Nvidia is urging customers to enable system-level error correction codes (ECCs) as a defense against proven Rowhammer attack variants against graphics processing units (GPUs).
“The risk of successful exploitation from a Rowhammer attack varies based on DRAM devices, platforms, design specifications and system settings,” GPU manufacturers said in an advisory released this week.
An attack called Gpuhammer tampers with other users’ data by marking the first Rowhammer Exploit demonstrated against Nvidia’s GPU (e.g., Nvidia A6000 GPU with GDDR6 memory) and triggering a bit flip in GPU memory.
Researchers at the University of Toronto say that the most concern about this behavior is the decline in accuracy of artificial intelligence (AI) models from 80% to less than 1%.
Rowhammer is directed towards modern drums, like Spectre and Meltdown against modern CPUs. Both are hardware-level security vulnerabilities, but Rowhammer targets the physical behavior of DRAM memory, while Specter exploits speculative execution on the CPU.
Rowhammer causes bit flips to nearby memory cells due to DRAM electrical interference caused by repeated memory accesses, but with Specter and Meltdown, attackers obtain privileged information from memory via side-channel attacks, potentially leaking sensitive data.
In 2022, academics from the University of Michigan and Georgia Tech discussed a technology called Specchammer, which combines Rowhammer and Specter to launch speculative attacks. This approach involves basically triggering a Specter V1 attack by using Rowhammer Bit-flips to insert malicious values into the victim gadget.
Gpuhammer is the latest variant of Rowhammer, but it can induce bit flips on Nvidia GPUs despite the presence of mitigation such as target refresh rate (TRR).
The researcher-developed proof of concept allows single bit flips to tamper with victims’ Imagenet Deep Neural Network (DNN) models to break down the accuracy of the model from 80% to 0.1%.
Exploits like Gpuhammer threaten the integrity of AI models. Rather than opening up a new attack surface for cloud platforms, AI models are increasingly relying on GPUs to perform parallel processing and perform computationally demanding tasks.
To mitigate the risk poses by Gpuhammer, we recommend enabling ECC via “Nvidia -Smi -e 1”. Newer Nvidia GPUs like the H100 and RTX 5090 are unaffected because they feature OnDai ECC.
“Enabling the Error Correction Code (ECC) reduces this risk, but ECC can introduce a 10% slowdown. [machine learning] “Inference Workload for A6000 GPUs”, Chris (Shaopeng) Lin, Joyce QU, and Gurraj Saileshwar, said they are the lead authors of the study, and could also reduce memory capacity by 6.25%.
This disclosure comes when NTT’s Institute of Social Informatics and Centralesupelec present Crowhammer. This is a kind of Rowhammer attack that allows for critical recovery attacks against the Falcon (FIPS 206) limb signature scheme selected by the NIST for standardization.
“We’re using Rowhammer to target Falcon’s RCDT. [reverse cumulative distribution table] “To trigger very few target bit flips and prove that the resulting distribution is skewed enough to carry out important recovery attacks,” the study said.
“With hundreds of millions of signatures, a target bit flip that is sufficient to fully recover the signature key is sufficient, and more bit flips allow for less signature key recovery.”
Source link
