Security researchers have demonstrated that Rowhammer's physical vulnerability poses a severe threat for modern graphics processing units, featuring two complete attack chains called GeForce and GDDRHammerUnlike preliminary research that barely managed to induce a minimal amount of bit alterations to degrade the inference of neural networks, these new types of attack achieve absolute compromise at the system level.
When running standard, unprivileged code on an NVIDIA GPU, a An attacker can corrupt the device's internal memory structures to gain arbitrary read and write access across the entire physical memory of the host CPU. This cross-manipulation allows the attacker to escalate privileges and gain a superuser console on the core operating system.
Evasion of mitigations and patterns
The success of these attacks depends on unprecedented techniques. to circumvent the target row refresh (TRR) mitigations implemented in GDDR6 memory. The GeForge research introduces non-uniform patterns that span multiple update intervals, varying the intensity and order of the activations of the memory rows to avoid hardware detection.
To apply physical address maps obtained through offline profiling to dynamic memory allocations, They developed a page anchoring technique that exploits nonlinear assignment from the physical addresses to the L2 cache sets.
Simultaneously, The GDDRHammer team discovered that the rows of DRAM memory on graphics cards They follow a non-monotonous geometric arrangementThis allowed them to construct highly effective double-sided patterns even though the physical addresses appeared distant. By assigning individual memory bank tasks to different streaming multiprocessors and partially synchronizing execution, they were able to maximize activation performance while circumventing safety sampling.
These approaches generated massive results; The GeForge method induced 1,171 bit alterations in a consumer RTX 3060 and 202 in a professional RTX A6000, while GDDRHammer reached an average of 1,032 alterations per gigabyte, representing a 64-fold increase over previous attempts.
Manipulating page tables and memory massage
To weaponize these electrical disturbances, the Attackers are targeting the hierarchical page tables managed by the GPU's memory management unit.Because the controller normally allocates these structures in protected or unpredictable regions, exploits rely on memory massaging techniques to force the placement of page table entries in physical locations that the attacker knows are vulnerable.
El ataque GDDRHammer uses shared memory mappings to flood the allocator, shortening the gap between page table regions and user-controlled memory. GeForge focuses specifically on corrupting entries in the Pages Directory 0 (PD0).
By carefully allocating and freeing fragments of Unified Virtual Memory, the attacker directs the creation of new PD0 structures directly to a specific 4-kilobyte subpage. Once in position, the process alters a bit within the entry's physical address pointer, redirecting it to a forged page table entirely controlled by the malicious code.
Privilege escalation via the PCIe bus
El Control over the graphics card's page table translates directly into control over the computer's central processor.NVIDIA page table entries contain a specific opening field that dictates whether the associated physical address resides in the device's local memory or in the host system's memory. By altering this field in the forged entry, any operation later reading or writing The data generated by the GPU is routed through the PCIe bus directly to the physical RAM. of the host.
This direct access to memory bypasses the CPU's own memory management unit and the operating system's write copy protections. In its practical demonstration, the researchers They used this capability to overwrite the C standard library code segment directly into the host's memory. Specifically, they injected machine code into the log closing function, which was subsequently executed by a legitimate program with elevated privileges, immediately granting the attacker absolute access to the system.
Hardware prevalence and mitigation measures
LaExtensive testing confirmed that this vulnerability is widespread in current hardware.The GDDRHammer study evaluated 25 high-end graphics cards, finding that 16 of the 17 RTX A6000 models based on the Ampere architecture were susceptible to these attacks. Although error-correcting code (ECC) memory can mitigate the attack's reliability by correcting single-bit errors, this feature is disabled by default on many workstation cards due to the performance penalty and is completely absent in mass-market models.
The most effective immediate defense against host compromise is the application of an Input-Output Memory Management Unit (IOMMU). When enabled, IOMMU restricts direct GPU access to explicitly authorized host page frames, neutralizing the forged open mapping. However, both research teams note that IOMMU is frequently disabled by default on commercial Linux systems for compatibility reasons, leaving a significant number of machines vulnerable to this attack vector.
Finally, if you are interested in learning more about it, you can check the details in the following link