Phoenix - an attack on DDR5 chips that leads to memory corruption

Researchers from ETH Zurich together with engineers from Google have developed a new Rowhammer-class attack technique β€” Phoenix (CVE-2025-6202), which allows to bypass the TRR (Target Row Refresh) protection mechanisms used in DDR5 chips, which prevents memory cell corruption due to charge loss. A prototype of an exploit has been published, which allows changing the contents of a specific bit in RAM and achieving an increase in privileges in the system. The attack was demonstrated on a PC with an AMD processor based on the Zen 4 microarchitecture and SK Hynix DDR5 memory, on which typical desktop tasks were performed.

RowHammer attack allows to distort the contents of individual bits of DRAM memory by cyclically reading data from neighboring memory cells. Since DRAM memory is a two-dimensional array of cells, each of which consists of a capacitor and a transistor, performing continuous reading of the same memory area leads to voltage fluctuations and anomalies, causing a small loss of charge of neighboring cells. If the reading intensity is high, then the neighboring cell can lose a large enough amount of charge that the next refresh cycle will not have time to restore its original state, which will lead to a change in the value of the data stored in the cell.

The Rowhammer attack method was proposed in 2014, after which a game of "cat and mouse" began between security researchers and hardware manufacturers - memory chip manufacturers tried to block the vulnerability, and researchers found new ways to bypass it. For example, to protect against RowHammer, chip manufacturers added the TRR (Target Row Refresh) mechanism, but it turned out that it only blocks cell corruption in special cases, but does not protect against all possible attack variants. Attack methods were developed for DDR3, DDR4 and DDR5 chips on systems with Intel, AMD and ARM processors, as well as for video memory used in NVIDIA video cards. Moreover, ways to bypass ECC error correction were found and options for carrying out an attack over the network and through the execution of JavaScript code in the browser were proposed.

The key to bypassing DRAM memory cell corruption protection is understanding the logic of the TRR mechanism, which relies heavily on hiding implementation details and the security by obscurity principle. To determine the logic and perform reverse engineering, researchers created special boards based on the FGPA Arty-A7 and ZCU104, which allow testing DDR5 SO-DIMM and RDIMM memory modules, identifying memory cell access patterns, determining which low-level DDR commands are transmitted after software memory operations, and analyzing the response to them.


Phoenix - an attack on DDR5 chips that leads to memory corruption

It turned out that the protection in the analyzed DDR5 chips is implemented without additional commands to control the memory refresh rate and relies on schemes with a variable cell recharge rate. To successfully conduct a Rowhammer attack in these conditions, precise tracking of thousands of cell refresh operations is required. In such conditions, previously existing Rowhammer attack methods were inapplicable, and the researchers developed a new method that self-corrects access patterns as missed memory refresh operations are detected during the attack.

The method proved effective and during testing allowed to achieve controlled memory bit distortion on all of the 15 tested DDR5 chips from SK Hynix (36% of the DRAM market), manufactured from late 2021 to late 2024. Distortion of one bit was enough to create an exploit that allowed to gain root access to the system when attacking a system with an AMD Ryzen 7 7700X CPU and SK Hynix DDR5 memory for 109 seconds. To block the proposed attack method, it is recommended to increase the memory refresh rate by three times.

The following techniques are considered as exploitation methods that allow one to obtain root rights by distorting a single bit: changing the contents of entries in the memory page table entry (PTE) to obtain kernel privileges; damaging the public RSA-2048 key stored in memory in OpenSSH (it is possible to bring the public key into someone else's virtual machine (This is a direct translation of the original text to the attacker's private key for connecting to the victim's VM). Bypassing privilege checking by modifying the memory of the sudo process. The PTE method worked for all 15 chips tested; the RSA attack was successful for 11 chips, and the sudo attack was successful for 5.


Phoenix - an attack on DDR5 chips that leads to memory corruption

The exploit utilizes the Rubicon technique, which was discovered simultaneously with the Phoenix attack, to place memory page tables in selected DRAM cells. Rubicon manipulates optimizations in the kernel's memory allocation system. Linux and allows memory allocation in areas with a different "migratetype" value, reserved for privileged operations. The issue has been confirmed in kernels. Linux starting from 5.4 and ending with 6.8, but theoretically the vulnerability affects all kernels with the Zoned Buddy Allocator memory allocation mechanism.

In addition to simplifying Rowhammer attacks, Rubicon can also be used to improve the efficiency of microarchitectural attacks such as Spectre and to simplify the identification of the memory location of sensitive data that needs to be extracted through leaks during speculative execution of instructions. Rubicon eliminates the time-consuming stage of memory scanning and file identification such as /etc/shadow. Instead, microarchitectural vulnerabilities can be exploited immediately due to the predetermined file location at a known physical address. For example, using Rubicon, data leakage on a system with an Intel i7-8700K CPU was accelerated from 2698 to 9.5 seconds (284 times), and on an AMD EPYC 7252 CPU, from 189 to 27.9 seconds (6.8 times).

Play Video

Meanwhile, another group of researchers from George Mason University demonstrated the applicability of Rowhammer-class attacks to compromising AI systems. The researchers proposed a method called OneFlip, which allows for targeted modification of AI models' behavior by corrupting a single bit of memory. Sample code for inserting a Trojanized change into a neural network is available. They demonstrated how a single-bit change can be used to distort the operation of a self-driving model, changing its interpretation of a "Stop" sign to a "Speed ​​Limit" sign. The method's use for bypassing facial recognition systems is also discussed. For models storing weights as 32-bit integers, the attack's success rate is estimated at 99.9% without affecting the original characteristics of the model.


Phoenix - an attack on DDR5 chips that leads to memory corruption


Source: opennet.ru
Buy reliable hosting for sites with DDoS protection, VPS VDS servers πŸ”₯ Buy reliable website hosting with DDoS protection, VPS VDS servers | ProHoster