Posthammer: Pervasive Browser-based Rowhammer Attacks with Postponed Refresh Commands

Finn de Ridder, Patrick Jattke, and Kaveh Razavi, ETH Zurich

Rowhammer attacks are pervasive in client systems when launched natively. The biggest Rowhammer threat for such systems, however, lies in the browser. Our large-scale evaluation of browser-based Rowhammer attacks shows that they can only trigger bit flips on a small fraction of DRAM devices. Postponing refresh commands that trigger in-DRAM mitigations can boost the performance of Rowhammer attacks, but it has never been demonstrated in practice.

We introduce Posthammer, a new Rowhammer attack in JavaScript that forces the CPU's memory controller to postpone refresh commands by creating long durations of intense Rowhammer activity followed by sufficiently long delay windows to allow the memory controller to batch refresh commands. Posthammer features a new abstraction called lane, which enables a subset of addresses in a Rowhammer pattern to be accessed more often. Lanes enable Posthammer to support effective refresh-postponed non-uniform patterns in the browser for the first time. Our evaluation shows that Posthammer is 2.8× more effective than the state of the art, triggering bit flips on 86% of our 28 DDR4 test devices.

Category: Short Presentation


BibTeX
@inproceedings {308006,
author = {Finn de Ridder and Patrick Jattke and Kaveh Razavi},
title = {Posthammer: Pervasive Browser-based Rowhammer Attacks with Postponed Refresh Commands},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {5661--5678},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/de-ridder},
publisher = {USENIX Association},
month = aug
}
