New Rowhammer Attacks on NVIDIA GPUs Allow Full Host System Takeover

Breaking: GPU Memory Flaws Enable Complete CPU Compromise

Two independent research teams have demonstrated a new class of Rowhammer attacks targeting NVIDIA's Ampere-generation GPUs. These attacks exploit bit flips in GDDR6 memory to gain full control over the host CPU's memory, potentially allowing attackers to take over the entire system.

New Rowhammer Attacks on NVIDIA GPUs Allow Full Host System Takeover — Source: www.schneier.com

On Thursday, researchers from the University of Virginia and other institutions presented their findings. They showed that carefully crafted memory access patterns can corrupt GPU page tables, granting unauthorized read/write access to CPU memory. This represents a significant escalation from prior Rowhammer attacks, which were limited to CPU memory.

How the Attack Works

The attacks, named GDDRHammer and GeForge, target NVIDIA RTX 3060 and RTX A6000 cards. They exploit the Rowhammer effect in GDDR6 memory, which is physically separate from the GPU's compute cores.

In GDDRHammer, the researchers triggered bit flips in the last-level page table of the GPU's memory controller. This allowed them to remap GPU memory to include areas reserved for the CPU, giving unfettered access to the host's memory space.

GeForge uses a similar approach but manipulates the last-level page directory instead. The team induced 1,171 bit flips on an RTX 3060 and 202 on an RTX 6000. The proof-of-concept exploit on the RTX 3060 ultimately opened a root shell, giving the attacker privileged command execution on the host machine.

Background: Rowhammer Comes to GPUs

Rowhammer is a well-known vulnerability in dynamic random-access memory (DRAM). By repeatedly accessing (hammering) a row of memory cells, an attacker can cause bit flips in adjacent rows. These flips can corrupt data or even change program behavior.

Until now, Rowhammer attacks were largely confined to CPU memory. However, as GPUs increasingly handle sensitive data and run complex workloads, researchers have turned their attention to GPU memory. The GDDR6 memory used in NVIDIA's Ampere cards is also susceptible to this effect.

The attacks require that the Input-Output Memory Management Unit (IOMMU) be disabled, which is the default in many BIOS settings. A third attack, revealed on Friday, showed that privilege escalation to a root shell is possible even when IOMMU is enabled on the RTX A6000.

Expert Commentary

Andrew Kwong, co-author of GDDRHammer, stated: "Our work shows that Rowhammer, which is well-studied on CPUs, is a serious threat on GPUs as well. With our work, we show how an attacker can induce bit flips on the GPU to gain arbitrary read/write access to all of the CPU's memory, resulting in complete compromise of the machine."

The researchers behind GeForge noted that their attack uses novel hammering patterns and memory massaging to corrupt GPU page table mappings in GDDR6 memory. They said, "We demonstrate that GPU memory can be used as a stepping stone to full system compromise."

What This Means

System administrators and security teams should treat GPU memory attacks as a serious threat. The ability to escalate from GPU access to CPU root privileges undermines traditional security boundaries between components.

For end users, the risk is currently limited because the attack requires local access and specific hardware configurations. However, cloud providers using NVIDIA GPUs for compute workloads, such as machine learning or rendering, should examine their IOMMU settings and consider isolation measures.

The discovery highlights that GPU security is no longer just about preventing direct attacks on graphics workloads. As GPUs become more powerful and integrated with host memory, vulnerabilities in video memory can have far-reaching consequences.

Next Steps and Mitigations

NVIDIA has been notified of these findings. The company has not yet issued a formal statement, but recommended mitigations include enabling IOMMU where possible and employing enhanced memory error correction (ECC) on GDDR6.

Researchers stress that the attacks are still difficult to execute in real-world scenarios, but the techniques are likely to improve. "This is a wake-up call for the industry," said one expert close to the study.

Tags: