GPUHammer: Rowhammer attacks on GPU memories are practical

Summary

GPUHammer: Rowhammer Attacks on GPU Memories are Practical # Chris (Shaopeng) Lin†, Joyce Qu†, Gururaj Saileshwar, from University of Toronto Published at USENIX Security 2025 (link to paper). Artifact available on GitHub and Zenodo. † equal contribution TL;DR # GPUHammer is the first attack to show Rowhammer bit flips on GPU memories, specifically on a GDDR6 memory in an NVIDIA A6000 GPU. Our attacks induce bit flips across all tested DRAM banks, despite in-DRAM defenses like TRR, using user-level CUDA code. These bit flips allow a malicious GPU user to tamper with another user’s data on the GPU in shared, time-sliced environments. In a proof-of-concept, we use these bit flips to tamper with a victim’s DNN models and degrade model accuracy from 80% to 0.1%, using a single bit flip. Enabling Error Correction Codes (ECC) can mitigate this risk, but ECC can introduce up to a 10% slowdown for ML inference workloads on an A6000 GPU. 🔍 What’s New in Rowhammer for GPUs? # Rowhammer is a hardware vulnerability where rapidly activating a memory row introduces bit flips in adjacent memory rows. Since 2014, this vulnerability has been widely studied in CPUs and in CPU-based memories like DDR3, DDR4, and LPDDR4. However, with critical AI and ML workloads now running on discrete GPUs in the cloud, it is vital to assess the vulnerability of GPU memories to Rowhammer attacks. Rowhammer is uniquely more challenging on GPU-based GDDR memories for the following reasons: ⏱️ GDDR6 has higher latency and faster refresh than CPU-based DDR4, making hammering harder. 🧩 Unknown DRAM address mappings in GDDR memories complicate crafting effective patterns. 🛡️ In-DRAM mitigations in GDDR are opaque and undocumented. Despite this, GPUHammer overcomes these barriers and launches successful attacks on GDDR6. Step 1: Reverse Engineering GPU DRAM Mappings # To craft effective Rowhammer attacks, we first need to identify memory addresses that map to the same DRAM bank on an NVIDIA GPU. Unlike CPUs...