How Rowhammer Attacks Compromise NVIDIA GPUs: A Step-by-Step Breakdown of the Exploit Process
What You Need
- Vulnerable Hardware: NVIDIA Ampere-generation GPUs (RTX 3060, RTX 6000, A6000) with GDDR6 memory.
- Disabled IOMMU: Input/Output Memory Management Unit must be turned off in BIOS (default on many systems). Note: Some newer attacks work even with IOMMU enabled.
- Knowledge of Memory Addressing: Understanding of DRAM row/column organization and how GPUs map memory.
- Custom Hammering Patterns: Attack-specific memory access sequences to induce bit flips.
- Software Tools: Proof-of-concept code from research papers (GDDRHammer or GeForge) – for educational testing only.
Step-by-Step Guide
Step 1: Understand Rowhammer Fundamentals
Rowhammer is a hardware vulnerability in DRAM where repeated accesses to specific memory rows ("aggressor" rows) cause electrical interference, leading to bit flips in adjacent rows ("victim" rows). In GPUs, GDDR6 memory uses similar cell structures, making them susceptible. This step lays the groundwork: without this core concept, the exploit is meaningless.
Step 2: Identify Target GPU and Verify Vulnerable Conditions
Select an NVIDIA Ampere card (e.g., RTX 3060, RTX 6000, or A6000). Ensure IOMMU is disabled (except for advanced variants like the third attack that bypass IOMMU). Use GPU-Z or similar tools to confirm memory type (GDDR6) and driver version. The research shows that older drivers are more vulnerable, while modern patches have limited residual risk.
Step 3: Set Up Attack Environment
Install the necessary libraries (CUDA, OpenCL, or Vulkan, depending on the exploit). Obtain the GDDRHammer or GeForge source code from the respective paper repositories. Compile with appropriate flags for your GPU architecture. Run initial diagnostic scripts to confirm that the GPU can read/write memory addresses.
Step 4: Perform Memory Massage and Row Activation
Use specialized GPU kernel codes that repeatedly activate aggressor rows at high frequency. The pattern must be carefully crafted to maximize disturbance. For example, GDDRHammer uses a triple-row hammering pattern that alternates between rows to sidestep ECC mechanisms. The objective is to induce bit flips – changes in data values stored in GDDR6 memory cells.
Step 5: Exploit Page Table Manipulation
- GDDRHammer approach: Corrupt the last-level GPU page table entries. By flipping specific bits, the attacker redirects memory mappings to point to privileged CPU memory regions.
- GeForge approach: Instead of page tables, target the last-level page directory. The result is similar: gaining read/write access to the GPU’s full memory space.
Both techniques rely on the induced bit flips to forge or alter page table entries. Step 5.5: Monitor for successful bit flips using error detection (e.g., compare original vs. readback values).
Step 6: Escalate Privileges to CPU Memory
Once the GPU page tables are hijacked, the attacker can issue memory operations that bypass normal isolation. The GPU now has arbitrary read/write over the host CPU’s physical memory. This includes kernel memory, page tables, and process credentials.
Step 7: Achieve Full System Compromise
With control over CPU memory, the attacker can inject shellcode, overwrite system call handlers, or directly modify the kernel’s data structures. In proofs of concept, this leads to a root shell on the host machine – complete control over the entire system.
Tips for Protection and Awareness
- Enable IOMMU: Most consumer BIOS defaults disable it. Turn it on to mitigate many Rowhammer attacks – though note that the third variant (RTX A6000) still works with IOMMU enabled. Firmware updates may address this.
- Update GPU Firmware/Drivers: NVIDIA has issued patches for Ampere cards; ensure your system is up to date.
- Use ECC Memory: GDDR6 with error correction reduces but does not eliminate Rowhammer risk (some bit flips still occur).
- Monitor for Unusual GPU Activity: High memory bandwidth usage without clear cause could indicate a Rowhammer exploit in progress.
- Apply Kernel Hardening: Linux kernel patches (e.g., GDS) reduce the impact of GPU-escaped attacks. Stay current with security advisories.
- Restrict GPU Access: In multi-tenant environments, limit who can run arbitrary GPU code – especially on shared hardware.
This guide is for educational purposes only. Understanding these attacks helps in developing defenses.