Rowhammer in the Wild: Large-Scale Insights from FlippyR.AM
(en)
Martin Heckel, Florian Adamsky, Daniel Gruss
Last year at 38c3, we gave a talk titled "Ten Years of Rowhammer: A Retrospect (and Path to the Future)."
In this talk, we summarized 10 years of Rowhammer research and highlighted gaps in our understanding.
For instance, although nearly all DRAM generations from DDR3 to DDR5 are vulnerable to the Rowhammer effect, we still do not know its real-world prevalence.
For that reason, we invited everyone at 38c3 last year to participate in our large-scale Rowhammer prevalence study.
In this year's talk, we will first provide an update on Rowhammer research and present our results from that study.
A lot has happened in Rowhammer research in 2025.
We have evidence that DDR5 is as vulnerable to Rowhammer as previous generations.
Other research shows that not only can adversaries target rows, but columns can also be addressed and used for bit flips.
Browser-based Rowhammer attacks are back on the table with Posthammer and with ECC. fail, we can mount Rowhammer attacks on DDR4 with ECC memory.
In our large-scale study, we measure Rowhammer prevalence in a fully automated cross-platform framework, FlippyR.AM, using the available state-of-the-art software-based DRAM and Rowhammer tools.
Our framework automatically gathers information about the DRAM and uses 5 tools to reverse-engineer the DRAM addressing functions, and based on the reverse-engineered functions, uses 7 tools to mount Rowhammer.
We distributed the framework online and via USB thumb drives to thousands of participants from December 30, 2024, to June 30, 2025. Overall, we collected 1006 datasets from 822 systems with various CPUs, DRAM generations, and vendors.
Our study reveals that out of 1006 datasets, 453 (371 of the 822 unique systems) succeeded in the first stage of reverse-engineering the DRAM addressing functions, indicating that successfully and reliably recovering DRAM addressing functions remains a significant open problem.
In the second stage, 126 (12.5 % of all datasets) exhibited bit flips in our fully automated Rowhammer attacks.
Our results show that fully automated, i.e., weaponizable, Rowhammer attacks work on a lower share of systems than FPGA-based and lab experiments indicated, but at 12.5%, are still a practical vector for threat actors.
Furthermore, our results highlight that the two most pressing research challenges around Rowhammer exploitability are more reliable reverse-engineering tools for DRAM addressing functions, as 50 % of datasets without bit flips failed in the DRAM reverse-engineering stage, and reliable Rowhammer attacks across diverse processor microarchitectures, as only 12.5 % of datasets contained bit flips.
Addressing each of these challenges could double the number of systems susceptible to Rowhammer and make Rowhammer a more pressing threat in real-world scenarios.