arxiv: 2605.03812 · v1 · submitted 2026-05-05 · 💻 cs.CR

GPUBreach: Privilege Escalation Attacks on GPUs using Rowhammer

Pith reviewed 2026-05-07 04:00 UTC · model grok-4.3

keywords: RowHammer, GPU security, privilege escalation, page tables, CUDA, memory attacks, IOMMU

The pith

An unprivileged CUDA kernel can exploit RowHammer on GPU page tables to access other processes' memory and escalate to CPU root.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper establishes that RowHammer attacks on GPUs are capable of privilege escalation rather than mere data corruption. The key step is using a user CUDA kernel to detect the creation of new page tables in GPU memory. Once detected, RowHammer can be directed to flip specific bits in those tables. This tampering breaks memory isolation, letting one process read secrets or modify code belonging to others. The attack extends to the host CPU, bypassing IOMMU to gain full system privileges.

Core claim

By exploiting the GPU page table management to identify when and where new page tables are allocated, an unprivileged user CUDA kernel of one process can use RowHammer bit-flips to gain access to the GPU memory of other processes or co-tenants via targeted tampering of such page-tables resident on the GPU memory. Using this primitive, secret data such as cryptographic keys can be leaked from cuPQC libraries, and model GPU assembly code can be tampered with to degrade models stealthily. GPU-side privilege escalation can further lead to CPU-side privilege escalation, defeating IOMMU protections.

What carries the argument

Detection of GPU page table allocation events by an unprivileged CUDA kernel, followed by targeted RowHammer bit-flips on the allocated tables.

If this is right

  • Leakage of cryptographic keys from GPU libraries like cuPQC is possible.
  • Tampering with ML model assembly code allows stealthier degradation than prior methods.
  • GPU attacks can be chained to obtain root shell on the host CPU despite IOMMU.
  • System-wide control is achievable from a user-level program with GPU access in non-multi-tenant setups.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Shared GPU instances in cloud environments may require additional isolation hardware to prevent such cross-process attacks.
  • Developers of GPU drivers could add monitoring for anomalous page table access patterns to detect RowHammer attempts.
  • Similar techniques might reveal vulnerabilities in other types of accelerators that use similar memory management.
  • This work implies that assumptions about GPU memory isolation need updating in the same way CPU RowHammer did for DRAM.

Load-bearing premise

The timing and locations of GPU page table allocations can be observed and used for targeting by an unprivileged CUDA kernel.

What would settle it

An experiment where RowHammer is attempted on GPU memory but no bit-flips are observed in page table regions, or where allocation timing cannot be determined from user-level code.

Figures

Figures reproduced from arXiv: 2605.03812 by Chris S. Lin, David Lie, Guozhen Ding, Gururaj Saileshwar, Joseph Zhu, Joyce Qu, Yuqin Yan.

Figure 1. NVIDIA GPU Page Table. It has 4 or 5 levels,
Figure 2. Format of GPU Page Table Entries. The bottom
Figure 3. Overview of the GPUBreach attack. Steps to tamper GPU page tables with Rowhammer bit-flips to achieve GPU privilege escalation.
    … inactive GPU-resident pages back to host memory to make room for newly accessed data. The evictions of GPU-resident pages occur in Least-Recently-Used (LRU) order. 2.4. Rowhammer: Modern DRAM stores data in cells, with one cell per bit, stored as electrical charge in capacitors ar…
Figure 4. Page Table Filling Techniques. Prior techniques
Figure 5. Page types used as UVM allocation size vary.
Figure 7. Spike in access latency when UVM memory allocation exceeds GPU DRAM capacity (48GB), due to page evictions from GPU to CPU.
    [Plot labels: 4KB Page Tables Allocated; Latency (ms); Leave 2MB Free; Leave 4MB Free]
Figure 8. Spike in access latency when memory allocation
Figure 9. Workflow for the end-to-end attack on page tables to achieve GPU privilege escalation.
Figure 10. Access times after memory allocations of 4KB
Figure 11. Timeline of attack on cuPQC
    … placement of variables is largely reproducible across runs of the workload, and freed regions are zeroed by the runtime. Thus, to locate secret-resident pages, the attacker pre-fills the user pool with a non-zero pattern (e.g., 0xFF). When the runtime later allocates, then zeroes freed regions, the zeroed pages stand out and form a short candidate list to search for the secrets…
Figure 12. Filtering pipeline to locate vulnerable branches
Figure 13. CPU memory accessible by a compromised GPU.
Figure 14. CPU-side privilege escalation. The compromised

