NVIDIA is urging clients to allow System-level Error Correction Codes (ECC) as a protection in opposition to a variant of a RowHammer assault demonstrated in opposition to its graphics processing items (GPUs).
“Danger of profitable exploitation from RowHammer assaults varies primarily based on DRAM system, platform, design specification, and system settings,” the GPU maker mentioned in an advisory launched this week.
Dubbed GPUHammer, the assaults mark the first-ever RowHammer exploit demonstrated in opposition to NVIDIA’s GPUs (e.g., NVIDIA A6000 GPU with GDDR6 Reminiscence), inflicting malicious GPU customers to tamper with different customers’ information by triggering bit flips in GPU reminiscence.
Essentially the most regarding consequence of this conduct, College of Toronto researchers discovered, is the degradation of a synthetic intelligence (AI) mannequin’s accuracy from 80% to lower than 1%.
RowHammer is to fashionable DRAMs identical to how Spectre and Meltdown are to modern CPUs. Whereas each are hardware-level safety vulnerabilities, RowHammer targets the bodily conduct of DRAM reminiscence, whereas Spectre exploits speculative execution in CPUs.
RowHammer causes bit flips in close by reminiscence cells as a result of electrical interference in DRAM stemming from repeated reminiscence entry, whereas Spectre and Meltdown permit attackers to get hold of privileged data from reminiscence by way of a side-channel assault, doubtlessly leaking delicate information.
In 2022, lecturers from the College of Michigan and Georgia Tech described a method referred to as SpecHammer that mixes RowHammer and Spectre to launch speculative assaults. The strategy primarily entails triggering a Spectre v1 assault through the use of Rowhammer bit-flips to insert malicious values into sufferer devices.
GPUHammer is the newest variant of RowHammer, however one which’s able to inducing bit flips in NVIDIA GPUs regardless of the presence of mitigations like goal refresh charge (TRR).
In a proof-of-concept developed by the researchers, utilizing a single-bit flip to tamper with a sufferer’s ImageNet deep neural community (DNN) fashions can degrade mannequin accuracy from 80% to 0.1%.
Exploits like GPUHammer threaten the integrity of AI fashions, that are more and more reliant on GPUs to carry out parallel processing and perform computationally demanding duties, to not point out open up a brand new assault floor for cloud platforms.
To mitigate the danger posed by GPUHammer, it is suggested to allow ECC by means of “nvidia-smi -e 1.” Newer NVIDIA GPUs like H100 or RTX 5090 should not affected as a result of them that includes on-die ECC, which helps detect and proper errors arising as a result of voltage fluctuations related to smaller, denser reminiscence chips.
“Enabling Error Correction Codes (ECC) can mitigate this danger, however ECC can introduce as much as a ten% slowdown for [machine learning] inference workloads on an A6000 GPU,” Chris (Shaopeng) Lin, Joyce Qu, and Gururaj Saileshwar, the lead authors of the research, mentioned, including it additionally reduces reminiscence capability by 6.25%.
The disclosure comes as researchers from NTT Social Informatics Laboratories and CentraleSupelec offered CrowHammer, a kind of RowHammer assault that allows a key restoration assault in opposition to the FALCON (FIPS 206) post-quantum signature scheme, which has been chosen by NIST for standardization.
“Utilizing RowHammer, we goal Falcon’s RCDT [reverse cumulative distribution table] to set off a really small variety of focused bit flips, and show that the ensuing distribution is sufficiently skewed to carry out a key restoration assault,” the research mentioned.
“We present {that a} single focused bit flip suffices to totally get well the signing key, given a couple of hundred million signatures, with extra bit flips enabling key restoration with fewer signatures.”
