhammer?, Drammer,  Flip feng shui, Jolt]. Consequently, defending in opposition to Rowhammer is required for safe isolation in multi-tenant environments just like the cloud. 

Rowhammer Mitigations 

The first strategy to mitigate Rowhammer is to detect which reminiscence rows are being aggressively accessed and refreshing close by rows earlier than a bit flip happens. TRR is a standard instance, which makes use of quite a few counters to trace accesses to a small variety of rows adjoining to a possible sufferer row. If the entry rely for these aggressor rows reaches a sure threshold, the system points a refresh to the sufferer row. TRR will be included throughout the DRAM or within the host CPU.

Nonetheless, this mitigation isn’t foolproof. For instance, the TRRespass assault confirmed that by concurrently hammering a number of, non-adjacent rows, TRR will be bypassed. Over the previous couple of years, extra subtle assaults [Half-Double, Blacksmith] have emerged, introducing extra environment friendly assault patterns. 

In response, one in all our efforts was to collaborate with JEDEC, exterior researchers, and consultants to outline the PRAC as a brand new mitigation that deterministically detects Rowhammer by monitoring all reminiscence rows. 

Nonetheless, present techniques geared up with DDR5 lack help for PRAC or different sturdy mitigations. Consequently, they depend on probabilistic approaches equivalent to ECC and enhanced TRR to scale back the danger. Whereas these measures have mitigated older assaults, their total effectiveness in opposition to new methods was not absolutely understood till our latest findings.

Challenges with Rowhammer Evaluation 

Mitigating Rowhammer assaults includes making it troublesome for an attacker to reliably trigger bit flips from software program. Subsequently, for an efficient mitigation, we have now to know how a decided adversary introduces reminiscence accesses that bypass present mitigations. Three key info elements will help with such an evaluation:

  1. How the improved TRR and in-DRAM ECC work.

  2. How reminiscence entry patterns from software program translate into low-level DDR instructions.

  3. (Optionally) How any mitigations (e.g., ECC or TRR) within the host processor work.

Step one is especially difficult and includes reverse-engineering the proprietary in-DRAM TRR mechanism, which varies considerably between completely different producers and gadget fashions. This course of requires the flexibility to concern exact DDR instructions to DRAM and analyze its responses, which is troublesome on an off-the-shelf system. Subsequently, specialised take a look at platforms are important.

The second and third steps contain analyzing the DDR visitors between the host processor and the DRAM. This may be completed utilizing an off-the-shelf interposer, a instrument that sits between the processor and DRAM. A vital a part of this evaluation is knowing how a dwell system interprets software-level reminiscence accesses into the DDR protocol.

The third step, which includes analyzing host-side mitigations, is typically elective. For instance, host-side ECC (Error Correcting Code) is enabled by default on servers, whereas host-side TRR has solely been applied in some CPUs. 

Rowhammer testing platforms

For the primary problem, we partnered with Antmicro to develop two specialised, open-source FPGA-based Rowhammer take a look at platforms. These platforms enable us to conduct in-depth testing on several types of DDR5 modules.

  • DDR5 RDIMM Platform: A brand new DDR5 Tester board to satisfy the {hardware} necessities of Registered DIMM (RDIMM) reminiscence, frequent in server computer systems.

  • SO-DIMM Platform: A model that helps the usual SO-DIMM pinout suitable with off-the-shelf DDR5 SO-DIMM reminiscence sticks, frequent in workstations and end-user units.

Antmicro designed and manufactured these open-source platforms and we labored intently with them, and researchers from ETH Zurich, to check the applicability of those platforms for analyzing off-the-shelf reminiscence modules in RDIMM and SO-DIMM kinds.

Antmicro DDR5 RDIMM FPGA take a look at platform in motion.

Phoenix Assaults on DDR5

In collaboration with researchers from ETH, we utilized the brand new Rowhammer take a look at platforms to guage the effectiveness of present in-DRAM DDR5 mitigations. Our findings, detailed within the not too long ago co-authored “Phoenix” analysis paper, reveal that we efficiently developed customized assault patterns able to bypassing enhanced TRR (Goal Row Refresh) protection on DDR5 reminiscence. We have been in a position to create a novel self-correcting refresh synchronization assault approach, which allowed us to carry out the first-ever Rowhammer privilege escalation exploit on an ordinary, production-grade desktop system geared up with DDR5 reminiscence. Whereas this experiment was performed on an off-the-shelf workstation geared up with latest AMD Zen processors and SK Hynix DDR5 reminiscence, we proceed to analyze the applicability of our findings to different {hardware} configurations.

Classes realized 

We confirmed that present mitigations for Rowhammer assaults will not be enough, and the difficulty stays a widespread drawback throughout the trade. They do make it harder “however not inconceivable” to hold out assaults, since an attacker wants an in-depth understanding of the particular reminiscence subsystem structure they want to goal.

Present mitigations based mostly on TRR and ECC depend on probabilistic countermeasures which have inadequate entropy. As soon as an analyst understands how TRR operates, they’ll craft particular reminiscence entry patterns to bypass it. Moreover, present ECC schemes weren’t designed as a safety measure and are due to this fact incapable of reliably detecting errors.

Reminiscence encryption is another countermeasure for Rowhammer. Nonetheless, our present evaluation is that with out cryptographic integrity, it presents no worthwhile protection in opposition to Rowhammer. Extra analysis is required to develop viable, sensible encryption and integrity options.

Path ahead

Google has been a pacesetter in JEDEC standardization efforts, as an example with PRAC, a completely accepted commonplace to be supported in upcoming variations of DDR5/LPDDR6. It really works by precisely counting the variety of occasions a DRAM wordline is activated and alerts the system if an extreme variety of activations is detected. This shut coordination between the DRAM and the system provides PRAC a dependable solution to deal with Rowhammer. 

Within the meantime, we proceed to guage and enhance different countermeasures to make sure our workloads are resilient in opposition to Rowhammer. We collaborate with our tutorial and trade companions to enhance evaluation methods and take a look at platforms, and to share our findings with the broader ecosystem.

Wish to be taught extra?

“Phoenix: Rowhammer Assaults on DDR5 with Self-Correcting Synchronization” will probably be introduced at IEEE Safety & Privateness 2026 in San Francisco, CA (MAY 18-21, 2026).

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

[td_block_social_counter facebook="tagdiv" twitter="tagdivofficial" youtube="tagdiv" style="style8 td-social-boxed td-social-font-icons" tdc_css="eyJhbGwiOnsibWFyZ2luLWJvdHRvbSI6IjM4IiwiZGlzcGxheSI6IiJ9LCJwb3J0cmFpdCI6eyJtYXJnaW4tYm90dG9tIjoiMzAiLCJkaXNwbGF5IjoiIn0sInBvcnRyYWl0X21heF93aWR0aCI6MTAxOCwicG9ydHJhaXRfbWluX3dpZHRoIjo3Njh9" custom_title="Stay Connected" block_template_id="td_block_template_8" f_header_font_family="712" f_header_font_transform="uppercase" f_header_font_weight="500" f_header_font_size="17" border_color="#dd3333"]
- Advertisement -spot_img

Latest Articles