Original abstract

NVIDIA GPUs with GDDR memories have been shown susceptible to Rowhammer-based bit-flips, similar to CPUs. However, Rowhammer exploits on GPUs have been limited to injecting untargeted bit-flips in victim data like weights of machine learning models, to degrade model accuracy, unlike CPU exploits shown capable of privilege escalation. In this paper, we demonstrate that GPU Rowhammer exploits can be as potent as CPU Rowhammer attacks. By exploiting the GPU page table management to identify when and where new page tables are allocated, we enable an unprivileged user CUDA kernel of one process to use RowHammer bit-flips to gain access to the GPU memory of other processes or co-tenants via targeted tampering of such page-tables resident on the GPU memory. Using this newly found primitive, we demonstrate the first GPU-side privilege escalation attacks, leaking secret data such as cryptographic keys from cuPQC libraries, and even tampering with the model's GPU assembly code to degrade models more stealthily than previous attacks. We further demonstrate that GPU-side privilege escalation can lead to CPU-side privilege escalation, defeating the protections provided by the IOMMU, enabling a malicious user-level program with GPU access to gain root shell and system-wide control, even in a non-multi-tenant setting.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The manuscript presents GPUBreach, a Rowhammer attack on NVIDIA GPUs that exploits GPU page table management. An unprivileged CUDA kernel identifies the timing and locations of new page table allocations performed by the driver, then uses targeted RowHammer bit-flips on those tables to obtain cross-process access to GPU memory. The authors demonstrate this primitive for leaking cryptographic keys from cuPQC libraries, stealthily tampering with ML model assembly code, and bypassing IOMMU protections to achieve CPU-side privilege escalation and root access.

Significance. If the core primitive and experimental results hold, the work is significant: it shows that GPU Rowhammer can achieve targeted privilege escalation rather than only untargeted data corruption, directly challenging the security of GPU memory isolation and IOMMU in both multi-tenant and single-user settings. The bridge from GPU-side tampering to CPU root access is a notable escalation of prior GPU Rowhammer results.

major comments (3)
  1. §4 (Attack Primitive: Page Table Tampering): The central claim that an unprivileged CUDA kernel can reliably detect both the timing and physical addresses of GPU page table allocations is load-bearing for every subsequent attack (key leakage, model tampering, IOMMU bypass). The manuscript must supply a concrete description of the detection technique (timing side-channel, memory mapping, or probing method) together with success rates, false-positive analysis, and evidence that the method survives driver randomization or protections.
  2. §5 (Experimental Evaluation): The abstract and introduction assert successful demonstrations of cuPQC key leakage and IOMMU bypass, yet the evaluation lacks reported success rates, trial counts, error analysis, controls, or discussion of interference from the GPU driver and hardware. Without these quantitative results it is impossible to assess whether the attacks are practical or reproducible.
  3. §3.3 (RowHammer Targeting on GDDR): The paper must clarify how physical addresses of page tables are mapped to hammerable rows with sufficient precision, including any assumptions about memory layout, driver allocation behavior, or the effect of GPU memory management on RowHammer reliability.
minor comments (2)
  1. Abstract: The phrase 'first GPU-side privilege escalation attacks' should be qualified with a citation or explicit statement of novelty relative to prior GPU RowHammer literature.
  2. Throughout: Figures showing attack timelines or memory layouts should include clear legends, axis labels, and explicit textual references.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the thorough and constructive review. The comments identify key areas where additional detail will improve clarity and reproducibility. We address each major comment below and will revise the manuscript accordingly to strengthen the presentation of the attack primitive and evaluation.

  1. Referee: §4 (Attack Primitive: Page Table Tampering): The central claim that an unprivileged CUDA kernel can reliably detect both the timing and physical addresses of GPU page table allocations is load-bearing for every subsequent attack (key leakage, model tampering, IOMMU bypass). The manuscript must supply a concrete description of the detection technique (timing side-channel, memory mapping, or probing method) together with success rates, false-positive analysis, and evidence that the method survives driver randomization or protections.

