Graphics: Rowhammer in GPUs and "Why Intel Merged Jay Into Mesa"
-
Bruce Schneier ☛ Rowhammer Attack Against NVIDIA Chips
The second paper is GeForge: Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit: [...]
-
GPU Memory Exploits ☛ GeForge: Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit [PDF]
Over the years, Rowhammer has been leveraged to mount a wide range of attacks against system main memory. While a recent study has revealed that GPU memory is similarly vulnerable, the security implications remain largely under-explored. To advance this line of research, we introduce GeForge, an end-to-end Rowhammer attack that exploits bit flips induced in GPU memory to achieve system-level compromise. At its core, GeForge corrupts GPU page tables to seize control of address translation, enabling arbitrary access to the entire GPU memory. Moreover, by exploiting a special mapping feature in the GPU page table, GeForge extends its reach to directly access host memory.
To make GeForge practical under default system settings, we develop novel techniques that eliminate restrictive assumptions in prior work. Our techniques include a method for aligning offline-profiled physical address mappings to runtime GPU allocations and a memory massaging strategy that steers target GPU page table structures into vulnerable locations via the stock driver allocator. In addition, we improve the hammering pattern to trigger many more bit flips than prior work. With these approaches, we successfully mount GeForge on widely deployed NVIDIA GPUs, including both workstation-class and consumer-grade ones. We show that GeForge allows an attacker to arbitrarily read and modify data across GPU contexts. More crucially, we demonstrate that GeForge can help the attacker escalate privileges to root on the host system.
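What "corrupting GPU page tables to seize control of address translation" means mechanically, as an added C model: this is not code from the GeForge paper and touches no real hardware. The flat page-table layout, the PTE bit positions, the frame numbers and the secret string are constructed assumptions, and `hammer_flip()` stands in for the hardware-induced bit flip rather than hammering anything. The point it shows is that one flipped bit in the frame-number field of the attacker's own PTE makes that page alias the frame holding the page table itself, after which the attacker can write forged entries and read frames it was never mapped to.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy address-translation model, an assumption for illustration only:
 * 4 KiB pages, one flat page table, 64-bit PTEs with
 *   bit 0       present
 *   bit 1       writable
 *   bits 12-19  physical frame number (PFN)
 * Real GPU (and CPU) page tables are multi-level and laid out differently. */
#define PAGE_SHIFT   12
#define PAGE_SIZE    (1u << PAGE_SHIFT)
#define NFRAMES      16
#define NPAGES       16
#define PTE_PRESENT  (1ull << 0)
#define PTE_WRITE    (1ull << 1)
#define PTE_PFN_MASK (0xFFull << PAGE_SHIFT)

#define PT_FRAME     3   /* frame holding the page table itself */
#define ATTK_FRAME   7   /* frame legitimately mapped to the attacker */
#define ATTK_PAGE    5   /* attacker-controlled virtual page */
#define SECRET_FRAME 9   /* frame the attacker is never mapped to */

static uint8_t phys[NFRAMES][PAGE_SIZE];      /* simulated physical memory */
static const char secret[] = "constructed secret: host key material";

static uint64_t *page_table(void) { return (uint64_t *)phys[PT_FRAME]; }

/* Page-table walk: returns the physical address, or UINT64_MAX on a fault. */
uint64_t translate(uint64_t vaddr, int want_write)
{
    uint64_t vpn = vaddr >> PAGE_SHIFT;
    if (vpn >= NPAGES) return UINT64_MAX;
    uint64_t pte = page_table()[vpn];
    if (!(pte & PTE_PRESENT)) return UINT64_MAX;
    if (want_write && !(pte & PTE_WRITE)) return UINT64_MAX;
    uint64_t pfn = (pte & PTE_PFN_MASK) >> PAGE_SHIFT;
    if (pfn >= NFRAMES) return UINT64_MAX;
    return (pfn << PAGE_SHIFT) | (vaddr & (PAGE_SIZE - 1));
}

/* Unprivileged accesses: everything goes through translate(). */
static int vwrite(uint64_t vaddr, const void *src, size_t n)
{
    uint64_t pa = translate(vaddr, 1);
    if (pa == UINT64_MAX || (pa & (PAGE_SIZE - 1)) + n > PAGE_SIZE) return -1;
    memcpy((uint8_t *)phys + pa, src, n);
    return 0;
}
static int vread(uint64_t vaddr, void *dst, size_t n)
{
    uint64_t pa = translate(vaddr, 0);
    if (pa == UINT64_MAX || (pa & (PAGE_SIZE - 1)) + n > PAGE_SIZE) return -1;
    memcpy(dst, (uint8_t *)phys + pa, n);
    return 0;
}

/* Privileged setup: the attacker owns exactly one page, mapped to ATTK_FRAME. */
void setup(void)
{
    memset(phys, 0, sizeof phys);
    memcpy(phys[SECRET_FRAME], secret, sizeof secret);
    page_table()[ATTK_PAGE] = ((uint64_t)ATTK_FRAME << PAGE_SHIFT) | PTE_PRESENT | PTE_WRITE;
}

/* Stand-in for a Rowhammer-induced flip: the attacker never writes the PTE;
 * the simulated hardware fault changes one bit of it. */
void hammer_flip(uint64_t vpn, int bit) { page_table()[vpn] ^= 1ull << bit; }

/* Returns 1 if the attacker ends up reading SECRET_FRAME through page 0. */
int attack_demo(void)
{
    char out[sizeof secret] = {0};
    setup();
    /* Before the flip: page 0 is unmapped, so the read faults. */
    if (vread(0, out, sizeof out) != -1) return 0;

    /* Flip PFN bit 2 (PTE bit 14) of the attacker's own PTE: frame 7 -> 3,
     * the frame that holds the page table. The attacker's page now aliases it. */
    hammer_flip(ATTK_PAGE, PAGE_SHIFT + 2);

    /* Forge PTE[0] through the aliased page: map virtual page 0 -> SECRET_FRAME. */
    uint64_t forged = ((uint64_t)SECRET_FRAME << PAGE_SHIFT) | PTE_PRESENT | PTE_WRITE;
    if (vwrite((uint64_t)ATTK_PAGE << PAGE_SHIFT, &forged, sizeof forged) != 0) return 0;

    /* Arbitrary physical read through the forged entry. */
    if (vread(0, out, sizeof out) != 0) return 0;
    return memcmp(out, secret, sizeof secret) == 0;
}

int main(void)
{
    printf("attacker reads unmapped frame: %s\n", attack_demo() ? "yes" : "no");
    return 0;
}
```

The model deliberately leaves out the hard parts the abstract lists (finding which physical rows flip, steering the page table into one of them through the stock allocator, and the hammering pattern itself); it only shows why a single flip in the right field is enough once those steps succeed. The same aliasing trick is what turns GPU-memory control into host-memory reach when an entry can be forged to use the host-mapping feature the abstract mentions.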
-
Ars Technica ☛ New Rowhammer attacks give complete control of machines running Nvidia GPUs
The attacks exploit memory hardware’s increasing susceptibility to bit flips, in which 0s stored in memory switch to 1s and vice versa. In 2014, researchers first demonstrated that repeated, rapid access—or “hammering”—of memory hardware known as DRAM creates electrical disturbances that flip bits. A year later, a different research team showed that by targeting specific DRAM rows storing sensitive data, an attacker could exploit the phenomenon to escalate an unprivileged user to root or evade security sandbox protections. Both attacks targeted DDR3 generations of DRAM.
-
Hacker Noon ☛ The Future of Linux Gaming: Why Intel Merged Jay Into Mesa
Intel recently merged “Jay,” a clean-slate shader compiler backend, into Mesa. While Intel already has a mature compiler stack in the legacy BRW backend, Jay represents a fundamental shift in how Intel GPUs handle code on Linux. You can track the technical implementation in the official merge request here.