Rowhammer in the Wild: Large-Scale Insights from FlippyR.AM

Day 3 23:00 One en Security
Dec. 29, 2025 23:00-23:40
Fahrplan__event__banner_image_alt Rowhammer in the Wild: Large-Scale Insights from FlippyR.AM
Last year at 38c3, we gave a talk titled "Ten Years of Rowhammer: A Retrospect (and Path to the Future)." In this talk, we summarized 10 years of Rowhammer research and highlighted gaps in our understanding. For instance, although nearly all DRAM generations from DDR3 to DDR5 are vulnerable to the Rowhammer effect, we still do not know its real-world prevalence. For that reason, we invited everyone at 38c3 last year to participate in our large-scale Rowhammer prevalence study. In this year's talk, we will first provide an update on Rowhammer research and present our results from that study. A lot has happened in Rowhammer research in 2025. We have evidence that DDR5 is as vulnerable to Rowhammer as previous generations. Other research shows that not only can adversaries target rows, but columns can also be addressed and used for bit flips. Browser-based Rowhammer attacks are back on the table with Posthammer and with ECC. fail, we can mount Rowhammer attacks on DDR4 with ECC memory. In our large-scale study, we measure Rowhammer prevalence in a fully automated cross-platform framework, FlippyR.AM, using the available state-of-the-art software-based DRAM and Rowhammer tools. Our framework automatically gathers information about the DRAM and uses 5 tools to reverse-engineer the DRAM addressing functions, and based on the reverse-engineered functions, uses 7 tools to mount Rowhammer. We distributed the framework online and via USB thumb drives to thousands of participants from December 30, 2024, to June 30, 2025. Overall, we collected 1006 datasets from 822 systems with various CPUs, DRAM generations, and vendors. Our study reveals that out of 1006 datasets, 453 (371 of the 822 unique systems) succeeded in the first stage of reverse-engineering the DRAM addressing functions, indicating that successfully and reliably recovering DRAM addressing functions remains a significant open problem. In the second stage, 126 (12.5 % of all datasets) exhibited bit flips in our fully automated Rowhammer attacks. Our results show that fully automated, i.e., weaponizable, Rowhammer attacks work on a lower share of systems than FPGA-based and lab experiments indicated, but at 12.5%, are still a practical vector for threat actors. Furthermore, our results highlight that the two most pressing research challenges around Rowhammer exploitability are more reliable reverse-engineering tools for DRAM addressing functions, as 50 % of datasets without bit flips failed in the DRAM reverse-engineering stage, and reliable Rowhammer attacks across diverse processor microarchitectures, as only 12.5 % of datasets contained bit flips. Addressing each of these challenges could double the number of systems susceptible to Rowhammer and make Rowhammer a more pressing threat in real-world scenarios.

This will be a followup talk after our talk "Ten Years of Rowhammer: A Retrospect (and Path to the Future)" at 38C3. In the talk last year we gave an overview of the current state of Rowhammer and highlighted that there are no large-scale prevalence studies. We wanted to change that and asked the audience to participate in our large-scale study on Rowhammer prevalence.

We performed the large-scale study on Rowhammer prevalence thanks to many volunteers supporting our study by measuring their systems. In total, we collected 1006 datasets on 822 different systems (some systems were measured multiple times). We show that 126 of them (12.5%) are affected by Rowhammer with our fully-automated setup. This should be seen as a lower bound, since the preconditions required for effective tools failed on ~50% of the systems. Among many other insights, we learned that the fully-automated reverse-engineering of DRAM addressing functions is still an open problem and we assume the actual number of affected systems to be higher as the 12.5% we measured in our study.

Now, one year after our talk at the 38C3, we want to give an update on the current state of Rowhammer, since multiple new insights were published in the last year: The first reliable Rowhammer exploit on DDR5, a JavaScript implementation of Rowhammer that works on current DDR4 systems, and an ECC bypass on DDR4, just to name a few. Additionally, we want to present the results of our large-scale study on Rowhammer prevalence which was supported by the audience from last year's talk.

Speakers of this event

Avatar of Martin Heckel
Martin Heckel
Die vortragende Person hat noch keine Beschreibung zu sich zur Verfügung gestellt.
  • Rowhammer in the Wild: Large-Scale Insights from FlippyR.AM
Avatar of Florian Adamsky
Florian Adamsky

Florian Adamsky attended the first Chaos Communication Congress in 2000 (17C3). He co-founded Chaostreff Regensburg at some point, before becoming immersed in academia, from which he has not found his way out. As a result, he has been serving as a professor of IT security at Hof University of Applied Sciences since 2019. In 2020, he established his own small research group called System and Network Security (SNS), which focuses on phishing, anonymity networks, and hardware-based side-channel attacks, such as Rowhammer.

  • Rowhammer in the Wild: Large-Scale Insights from FlippyR.AM
Avatar of Daniel Gruss
Daniel Gruss

Daniel Gruss (@lavados) is a Professor at Graz University of Technology. He has been teaching undergraduate courses since 2010. Daniel's research focuses on side channels and transient execution attacks. He implemented the first remote fault attack running in a website, known as Rowhammer.js. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018. He frequently speaks at top international venues.

  • Rowhammer in the Wild: Large-Scale Insights from FlippyR.AM