    Authors: We agree that a more explicit description of the detection mechanism is required. In the revised manuscript we will expand Section 4 with a concrete account of the timing side-channel used to identify both the timing and physical addresses of driver-allocated page tables. The expanded text will include the specific timing measurements performed by the unprivileged CUDA kernel, empirical success rates obtained across repeated trials, false-positive rates, and an analysis of robustness against driver randomization and other protections. Supporting experimental data and pseudocode will be added to the section and appendix. revision: yes

  2. Referee: §5 (Experimental Evaluation): The abstract and introduction assert successful demonstrations of cuPQC key leakage and IOMMU bypass, yet the evaluation lacks reported success rates, trial counts, error analysis, controls, or discussion of interference from the GPU driver and hardware. Without these quantitative results it is impossible to assess whether the attacks are practical or reproducible.

    Authors: We acknowledge the need for more quantitative reporting. Section 5 will be augmented with success rates and trial counts for the cuPQC key-leakage and IOMMU-bypass demonstrations, together with error analysis, control experiments that isolate the effect of our RowHammer-induced tampering from normal driver activity, and a discussion of observed interference from the GPU driver and hardware variations. These additions will allow readers to evaluate practicality and reproducibility directly from the reported data. revision: yes

  3. Referee: §3.3 (RowHammer Targeting on GDDR): The paper must clarify how physical addresses of page tables are mapped to hammerable rows with sufficient precision, including any assumptions about memory layout, driver allocation behavior, or the effect of GPU memory management on RowHammer reliability.

    Authors: We will revise Section 3.3 to provide a clearer description of the address-to-row mapping process. The updated text will detail the assumptions made about GPU memory layout, the observed patterns of driver page-table allocation, and how GPU memory-management operations affect RowHammer reliability. Additional figures illustrating the mapping and any model-specific variations will be included to make the targeting procedure fully reproducible. revision: yes

Circularity Check

0 steps flagged

Empirical attack paper with no derivations or self-referential logic

This is an empirical security paper demonstrating GPU Rowhammer attacks via page table tampering. Claims rest on experimental construction and observed bit-flips rather than any mathematical derivation chain, fitted parameters, or predictions. No equations, ansatzes, uniqueness theorems, or self-citations reduce the central primitive (observing page table allocations) to its own inputs by construction. The attack success is validated externally through demonstrated leaks and IOMMU bypass, not by redefinition. This matches the default case of a non-circular empirical result.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

This is an empirical security demonstration paper with no mathematical derivations or fitted parameters. The central claims rest on assumptions about observable GPU page table behavior and the feasibility of precise Rowhammer targeting on NVIDIA hardware.

axioms (1)
  • domain assumption GPU page table management is observable and manipulable by an unprivileged CUDA kernel in a way that allows identification of allocation times and locations.
    This assumption is central to locating target page tables for Rowhammer as described in the abstract.


Reference graph

Works this paper leans on

106 extracted references · 14 canonical work pages · 1 internal anchor

  1. [1]

    Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors,

    Y . Kim, R. Daly, J. Kim, C. Fallin, J. H. Lee, D. Lee, C. Wilkerson, K. Lai, and O. Mutlu, “Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors,” inPro- ceedings of the 41st Annual International Symposium on Computer Architecture (ISCA), 2014, p. 361–372

  2. [2]

    TRRespass: Exploiting the many sides of target row refresh,

    P. Frigo, E. Vannacci, H. Hassan, V . v. der Veen, O. Mutlu, C. Giuf- frida, H. Bos, and K. Razavi, “TRRespass: Exploiting the many sides of target row refresh,” in2020 IEEE Symposium on Security and Privacy (SP), 2020, pp. 747–762

  3. [3]

    SMASH: Synchronized many-sided rowhammer attacks from JavaScript,

    F. de Ridder, P. Frigo, E. Vannacci, H. Bos, C. Giuffrida, and K. Razavi, “SMASH: Synchronized many-sided rowhammer attacks from JavaScript,” in30th USENIX Security Symposium (USENIX Security 21). USENIX Association, Aug. 2021, pp. 1001–1018. [Online]. Available: https://www.usenix.org/conference/ usenixsecurity21/presentation/ridder

  4. [4]

    Blacksmith: Scalable rowhammering in the frequency domain,

    P. Jattke, V . Van Der Veen, P. Frigo, S. Gunter, and K. Razavi, “Blacksmith: Scalable rowhammering in the frequency domain,” in 2022 IEEE Symposium on Security and Privacy (SP), 2022, pp. 716–734

