Alert: Nvidia GPUs are vulnerable to Rowhammer attacks

Nvidia has issued a security reminder to application developers, computer manufacturers, and IT leaders that modern memory chips in graphics processors are potentially susceptible to so-called Rowhammer exploits after Canadian university researchers proved that an Nvidia A6000 GPU could be successfully compromised with a similar attack.

A Rowhammer attack is a software-based fault-injection attack that allows the attacker to infer information about certain victim secrets stored in memory cells and to alter values in memory. Vulnerable memory, Nvidia said in its warning, doesn’t have system level ECC (error correction code) enabled.

“For enterprise customer environments that require enhanced levels of assurance and integrity, Nvidia recommends using professional and data center products (instead of consumer-grade graphics hardware) and ensuring that ECC is enabled to prevent Rowhammer-style attacks,” the caution said. ECC is enabled by default on the company’s Hopper and Blackwell data center class of GPUs.

Single versus multi-tenant GPU tenancy should also be considered when assessing the risk, Nvidia adds, noting that simultaneous access to the GPU is required to execute a Rowhammer attack between tenants.

“This is not easily exploitable, and will likely only be exploited in very specific targeted attacks,” said Johannes Ullrich, dean of research at the SANS Institute. “So you have time, and should focus on shared systems that run code provided by untrusted entities. For the most part, this will affect cloud systems, and mitigation will be up to the cloud provider.”

Rowhammer is a vulnerability in DDR (double data rate) memory architecture, he noted. “Any system using modern DDR memory is potentially vulnerable to Rowhammer.”

An attacker exploiting GPUhammer will quickly flip bits to which they have access in order to affect other memory bits to which they do not have access, Ullrich explained. Nvidia recommends enabling ECC error correction, which will detect and possibly prevent these unauthorized changes to memory content. ECC isn’t perfect, he said, but if enabled will likely make the exploit less practical.
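As an added example (not from Nvidia, the researchers, or the original article), the Python sketch below audits the ECC state of each GPU on a host from `nvidia-smi` query output, including the case where ECC has been switched on but does not take effect until the next reboot. The status labels and the sample output are constructed for illustration; `read_nvidia_smi()` assumes `nvidia-smi` is on the PATH.

```python
import csv
import io
import subprocess

QUERY = "index,name,ecc.mode.current,ecc.mode.pending"

# Constructed sample of `nvidia-smi --query-gpu=<QUERY> --format=csv,noheader` output.
SAMPLE = """\
0, NVIDIA RTX A6000, Disabled, Disabled
1, NVIDIA RTX A6000, Disabled, Enabled
2, NVIDIA H100 PCIe, Enabled, Enabled
3, NVIDIA GeForce RTX 3080, [N/A], [N/A]
"""

def read_nvidia_smi():
    """Run nvidia-smi on this host and return its CSV output."""
    cmd = ["nvidia-smi", f"--query-gpu={QUERY}", "--format=csv,noheader"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def classify(current, pending):
    """Map current/pending ECC modes to a status label (labels are hypothetical)."""
    if current == "Enabled":
        # A pending "Disabled" means ECC is scheduled to be turned off at reboot.
        return "ecc-will-be-disabled" if pending == "Disabled" else "ok"
    if current == "Disabled":
        # A pending "Enabled" has no effect until the next reboot.
        return "reset-required" if pending == "Enabled" else "ecc-disabled"
    # Anything else (e.g. "[N/A]") means the GPU reports no ECC support.
    return "ecc-unsupported"

def audit(csv_text):
    """Return a list of (gpu_index, gpu_name, status) tuples."""
    findings = []
    for row in csv.reader(io.StringIO(csv_text), skipinitialspace=True):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        index, name, current, pending = (field.strip() for field in row)
        findings.append((int(index), name, classify(current, pending)))
    return findings

if __name__ == "__main__":
    # Swap SAMPLE for read_nvidia_smi() to audit the local host.
    for index, name, status in audit(SAMPLE):
        print(f"GPU {index} ({name}): {status}")
```
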

The attack also requires the attacker to execute specific code, he pointed out. This is more of a threat to systems that are shared between users and allow different users to affect each other’s data than to single-user systems, he said.

The researchers’ paper states that some of the abstractions of graphics cards make it a bit more difficult to access memory to trigger the Rowhammer exploit, he added. Unlike DDR memory connected to normal CPU buses, GPUs have more controlled access to memory. “But in the end,” he said, “all Rowhammer needs is to quickly flip specific bits on and off, which is still possible for GPUs. It just takes more work to figure out which bits to flip, which is the main contribution of the paper.”

A Rowhammer attack on Intel and AMD CPUs with DDR and LPDDR memories enables an attacker to induce bit-flips in memory cells by rapidly accessing neighboring rows of memory. In theory, GPUs should be harder to exploit because they have proprietary mapping of physical memory to GDDR banks and rows, and have high memory latency, faster refresh rates, and DDR memory that hinders effective hammering.

The security researchers created a technique called GPUhammer by reverse-engineering GDDR DRAM row mappings that use GPU-specific memory access optimizations to amplify hammering intensity and bypass mitigations.

“The implications are pretty serious,” Gururaj Saileshwar, a member of the University of Toronto’s computer science faculty and co-author of the research paper, said in an interview. Not only can data be poisoned, an attack on GPUs could interfere with AI data models, he explained.

While the attack was demonstrated on Nvidia GPUs with GDDR6 DRAM, it could work on any GPU, he said.

Saileshwar, who focuses on researching hardware vulnerabilities, and his team had been working on an attack since last summer.

IT pros have known about the possibility of Rowhammer attacks on CPUs since 2015. In 2018, the vulnerabilities were given names: Spectre and Meltdown. By 2020, IT pros were being warned to expect a major Rowhammer exploit to be released within a year. The paper has shown that GPUs are also at risk.

Asked about the research, an Nvidia spokesperson said, “NVIDIA recommends users follow security best practices by following existing DRAM mitigations to prevent or lessen the likelihood of a Rowhammer attack.”  
