Rowhammer remains one of the more stubborn hardware-level security problems in the industry. The vulnerability, rooted in how DRAM cells store electrical charges, allows an attacker to cause bit flips in memory rows adjacent to ones being repeatedly accessed. Those bit flips can be weaponized for privilege escalation, unauthorized data access, or denial of service. Google’s Security team has published new details on its ongoing effort to understand the limits of current DDR5 mitigations and support the development of stronger defenses.
Why Existing Mitigations Fall Short
Hardware vendors have deployed mitigations such as Error Correcting Code (ECC) and Target Row Refresh (TRR) in DDR5 memory to reduce Rowhammer risk. TRR works by tracking access counts on aggressor rows and issuing targeted refreshes before a bit flip can occur. However, prior research has shown this approach is bypassable. The TRRespass attack demonstrated that hammering multiple non-adjacent rows simultaneously can exhaust TRR’s limited counter resources. Later work, including the Half-Double and Blacksmith attacks, introduced more sophisticated patterns that further undermined probabilistic defenses.
Google notes that while it has collaborated with JEDEC and external researchers to define a new mitigation called PRAC (Per-Row Activation Counting), which deterministically tracks all memory rows, current DDR5 systems do not yet support it. Those systems continue to rely on ECC and enhanced TRR, whose resilience against advanced techniques was not fully characterized until Google’s recent research.
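To make the counter-exhaustion argument above concrete, here is a simplified model, added to this summary and not code from Google, ETH Zurich or JEDEC, that contrasts a TRR-style tracker with a fixed number of counter slots against a PRAC-style tracker with one counter per row. The refresh threshold, table size, eviction policy and access sequences are constructed assumptions; real TRR implementations are proprietary and differ in detail.

```python
"""Constructed model of two Rowhammer trackers: a TRR-style tracker with a
fixed number of counter slots versus a PRAC-style tracker with one counter
per row. Parameters and access sequences are assumptions, not vendor data."""
from collections import Counter

REFRESH_THRESHOLD = 8  # assumed activations per window before a targeted refresh


def limited_counter_tracker(activations, table_size):
    """TRR-style model: at most `table_size` rows are counted at once; when
    full, the least-activated entry is evicted (assumed policy). Returns the
    rows that triggered a targeted refresh."""
    table, refreshed = {}, set()
    for row in activations:
        if row not in table:
            if len(table) >= table_size:
                del table[min(table, key=table.get)]  # evict lowest count
            table[row] = 0
        table[row] += 1
        if table[row] >= REFRESH_THRESHOLD:
            refreshed.add(row)
            table[row] = 0  # refresh issued, counter reset
    return refreshed


def per_row_tracker(activations):
    """PRAC-style model: every row owns a counter, so no activation is lost."""
    counts, refreshed = Counter(), set()
    for row in activations:
        counts[row] += 1
        if counts[row] >= REFRESH_THRESHOLD:
            refreshed.add(row)
            counts[row] = 0
    return refreshed


def unprotected_rows(activations, refreshed):
    """Rows that reached the threshold without ever receiving a refresh."""
    hot = {r for r, n in Counter(activations).items() if n >= REFRESH_THRESHOLD}
    return hot - refreshed


# Constructed sequences: two interleaved aggressor rows vs. eight of them.
TWO_AGGRESSORS = [10, 12] * REFRESH_THRESHOLD
MANY_AGGRESSORS = list(range(8)) * REFRESH_THRESHOLD

if __name__ == "__main__":
    for name, seq in (("two rows", TWO_AGGRESSORS), ("eight rows", MANY_AGGRESSORS)):
        trr = unprotected_rows(seq, limited_counter_tracker(seq, table_size=4))
        prac = unprotected_rows(seq, per_row_tracker(seq))
        print(f"{name}: TRR left {sorted(trr)} unprotected, PRAC left {sorted(prac)}")
```

Running it shows the four-slot tracker protecting both of two interleaved rows but none of eight, while the per-row tracker refreshes every row that reaches the threshold.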
Custom Test Platforms for DDR5 Analysis
A core obstacle in Rowhammer research is the difficulty of issuing precise, low-level DDR commands to real memory modules on standard hardware. To address this, Google partnered with Antmicro to design and manufacture two open-source FPGA-based test platforms specifically for DDR5 analysis.
- DDR5 RDIMM Platform: A new tester board targeting Registered DIMM memory, the form factor common in server environments.
- SO-DIMM Platform: A variant supporting the standard SO-DIMM pinout used in workstations and consumer devices.
Both platforms are open-source and were developed in close collaboration with researchers from ETH Zurich, who used them to analyze off-the-shelf DDR5 modules in both form factors. Understanding how software-level memory accesses translate to DDR protocol commands, and how in-DRAM TRR mechanisms operate internally, required this kind of specialized instrumentation. An off-the-shelf interposer was used alongside the FPGA platforms to monitor DDR traffic between a host processor and DRAM.
Phoenix Attacks and New Findings
Working with the ETH Zurich team, Google applied these platforms to analyze current DDR5 modules, leading to the discovery of new attack techniques the collaboration has named Phoenix. The research demonstrates that even the improved TRR implementations present in current DDR5 hardware can be circumvented by a determined adversary using carefully crafted access patterns.
The findings are intended to inform stronger mitigations across the DRAM ecosystem. For cloud and multi-tenant environments in particular, where hardware is shared across untrusted workloads, robust Rowhammer defenses are a prerequisite for meaningful isolation guarantees.