  5. [5]

    Half-Double: Hammering from the next row over,

    A. Kogler, J. Juffinger, S. Qazi, Y . Kim, M. Lipp, N. Boichat, E. Shiu, M. Nissler, and D. Gruss, “Half-Double: Hammering from the next row over,” in31st USENIX Security Symposium (USENIX Security 22). Boston, MA: USENIX Association, Aug. 2022, pp. 3807–3824. [Online]. Available: https://www.usenix.org/conference/ usenixsecurity22/presentation/kogler-half-double

  6. [6]

    Exploiting correct- ing codes: On the effectiveness of ECC memory against Rowhammer attacks,

    L. Cojocar, K. Razavi, C. Giuffrida, and H. Bos, “Exploiting correct- ing codes: On the effectiveness of ECC memory against Rowhammer attacks,” in2019 IEEE Symposium on Security and Privacy (SP), 2019, pp. 55–71

  7. [7]

    ZenHammer: Rowhammer attacks on AMD Zen-based platforms,

    P. Jattke, M. Wipfli, F. Solt, M. Marazzi, M. B ¨olcskei, and K. Razavi, “ZenHammer: Rowhammer attacks on AMD Zen-based platforms,” in33rd USENIX Security Symposium (USENIX Security 24). Philadelphia, PA: USENIX Association, Aug. 2024, pp. 1615–1633. [Online]. Available: https://www.usenix.org/conference/ usenixsecurity24/presentation/jattke

  8. [8]

    ECC. fail: Mounting Rowhammer attacks on DDR4 servers with ECC memory,

    N. Kamadan, W. Wang, S. van Schaik, C. Garman, D. Genkin, and Y . Yarom, “ECC. fail: Mounting Rowhammer attacks on DDR4 servers with ECC memory,” in34th USENIX Security Symposium (USENIX Security 25), 2025, pp. 5679–5698

  9. [9]

    Grand pwning unit: Accelerating microarchitectural attacks with the GPU,

    P. Frigo, C. Giuffrida, H. Bos, and K. Razavi, “Grand pwning unit: Accelerating microarchitectural attacks with the GPU,” inIEEE Symposium on Security and Privacy (SP). IEEE, 2018, pp. 195– 210

  10. [10]

    Phoenix: Rowhammer attacks on DDR5 with self- correcting synchronization,

    D. Meyer, P. Jattke, M. Marazzi, S. Qazi, D. Moghimi, and K. Razavi, “Phoenix: Rowhammer attacks on DDR5 with self- correcting synchronization,” inS&P (Oakland), 2026

  11. [11]

    GPUHammer: Rowhammer attacks on GPU memories are practical,

    C. S. Lin, J. Qu, and G. Saileshwar, “GPUHammer: Rowhammer attacks on GPU memories are practical,” in34th USENIX Security Symposium (USENIX Security 25), 2025, pp. 5719–5738

  12. [12]

    Crowhammer: full key recovery attack on falcon with a single rowhammer bit flip,

    C. A. Haidar, Q. Payet, and M. Tibouchi, “Crowhammer: full key recovery attack on falcon with a single rowhammer bit flip,” in Annual International Cryptology Conference. Springer, 2025, pp. 103–135

  13. [13]

    Pq-hammer: End-to-end key recovery attacks on post-quantum cryptography using rowhammer,

    S. Amer, Y . Wang, H. Kippen, T. Dang, D. Genkin, A. Kwong, A. Nelson, and A. Yerukhimovich, “Pq-hammer: End-to-end key recovery attacks on post-quantum cryptography using rowhammer,” in2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2025, pp. 3567–3582

  14. [14]

    Flip Feng Shui: Hammering a needle in the software stack,

    K. Razavi, B. Gras, E. Bosman, B. Preneel, C. Giuffrida, and H. Bos, “Flip Feng Shui: Hammering a needle in the software stack,” in25th USENIX Security Symposium (USENIX Security), 2016. [Online]. Available: https://www.usenix.org/ conference/usenixsecurity16/technical-sessions/presentation/razavi

  15. [15]

    Another flip in the wall of rowhammer defenses,

    D. Gruss, M. Lipp, M. Schwarz, D. Genkin, J. Juffinger, S. O’Connell, W. Schoechl, and Y . Yarom, “Another flip in the wall of rowhammer defenses,” in2018 IEEE Symposium on Security and Privacy (SP). IEEE, 2018, pp. 245–261

