ECC.fail: Mounting Rowhammer Attacks on DDR4 Servers with ECC Memory
Nureddin Kamadan
34th USENIX Security Symposium (USENIX Security '25) · Day 3 · Hardware Security 3: Side-Channel and Fault Injection Attacks
The "ECC.fail" talk presented at USENIX Security unveils a groundbreaking **Rowhammer** attack targeting DDR4 servers equipped with **Error Correction Code (ECC)** memory. Historically, ECC memory has been considered a robust defense against Rowhammer-induced bit flips, because it either corrects single-bit errors transparently or crashes the system upon detecting multi-bit errors, thereby preventing malicious exploitation. This research, however, demonstrates the first successful Rowhammer attack on DDR4 server DIMMs, effectively bypassing ECC protections to achieve arbitrary bit flips and even forge cryptographic signatures.
AI review
This is the real thing: original, difficult hardware security research that breaks a long-standing assumption the industry has been leaning on for years. Bypassing ECC on DDR4 server DIMMs via a combination of biased TRR exploitation, ECC matrix reverse engineering, a timing side-channel for stealthy flip detection, and abuse of Intel's CHPQ feature is not a talk — it's a multi-year research program compressed into a single session. The end-to-end RSA signature forgery demo seals it.