Nvidia A6000 GPUs flip memory bits if beaten by GPUHammer • The Register
The Rowhammer attack on computer memory is back, and for the first time, it’s able to mess with bits in Nvidia GPUs, despite defenses designed to protect against this kind of hacking.
Last week, Nvidia issued a security advisory, telling customers about the possible threat, which was disclosed to the company and cloud providers in January by researchers from Canada’s University of Toronto.
The researchers, Chris (Shaopeng) Lin, Joyce Qu, and Gururaj Saileshwar, describe their findings in a paper [PDF] titled “GPUHammer: Rowhammer Attacks on GPU Memories are Practical.”
Scheduled to be presented at USENIX Security 2025 shindig in August, the paper describes “the first Rowhammer attack on Nvidia GPUs with GDDR6 DRAM.” It focuses specifically on Nvidia A6000 GPUs with GDDR6 memory; newer GPUs like the H100 and RTX 5090 do not appear to be susceptible to this particular exploit.
In our exploit, we show for the first time that such an attack can be executed using our Rowhammer-induced bit-flips on GPUs
The Rowhammer attack dates back to 2014 when computer scientists from Carnegie Mellon University and Intel published a paper [PDF] describing how repeatedly accessing the same memory row in a DRAM chip could flip the stored electronic bits, resulting in data corruption and errors. Intel knew about the issue at least since 2012, when it began filing relevant patents to protect systems.
The attack generally requires the attacker and victim to be tenants on the same hardware, with enough privileges to run the attack code. There is, however, a variant that operates over the network under certain conditions.
In the eleven years since its public disclosure, the memory-smashing technique has been applied to many different devices and applications, including browsers, VMs, Android phones, flash storage, network devices that have remote direct memory access (RDMA) enabled, FPGAs, Arm chips, and AMD chips.
Now it’s Nvidia’s turn. GPUHammer presents a particularly concerning threat because it can be used to meddle with AI models, which rely heavily on GPUs. The researchers showed they can use GPUHammer to alter the weights of a deep neural network to make AI model inference (output) less accurate, an attack technique referred to as Terminal Brain Damage in a 2019 research paper.
“In our exploit, we show for the first time that such an attack can be executed using our Rowhammer-induced bit-flips on GPUs, and the resultant tampering of the DNN weights resident in the GPU memory can impact the DNN accuracy significantly,” the authors state in their paper.
They claim that in their proof-of-concept attack, they were able to degrade the accuracy of machine-learning models by up to 80 percent, despite the presence of a defense called Target Row Refresh in GDDR6 memory. Organizations running AI applications in a cloud environment with other tenants thus could find their models making significant mispredictions if subject to a GPUHammer beating.
Nvidia does have a mitigation: enabling Error Correction Codes (ECC), using the nvidia-smi -e 1 command and then rebooting. The consequence of doing so, however, is a performance hit of about 10 percent and a reduction in memory capacity of about 6.25 percent. ®
