A team of researchers from the University of Toronto has demonstrated that Rowhammer attacks against GPUs are possible and practical.
The attack method, dubbed GPUHammer, has been confirmed to work against a GPU from Nvidia, with the researchers using it to degrade the accuracy of machine learning models.
The Rowhammer attack method has been known for more than a decade. It involves repeatedly accessing — or hammering — a DRAM memory row, which can cause electrical interference that leads to bit flips in adjacent regions.
Researchers have demonstrated over the years that Rowhammer attacks can lead to privilege escalation, unauthorized access to data, data corruption, and breaking memory isolation (in virtualized environments).
However, until now, Rowhammer attacks have focused on CPUs and CPU-based memories. The University of Toronto researchers wanted to see if such attacks could be conducted against GPUs, particularly in light of their increasing use for artificial intelligence and machine learning.
The researchers managed to successfully conduct a Rowhammer attack against GDDR6 memory in an NVIDIA A6000 GPU. They observed the impact of the GPUHammer attack on deep neural network (DNN) machine learning models, specifically ImageNet models used for visual object recognition.
Their tests showed that a single bit flip could result in the accuracy of the machine learning model dropping from 80% to 0.1%.
In an advisory published this week, Nvidia confirmed the findings and informed customers that System-level ECC (error correcting code) — a known Rowhammer mitigation — can prevent attacks. The GPU giant has shared specific instructions for different products.
However, the researchers pointed out that enabling ECC can reduce performance and memory capacity.
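One way to check whether the ECC mitigation is actually active across a fleet, as an added example that is not taken from Nvidia's advisory or the researchers' work: it assumes ECC state is read with `nvidia-smi` and that the CSV output has the layout of the constructed sample embedded in the code, and the verdict names are invented here.

```python
import subprocess

# Real nvidia-smi query fields; the CSV layout parsed below is an assumption.
QUERY = ["nvidia-smi",
         "--query-gpu=index,name,ecc.mode.current,ecc.mode.pending",
         "--format=csv,noheader"]

# Constructed sample output, used when nvidia-smi is not available.
SAMPLE = """\
0, NVIDIA RTX A6000, Disabled, Disabled
1, NVIDIA RTX A6000, Enabled, Enabled
2, NVIDIA RTX A6000, Disabled, Enabled
3, NVIDIA GeForce RTX 3080, [N/A], [N/A]
"""

def classify(current, pending):
    """Map the current/pending ECC modes to an audit verdict."""
    if current == "Enabled":
        return "ok" if pending == "Enabled" else "disable-pending"
    if current == "Disabled":
        return "reboot-required" if pending == "Enabled" else "exposed"
    return "unsupported"  # e.g. "[N/A]": the GPU reports no ECC mode

def audit(text):
    """Return (index, name, verdict) for every GPU line in the CSV text."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The name may itself contain commas, so peel fields off both ends.
        index, rest = line.split(",", 1)
        name, current, pending = rest.rsplit(",", 2)
        rows.append((int(index), name.strip(),
                     classify(current.strip(), pending.strip())))
    return rows

def main():
    try:
        text = subprocess.run(QUERY, capture_output=True, text=True,
                              check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE
    rows = audit(text)
    for index, name, verdict in rows:
        print(f"GPU {index} ({name}): {verdict}")
    # Non-zero exit when any GPU lacks active ECC, for use in CI or cron.
    return 0 if all(v == "ok" for _, _, v in rows) else 1

if __name__ == "__main__":
    raise SystemExit(main())
```

A `reboot-required` verdict means ECC has been switched on but the pending mode has not yet taken effect, so the GPU is still running without the mitigation.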
The researchers said their proof-of-concept (PoC) code is extensible to other GPUs based on Nvidia’s Ampere architecture.
As for why the attack hasn’t been tested against other GPUs, they argued that “unlike CPUs, where DRAM modules can be easily swapped out for testing, GPU DRAM is soldered in, making large-scale testing expensive (GPUs can cost thousands of dollars).”
The researchers have created a dedicated GPUHammer website and published a paper detailing their findings.