Skip to content

Rowhammer Attacks Against NVIDIA GPUs Can Lead to Full Host ... #2209

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
carlospolop wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Rowhammer Attacks Against NVIDIA GPUs Can Lead to Full Host ... #2209

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 26 additions & 0 deletions src/hardware-physical-access/physical-attacks.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,27 @@ RAM retains data briefly after power is cut, usually for **1 to 2 minutes**. Thi

---

## GPU Rowhammer Against Page Tables

Modern GPU Rowhammer attacks become much more useful when they target **GPU virtual-memory metadata** instead of ordinary buffers. Recent work on **GDDR6 NVIDIA Ampere GPUs** shows that an attacker running unprivileged CUDA code can build GPU-specific hammering patterns, use **memory massaging** to place paging structures in vulnerable rows, and then flip bits in the **last-level page table** or an intermediate **page directory**. Once a single translation entry is corrupted, the attacker can bootstrap **arbitrary GPU memory read/write** and then pivot into host compromise.

### Exploitation Pattern

1. **Profile hammerable rows** in GDDR6 and build refresh-aware / non-uniform hammering patterns that bypass in-DRAM mitigations.
2. **Massage GPU allocations** so the driver places page-translation structures in hammerable physical locations instead of keeping them in the default protected pool. In practice this can mean exhausting the low-memory page-table region and spraying large sparse UVM mappings with controlled strides.
3. **Flip translation metadata** such as **PFN** or aperture-related bits inside a page-table / page-directory entry so the attacker-controlled virtual page resolves to page-table pages, arbitrary GPU memory, or host-visible system mappings.
4. Reuse the forged mapping to rewrite additional translation entries and escalate into **arbitrary GPU memory read/write** across GPU contexts.

### Host Pivot and Mitigations

- With **IOMMU disabled**, forged system-aperture mappings can expose arbitrary **host physical memory** to the GPU, turning the GPU primitive into full host compromise.
- **GDDRHammer** targets last-level page-table entries, while **GeForge** shows that corrupting a page-directory level can be easier because one bit flip can retarget a larger translation subtree. Do not treat only one paging layer as security-critical.
- **IOMMU** still matters because it blocks the direct arbitrary-host-memory path used by GDDRHammer/GeForge, but it is **not a complete mitigation**. **GPUBreach** shows a second-stage pivot where the attacker corrupts GPU-writable, driver-owned CPU buffers and then triggers NVIDIA driver memory-safety bugs to obtain a kernel write primitive and a **root shell** even with IOMMU enabled.
- **System-level ECC** is a practical hardening step on supported workstation/server GPUs. Consumer GPUs without ECC expose a weaker defense surface.
- These attacks are not purely theoretical: **GeForge** reported **1,171** bit flips on an RTX 3060 and **202** on an RTX A6000, which was enough to build a working host-privilege-escalation chain.

---

## Direct Memory Access (DMA) Attacks

**INCEPTION** is a tool designed for **physical memory manipulation** through DMA, compatible with interfaces like **FireWire** and **Thunderbolt**. It allows for bypassing login procedures by patching memory to accept any password. However, it's ineffective against **Windows 10** systems.
Expand Down Expand Up @@ -173,6 +194,11 @@ After the tenth cycle the EC sets a flag that instructs the BIOS to wipe NVRAM a

## References

- [Bruce Schneier - Rowhammer Attack Against NVIDIA Chips](https://www.schneier.com/blog/archives/2026/05/rowhammer-attack-against-nvidia-chips.html)
- [GDDRHammer: Greatly Disturbing DRAM Rows — Cross-Component Rowhammer Attacks from Modern GPUs](https://gddr.fail/files/gddrhammer.pdf)
- [GeForge: Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit](https://stefan1wan.github.io/files/GeForge.pdf)
- [GPUBreach: Privilege Escalation Attacks on GPUs using Rowhammer](https://gururaj-s.github.io/assets/pdf/SP26_GPUBreach.pdf)
- [NVIDIA - Security Notice: Rowhammer - July 2025](https://nvidia.custhelp.com/app/answers/detail/a_id/5671/~/security-notice%3A-rowhammer---july-2025)
- [Pentest Partners – “Framework 13. Press here to pwn”](https://www.pentestpartners.com/security-blog/framework-13-press-here-to-pwn/)
- [FrameWiki – Mainboard Reset Guide](https://framewiki.net/guides/mainboard-reset)
- [SensePost – “Noooooooo Touch! – Bypassing IR No-Touch Exit Sensors with a Covert IR Torch”](https://sensepost.com/blog/2025/noooooooooo-touch/)
Expand Down