University of Toronto researchers have successfully demonstrated “GPUHammer” - the first Rowhammer attack specifically targeting NVIDIA GPUs with GDDR6 memory. The attack can completely destroy AI model performance with just a single strategically placed bit flip.

What They Found:

- Successfully tested on NVIDIA RTX A6000 (48GB GDDR6) across four DRAM banks
- Achieved 8 distinct single-bit flips with ~12,300 minimum activations per flip
- AI model accuracy dropped from 80% to as low as 0.02% with a single targeted bit flip
- Attack works by targeting the most significant bit (MSB) of the exponent in FP16 weights
- Tested across multiple AI models: AlexNet, VGG16, ResNet50, DenseNet161, and InceptionV3
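Why one flip in the exponent MSB is enough to wreck a model is easy to see from the FP16 encoding itself. The block below is an added illustration (not code from the paper or the post): it rounds a weight to IEEE half precision, flips bit 14 of the encoding, and decodes the result. For any normal FP16 weight with magnitude below 2 the flip adds 16 to the exponent, so the weight is scaled by 2^16; weights of about 1.0 or larger overflow to infinity, which then propagates through every later layer. The tiny dot product at the end uses constructed weights and inputs to show the effect on a layer output.

```python
import struct
from typing import List, Tuple

# IEEE 754 half precision: bit 15 = sign, bits 14..10 = biased exponent, bits 9..0 = mantissa.
EXPONENT_MSB = 14
FP16_MAX = 65504.0


def fp16_bits(value: float) -> int:
    """Round a Python float to FP16 (round-to-nearest) and return the 16-bit pattern."""
    return struct.unpack("<H", struct.pack("<e", value))[0]


def fp16_from_bits(bits: int) -> float:
    """Decode a 16-bit pattern as FP16; inf and nan decode as such."""
    return struct.unpack("<e", struct.pack("<H", bits & 0xFFFF))[0]


def flip_bit(value: float, bit: int) -> float:
    """Arithmetic effect of a single bit flip in the stored FP16 encoding of value."""
    return fp16_from_bits(fp16_bits(value) ^ (1 << bit))


def exponent_msb_flip(value: float) -> float:
    """Flip bit 14, the exponent MSB named in the summary as the attack's target."""
    return flip_bit(value, EXPONENT_MSB)


def scale_change(value: float) -> float:
    """Ratio corrupted/original, or inf when the corrupted weight overflows FP16.

    For a normal weight with |w| < 2 the biased exponent is at most 15, so bit 14
    is clear; setting it multiplies the weight by 2**16. For 2 <= |w| <= FP16_MAX
    bit 14 is set and clearing it divides by 2**16. Subnormals (biased exponent 0)
    follow a slightly different rule and are not special-cased here.
    """
    corrupted = exponent_msb_flip(value)
    if corrupted == float("inf") or corrupted == float("-inf"):
        return float("inf")
    return corrupted / fp16_from_bits(fp16_bits(value))


def corrupted_dot(weights: List[float], inputs: List[float], victim: int) -> Tuple[float, float]:
    """Return (clean, corrupted) outputs of one FP16 neuron when weights[victim]
    suffers an exponent-MSB flip. Constructed toy layer, not a real model."""
    w16 = [fp16_from_bits(fp16_bits(w)) for w in weights]
    clean = sum(w * x for w, x in zip(w16, inputs))
    w16[victim] = exponent_msb_flip(weights[victim])
    corrupted = sum(w * x for w, x in zip(w16, inputs))
    return clean, corrupted


if __name__ == "__main__":
    for w in (0.01, 0.5, 1.0, 4.0):
        print(f"{w:>6} -> {exponent_msb_flip(w)!r} (x{scale_change(w)})")
    # Constructed weights of a realistic magnitude; one flip dominates the output.
    print(corrupted_dot([0.01, -0.02, 0.03, 0.04], [1.0, 1.0, 1.0, 1.0], victim=0))
```

Note that the 2^16 scaling applies to the weight's FP16-rounded value (0.01 is stored as 0.01000213623046875, so it becomes exactly 655.5), and that a weight of 1.0 does not merely grow: it becomes +inf, which is why accuracy can collapse to near zero rather than just degrade.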

Technical Breakthrough:

The researchers overcame three major challenges that previously made GPU Rowhammer attacks impossible:

- Address Mapping: Reverse-engineered proprietary GDDR6 memory bank mappings without access to physical addresses
- Activation Rates: Developed multi-warp hammering techniques achieving 620K activations per 23ms refresh period (7× faster than single-thread)
- Synchronization: Created synchronized attack patterns that bypass Target Row Refresh (TRR) mitigations

Key Technical Details:

- GDDR6 refresh period: 23ms (vs 32ms for DDR4/5)
- TRR sampler tracks 16 rows per bank - attacks need 17+ aggressors to succeed
- Attack uses distance-4 aggressor patterns (hammering rows Ri+4, Ri+8, etc.)
- Most effective bit-flips target rows at distance ±2 from victim

The Cloud Security Problem:

This is particularly concerning for cloud environments where GPUs are shared among multiple users. The attack requires:

- Multi-tenant GPU time-slicing (common in cloud ML platforms)
- Memory massaging via RAPIDS Memory Manager
- ECC disabled (default on many workstation GPUs)

NVIDIA’s Response:

NVIDIA acknowledged the research on January 15, 2025, and recommends:

- Enable System-Level ECC using nvidia-smi -e 1
- Trade-offs: ~10% ML inference slowdown, 6.5% memory capacity loss
- Newer GPUs (H100, RTX 5090) have built-in on-die ECC protection
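Since ECC being disabled is both a precondition of the attack and the recommended fix, the first thing a fleet owner wants is an audit of which GPUs actually have it on. The block below is an added example, not part of the post or of NVIDIA's tooling: it parses the CSV produced by `nvidia-smi --query-gpu=index,name,ecc.mode.current,ecc.mode.pending --format=csv,noheader` (these query fields exist in nvidia-smi; the sample output is constructed) and reports GPUs that are unprotected, GPUs whose ECC change is still pending a reboot, and GPUs that do not support ECC at all (nvidia-smi prints `[N/A]` for them). The `query_live` helper runs the real command only when `nvidia-smi` is on PATH.

```python
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional

QUERY_FIELDS = "index,name,ecc.mode.current,ecc.mode.pending"

# Constructed sample in the shape nvidia-smi emits with --format=csv,noheader.
SAMPLE_OUTPUT = """\
0, NVIDIA RTX A6000, Disabled, Disabled
1, NVIDIA RTX A6000, Disabled, Enabled
2, NVIDIA A100-SXM4-40GB, Enabled, Enabled
3, NVIDIA GeForce RTX 3090, [N/A], [N/A]
"""


@dataclass
class GpuEcc:
    index: int
    name: str
    current: str  # "Enabled", "Disabled" or "[N/A]"
    pending: str  # mode that takes effect after the next reboot


def parse_ecc_csv(text: str) -> List[GpuEcc]:
    """Parse nvidia-smi CSV rows; raise on rows that do not have the four fields."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"unexpected nvidia-smi row: {line!r}")
        rows.append(GpuEcc(int(parts[0]), parts[1], parts[2], parts[3]))
    return rows


def unsupported(rows: List[GpuEcc]) -> List[int]:
    """GPUs that expose no ECC mode at all (typically consumer cards)."""
    return [r.index for r in rows if r.current == "[N/A]"]


def unprotected(rows: List[GpuEcc]) -> List[int]:
    """GPUs currently running without ECC, whether or not they support it."""
    return [r.index for r in rows if r.current != "Enabled"]


def pending_reboot(rows: List[GpuEcc]) -> List[int]:
    """GPUs where nvidia-smi -e 1 (or -e 0) was issued but has not taken effect yet."""
    return [r.index for r in rows if r.current != r.pending and r.current != "[N/A]"]


def query_live() -> Optional[List[GpuEcc]]:
    """Run the real query if nvidia-smi is installed; None otherwise."""
    if shutil.which("nvidia-smi") is None:
        return None
    proc = subprocess.run(
        ["nvidia-smi", f"--query-gpu={QUERY_FIELDS}", "--format=csv,noheader"],
        capture_output=True, text=True, check=True,
    )
    return parse_ecc_csv(proc.stdout)


if __name__ == "__main__":
    rows = query_live() or parse_ecc_csv(SAMPLE_OUTPUT)
    print("ECC unsupported:", unsupported(rows))
    print("ECC not active :", unprotected(rows))
    print("reboot pending :", pending_reboot(rows))
```

GPU 1 in the sample is the case worth watching for: `nvidia-smi -e 1` has been run, but the GPU is still unprotected until it is reset, so an audit that only checks the pending mode would report it as fixed too early.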

Why This Matters:

This represents the first systematic demonstration that GPU memory is vulnerable to hardware-level attacks. Key implications:

- GPU-accelerated AI infrastructure has significant security gaps
- Hardware-level attacks can operate below traditional security controls
- Silent corruption of AI models could lead to undetected failures
- Affects millions of systems given NVIDIA’s ~90% GPU market share

Affected Hardware:

- Vulnerable: RTX A6000, and potentially other GDDR6-based GPUs
- Protected: A100 (HBM2e), H100/H200 (HBM3 with on-die ECC), RTX 5090 (GDDR7 with on-die ECC)

Bottom Line: GPUHammer demonstrates that the security assumptions around GPU memory integrity are fundamentally flawed. As AI workloads become more critical, this research highlights the urgent need for both hardware mitigations and software resilience against bit-flip attacks in machine learning systems.

Source: arXiv paper 2507.08166 by Chris S. Lin, Joyce Qu, and Gururaj Saileshwar from the University of Toronto

💬 Discussion r/OpenAI (16 points, 0 comments)