{"id":13876,"date":"2025-10-14T20:00:30","date_gmt":"2025-10-14T17:00:30","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=13876"},"modified":"2025-10-14T20:07:23","modified_gmt":"2025-10-14T17:07:23","slug":"phoenix-rowhammer-attack","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/phoenix-rowhammer-attack\/13876\/","title":{"rendered":"Phoenix: DDR5 belle\u011fe kar\u015f\u0131 Rowhammer sald\u0131r\u0131s\u0131"},"content":{"rendered":"

2025 y\u0131l\u0131n\u0131n Eyl\u00fcl ay\u0131nda, ETH Z\u00fcrih (\u0130svi\u00e7re Federal Teknoloji Enstit\u00fcs\u00fc) ara\u015ft\u0131rmac\u0131lar\u0131 taraf\u0131ndan, DDR5 bellek mod\u00fclleri \u00fczerinde \u00e7al\u0131\u015fan Rowhammer sald\u0131r\u0131s\u0131n\u0131n bir modifikasyonu olan Phoenix\u2019i tan\u0131tan bir makale yay\u0131nland\u0131<\/a>. Yazarlar, yeni sald\u0131r\u0131n\u0131n test edilen 15 mod\u00fcle kar\u015f\u0131 etkinli\u011fini g\u00f6stermekle kalmad\u0131, ayn\u0131 zamanda; bellekten veri okuma ve yazma, bellekte depolanan \u00f6zel \u015fifreleme anahtar\u0131n\u0131 \u00e7alma ve Linux\u2019un sudo yard\u0131mc\u0131 program\u0131 korumalar\u0131n\u0131 atlatarak ayr\u0131cal\u0131klar\u0131 y\u00fckseltme olmak \u00fczere, \u00fc\u00e7 pratik kullan\u0131m \u00f6rne\u011fi de \u00f6nerdi.<\/p>\n

Rowhammer sald\u0131r\u0131s\u0131: K\u0131sa bir tarih\u00e7e<\/h2>\n

Bu olduk\u00e7a karma\u015f\u0131k \u00e7al\u0131\u015fmay\u0131 anlamak i\u00e7in, \u00f6nce Rowhammer\u2019\u0131n tarih\u00e7esini k\u0131saca g\u00f6zden ge\u00e7irmemiz gerekir. Rowhammer sald\u0131r\u0131s\u0131 ilk olarak 2014 y\u0131l\u0131nda yay\u0131nlanan bir ara\u015ft\u0131rma makalesinde<\/a> tan\u0131mlanm\u0131\u015ft\u0131r. O zamanlar, Carnegie Mellon \u00dcniversitesi ve Intel\u2019den ara\u015ft\u0131rmac\u0131lar, bellek h\u00fccrelerinin s\u0131ralar\u0131na tekrar tekrar eri\u015fmenin, biti\u015fik bellek h\u00fccrelerinin de\u011ferinin de\u011fi\u015fmesine neden olabilece\u011fini g\u00f6stermi\u015flerdi. Bu kom\u015fu h\u00fccreler kritik veriler i\u00e7erebilir ve bu verilerin de\u011fi\u015ftirilmesi ciddi sonu\u00e7lara (\u00f6rne\u011fin ayr\u0131cal\u0131k y\u00fckseltme) yol a\u00e7abilir.<\/p>\n

Bunun nedeni, bellek yongas\u0131ndaki her h\u00fccrenin esasen bir kondansat\u00f6r (elektrik y\u00fck\u00fcn\u00fc sadece k\u0131sa bir s\u00fcre tutabilen basit bir bile\u015fen) olmas\u0131d\u0131r. Bu nedenle bu bellekler ge\u00e7icidir; bilgisayar veya sunucu kapat\u0131ld\u0131\u011f\u0131nda veriler kaybolur. Ayn\u0131 nedenden dolay\u0131, h\u00fccrelerdeki y\u00fck s\u0131k s\u0131k yenilenmelidir, o bellek b\u00f6lgesine kimse eri\u015fmiyor olsa bile<\/em>.<\/p>\n

