Nvidia chips hacked, fall victim to Rowhammer bit-flip attacks; here’s how to secure the AI GPUs

Canadian researchers have discovered a vulnerability, named GPU Hammer, in Nvidia A6000 GPUs, enabling Rowhammer bit-flip attacks. This attack allows malicious users to sabotage AI models by tampering with data, potentially degrading model accurac...

Reuters
A team of Canadian researchers has demonstrated that Nvidia A6000 GPUs are vulnerable to Rowhammer bit-flip attacks, which can easily allow attackers to sabotage artificial intelligence models running on the tech giant's widely used hardware. The attack, called GPU Hammer, was created by University of Toronto researchers Chris Lin, Joyce Qu, and Gururaj Saileshwar, and it may pose significant risks to AI usage. It is the first attack to show Rowhammer bit flips on GPU memories, specifically on GDDR6 memory in an NVIDIA A6000 GPU.

According to the researchers, the attacks use user-level CUDA code to induce bit flips across all tested DRAM banks, despite in-DRAM defenses like TRR (Target Row Refresh). These bit flips allow a malicious GPU user to tamper with another user’s data on the GPU in shared, time-sliced environments. In a proof of concept, the researchers used these bit flips to tamper with a victim’s DNN models and degrade model accuracy from 80% to 0.1%, using a single bit flip.

Rowhammer lets attackers alter or corrupt memory data by rapidly and repeatedly accessing a specific row of memory cells. This repeated hammering of selected rows causes bit flips in adjacent rows, turning digital zeros into ones or vice versa. Until now, Rowhammer attacks had only been shown on memory chips used in CPUs for general-purpose computing.


Nvidia issues security warning


Reacting to the new research, Nvidia released a security notice saying that the fix is simple: users just need to enable System-Level ECC, or error-correcting code. This setting adds redundancy to the stored bits, so if one gets flipped, the system can automatically correct it before anything goes wrong.
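
The single-bit-flip damage and the ECC correction described above, shown together as an added example that is not from the article, the researchers or Nvidia. The sample weight, the choice of flipped bit and the textbook Hamming layout are assumptions for illustration; the page does not describe Nvidia's actual ECC scheme.

```python
import struct

# Codeword positions 1..38: powers of two hold parity, the other 32 hold data.
PARITY_POS = [1, 2, 4, 8, 16, 32]
DATA_POS = [p for p in range(1, 39) if p & (p - 1)]

def float_to_word(x):
    """Raw 32-bit pattern of a float32 value."""
    return struct.unpack("<I", struct.pack("<f", x))[0]

def word_to_float(w):
    """float32 value encoded by a raw 32-bit pattern."""
    return struct.unpack("<f", struct.pack("<I", w))[0]

def syndrome(cw):
    """XOR of the positions of all set bits; 0 for a valid codeword."""
    s = 0
    for pos in range(1, 39):
        if cw[pos]:
            s ^= pos
    return s

def encode(word):
    """Spread 32 data bits over DATA_POS and fill in the 6 parity bits."""
    cw = [0] * 39  # index 0 is unused
    for i, pos in enumerate(DATA_POS):
        cw[pos] = (word >> i) & 1
    s = syndrome(cw)
    for pos in PARITY_POS:
        cw[pos] = 1 if s & pos else 0
    return cw

def decode(cw):
    """Correct at most one flipped bit; return (word, corrected_position)."""
    cw = list(cw)
    s = syndrome(cw)
    if 1 <= s <= 38:  # a non-zero syndrome names the flipped position
        cw[s] ^= 1
    word = sum(cw[pos] << i for i, pos in enumerate(DATA_POS))
    return word, s

if __name__ == "__main__":
    weight = 0.5                   # constructed sample model weight
    word = float_to_word(weight)
    flipped = word ^ (1 << 30)     # assumed flip: top exponent bit
    print("unprotected:", weight, "->", word_to_float(flipped))
    cw = encode(word)
    cw[DATA_POS[30]] ^= 1          # the same flip, inside a protected codeword
    fixed, pos = decode(cw)
    print("with ECC:", word_to_float(fixed), "corrected position", pos)
```

A flip in the top exponent bit turns the weight 0.5 into 2^127, which is why one flipped bit can be enough to ruin a model's output, while the six parity bits let the decoder locate and undo that same flip.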

“For enterprise customer environments that require enhanced levels of assurance and integrity, NVIDIA recommends using professional and data center products (instead of consumer-grade graphics hardware) and ensuring that ECC is enabled to prevent Rowhammer-style attacks. This is enabled by default on the Hopper and Blackwell Data Center class of GPUs,” Nvidia said in a statement.

When evaluating the risk, it's important to consider whether the GPU setup is single-tenant or multi-tenant. A Rowhammer attack between tenants can only be carried out if they access the GPU simultaneously.