GPU Rowhammer Attacks: New Vulnerabilities Threaten NVIDIA Ampere Hardware

Introduction

The Rowhammer attack, a well-known hardware vulnerability in DRAM, has long been a concern for CPU security. In a significant development, researchers have now demonstrated that this exploit can be effectively applied to modern Graphics Processing Units (GPUs), specifically targeting NVIDIA's Ampere architecture. These attacks, disclosed in two independent research papers, reveal that adversaries can induce bitflips in GDDR memory, leading to complete compromise of the host system. This article delves into the details of these new threats and their implications for GPU security.

GPU Rowhammer Attacks: New Vulnerabilities Threaten NVIDIA Ampere Hardware
Source: www.schneier.com

The Threat: GDDRHammer and GeForge Attacks

On a recent Thursday, two research teams presented their findings on GPU Rowhammer attacks against NVIDIA's Ampere-generation cards. The first paper, titled GDDRHammer: Greatly Disturbing DRAM Rows—Cross-Component Rowhammer Attacks from Modern GPUs, demonstrates a method to gain arbitrary read/write access to all CPU memory by exploiting bitflips in the GPU's GDDR memory. The second paper, GeForge: Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit, achieves similar results by manipulating GPU page table mappings. Both attacks ultimately grant the attacker full control over the host machine.

GDDRHammer

GDDRHammer focuses on exploiting the last-level page table within the GPU's memory hierarchy. By inducing carefully orchestrated bitflips, the attack corrupts page table entries, allowing the attacker to access and modify CPU memory. According to co-author Andrew Kwong, this work shows that Rowhammer, which is well-studied on CPUs, poses a serious threat on GPUs as well. The attack requires that the IOMMU (Input-Output Memory Management Unit) be disabled, which is the default setting in many BIOS configurations.

GeForge

GeForge operates similarly but targets the last-level page directory instead of the page table. In tests against the RTX 3060 and RTX 6000, researchers induced 1,171 and 202 bitflips, respectively. Using novel hammering patterns and memory massaging, GeForge corrupts GPU page table mappings in GDDR6 memory, achieving read and write access to the GPU memory space. From there, it escalates privileges to control host CPU memory, culminating in a root shell. The proof-of-concept exploit against the RTX 3060 opens a root shell window, enabling arbitrary commands with unfettered privileges.

Attack Details: How the Exploits Work

Both attacks leverage the Rowhammer phenomenon, in which repeated access to specific rows of a DRAM array causes bitflips in physically adjacent rows. The GDDR memory on GPUs is densely packed, which makes it susceptible to the same effect. The researchers developed specialized hammering patterns to maximize bitflip probability while avoiding detection. By corrupting page table structures, they can redirect memory accesses to arbitrary locations, ultimately gaining control over the CPU's memory address space.


An important distinction is the role of the IOMMU. The initial attacks (GDDRHammer and GeForge) require IOMMU to be disabled. However, in a subsequent update, a third attack was unveiled that works even with IOMMU enabled. This variant targets the RTX A6000 and achieves privilege escalation to a root shell, demonstrating that IOMMU alone is not a sufficient defense.

Mitigation and Implications

The discovery of GPU Rowhammer attacks has significant security implications. In enterprise environments where GPUs handle sensitive computations, such as machine learning or scientific computing, these vulnerabilities could be exploited to bypass isolation mechanisms. Mitigation strategies include enabling the IOMMU where possible, updating GPU firmware, and employing stronger Rowhammer mitigation techniques in GDDR memory controllers. However, as the third attack shows, the IOMMU is not a complete solution. Hardware-level changes may be required to address the root cause.
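To make concrete why a single corrupted page table entry is so damaging, and what the IOMMU check discussed in the sections above contributes, here is an added Python model written for this article. It is not code from the article, from GDDRHammer, or from GeForge: the PTE field layout, the 4 KiB page size, the `Iommu` class and the frame numbers are assumptions chosen for clarity, not the NVIDIA GDDR page table format.

```python
from __future__ import annotations

# Added illustration for this article: a toy model of a last-level page table
# entry (PTE), what one Rowhammer-style bit flip does to the frame it maps, and
# the DMA check an IOMMU performs. The field layout and the IOMMU model are
# simplifications chosen for clarity; they are not the NVIDIA GDDR page table
# format or either paper's code.

PAGE_SHIFT = 12            # 4 KiB pages (assumed)
PFN_SHIFT = 12             # frame number starts at bit 12 in this toy layout
PFN_BITS = 40              # 40-bit frame number field (assumed)
VALID = 1 << 0
WRITABLE = 1 << 1


def make_pte(pfn: int, writable: bool = True) -> int:
    """Build a PTE that maps a page onto physical frame `pfn`."""
    assert 0 <= pfn < (1 << PFN_BITS)
    return (pfn << PFN_SHIFT) | VALID | (WRITABLE if writable else 0)


def pte_frame(pte: int) -> int:
    """Extract the physical frame number from a PTE."""
    return (pte >> PFN_SHIFT) & ((1 << PFN_BITS) - 1)


def flip_bit(value: int, bit: int) -> int:
    """Model a single Rowhammer-induced bit flip at position `bit`."""
    return value ^ (1 << bit)


class Iommu:
    """Device-side address check (simplified model, an assumption of this example).

    With remapping enabled, a device may only reach physical frames that the
    driver mapped into its domain. With it disabled (the BIOS default the
    article mentions), device addresses pass straight through to physical
    memory and every frame is reachable.
    """

    def __init__(self, enabled: bool, domain_frames: set[int]):
        self.enabled = enabled
        self.domain_frames = set(domain_frames)

    def allows(self, phys_addr: int) -> bool:
        if not self.enabled:
            return True
        return (phys_addr >> PAGE_SHIFT) in self.domain_frames


def reachable_after_flips(pfn: int, iommu: Iommu) -> dict[int, bool]:
    """For each single-bit flip inside the PFN field of a PTE mapping `pfn`,
    return {new_frame: device_may_access}.

    Every flip lands the mapping on a frame the device was never granted; the
    dict shows whether the IOMMU check would stop the resulting access.
    """
    pte = make_pte(pfn)
    results: dict[int, bool] = {}
    for bit in range(PFN_SHIFT, PFN_SHIFT + PFN_BITS):
        corrupted = flip_bit(pte, bit)
        new_frame = pte_frame(corrupted)
        results[new_frame] = iommu.allows(new_frame << PAGE_SHIFT)
    return results


if __name__ == "__main__":
    granted = {0x1234}   # constructed: the only frame the driver gave the device
    no_iommu = reachable_after_flips(0x1234, Iommu(False, granted))
    with_iommu = reachable_after_flips(0x1234, Iommu(True, granted))
    print("frames reachable after one flip, IOMMU off:", sum(no_iommu.values()))
    print("frames reachable after one flip, IOMMU on: ", sum(with_iommu.values()))
```

Running the script shows the two regimes side by side: with remapping off, every one of the 40 possible single-bit flips in the frame field redirects the mapping to a frame the device was never granted, and nothing stops the access; with remapping on, each of those accesses fails the domain check. As the article's third attack demonstrates, this check alone is not a complete defense in practice, which is why the mitigation list above also points to firmware updates and memory-controller-level Rowhammer protections.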

Conclusion

The Rowhammer attack has now crossed from CPUs to GPUs, with demonstrated exploits against NVIDIA's Ampere architecture. GDDRHammer and GeForge show that adversaries can achieve full system compromise, even when operating from a GPU context. These findings underscore the need for robust hardware security research and proactive defense mechanisms in modern accelerators. As GPUs become increasingly central to computing, vulnerabilities like these must be taken seriously to prevent widespread exploitation.