  16. [16]

    Exploiting the DRAM rowhammer bug to gain kernel privileges,

    M. Seaborn and T. Dullien, “Exploiting the DRAM rowhammer bug to gain kernel privileges,” Google Project Zero, Mar. 2015, accessed: 2025-11-05. [Online]. Available: https://googleprojectzero.blogspot. com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

  17. [17]

    Rowhammer. js: A re- mote software-induced fault attack in javascript,

    D. Gruss, C. Maurice, and S. Mangard, “Rowhammer. js: A re- mote software-induced fault attack in javascript,” inDetection of Intrusions and Malware, and Vulnerability Assessment: 13th Inter- national Conference, DIMVA 2016, San Sebasti ´an, Spain, July 7-8, 2016, Proceedings 13. Springer, 2016, pp. 300–321

  18. [18]

    PrisonBreak: Jail- breaking Large Language Models with at Most Twenty-Five Tar- geted Bit-flips,

    Z. Coalson, J. Woo, C. S. Lin, J. Qu, Y . Sun, S. Chen, L. Yang, G. Saileshwar, P. Nair, B. Fang, and S. Hong, “PrisonBreak: Jail- breaking Large Language Models with at Most Twenty-Five Tar- geted Bit-flips,”arXiv preprint arXiv:2412.07192, 2025

  19. [19]

    Share GPUs across workloads with GPU time- sharing,

    Google, “Share GPUs across workloads with GPU time- sharing,” https://cloud.google.com/kubernetes-engine/docs/how-to/ timesharing-gpus, Accessed: 2025-01-22

  20. [20]

    Container Service for Kubernetes: GPU Sharing Overview,

    Alibaba Cloud, “Container Service for Kubernetes: GPU Sharing Overview,” https://www.alibabacloud.com/help/en/ack/ack- managed-and-ack-dedicated/user-guide/cgpu-overview/, 2025, Accessed: 2025-11-05

  21. [21]

    TunneLs for Bootlegging: Fully Reverse-Engineering GPU TLBs for Challenging Isolation Guarantees of NVIDIA MIG,

    Z. Zhang, T. Allen, F. Yao, X. Gao, and R. Ge, “TunneLs for Bootlegging: Fully Reverse-Engineering GPU TLBs for Challenging Isolation Guarantees of NVIDIA MIG,” inProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’23, 2023. [Online]. Available: https://doi.org/10.1145/3576915.3616672

  22. [22]

    Terminal brain damage: Exposing the graceless degradation in deep neural networks under hardware fault attacks,

    S. Hong, P. Frigo, Y . Kaya, C. Giuffrida, and T. Dumitras, “Terminal brain damage: Exposing the graceless degradation in deep neural networks under hardware fault attacks,” in28th USENIX Security Symposium (USENIX Security 19). Santa Clara, CA: USENIX Association, Aug. 2019, pp. 497–514. [Online]. Available: https: //www.usenix.org/conference/usenixsecur...

  23. [23]

    DeepHammer: Depleting the intelligence of deep neural networks through targeted chain of bit flips,

    F. Yao, A. S. Rakin, and D. Fan, “DeepHammer: Depleting the intelligence of deep neural networks through targeted chain of bit flips,” inUSENIX Security, 2020. [Online]. Available: https: //www.usenix.org/conference/usenixsecurity20/presentation/yao

  24. [24]

    Bit-flip attack: Crushing neural net- work with progressive bit search,

    A. S. Rakin, Z. He, and D. Fan, “Bit-flip attack: Crushing neural net- work with progressive bit search,” inProceedings of the IEEE/CVF International Conference on Computer Vision, 2019, pp. 1211–1220

  25. [25]

    Understanding the iommu linux grub file configura- tion,

    NVIDIA, “Understanding the iommu linux grub file configura- tion,” https://enterprise-support.nvidia.com/s/article/understanding- the-iommu-linux-grub-file-configuration, 2026, accessed: 2026-04- 17

  26. [26]

    Input-output memory management unit (iommu),

    AMD, “Input-output memory management unit (iommu),” https: //rocm.docs.amd.com/en/docs-6.3.1/conceptual/iommu.html, 2024, accessed: 2026-04-17

  27. [27]

