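% PrisonBreak: preprint record, arXiv identifier 2412.07192.
% NOTE(review): booktitle "Submission" with year 2026 presumably means the
% paper is still under submission; replace both once a venue is known.
% The arXiv identifier lives in eprint/archiveprefix, because standard
% inproceedings styles do not print a journal field.
@inproceedings{PrisonBreak,
  author        = {Coalson, Zachary and Woo, Jeonghyun and Lin, Chris S. and
                   Qu, Joyce and Sun, Yu and Chen, Shiyang and Yang, Lishan and
                   Saileshwar, Gururaj and Nair, Prashant and Fang, Bo and
                   Hong, Sanghyun},
  title         = {{PrisonBreak}: Jailbreaking Large Language Models with at Most Twenty-Five Targeted Bit-flips},
  booktitle     = {Submission},
  year          = {2026},
  eprint        = {2412.07192},
  archiveprefix = {arXiv},
}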
Rowhammer is a read disturbance vulnerability in modern DRAM that causes bit-flips, compromising security and reliability. While extensively studied on Intel and AMD CPUs with DDR and LPDDR memories, its impact on GPUs using GDDR memories, critical for emerging machine learning applications, remains unexplored. Rowhammer attacks on GPUs face unique challenges: (1) proprietary mapping of physical memory to GDDR banks and rows, (2) high memory latency and faster refresh rates that hinder effective hammering, and (3) proprietary mitigations in GDDR memories, difficult to reverse-engineer without FPGA-based test platforms. We introduce GPUHammer, the first Rowhammer attack on NVIDIA GPUs with GDDR6 DRAM. GPUHammer proposes novel techniques to reverse-engineer GDDR DRAM row mappings, and employs GPU-specific memory access optimizations to amplify hammering intensity and bypass mitigations. Thus, we demonstrate the first successful Rowhammer attack on a discrete GPU, injecting up to 8 bit-flips across 4 DRAM banks on an NVIDIA A6000 with GDDR6 memory. We also show how an attacker can use these bit-flips to tamper with ML models, causing significant accuracy drops (up to 80%).
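% GPUHammer: 2025 USENIX proceedings record (series "SEC '25"), article 294,
% 20 pages.
% NOTE(review): booktitle, address and location are kept exactly as exported.
% address holds only "USA" while location holds what looks like the conference
% city; confirm which of the two the target style prints.
% Braces in title and booktitle keep acronyms and coined names from being
% lower-cased by sentence-casing styles.
@inproceedings{GPUHammer,
  author    = {Lin, Chris S. and Qu, Joyce and Saileshwar, Gururaj},
  title     = {{GPUHammer}: {Rowhammer} Attacks on {GPU} Memories are Practical},
  booktitle = {Proceedings of the 34th {USENIX} Conference on Security Symposium},
  series    = {SEC '25},
  publisher = {USENIX Association},
  address   = {USA},
  location  = {Seattle, WA, USA},
  year      = {2025},
  isbn      = {978-1-939133-52-6},
  articleno = {294},
  numpages  = {20},
}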
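% QPRAC: HPCA 2025 paper on a PRAC-based Rowhammer mitigation.
% NOTE(review): the citation key is spelled "QRPAC" while the title says
% "QPRAC"; the key is left unchanged so existing citations keep resolving.
% volume and number are omitted because the export left them empty, and the
% page range uses the "--" form that BibTeX styles expect.
@inproceedings{QRPAC,
  author    = {Woo, Jeonghyun and Lin, Shaopeng Chris and Nair, Prashant J. and
               Jaleel, Aamer and Saileshwar, Gururaj},
  title     = {{QPRAC}: Towards Secure and Practical {PRAC}-based {Rowhammer} Mitigation using Priority Queues},
  booktitle = {2025 {IEEE} International Symposium on High Performance Computer Architecture ({HPCA})},
  pages     = {1021--1037},
  year      = {2025},
  doi       = {10.1109/HPCA61900.2025.00080},
  keywords  = {Hands;Protocols;Prevention and mitigation;Random access memory;Computer architecture;Security;Proposals;Guidelines;dram;reliability;security;rowhammer;per row activation counting},
}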
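% CnC-PRAC: in-DRAM Rowhammer mitigation paper, listed under DRAMSec (2025),
% with arXiv identifier 2506.11970.
% The arXiv identifier lives in eprint/archiveprefix, because standard
% inproceedings styles do not print a journal field.
@inproceedings{CnC-PRAC,
  author        = {Lin, Chris S. and Woo, Jeonghyun and Nair, Prashant J. and
                   Saileshwar, Gururaj},
  title         = {{CnC-PRAC}: Coalesce, not Cache, Per Row Activation Counts for an Efficient in-{DRAM} {Rowhammer} Mitigation},
  booktitle     = {{DRAMSec}},
  year          = {2025},
  eprint        = {2506.11970},
  archiveprefix = {arXiv},
}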