Bellek h\u00fccreleri izole de\u011fildir; sat\u0131r ve s\u00fctunlar halinde d\u00fczenlenmi\u015ftir ve birbirleriyle etkile\u015fime girerek parazite neden olabilirler. Bir sat\u0131ra eri\u015fim, kom\u015fu sat\u0131r\u0131 etkileyebilir; \u00f6rne\u011fin, bir sat\u0131r\u0131 yenilemek ba\u015fka bir sat\u0131rdaki verileri bozabilir. Y\u0131llar boyunca, bu etki yaln\u0131zca bellek \u00fcreticileri taraf\u0131ndan biliniyordu, onlar da g\u00fcvenilirli\u011fi art\u0131rmak ad\u0131na bu etkiyi en aza indirgemek i\u00e7in ellerinden geleni yapt\u0131lar. Ancak h\u00fccreler k\u00fc\u00e7\u00fcl\u00fcp birbirine daha s\u0131k\u0131 bir \u015fekilde yerle\u015ftirildik\u00e7e, \u201cs\u0131ral\u0131 \u00e7eki\u00e7leme\u201d etkisi ger\u00e7ek d\u00fcnyadaki sald\u0131r\u0131larda kullan\u0131labilir hale geldi.<\/p>\n

Rowhammer sald\u0131r\u0131s\u0131 g\u00f6sterildikten sonra, bellek geli\u015ftiricileri savunma mekanizmalar\u0131 geli\u015ftirmeye ba\u015flad\u0131 ve bunun sonucunda Target Row Refresh (TRR) donan\u0131m teknolojisi ortaya \u00e7\u0131kt\u0131. TRR teoride basittir; sat\u0131rlara agresif eri\u015fimi izler ve tespit edildi\u011finde, biti\u015fik sat\u0131rlar\u0131 zorla yeniler. Uygulamada bu, pek etkili olmad\u0131. 2021 y\u0131l\u0131nda ara\u015ft\u0131rmac\u0131lar, daha sofistike bellek h\u00fccresi eri\u015fim modelleri kullanarak TRR\u2019yi atlatan Blacksmith sald\u0131r\u0131s\u0131n\u0131<\/a> tan\u0131mlad\u0131lar.<\/p>\n

Geli\u015ftiriciler yeniden uyum sa\u011flad\u0131lar; DDR5 mod\u00fcllerinde Rowhammer benzeri sald\u0131r\u0131lara kar\u015f\u0131 daha da geli\u015fmi\u015f savunma mekanizmalar\u0131 eklediler ve zorunlu yenileme h\u0131z\u0131n\u0131 art\u0131rd\u0131lar. Yeni sald\u0131r\u0131lar\u0131n \u00f6nlenmesi i\u00e7in \u00fcreticiler, hangi \u00f6nlemlerin al\u0131nd\u0131\u011f\u0131n\u0131 a\u00e7\u0131klamaktan ka\u00e7\u0131nd\u0131lar. Bu, bir\u00e7ok ki\u015finin DDR5\u2019in Rowhammer sorununu etkili bir \u015fekilde \u00e7\u00f6zd\u00fc\u011f\u00fcne inanmas\u0131na neden oldu. Ancak, ge\u00e7en y\u0131l, ayn\u0131 ETH Z\u00fcrih\u2019ten ara\u015ft\u0131rmac\u0131lar DDR5 mod\u00fcllerine ba\u015far\u0131l\u0131 bir \u015fekilde sald\u0131rmay\u0131<\/a> ba\u015fard\u0131lar. Ancak belirli ko\u015fullar gerekliydi: Bellek, AMD Zen 2 veya Zen 3 i\u015flemcilerle e\u015fle\u015ftirilmeliydi ve bu durumda bile baz\u0131 mod\u00fcller etkilenmedi.<\/p>\n

