New Rowhammer Variants Exploit GPU Memory to Take Over Host Systems

Introduction: A New Frontier for Rowhammer Attacks

For years, the Rowhammer vulnerability has primarily been associated with central processing units (CPUs), where attackers exploit electrical interference between densely packed memory cells to flip bits and gain unauthorized access. Now, two independent research teams have demonstrated that this threat is equally potent on modern graphics processing units (GPUs), specifically targeting NVIDIA's Ampere architecture. Their findings reveal that malicious actors can leverage GPU memory to achieve full control over the host CPU's memory, leading to complete system compromise. This article delves into the details of these novel attacks, known as GDDRHammer and GeForge, and discusses their implications for cybersecurity.

Understanding Rowhammer on GPUs

Rowhammer is a hardware vulnerability that occurs in DRAM (Dynamic Random-Access Memory) modules. By rapidly accessing (hammering) a specific row of memory cells, an attacker can induce electrical disturbances that cause bit flips in adjacent rows. Traditionally, this technique has been used against CPU memory. However, GPUs—especially those used in high-performance computing, gaming, and machine learning—now incorporate large amounts of GDDR memory (Graphics Double Data Rate), which is equally susceptible to the same phenomenon.

The two research teams—one from the University of Maryland and another from a consortium of academic institutions—independently developed exploits that target GDDR6 memory found in NVIDIA's RTX 3060 and RTX 6000 (Ampere generation) cards. These attacks demonstrate that Rowhammer on GPUs can be used to corrupt page tables and page directories, ultimately granting the attacker read/write access to the host CPU's entire memory space. In both cases, the IOMMU (Input-Output Memory Management Unit) must be disabled—a default setting in many BIOS configurations—for the attack to succeed, though a third variant works even with IOMMU enabled.

The Two Principal Attacks

GDDRHammer: Disturbing DRAM Rows Across Components

The first attack, detailed in a paper titled GDDRHammer: Greatly Disturbing DRAM Rows—Cross-Component Rowhammer Attacks from Modern GPUs, was co-authored by Andrew Kwong and his team. Their approach exploits the last-level page table of the GPU memory. By inducing precisely timed bit flips in GDDR6 memory, they corrupted page table entries, allowing the GPU to access arbitrary physical memory addresses belonging to the CPU. This cross-component capability means that an attacker can read and write the host's memory as if they possessed kernel-level privileges. The researchers successfully demonstrated this on a system running an AMD CPU with an NVIDIA RTX 3060, bypassing standard security boundaries.

GeForge: Forging GPU Page Tables for Fun and Profit

The second paper, GeForge: Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit, achieved a similar goal but through a slightly different mechanism. Instead of manipulating page tables, GeForge targets the last-level page directory. Using novel hammering patterns and memory massaging techniques, the researchers induced bit flips that corrupted the directory mappings. This allowed them to rewrite GPU page table entries and subsequently gain read/write access to the host CPU's memory. In their proof-of-concept exploit against the RTX 3060, GeForge concluded by opening a root shell on the host machine, enabling the attacker to execute arbitrary commands with the highest privileges. The attack also worked against the RTX 6000, inducing 1,171 bit flips on the RTX 3060 and 202 bit flips on the RTX 6000.

Mitigation and the Role of IOMMU

The IOMMU (Input-Output Memory Management Unit) is a hardware component that isolates device memory access from the host CPU's memory, acting as a guard against such cross-component attacks. By default, many BIOS configurations disable IOMMU to improve performance, leaving systems vulnerable. However, a third attack, disclosed on April 3, demonstrated that even with IOMMU enabled, an RTX A6000 could be exploited to achieve privilege escalation to a root shell. This underscores the urgent need for both hardware and software mitigations, such as enabling IOMMU where possible and implementing stricter memory access controls at the driver level.

Implications for Security

These findings represent a significant escalation in the Rowhammer threat landscape. GPUs are now ubiquitous in servers, cloud computing, and artificial intelligence workloads, making them attractive targets for attackers seeking to pivot from a compromised GPU to a full host takeover. The ability to manipulate GPU memory cross-component could enable attacks such as data theft, ransomware deployment, or backdoor installation. System administrators and security professionals should not only ensure IOMMU is enabled but also monitor for abnormal memory access patterns that may indicate hammering activity. As GPU memory densities increase, Rowhammer attacks on GDDR and HBM (High Bandwidth Memory) will likely become more prevalent.

Conclusion

The research presented by these teams confirms that Rowhammer is a serious threat to modern GPU architectures, not just CPUs. While the current attacks require specific conditions—such as disabled IOMMU or targeted hardware—they prove that the barrier between GPU and CPU memory can be breached. The development of GDDRHammer, GeForge, and the third IOMMU-bypassing variant highlights the need for a holistic approach to hardware security. As NVIDIA and other GPU manufacturers continue to innovate, they must address these vulnerabilities through both architectural changes and robust defenses against Rowhammer.