A new variation of the Rowhammer attack, named Phoenix, breaks through the built-in defenses of modern DDR5 memory modules.
Researchers reverse-engineered the in-DRAM protections on SK Hynix chips and found blind spots that let them flip bits despite the most advanced hardware safeguards.
Their work shows that every tested DDR5 module from the world’s largest DRAM maker remains vulnerable to carefully designed hammering patterns.
Discovering Gaps in DDR5 Defenses
SK Hynix added Target Row Refresh (TRR) to fight Rowhammer by refreshing rows that see heavy use.
Earlier patterns could not fool these mitigations, so the research team used FPGA-based tests to map when and how TRR refreshes happened.
By increasing the length of their hammer patterns, they saw that the protection repeats every 128 refresh intervals—eight times longer than assumed by existing attacks.
They then drilled into the first and last 64 intervals. In the early part, they found no consistent sampling, while the later part showed refreshes skipping two out of every four intervals. These lightly sampled intervals became the entry point for new attack patterns.
Using their findings, the team built two fresh Rowhammer patterns. The shorter pattern spans 128 refresh intervals, avoiding the first inconsistent segment and hammering only the lightly sampled windows.
Repeating this segment sixteen times lets it run across thousands of intervals without triggering built-in defenses. The longer pattern covers 2,608 intervals and exploits the same blind spots with even finer timing control.
Tested on fifteen SK Hynix DIMMs made between 2021 and 2024, the short pattern succeeded on eight modules, while the long one worked on the rest.
Both patterns can trigger thousands of bit flips—on average nearly 5,000 per run—and each module was vulnerable to at least one of them.
A critical hurdle was staying in sync with the DRAM refresh commands over such long periods. Current methods like Zenhammer lose alignment too quickly.
Phoenix introduces a self-correcting sync that tracks refresh periodicity and realigns the pattern whenever a refresh is missed.
This ensures reliable hammering across thousands of intervals. With this method, the team built the first public Rowhammer privilege escalation exploit on a default PC setup, achieving full root access in as little as 109 seconds.
The researchers also demonstrated attacks on real-world targets. Every tested DDR5 module allowed manipulation of page-table entries to gain arbitrary memory read/write.
Most DIMMs (73 percent) exposed RSA-2048 keys in co-located virtual machines, putting SSH authentication at risk. A third of the modules let attackers overwrite the sudo binary to escalate local privileges.
By reproducing the Rubicon sudo exploit on DDR5, they showed average exploitation times of just over five minutes.
Phoenix proves that even the latest DDR5 defenses can be outsmarted with precise timing and pattern design. The findings call for new in-DRAM strategies to truly stop future Rowhammer attacks.