Jul 12, 2025Ravie LakshmananAI Safety / Vulnerability
NVIDIA is urging clients to allow System-level Error Correction Codes (ECC) as a protection towards a variant of a RowHammer assault demonstrated towards its graphics processing models (GPUs).
“Threat of profitable exploitation from RowHammer assaults varies primarily based on DRAM gadget, platform, design specification, and system settings,” the GPU maker mentioned in an advisory launched this week.
Dubbed GPUHammer, the assaults mark the first-ever RowHammer exploit demonstrated towards NVIDIA’s GPUs (e.g., NVIDIA A6000 GPU with GDDR6 Reminiscence), inflicting malicious GPU customers to tamper with different customers’ information by triggering bit flips in GPU reminiscence.
Essentially the most regarding consequence of this conduct, College of Toronto researchers discovered, is the degradation of a synthetic intelligence (AI) mannequin’s accuracy from 80% to lower than 1%.
RowHammer is to fashionable DRAMs similar to how Spectre and Meltdown are to up to date CPUs. Whereas each are hardware-level safety vulnerabilities, RowHammer targets the bodily conduct of DRAM reminiscence, whereas Spectre exploits speculative execution in CPUs.
RowHammer causes bit flips in close by reminiscence cells because of electrical interference in DRAM stemming from repeated reminiscence entry, whereas Spectre and Meltdown permit attackers to acquire privileged info from reminiscence through a side-channel assault, doubtlessly leaking delicate information.
In 2022, teachers from the College of Michigan and Georgia Tech described a method referred to as SpecHammer that mixes RowHammer and Spectre to launch speculative assaults. The strategy basically entails triggering a Spectre v1 assault through the use of Rowhammer bit-flips to insert malicious values into sufferer devices.
GPUHammer is the newest variant of RowHammer, however one which’s able to inducing bit flips in NVIDIA GPUs regardless of the presence of mitigations like goal refresh price (TRR).
In a proof-of-concept developed by the researchers, utilizing a single-bit flip to tamper with a sufferer’s ImageNet deep neural community (DNN) fashions can degrade mannequin accuracy from 80% to 0.1%.
Exploits like GPUHammer threaten the integrity of AI fashions, that are more and more reliant on GPUs to carry out parallel processing and perform computationally demanding duties, to not point out open up a brand new assault floor for cloud platforms.
To mitigate the danger posed by GPUHammer, it is suggested to allow ECC by way of “nvidia-smi -e 1.” Newer NVIDIA GPUs like H100 or RTX 5090 should not affected because of them that includes on-die ECC, which helps detect and proper errors arising because of voltage fluctuations related to smaller, denser reminiscence chips.
“Enabling Error Correction Codes (ECC) can mitigate this threat, however ECC can introduce as much as a ten% slowdown for [machine learning] inference workloads on an A6000 GPU,” Chris (Shaopeng) Lin, Joyce Qu, and Gururaj Saileshwar, the lead authors of the research, mentioned, including it additionally reduces reminiscence capability by 6.25%.
The disclosure comes as researchers from NTT Social Informatics Laboratories and CentraleSupelec offered CrowHammer, a kind of RowHammer assault that allows a key restoration assault towards the FALCON (FIPS 206) post-quantum signature scheme, which has been chosen by NIST for standardization.
“Utilizing RowHammer, we goal Falcon’s RCDT [reverse cumulative distribution table] to set off a really small variety of focused bit flips, and show that the ensuing distribution is sufficiently skewed to carry out a key restoration assault,” the research mentioned.
“We present {that a} single focused bit flip suffices to completely recuperate the signing key, given a number of hundred million signatures, with extra bit flips enabling key restoration with fewer signatures.”
Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we publish.