Yeni sald\u0131r\u0131n\u0131n \u00f6zellikleri<\/h2>\n

Phoenix\u2019i geli\u015ftirmek i\u00e7in ara\u015ft\u0131rmac\u0131lar TRR mekanizmas\u0131nda tersine m\u00fchendislik uygulad\u0131lar. \u00c7e\u015fitli bellek sat\u0131r\u0131 eri\u015fim modellerindeki davran\u0131\u015f\u0131n\u0131 analiz ettiler ve biti\u015fik sat\u0131rlar i\u00e7in koruman\u0131n tetiklenip tetiklenmedi\u011fini kontrol ettiler. TRR\u2019nin \u00f6nemli \u00f6l\u00e7\u00fcde daha karma\u015f\u0131k hale geldi\u011fi ve \u00f6nceden bilinen eri\u015fim modellerinin art\u0131k i\u015fe yaramad\u0131\u011f\u0131 ortaya \u00e7\u0131kt\u0131. Koruma art\u0131k bu modelleri potansiyel olarak tehlikeli ibaresiyle do\u011fru bir \u015fekilde i\u015faretliyor ve biti\u015fik sat\u0131rlar\u0131 zorla yeniliyor. Sonu\u00e7 olarak, ara\u015ft\u0131rmac\u0131lar 128 TRR izlemeli bellek eri\u015fiminden sonra, savunmalar\u0131n daha zay\u0131f oldu\u011fu 64 eri\u015fimlik bir \u201cf\u0131rsat penceresi\u201d ortaya \u00e7\u0131kt\u0131\u011f\u0131n\u0131 ke\u015ffettiler. Koruma sistemi tamamen ba\u015far\u0131s\u0131z oldu\u011fu i\u00e7in de\u011fil, ancak hedef bellek h\u00fccresindeki de\u011fer de\u011fi\u015fikli\u011fini \u00f6nlemek i\u00e7in verdi\u011fi yan\u0131tlar yetersiz oldu\u011fu i\u00e7in. \u0130kinci pencere, 2608 yenileme aral\u0131\u011f\u0131 boyunca bellek h\u00fccrelerine eri\u015fildikten sonra g\u00f6r\u00fcn\u00fcr.<\/p>\n

Ara\u015ft\u0131rmac\u0131lar daha sonra bu savunmas\u0131z noktalar\u0131 ayr\u0131nt\u0131l\u0131 olarak inceleyerek, savunma mekanizmalar\u0131n\u0131 devre d\u0131\u015f\u0131 b\u0131rak\u0131rken bellek h\u00fccrelerine son derece hedefli bir sald\u0131r\u0131 ger\u00e7ekle\u015ftirdiler. Basit\u00e7e s\u00f6ylemek gerekirse, sald\u0131r\u0131 \u015fu \u015fekilde i\u015fler: K\u00f6t\u00fc ama\u00e7l\u0131 kod, TRR mekanizmas\u0131n\u0131 yanl\u0131\u015f bir g\u00fcvenlik hissine kap\u0131lmaya y\u00f6nlendiren bir dizi sahte eri\u015fim ger\u00e7ekle\u015ftirir. Ard\u0131ndan sald\u0131r\u0131n\u0131n aktif a\u015famas\u0131 ger\u00e7ekle\u015fir ve bu a\u015fama sonunda hedef h\u00fccre de\u011ferini de\u011fi\u015ftirir. Sonu\u00e7 olarak, ekip, sald\u0131r\u0131n\u0131n pazar liderlerinden biri olan SK Hynix taraf\u0131ndan \u00fcretilen test edilmi\u015f 15 DDR5 mod\u00fcl\u00fcn\u00fcn t\u00fcm\u00fcnde g\u00fcvenilir bir \u015fekilde i\u015fe yarad\u0131\u011f\u0131n\u0131 do\u011frulad\u0131.<\/p>\n

\u00dc\u00e7 ger\u00e7ek d\u00fcnya sald\u0131r\u0131 senaryosu<\/h2>\n

Ger\u00e7ek\u00e7i bir sald\u0131r\u0131, kesin olarak tan\u0131mlanm\u0131\u015f bir bellek b\u00f6lgesindeki bir de\u011feri de\u011fi\u015ftirmelidir ki bu zor bir g\u00f6revdir. \u0130lk olarak, sald\u0131rgan\u0131n hedef yaz\u0131l\u0131m hakk\u0131nda ayr\u0131nt\u0131l\u0131 bilgiye sahip olmas\u0131 gerekir. Birden fazla geleneksel g\u00fcvenlik kontrol\u00fcn\u00fc atlatmalar\u0131 gerekir ve hedefi sadece bir veya iki bit ka\u00e7\u0131rmak ba\u015far\u0131l\u0131 bir sald\u0131r\u0131 yerine sistemin \u00e7\u00f6kmesine neden olabilir.<\/p>\n

