NVIDIA is warning users to activate the system level error-reforming code mitigation to protect the rowhammer attacks on graphical processors with GDDR6 memory.
The company is strengthening the recommendation New research An NVIDIA A6000 published by the University of Toronto reflects the practicality of the Rowhammer attacks against the A6000 GPU (graphical processing unit).
Researchers describe, “We ran the GPUhammer at NVIDIA RTX A6000 (48 GB GDDR6) in four DRAM banks and saw 8 different single-bit flips and bit-flips in all tested banks,” describe researchers.
“The minimum activation calculation (TRH) to inspire flip was ~ 12K, which was in line with the former DDR4 conclusions.”
“Using these flips, we first demonstrated the ML accuracy decline attack using Rowhammer on GPU.”
Rowhammer is a hardware mistake that can be triggered through software procedures and can be very close to each other stems from memory cells. The attack on DRAM cells was demonstrated, but it can also affect GPU memory.
It works by reaching a memory row with adequate reed-light operations, which causes the value of adjacent data bits to flip from one to one and vice versa, which changes in-memory information.
The effect may increase a refusal-service condition, data corruption, or even privilege.
System level error-right code (ECC) can preserve the integrity of data by adding fruitless bits and correcting single-bit errors to maintain data reliability and accuracy.
In the Workstation and Data Center GPU where VRAM handles the exact calculation related to large dataset and AI workload, ECC must be able to prevent important errors in their operation.
NVIDIA security notices notices that researchers at the University of Toronto showed “a potential Rohemmer attack against a NVidia A6000 GPU with GDDR6 memory, where the system-level ECC was not able to show.
Academic researchers developed GPUhammer, which is an attack method for flipping bits on GPU memories.
Although harmning on GDDR6 is difficult due to high delays and rapid refreshing than CPU-based DDR4, researchers were able to display it. Rowhammer attacks GPU Memory bank is possible.
Researcher Gururaj Seleshwar highlighted the Blapping computer that the AI model with single flip on GPUhammer A6000 GPU can make the AI model accuracy below 80% below 1%.
In addition to RTX A6000, GPU manufacturer also recommended Enabling system-level ECC for the following products:
Data Center GPUS:
- Ampere: A100, A40, A30, A16, A10, A2, A800
- ADA: L40S, L40, L4
- Hopper: H100, H200, GH200, H20, H800
- Blackwell: GB200, B200, B100
- Turing: T1000, T600, T400, T4
- Volta: Tesla V100, Tesla V100s
Workstation GPU:
- Ampere RTX: A6000, A5000, A4500, A4000, A2000, A1000, A400
- ADA RTX: 6000, 5000, 4500, 4000, 4000 SFF, 2000
- Blackwell RTX Pro (Latest Workstation Line)
- Turing RTX: 8000, 6000, 5000, 4000
- Volta: Quadro GV100
Embedded / Industrial:
- Jetson AGX Oin Industrial
- IGX Oin
The GPU manufacturer notes that the Blackwell RTX 50 series (GEFORCE), Blackwell data centers GB200, B200, B100, and Hopper Data Centers H100, H200, H20 and GH200 like new GPU, underlying on-dye ECC protection come with new GPU, which does not require intervention from user.
Whether the system level ECC is capable or not is a way to check an out-of-band method that uses the BMC (Basboard Management Controller) and Hardware Interface Software of the system, such as the system, such as the system, such Redfish APITo examine the situation “eccmodeenabled”.
Tools such as NSM Type 3 and NVIDIA SMBPBI can also be used for configuration, although they require access to Nvidia partner portal.
A second in-band method is also present, where the system is supported to check and enable ECC using NVDia-SMI command-line utility from the CPU.
Cellswar estimates that these recommendations are for 10% recession for ML entrance and 6.5% of memory capacity loss in all workloads.
Rowhammer represents a real safety concern that can cause data corruption or enable attacks in multi-relative environments such as cloud servers where weak GPU can be deployed.
However, the actual risk is reference-dependent, and exploiting Rohmar is firmly complicated, requiring specific conditions, high reach rates, and accurate control, making it difficult to execute.
Update 7/12 – Links were added for research and details provided by researchers.
While cloud attacks can be more sophisticated, the attackers still succeed with surprisingly simple techniques.
Drawing by the detection of Vij in thousands of organizations, this report reveals the 8 major techniques used by Claude-Floid danger actors.
