GPUHammer: Researchers Prove Rowhammer Attacks Work on GPUs

Researchers have shown that Rowhammer attacks now also work on graphics cards. Their “GPUHammer” method reduced the accuracy of AI models from 80 to 0.1 percent. But how do you protect yourself against it?
Rowhammer attack on GPU memory
Security researchers from the University of Toronto have uncovered a weakness in graphics card memory systems. Their method, called “GPUHammer”, demonstrates that Rowhammer attacks, which originally arose for traditional RAM in 2014, can now also be transferred to modern GDDR6 graphics memory. In this type of attack, a DRAM memory row is repeatedly accessed, or “hammered”, which can lead to bit flips in neighboring rows through electrical interference.
Proof-of-Concept
In a proof of concept, the researchers showed how the accuracy of neural networks could be reduced from 80 to 0.1 percent, and this by a single bit flip. The researchers developed special techniques to exploit the unique properties of GPU memory systems. GDDR6 memory differs from traditional RAM in its higher clock rates and more complex timing parameters. Attacks are particularly risky in cloud environments, where several users share a GPU. A potential attacker could theoretically sabotage AI models or compromise sensitive data. However, manipulation requires precise control and specific attack conditions.
How does a Rowhammer attack work?
- 1. Attack method: An attacker makes the system read a memory row very often. This creates electrical interference that causes bits in neighboring rows to flip (from 0 to 1 or vice versa).
- 2. Bit flips: These targeted bit flips can be used to manipulate critical data such as access rights or cryptographic keys.
- 3. Software-based: The attack usually requires no special hardware or physical access; a specially written program or even prepared JavaScript on a website is often sufficient.
- 4. Privilege escalation: Attackers can obtain higher rights on a system through targeted bit flips, e.g. root or administrator rights.
- 5. Data manipulation: It is possible to change or read data in memory that the attacker should not have access to.
- 6. Rowhammer is particularly critical in cloud environments, where several users share the same physical memory. Here an attacker can even attack other VMs from a virtual machine.
- 7. Difficult to patch: Because it is a hardware problem, Rowhammer cannot simply be remedied by a software update. Many systems therefore remain vulnerable as long as they use affected memory chips.
Protective measures
NVIDIA now recommends activating System-Level Error-Correcting Code (ECC) as a countermeasure. This technology can detect and correct bit flips, but comes with considerable performance losses of up to 50 percent. There is a catch, however: not all graphics cards support ECC. Professional models such as the A6000 or H100 have the function, but consumer graphics cards lack it entirely.
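
The following sketch is an added example, not code from the researchers or NVIDIA. It flips the top exponent bit of a float32 weight to show why one bit can wreck a model, then wraps the same word in a textbook SECDED Hamming code to show what ECC does with that flip; the weight value 0.5, the float32 format and the code layout are assumptions for illustration.

```python
import struct

# Textbook SECDED (extended Hamming) code over one 32-bit word, chosen for
# illustration; an assumption, not NVIDIA's actual ECC layout.
PARITY_POS = [1, 2, 4, 8, 16, 32]   # Hamming parity bits; bit 0 = overall parity
CODE_LEN = 39
DATA_POS = [p for p in range(1, CODE_LEN) if p not in PARITY_POS]

def float_to_bits(x):
    return struct.unpack("<I", struct.pack("<f", x))[0]

def bits_to_float(b):
    return struct.unpack("<f", struct.pack("<I", b))[0]

def syndrome(code):  # XOR of the positions of all set bits; 0 if valid
    s = 0
    for p in range(1, CODE_LEN):
        s ^= p if (code >> p) & 1 else 0
    return s

def encode(word):
    code = sum(((word >> i) & 1) << p for i, p in enumerate(DATA_POS))
    s = syndrome(code)
    for p in PARITY_POS:            # set parity bits so the syndrome becomes 0
        if s & p:
            code |= 1 << p
    return code | (bin(code).count("1") & 1)   # make total popcount even

def decode(code):
    s, odd = syndrome(code), bin(code).count("1") & 1
    if s == 0 and not odd:
        status = "clean"
    elif odd and s < CODE_LEN:      # one flip: the syndrome names its position
        code ^= 1 << s
        status = "corrected"
    else:                           # multi-bit error: detected, not repairable
        status = "uncorrectable"
    word = sum(((code >> p) & 1) << i for i, p in enumerate(DATA_POS))
    return word, status

def flip_weight(weight, bit, ecc):  # flip one data bit of a float32 weight
    word = float_to_bits(weight)
    if not ecc:
        return bits_to_float(word ^ (1 << bit)), "undetected"
    word, status = decode(encode(word) ^ (1 << DATA_POS[bit]))
    return bits_to_float(word), status

if __name__ == "__main__":
    print(flip_weight(0.5, 30, ecc=False), flip_weight(0.5, 30, ecc=True))
```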