\u0130svi\u00e7reli ara\u015ft\u0131rmac\u0131lar, Phoenix\u2019in ger\u00e7ek d\u00fcnyada hasara yol a\u00e7abilece\u011fini kan\u0131tlamaya \u00e7al\u0131\u015ft\u0131lar. \u00dc\u00e7 sald\u0131r\u0131 senaryosunu de\u011ferlendirdiler. Birincisi (PTE), RAM verilerinin keyfi okuma\/yazma ko\u015fullar\u0131n\u0131 olu\u015fturmak i\u00e7in sayfa tablosuna eri\u015fmeyi i\u00e7eriyordu. \u0130kincisi (RSA), bellekten bir RSA-2048 \u00f6zel \u015fifreleme anahtar\u0131 \u00e7almay\u0131 ama\u00e7l\u0131yordu. \u00dc\u00e7\u00fcnc\u00fcs\u00fc (sudo), ayr\u0131cal\u0131k y\u00fckseltme amac\u0131yla standart Linux sudo yard\u0131mc\u0131 program\u0131n\u0131n korumalar\u0131n\u0131 atlatmay\u0131 i\u00e7eriyordu. \u00c7al\u0131\u015fman\u0131n nihai sonu\u00e7lar\u0131 bu tabloda g\u00f6sterilmi\u015ftir:<\/p>\n

\"Phoenix<\/a>

Phoenix sald\u0131r\u0131s\u0131n\u0131n etkinli\u011fi. Kaynak<\/a><\/p><\/div>\n

Baz\u0131 mod\u00fcllerde ilk sald\u0131r\u0131 varyant\u0131 (128 yenileme aral\u0131\u011f\u0131) etkili olurken, di\u011ferlerinde yaln\u0131zca ikinci y\u00f6ntem (2608 aral\u0131k) i\u015fe yarad\u0131. Baz\u0131 deneylerde RSA anahtar h\u0131rs\u0131zl\u0131\u011f\u0131 ve sudo istismarlar\u0131 ba\u015far\u0131l\u0131 olamad\u0131. Ancak, t\u00fcm mod\u00fcller i\u00e7in rastgele bellek okuma\/yazma y\u00f6ntemi bulundu ve bu t\u00fcr sald\u0131r\u0131lar i\u00e7in istismar s\u00fcresi yakla\u015f\u0131k be\u015f saniye ile yedi dakika aras\u0131nda olmak \u00fczere nispeten k\u0131sayd\u0131. Bu, Rowhammer sald\u0131r\u0131lar\u0131n\u0131n, son derece s\u0131n\u0131rl\u0131 bir dizi senaryoda da olsa, ger\u00e7ek bir risk olu\u015fturdu\u011funu g\u00f6stermek i\u00e7in yeterlidir.<\/p>\n

Alaka d\u00fczeyi ve kar\u015f\u0131 \u00f6nlemler<\/h2>\n

Phoenix sald\u0131r\u0131s\u0131, Rowhammer tarz\u0131 sald\u0131r\u0131lar\u0131n DDR4 ve DDR3\u2019te oldu\u011fu kadar DDR5 mod\u00fcllerine de ayn\u0131 derecede etkili bir \u015fekilde ger\u00e7ekle\u015ftirilebilece\u011fini g\u00f6stermektedir. Sadece tek bir tedarik\u00e7inin mod\u00fclleri test edilmi\u015f ve ara\u015ft\u0131rmac\u0131lar bu tedarik\u00e7inin TRR algoritmas\u0131nda d\u00fczeltilmesi kolay bir zay\u0131fl\u0131k ke\u015ffetmi\u015f olsa da bu, bellek mod\u00fcllerinin g\u00fcvenlik ara\u015ft\u0131rmalar\u0131nda \u00f6nemli bir ad\u0131md\u0131r.<\/p>\n

