Monday, July 14, 2025

New RowHammer Attack Variant Degrades AI Models on NVIDIA GPUs


NVIDIA is urging customers to enable System-level Error Correction Codes (ECC) as a defense against a variant of a RowHammer attack demonstrated against its graphics processing units (GPUs).

"Risk of successful exploitation from RowHammer attacks varies based on DRAM device, platform, design specification, and system settings," the GPU maker said in an advisory released this week.

Dubbed GPUHammer, the attacks mark the first-ever RowHammer exploit demonstrated against NVIDIA's GPUs (e.g., the NVIDIA A6000 GPU with GDDR6 memory), allowing malicious GPU users to tamper with other users' data by triggering bit flips in GPU memory.

The most concerning consequence of this behavior, University of Toronto researchers found, is the degradation of an artificial intelligence (AI) model's accuracy from 80% to less than 1%.

RowHammer is to modern DRAM what Spectre and Meltdown are to contemporary CPUs. While both are hardware-level security vulnerabilities, RowHammer targets the physical behavior of DRAM memory, whereas Spectre exploits speculative execution in CPUs.

RowHammer causes bit flips in nearby memory cells due to electrical interference in DRAM stemming from repeated memory access, whereas Spectre and Meltdown allow attackers to obtain privileged information from memory via a side-channel attack, potentially leaking sensitive data.


In 2022, academics from the University of Michigan and Georgia Tech described a technique called SpecHammer that combines RowHammer and Spectre to launch speculative attacks. The technique essentially involves triggering a Spectre v1 attack by using RowHammer bit flips to insert malicious values into victim gadgets.

GPUHammer is the latest variant of RowHammer, capable of inducing bit flips in NVIDIA GPUs even with mitigations like target row refresh (TRR) in place. Unlike CPUs, which have benefited from years of side-channel defense research, GPUs often lack parity checks and instruction-level access controls, leaving their memory integrity more exposed to low-level fault injection attacks.

In a proof-of-concept developed by the researchers, using a single bit flip to tamper with a victim's ImageNet deep neural network (DNN) models can degrade model accuracy from 80% to 0.1%. It is a clear sign that GPUHammer is not just a memory glitch: it is part of a broader wave of attacks targeting the core of AI infrastructure, from GPU-level faults to data poisoning and model pipeline compromise.

Exploits like GPUHammer threaten the integrity of AI models, which are increasingly reliant on GPUs to perform parallel processing and carry out computationally demanding tasks, not to mention open up a new attack surface for cloud platforms.

In shared GPU environments like cloud ML platforms or VDI setups, a malicious tenant could potentially launch GPUHammer against adjacent workloads, affecting inference accuracy or corrupting cached model parameters without direct access. This creates a cross-tenant risk profile not typically accounted for in current GPU security postures.

This development ties into broader concerns around AI model reliability and adversarial ML, where attackers exploit input or memory vulnerabilities to manipulate outputs. GPUHammer represents a new class of attacks that operate beneath the model layer, altering internal weights instead of external data.

Its implications extend to edge AI deployments, autonomous systems, and fraud detection engines, where silent corruption may not be easily caught or reversed.

To mitigate the risk posed by GPUHammer, it is recommended to enable ECC by running "nvidia-smi -e 1". Users can verify ECC status by running "nvidia-smi -q | grep ECC", which reports whether ECC is supported and currently enabled.

To minimize impact while maintaining security, some configurations allow ECC to be selectively enabled only for training nodes or high-risk workloads. It is also good practice to monitor GPU error logs (/var/log/syslog or dmesg) for ECC-related corrections, which could signal ongoing bit-flip attempts.
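As an added example (not code from the article, the researchers, or NVIDIA), the following POSIX shell helper turns the two checks above into something an operator can script: it reads the "ECC Mode" block from nvidia-smi -q output and counts ECC-related NVRM messages in a kernel log. The exact nvidia-smi layout and the NVRM log wording are assumptions, and both inputs are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the article or NVIDIA: audit whether ECC is
# actually active on a GPU and whether the kernel log shows ECC events.
# The nvidia-smi layout and NVRM message wording are assumptions.

# Constructed sample in the shape of `nvidia-smi -q` output (assumed layout).
SAMPLE_SMI='GPU 00000000:01:00.0
    Product Name                          : NVIDIA RTX A6000
    ECC Mode
        Current                           : Disabled
        Pending                           : Enabled
    Retired Pages
        Single Bit ECC                    : 0'

# Constructed sample dmesg lines (assumed NVRM Xid message wording).
SAMPLE_LOG='[ 100.1] NVRM: Xid (PCI:0000:01:00.0): 63, pid=1234, Row Remapper: New row marked for remapping
[ 100.2] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[ 100.3] NVRM: Xid (PCI:0000:01:00.0): 48, pid=1234, An uncorrectable double bit error (DBE) has been detected'

# ecc_mode TEXT KEY: print the Current or Pending value from the ECC Mode block.
ecc_mode() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /ECC Mode/            { inblk = 1; next }
        inblk && !/^        / { inblk = 0 }        # block ends at the next 4-space heading
        inblk && $1 == key    { print $NF; exit }'
}

# count_ecc_events TEXT: NVRM Xid lines that mention ECC, bit errors or row remapping.
count_ecc_events() {
    printf '%s\n' "$1" | grep -Ec 'NVRM: Xid .*(ECC|bit error|Row Remapper)' || true
}

# ecc_verdict TEXT: one-line summary; Pending differs from Current until the GPU is reset.
ecc_verdict() {
    cur=$(ecc_mode "$1" Current)
    pen=$(ecc_mode "$1" Pending)
    case "$cur/$pen" in
        Enabled/Enabled)  echo "ECC on" ;;
        Disabled/Enabled) echo "ECC off now, enabled after next GPU reset" ;;
        Enabled/Disabled) echo "ECC on now, disabled after next GPU reset" ;;
        *)                echo "ECC off: run nvidia-smi -e 1 and reset the GPU" ;;
    esac
}

# On a live host, feed "$(nvidia-smi -q)" and "$(dmesg)" instead of the samples.
echo "ECC state: $(ecc_verdict "$SAMPLE_SMI")"
echo "ECC-related NVRM events: $(count_ecc_events "$SAMPLE_LOG")"
```

The Pending/Current split matters in practice: nvidia-smi -e 1 only changes the pending value, so a host reads as still unprotected until the GPU is reset or the machine rebooted.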

Newer NVIDIA GPUs like the H100 or RTX 5090 are not affected because they feature on-die ECC, which helps detect and correct errors arising from voltage fluctuations associated with smaller, denser memory chips.


"Enabling Error Correction Codes (ECC) can mitigate this risk, but ECC can introduce up to a 10% slowdown for [machine learning] inference workloads on an A6000 GPU," Chris (Shaopeng) Lin, Joyce Qu, and Gururaj Saileshwar, the lead authors of the study, said, adding that it also reduces memory capacity by 6.25%.

The disclosure comes as researchers from NTT Social Informatics Laboratories and CentraleSupelec presented CrowHammer, a type of RowHammer attack that enables a key recovery attack against the FALCON (FIPS 206) post-quantum signature scheme, which has been selected by NIST for standardization.

"Using RowHammer, we target Falcon's RCDT [reverse cumulative distribution table] to trigger a very small number of targeted bit flips, and prove that the resulting distribution is sufficiently skewed to perform a key recovery attack," the study said.

"We show that a single targeted bit flip suffices to fully recover the signing key, given a few hundred million signatures, with more bit flips enabling key recovery with fewer signatures."

For industries governed by strict compliance rules, such as healthcare, finance, and autonomous systems, the silent failure of AI due to bit-flip attacks introduces regulatory risk. Incorrect inferences caused by corrupted models could violate safety, explainability, or data integrity mandates under frameworks like ISO/IEC 27001 or the EU AI Act. Organizations deploying GPU-intensive AI must include GPU memory integrity in their security and audit scopes.
