NVIDIA is warning customers to activate System Degree Error-Correcting Code mitigation to guard in opposition to Rowhammer assaults on graphical processors with GDDR6 reminiscence.
The corporate is reinforcing the advice as new analysis revealed by the College of Toronto demonstrates the practicallity of Rowhammer assaults in opposition to an NVIDIA A6000 GPU (graphical processing unit).
“We ran GPUHammer on an NVIDIA RTX A6000 (48 GB GDDR6) throughout 4 DRAM banks and noticed 8 distinct single-bit flips, and bit-flips throughout all examined banks,” describe the researchers.
“The minimal activation rely ( TRH) to induce a flip was ~12K, per prior DDR4 findings.”
“Utilizing these flips, we carried out the primary ML accuracy degradation assault utilizing Rowhammer on a GPU.”
Rowhammer is a {hardware} fault that may be triggered by way of software program processes and stems from reminiscence cells being too shut to one another. The assault was demonstrated on DRAM cells however it could actually have an effect on GPU reminiscence, too.
It really works by accessing a reminiscence row with sufficient read-write operations, which causes the worth of adjoining information bits to flip from one to zero and vice-versa, inflicting the in-memory info to vary.
The impact might be a denial-of-service situation, information corruption, and even privilege escalation.
System Degree Error-Correcting Codes (ECC) can protect the integrity of the info by including redundant bits and correcting single-bit errors to take care of information reliability and accuracy.
In workstation and information heart GPUs the place VRAM handles giant datasets and exact calculations associated to AI workloads, ECC should be enabled to stop essential errors of their operation.
NVIDIA’s safety discover notes that researchers on the College of Toronto confirmed “a possible Rowhammer assault in opposition to an NVIDIA A6000 GPU with GDDR6 Reminiscence” the place System-Degree ECC was not enabled.
The tutorial researchers developed GPUHammer, an assault methodology to flip bits on GPU reminiscences.
Though hammering is more durable on GDDR6 due to larger latency and sooner refresh in contrast with CPU-based DDR4, the researchers have been capable of reveal that Rowhammer assaults on GPU reminiscence banks is feasible.
Researcher Gururaj Saileshwar highlighted to BleepingComputer that GPUHammer can degrade AI mannequin accuracy from 80% to under 1% with a single flip on an A6000 GPU.
Other than the RTX A6000, the GPU maker additionally recommends enabling System-Degree ECC for the next merchandise:
Knowledge Heart GPUs:
- Ampere: A100, A40, A30, A16, A10, A2, A800
- Ada: L40S, L40, L4
- Hopper: H100, H200, GH200, H20, H800
- Blackwell: GB200, B200, B100
- Turing: T1000, T600, T400, T4
- Volta: Tesla V100, Tesla V100S
Workstation GPUs:
- Ampere RTX: A6000, A5000, A4500, A4000, A2000, A1000, A400
- Ada RTX: 6000, 5000, 4500, 4000, 4000 SFF, 2000
- Blackwell RTX PRO (latest workstation line)
- Turing RTX: 8000, 6000, 5000, 4000
- Volta: Quadro GV100
Embedded / Industrial:
- Jetson AGX Orin Industrial
- IGX Orin
The GPU maker notes that newer GPUs like Blackwell RTX 50 Collection (GeForce), Blackwell Knowledge Heart GB200, B200, B100, and Hopper Knowledge Heart H100, H200, H20, and GH200, include built-in on-die ECC safety, which doesn’t require an intervention from the consumer.
One solution to examine if System Degree ECC is enabled is to make use of an out-of-band methodology that makes use of the system’s BMC (Baseboard Administration Controller) and {hardware} interface software program, just like the Redfish API, to examine the “ECCModeEnabled” standing.
Instruments like NSM Kind 3 and NVIDIA SMBPBI can be used for configuration, although they require entry to the NVIDIA Accomplice Portal.
A second In-Band methodology additionally exists, utilizing the nvidia-smi command-line utility from the system’s CPU to examine and allow ECC the place supported.
Sailshwar estimates that these suggestions incur as much as 10% slowdown for ML inference and 6.5% reminiscence capability loss throughout all workloads.
Rowhammer represents an actual safety concern that might trigger information corruption or allow assaults in multi-tenant environments like cloud servers the place susceptible GPUs could also be deployed.
Nonetheless, the actual danger is context-dependent, and exploiting Rowhammer reliably is sophisticated, requiring particular circumstances, excessive entry charges, and exact management, making it an assault troublesome to execute.
Replace 7/12 – Added hyperlinks to the analysis and particulars offered by the researchers.
Whereas cloud assaults could also be rising extra refined, attackers nonetheless succeed with surprisingly easy strategies.
Drawing from Wiz’s detections throughout 1000’s of organizations, this report reveals 8 key strategies utilized by cloud-fluent menace actors.
