Security
Rowhammer in the Wild: Large-Scale Insights from FlippyR.AM
29. Dezember 2025
23:00 – 23:40 In Kalender übernehmen
23:00 – 23:40 In Kalender übernehmen
One
Last year at 38c3, we gave a talk titled "Ten Years of Rowhammer: A Retrospect (and Path to the Future)."
In this talk, we summarized 10 years of Rowhammer research and highlighted gaps in our understanding.
For instance, although nearly all DRAM generations from DDR3 to DDR5 are vulnerable to the Rowhammer effect, we still do not know its real-world prevalence.
For that reason, we invited everyone at 38c3 last year to participate in our large-scale Rowhammer prevalence study.
In this year's talk, we will first provide an update on Rowhammer research and present our results from that study.
A lot has happened in Rowhammer research in 2025.
We have evidence that DDR5 is as vulnerable to Rowhammer as previous generations.
Other research shows that not only can adversaries target rows, but columns can also be addressed and used for bit flips.
Browser-based Rowhammer attacks are back on the table with Posthammer and with ECC. fail, we can mount Rowhammer attacks on DDR4 with ECC memory.
In our large-scale study, we measure Rowhammer prevalence in a fully automated cross-platform framework, FlippyR.AM, using the available state-of-the-art software-based DRAM and Rowhammer tools.
Our framework automatically gathers information about the DRAM and uses 5 tools to reverse-engineer the DRAM addressing functions, and based on the reverse-engineered functions, uses 7 tools to mount Rowhammer.
We distributed the framework online and via USB thumb drives to thousands of participants from December 30, 2024, to June 30, 2025. Overall, we collected 1006 datasets from 822 systems with various CPUs, DRAM generations, and vendors.
Our study reveals that out of 1006 datasets, 453 (371 of the 822 unique systems) succeeded in the first stage of reverse-engineering the DRAM addressing functions, indicating that successfully and reliably recovering DRAM addressing functions remains a significant open problem.
In the second stage, 126 (12.5 % of all datasets) exhibited bit flips in our fully automated Rowhammer attacks.
Our results show that fully automated, i.e., weaponizable, Rowhammer attacks work on a lower share of systems than FPGA-based and lab experiments indicated, but at 12.5%, are still a practical vector for threat actors.
Furthermore, our results highlight that the two most pressing research challenges around Rowhammer exploitability are more reliable reverse-engineering tools for DRAM addressing functions, as 50 % of datasets without bit flips failed in the DRAM reverse-engineering stage, and reliable Rowhammer attacks across diverse processor microarchitectures, as only 12.5 % of datasets contained bit flips.
Addressing each of these challenges could double the number of systems susceptible to Rowhammer and make Rowhammer a more pressing threat in real-world scenarios.
This will be a followup talk after our talk "Ten Years of Rowhammer: A Retrospect (and Path to the Future)" at 38C3.
In the talk last year we gave an overview of the current state of Rowhammer and highlighted that there are no large-scale prevalence studies.
We wanted to change that and asked the audience to participate in our large-scale study on Rowhammer prevalence.
We performed the large-scale study on Rowhammer prevalence thanks to many volunteers supporting our study by measuring their systems.
In total, we collected 1006 datasets on 822 different systems (some systems were measured multiple times).
We show that 126 of them (12.5%) are affected by Rowhammer with our fully-automated setup.
This should be seen as a lower bound, since the preconditions required for effective tools failed on ~50% of the systems.
Among many other insights, we learned that the fully-automated reverse-engineering of DRAM addressing functions is still an open problem and we assume the actual number of affected systems to be higher as the 12.5% we measured in our study.
Now, one year after our talk at the 38C3, we want to give an update on the current state of Rowhammer, since multiple new insights were published in the last year:
The first reliable Rowhammer exploit on DDR5, a JavaScript implementation of Rowhammer that works on current DDR4 systems, and an ECC bypass on DDR4, just to name a few.
Additionally, we want to present the results of our large-scale study on Rowhammer prevalence which was supported by the audience from last year's talk.
Weitere Infos
| Live Stream | https://streaming.media.ccc.de/39c3/one |
|---|---|
| Format | Talk |
| Sprache | Englisch |
Weitere Sessions
| 27.12.25 |
The Great Firewall of China (GFW) is one of, if not arguably the most advanced Internet censorship systems in the world. Because repressive governments generally do not simply publish their censorship rules, the task of determining exactly what is and isn’t allowed falls upon the censorship measurement community, who run experiments over censored networks. In this talk, we’ll discuss two ways censorship measurement has evolved from passive experimentation to active attacks against the Great ...
|
| 27.12.25 |
Reports of GNSS interference in the Baltic Sea have become almost routine — airplanes losing GPS, ships drifting off course, and timing systems failing. But what happens when a group of engineers decides to build a navigation system that simply *doesn’t care* about the jammer? Since 2017, we’ve been developing **R-Mode**, a terrestrial navigation system that uses existing radio beacons and maritime infrastructure to provide independent positioning — no satellites needed. In this talk, ...
|
| 27.12.25 |
Zwei Jahre nach dem ersten KIM-Vortrag auf dem 37C3: Die gezeigten Schwachstellen wurden inzwischen geschlossen. Weiterhin können mit dem aktuellen KIM 1.5+ nun große Dateien bis 500 MB übertragen werden, das Signaturhandling wurde für die Nutzenden vereinfacht, indem die Detailinformationen der Signatur nicht mehr einsehbar sind. Aber ist das System jetzt sicher oder gibt es neue Probleme?
|
| 27.12.25 |
While trying to apply fault injection to the AMD Platform Security Processor with unusual (self-imposed) requirements/restrictions, it were software bugs which stopped initial glitching attempts. Once discovered, the software bug was used as an entry to explore the target, which in turn lead to uncovering (and exploiting) more and more bugs, ending up in EL3 of the most secure core on the chip. This talk is about the story of trying to glitch the AMD Platform Security Processor, then ...
|
| 27.12.25 |
The Deutschlandticket was the flagship transport policy of the last government, rolled out in an impressive timescale for a political project; but this speed came with a cost - a system ripe for fraud at an industrial scale. German public transport is famously decentralised, with thousands of individual companies involved in ticketing and operations. Unifying all of these under one national, secure, system has proven a challenge too far for politicians. The end result: losses in the hundreds of ...
|
| 27.12.25 |
In August 2024, Raspberry Pi released their newest MCU: The RP2350. Alongside the chip, they also released the RP2350 Hacking Challenge: A public call to break the secure boot implementation of the RP2350. This challenge concluded in January 2025 and led to five exciting attacks discovered by different individuals. In this talk, we will provide a technical deep dive in the RP2350 security architecture and highlight the different attacks. Afterwards, we talk about two of the breaks in ...
|
| 27.12.25 |
FreeBSD’s jail mechanism promises strong isolation—but how strong is it really? In this talk, we explore what it takes to escape a compromised FreeBSD jail by auditing the kernel’s attack surface, identifying dozens of vulnerabilities across exposed subsystems, and developing practical proof-of-concept exploits. We’ll share our findings, demo some real escapes, and discuss what they reveal about the challenges of maintaining robust OS isolation.
|
