New “Phoenix” Rowhammer Variant Circumvents DDR5 Protections, Researchers Warn

A newly discovered variant of the notorious Rowhammer attack, dubbed Phoenix, has been shown to defeat the most advanced in-DRAM safeguards on modern DDR5 memory modules.

Researchers at ETH Zurich’s Communication Security Group reverse-engineered the Target Row Refresh (TRR) mechanisms on SK Hynix chips and uncovered timing blind spots that allow bit-flips despite built-in defenses.

Their experiments reveal that every tested DDR5 module from the world’s second-largest DRAM manufacturer remains vulnerable to carefully crafted hammering patterns.

Mapping the Gaps in DDR5 Defenses

SK Hynix introduced TRR to counter traditional Rowhammer techniques by autonomously refreshing rows that experience high activation frequencies.

Previous attacks failed to evade these mitigations because they did not account for the precise scheduling of TRR refreshes.

To pinpoint weaknesses, the research team leveraged an FPGA testbench to monitor when and how often each row refresh occurred.

By extending their memory-activation sequences across 128 consecutive refresh intervals—eight times longer than earlier Rowhammer patterns—they observed a periodic refresh schedule that repeated every 128 intervals.

Drilling deeper, the team divided this window into two halves of 64 intervals each. In the first half, refresh sampling proved erratic and unpredictable.

The second half, however, exhibited a stable but incomplete refresh pattern, with two out of every four intervals skipped.

These under-sampled periods emerged as ideal windows to initiate targeted hammering patterns without triggering TRR defenses.

Armed with this timing insight, researchers devised two novel attack sequences.

The short pattern occupies a single 128-interval cycle but avoids the unpredictable early segment, focusing solely on the lightly sampled second half.

Repeating this 64-interval hammer segment sixteen times enables sustained bit-flipping across thousands of intervals.

The long pattern spans 2,608 intervals, leveraging the same weak windows with even finer timing resolution.

When tested on fifteen SK Hynix DDR5 DIMMs produced between 2021 and 2024, the short pattern succeeded on eight modules, while the long pattern compromised all remaining units.

A crucial advancement in Phoenix is its self-correcting synchronization mechanism, which continuously tracks DRAM refresh periodicity and realigns the hammer sequence after any missed refresh.

Traditional methods like ZenHammer quickly lose alignment over long runs, but Phoenix maintains precise timing across thousands of intervals, ensuring reliable exploitation.

Demonstrating practical impact, the team built the first public Rowhammer privilege-escalation exploit on a stock PC running default settings.

By manipulating page-table entries, they achieved full root access in as little as 109 seconds.

In real-world tests, 73 percent of modules exposed RSA-2048 private keys within co-located virtual machines, risking silent SSH key theft.

One-third of the DIMMs allowed direct overwrite of the sudo binary, enabling local privilege escalation; the reproduced “Rubicon” sudo exploit completed in just over five minutes on average.

Phoenix underscores that the latest DDR5 mitigations can be outmaneuvered through meticulous timing and pattern design.

The researchers call for a new generation of in-DRAM defense strategies—potentially combining randomized refresh scheduling and enhanced row-tracking—to thwart future Rowhammer variants once and for all.
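
Why randomized refresh scheduling helps can be seen in a toy model of the sampling schedule described above. The Python sketch below is an added example, not code from the researchers or from the original article: it compares a fixed 128-interval sampler against a randomized sampler with the same average rate. Which two of every four intervals are skipped, the choice to treat the erratic first half as always sampled, and all function names are assumptions made for illustration.

```python
import random

PERIOD = 128          # refresh intervals per sampling cycle (from the article)
HALF = PERIOD // 2    # the cycle splits into two halves of 64 intervals

def periodic_sampler(interval):
    """Toy model of a fixed schedule: True if this interval is sampled.
    Assumption: in the second half, positions 2 and 3 of every group of
    four are skipped (the article says only that two of four are skipped).
    The erratic first half is modelled as always sampled."""
    pos = interval % PERIOD
    return pos < HALF or pos % 4 < 2

def randomized_sampler(seed, rate=0.5):
    """Mitigation model: every interval is sampled independently with
    probability `rate`, so no position is predictably unobserved."""
    rng = random.Random(seed)
    return lambda interval: rng.random() < rate

def blind_intervals():
    """Cycle positions that the fixed schedule never observes."""
    return [p for p in range(PERIOD) if not periodic_sampler(p)]

def observed_fraction(sampler, positions, cycles):
    """Share of activity at `positions` that the sampler sees over `cycles`."""
    seen = sum(sampler(c * PERIOD + p) for c in range(cycles) for p in positions)
    return seen / (cycles * len(positions))

def first_observed(sampler, positions, cycles):
    """Number of unobserved active intervals before the first sample,
    or None if the activity is never sampled."""
    n = 0
    for c in range(cycles):
        for p in positions:
            if sampler(c * PERIOD + p):
                return n
            n += 1
    return None

if __name__ == "__main__":
    blind = blind_intervals()
    print("blind positions per cycle:", len(blind))
    print("fixed schedule sees:", observed_fraction(periodic_sampler, blind, 100))
    print("randomized sees:", observed_fraction(randomized_sampler(1), blind, 100))
    print("first sample (fixed):", first_observed(periodic_sampler, blind, 100))
    print("first sample (random):", first_observed(randomized_sampler(1), blind, 100))
```

In this model, activity confined to the fixed schedule's skipped positions is never sampled, while the randomized sampler observes about half of it and does so almost immediately.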


The post New “Phoenix” Rowhammer Variant Circumvents DDR5 Protections, Researchers Warn appeared first on Cyber Security News.
