A Practical Guide to the Rowhammer Attack on NVIDIA Ampere GPUs

Introduction

Rowhammer, a well-known vulnerability in DRAM, has primarily been studied on CPUs. However, recent research has demonstrated that it poses a serious threat to GPUs as well. This guide provides a step-by-step walkthrough of how two independent research teams successfully exploited Rowhammer on NVIDIA's Ampere generation GPUs (RTX 3060 and RTX A6000) to gain full control of host CPU memory. The attacks—dubbed GDDRHammer and GeForge—use novel hammering patterns and memory massaging to induce bit flips in GDDR6 memory, ultimately leading to a complete system compromise. This guide is intended for educational and research purposes only.

A Practical Guide to the Rowhammer Attack on NVIDIA Ampere GPUs — Source: www.schneier.com

What You Need

NVIDIA Ampere GPU: Specifically, a card from the RTX 30 series (e.g., RTX 3060) or the A6000 series. The attacks have been validated on these models.
Host machine: A PC or server with the target GPU installed, running a standard operating system (Linux recommended for research tools).
Disabled IOMMU: For GDDRHammer and GeForge (original variants), the Input-Output Memory Management Unit (IOMMU) must be disabled in the BIOS. Note: A third, updated attack works even with IOMMU enabled—see Tips.
Research exploit code: The proof-of-concept (PoC) scripts from the GDDRHammer and GeForge papers. These are typically available from the authors’ repositories.
Knowledge of GPU memory layout: Familiarity with GDDR6 memory rows, columns, and page tables is essential.
Root or administrative privileges: Required to disable IOMMU and run low-level memory access tools.

Step-by-Step Guide

Step 1: Prepare the Environment

Disable IOMMU: Reboot your system and enter the BIOS/UEFI settings. Locate the IOMMU option (often under Advanced > North Bridge or Memory Configuration) and disable it. Save and exit. This is critical for the original GDDRHammer and GeForge attacks.
Boot into a Linux environment: Use a distribution like Ubuntu with NVIDIA drivers installed. Ensure you have GCC, Python (for PoC scripts), and debugging tools like nvidia-smi.
Verify GPU model: Run lspci | grep NVIDIA to confirm your GPU is Ampere-based (e.g., RTX 3060 or RTX A6000).

Step 2: Understand GPU Rowhammering

Learn Rowhammer basics: Rowhammer exploits the electrical interference between adjacent DRAM rows. Rapidly accessing one row (the aggressor) can cause bit flips in neighboring rows (victim). On GPUs, the same principle applies to GDDR memory.
Study GDDRHammer technique: This attack targets the last-level page table in GPU memory. By hammering specific GDDR rows, the researchers induced bit flips that corrupted the page table entries, giving them arbitrary read/write access to all of the GPU's memory space.
Study GeForge technique: Instead of exploiting the page table, GeForge manipulates the last-level page directory. It uses a unique hammering pattern and memory massaging to corrupt page table mappings in GDDR6 memory, achieving the same privileges.

Step 3: Obtain and Compile Exploit Code

Download GDDRHammer PoC: From the research paper's repository (refer to the abstract for links).
Download GeForge PoC: Similarly, obtain the GeForge source code.
Compile the exploits: Follow the provided instructions. Typically, you’ll need to set up a custom kernel module or use CUDA programming. For GeForge, the PoC opens a root shell once successful.

Step 4: Execute the Attack

Run GDDRHammer: Launch the exploit with appropriate parameters (e.g., specify target GPU and memory region). The script will continuously hammer selected rows. Monitor for bit flips—these may appear as corrupted memory values.
Run GeForge: Similar execution, but focus on page directory corruption. The GeForge PoC against RTX 3060 specifically reported 1,171 bit flips; against RTX A6000 it induced 202 flips.
Escalate to CPU memory: Once the GPU memory space is compromised, the exploit leverages the corrupted page tables to gain read/write access to CPU memory. This step requires careful mapping of GPU-CPU memory bridges.

Step 5: Verify Compromise

Check for root shell: In GeForge’s PoC, a root shell window appears, allowing arbitrary commands on the host machine. Confirm by running id or whoami.
Test memory access: Use a custom program to read and write arbitrary CPU memory addresses. If successful, you have full control of the host.
Document findings: Record the number of bit flips, time to compromise, and any hardware variability (e.g., different A6000 units may behave differently).

Tips

IOMMU bypass: As of late updates, researchers demonstrated a third Rowhammer attack on the RTX A6000 that works even with IOMMU enabled by default. If your target has IOMMU on, consider seeking this updated payload.
Memory massaging: Both attacks rely on precise memory layout manipulation. Use tools like nvidia-smi -q -d MEMORY to understand GDDR row organization.
Repeatability: Bit flip rates vary between GPUs. Run multiple trials; success may require fine-tuning hammering patterns (e.g., frequency, access patterns).
Security implications: This attack demonstrates that GPU isolation mechanisms (like IOMMU) are not sufficient. For defensive purposes, keep firmware updated and consider disabling GPU compute on sensitive systems.
Legal and ethical note: Only perform these attacks on hardware you own or have explicit permission to test. Unauthorized access to systems is illegal.

Tags: