GPU Vulnerability Exploited for Root Shell Access via Rowhammer Attack
Root Shell Access Achieved Via GPU Rowhammer Attack
Researchers at the University of Toronto have uncovered a novel method for escalating privileges using the Rowhammer technique, a hardware vulnerability that has been well-documented for over a decade.
Newly Identified Attack Exploits Graphics Processing Units
The newly identified attack, referred to as GPUBreach, turns Rowhammer bit flips in GPU memory into arbitrary read-write access over memory and, from there, into a root shell on the host, i.e. full system compromise.
Rowhammer Technique Adapted to Target Nvidia GPU Memory
The Rowhammer technique works by repeatedly activating (opening and closing) one or more "aggressor" rows of dynamic random-access memory (DRAM) cells. The resulting electrical disturbance leaks charge from cells in physically adjacent "victim" rows, flipping bits in memory the attacker has no permission to write. Rowhammer was first demonstrated on the DDR DRAM attached to CPUs; the same researchers had previously shown that the GDDR6 memory of an Nvidia GPU is also susceptible, and used the induced bit flips to corrupt model weights and degrade the accuracy of deep neural networks running on the card.
Building Upon Foundation, Researchers Develop GPUBreach
Building upon this foundation, the researchers developed GPUBreach, which shows that GDDR6 bit flips can be aimed at the GPU's own page tables, which live in GPU memory. A single flipped bit in a page-table entry can remap an attacker-controlled virtual address onto physical memory the attacker should not be able to reach, which is where the arbitrary read-write capability comes from. Combined with previously unknown memory-safety bugs in Nvidia's drivers, this lets the attacker pivot from the GPU to the host and escalate privileges on the CPU side, ending in a root shell and full system compromise.
“The discovery of GPUBreach highlights the ongoing need for continuous research and improvement in hardware security,” said Dr. [Researcher’s Name], lead author of the study.
Implications and Mitigation Strategies
The implications are most serious in cloud environments where several tenants share the same physical GPU. The attack requires no physical or local access to the target machine; the attacker only needs to be able to run code on the GPU (for example, by submitting a compute kernel), which is exactly the capability any user or tenant with permission to use the GPU already has.
To mitigate the risk, the researchers recommend enabling error-correcting code (ECC) memory on server and workstation GPUs, where it is supported but is often disabled by default (on Nvidia GPUs, `nvidia-smi -q -d ECC` reports the current and pending ECC mode). They caution, however, that ECC is not a complete defence. Standard single-error-correct, double-error-detect (SECDED) ECC repairs a single bit flip within a protected word and only flags a double flip; three or more flips in the same word can be "corrected" to a different wrong value and reported as repaired, which is silent data corruption. On GDDR6 parts the check bits are stored in the same memory, so enabling ECC also reduces usable capacity and bandwidth.
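To make the ECC caveat concrete, here is an added example (not code from the article or from the University of Toronto researchers) of a toy SECDED Hamming code in Python. The 8-bit data word, the 13-bit codeword layout and the flipped positions are chosen for illustration and are assumptions, not the layout of any real GPU memory controller; real GDDR6 ECC protects much wider words, but the correct-one, detect-two, miscorrect-three behaviour is the same property of the code. The block also enumerates every three-bit flip pattern of one codeword, which goes beyond the article's single sentence by showing how many of those patterns are silently miscorrected versus detected.

```python
# Added example, not from the article: toy SECDED (single-error-correct,
# double-error-detect) Hamming code. Layout is an assumption for
# illustration: index 0 is the extended (overall) parity bit, indices
# 1..12 are classic Hamming positions; positions 1, 2, 4, 8 hold Hamming
# parity bits and the other eight positions hold the data bits.
from __future__ import annotations

from itertools import combinations

DATA_BITS = 8
CODE_LEN = 12                 # Hamming(12,8): 2**4 >= 8 + 4 + 1
PARITY_POS = (1, 2, 4, 8)     # powers of two


def _data_positions() -> list[int]:
    return [p for p in range(1, CODE_LEN + 1) if p not in PARITY_POS]


def _extract(bits: list[int]) -> int:
    data = 0
    for i, pos in enumerate(_data_positions()):
        data |= bits[pos] << i
    return data


def encode(data: int) -> list[int]:
    """Encode an 8-bit value into a 13-bit SECDED codeword (list of 0/1)."""
    assert 0 <= data < (1 << DATA_BITS)
    bits = [0] * (CODE_LEN + 1)
    for i, pos in enumerate(_data_positions()):
        bits[pos] = (data >> i) & 1
    # Parity bit p covers every position whose index has bit p set.
    for p in PARITY_POS:
        bits[p] = 0
        for pos in range(1, CODE_LEN + 1):
            if pos & p and pos != p:
                bits[p] ^= bits[pos]
    bits[0] = sum(bits[1:]) & 1    # overall parity: whole word is even
    return bits


def decode(bits: list[int]) -> tuple[str, int | None]:
    """Return (status, data) the way a SECDED controller would report it.

    status is 'ok', 'corrected' or 'uncorrectable'. The controller trusts
    its own diagnosis, so 'corrected' can still hand back wrong data.
    """
    bits = list(bits)
    syndrome = 0
    for pos in range(1, CODE_LEN + 1):
        if bits[pos]:
            syndrome ^= pos
    parity_even = sum(bits) % 2 == 0
    if syndrome == 0 and parity_even:
        return "ok", _extract(bits)
    if parity_even:
        # Even number of flips (>= 2): detected but cannot be located.
        return "uncorrectable", None
    # Odd parity: the controller assumes exactly one flip and "repairs" it.
    if syndrome == 0:
        bits[0] ^= 1                 # blames the overall parity bit itself
    elif syndrome <= CODE_LEN:
        bits[syndrome] ^= 1          # blames the position the syndrome names
    else:
        return "uncorrectable", None  # syndrome points outside the word
    return "corrected", _extract(bits)


def flip(bits: list[int], positions) -> list[int]:
    """Simulate Rowhammer-style bit flips at the given codeword positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def demo(data: int = 0xA5) -> tuple:
    """One, two and three flips in data bits of the same codeword."""
    cw = encode(data)
    one = decode(flip(cw, [3]))           # repaired: ('corrected', 0xA5)
    two = decode(flip(cw, [3, 5]))        # flagged: ('uncorrectable', None)
    three = decode(flip(cw, [3, 5, 7]))   # silently wrong: ('corrected', 0xAE)
    return one, two, three


def triple_flip_stats(data: int = 0xA5) -> dict[str, int]:
    """Decode every 3-bit flip pattern of one codeword and tally outcomes."""
    cw = encode(data)
    counts = {"silent": 0, "detected": 0, "lucky": 0}
    for trio in combinations(range(CODE_LEN + 1), 3):
        status, out = decode(flip(cw, trio))
        if status == "uncorrectable":
            counts["detected"] += 1
        elif out != data:
            counts["silent"] += 1      # reported as repaired, data is wrong
        else:
            counts["lucky"] += 1
    return counts


if __name__ == "__main__":
    for label, result in zip(("1 flip", "2 flips", "3 flips"), demo()):
        print(f"{label}: {result}")
    print("all 3-flip patterns:", triple_flip_stats())
```

The `demo` call shows the three regimes on one word: the single flip comes back as `('corrected', 0xA5)`, the double flip as `('uncorrectable', None)`, and the triple flip as `('corrected', 0xAE)`, a wrong value delivered with a clean status. `triple_flip_stats` shows that most three-flip patterns land in that silent bucket, which is why ECC raises the bar for a Rowhammer attacker without removing the problem.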
Nvidia and Cloud Providers Respond to Discovery
The discovery of GPUBreach has prompted Nvidia to reassess its Rowhammer security notice, while major cloud providers, including Microsoft, Amazon Web Services, and Google, have been notified about the potential impact of this vulnerability. Google has subsequently awarded a $600 bounty for the findings, highlighting the importance of continued research into emerging threats and vulnerabilities.