Yazarlar, Rowhammer tipi sald\u0131r\u0131lara kar\u015f\u0131 \u00e7e\u015fitli \u00f6nlemler \u00f6nerdiler. \u0130lk olarak, t\u00fcm h\u00fccrelerde zorunlu yenileme aral\u0131\u011f\u0131n\u0131 azaltmak sald\u0131r\u0131y\u0131 \u00f6nemli \u00f6l\u00e7\u00fcde engelleyebilir. Bu, g\u00fc\u00e7 t\u00fcketimini ve \u00e7ip s\u0131cakl\u0131\u011f\u0131n\u0131 art\u0131rabilir, ancak basit bir \u00e7\u00f6z\u00fcmd\u00fcr. \u0130kincisi, hata d\u00fczeltme kodu (ECC) i\u00e7eren bellek kullan\u0131labilir. Bu, Rowhammer sald\u0131r\u0131lar\u0131n\u0131 karma\u015f\u0131kla\u015ft\u0131r\u0131r, ancak, biraz da paradoksal bir \u015fekilde, bunlar\u0131 tamamen imkans\u0131z hale getirmez<\/a>.<\/p>\n

Bu bariz \u00f6nlemlerin \u00f6tesinde, yazarlar iki \u00f6nlem daha belirtmektedir. \u0130lki, halihaz\u0131rda uygulanmakta olan Hassas Yenileme Modu koruma y\u00f6ntemidir. \u0130\u015flemcinin bellek denetleyicisine entegre edilmi\u015f olan bu \u00f6zellik, Rowhammer sald\u0131r\u0131lar\u0131na kar\u015f\u0131 diren\u00e7 sa\u011flamak i\u00e7in bellek h\u00fccresi yenileme davran\u0131\u015f\u0131n\u0131 de\u011fi\u015ftirir. \u0130kincisi ise, ara\u015ft\u0131rmac\u0131lar bellek mod\u00fcl\u00fc ve \u00e7ip geli\u015ftiricilerini, \u00f6zel g\u00fcvenlik \u00f6nlemlerine (\u201cbelirsizlik yoluyla g\u00fcvenlik\u201d) g\u00fcvenmekten vazge\u00e7meye \u00e7a\u011f\u0131r\u0131rlar. Bunun yerine, kriptografide yayg\u0131n olarak kullan\u0131lan bir yakla\u015f\u0131m\u0131 benimsemeyi \u00f6nerirler. Bu yakla\u015f\u0131mda g\u00fcvenlik algoritmalar\u0131 kamuya a\u00e7\u0131kt\u0131r ve ba\u011f\u0131ms\u0131z testlere tabi tutulur.<\/p>\n\n","protected":false},"excerpt":{"rendered":"

\u0130svi\u00e7re’deki ara\u015ft\u0131rmac\u0131lar, DDR5 bellek mod\u00fcllerine sald\u0131rman\u0131n bir yolunu buldu.<\/p>\n","protected":false},"author":665,"featured_media":13877,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194,1727],"tags":[2812,754,790],"class_list":{"0":"post-13876","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"category-smb","10":"tag-bellek","11":"tag-donanim","12":"tag-guvenlik-aciklari"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/phoenix-rowhammer-attack\/13876\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/phoenix-rowhammer-attack\/29700\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/phoenix-rowhammer-attack\/24771\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/phoenix-rowhammer-attack\/29588\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/phoenix-rowhammer-attack\/28647\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/phoenix-rowhammer-attack\/31534\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/phoenix-rowhammer-attack\/30189\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/phoenix-rowhammer-attack\/40627\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/phoenix-rowhammer-attack\/54528\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/phoenix-rowhammer-attack\/23285\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/phoenix-rowhammer-attack\/24389\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/phoenix-rowhammer-attack\/32786\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/phoenix-rowhammer-attack\/29803\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/phoenix-rowhammer-attack\/35532\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/phoenix-rowhammer-attack\/35156\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/donanim\/","name":"donan\u0131m"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/13876","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/665"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=13876"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/13876\/revisions"}],"predecessor-version":[{"id":13882,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/13876\/revisions\/13882"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/13877"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=13876"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=13876"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=13876"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}