    Iommu-based gpu isolation,

    Microsoft, “Iommu-based gpu isolation,” https://learn.microsoft. com/en-us/windows-hardware/drivers/display/iommu-based-gpu- isolation, 2024, accessed: 2026-04-17

  28. [28]

    Security notice: Rowhammer – july 2025,

    NVIDIA, “Security notice: Rowhammer – july 2025,” https://nvidia. custhelp.com/app/answers/detail/a id/5671, 2025

  29. [29]

    (Mis)Managed: A novel TLB-based covert channel on GPUs,

    A. Nayak, B. Pratheek, V . Ganapathy, and A. Basu, “(Mis)Managed: A novel TLB-based covert channel on GPUs,” inProceedings of the 2021 ACM Asia Conference on Computer and Communications Security, 2021, pp. 872–885

  30. [30]

    Pascal MMU Format,

    NVIDIA, “Pascal MMU Format,” https://nvidia.github.io/open-gpu- doc/pascal/gp100-mmu-format.pdf

  31. [31]

    Revisiting rowhammer: An experimental analysis of modern DRAM devices and mitigation techniques,

    J. S. Kim, M. Patel, A. G. Ya ˘glıkc ¸ı, H. Hassan, R. Azizi, L. Orosa, and O. Mutlu, “Revisiting rowhammer: An experimental analysis of modern DRAM devices and mitigation techniques,” in2020 ACM/IEEE 47th Annual International Symposium on Computer Architecture (ISCA), 2020, pp. 638–651

  32. [32]

    Rowpress: Amplifying read disturbance in modern dram chips,

    H. Luo, A. Olgun, A. G. Ya ˘glıkc ¸ı, Y . C. Tu˘grul, S. Rhyner, M. B. Cavlak, J. Lindegger, M. Sadrosadati, and O. Mutlu, “Rowpress: Amplifying read disturbance in modern dram chips,” in50th Inter- national Symposium on Computer Architecture (ISCA), 2023

  33. [33]

    Columndisturb: Understanding column-based read dis- turbance in real DRAM chips and implications for future systems,

    I. E. Yuksel, A. Olgun, N. Bostanci, H. Luo, A. G. Yaglikci, and O. Mutlu, “Columndisturb: Understanding column-based read dis- turbance in real DRAM chips and implications for future systems,” inProceedings of the 58th IEEE/ACM International Symposium on Microarchitecture (MICRO), 2025, pp. 975–994

  34. [34]

    Drammer: Deterministic Rowhammer Attacks on Mobile Platforms,

    V . van der Veen, Y . Fratantonio, M. Lindorfer, D. Gruss, C. Maurice, G. Vigna, H. Bos, K. Razavi, and C. Giuffrida, “Drammer: Deterministic Rowhammer Attacks on Mobile Platforms,” in2016 ACM SIGSAC Conference on Computer and Communications Security (CCS), 2016. [Online]. Available: https://doi.org/10.1145/ 2976749.2978406

  35. [35]

    Uncovering In-DRAM RowHammer Protection Mechanisms:A New Methodology, Custom RowHammer Patterns, and Implications,

    H. Hassan, Y . C. Tugrul, J. S. Kim, V . van der Veen, K. Razavi, and O. Mutlu, “Uncovering In-DRAM RowHammer Protection Mechanisms:A New Methodology, Custom RowHammer Patterns, and Implications,” in54th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO). New York, NY , USA: Association for Computing Machinery, 2021, p. 1198–1213. [Onlin...

  36. [36]

    GPUHammer code repository - sith lab,

    C. S. Lin, J. Qu, and G. Saileshwar, “GPUHammer code repository - sith lab,” https://github.com/sith-lab/gpuhammer, 2025, accessed: 2025-11-05

  37. [37]

    Im- plicit memory tagging: No-overhead memory safety using alias-free tagged ecc,

    M. B. Sullivan, M. T. I. Ziad, A. Jaleel, and S. W. Keckler, “Im- plicit memory tagging: No-overhead memory safety using alias-free tagged ecc,” in50th Annual International Symposium on Computer Architecture (ISCA), 2023

  38. [38]

    Dgx b200 specifications,

    NVIDIA, “Dgx b200 specifications,” https://www.nvidia.com/en-us/ data-center/dgx-b200/#specs, 2025, accessed: 2025-11-05

  39. [39]

    proc meminfo(5) — Linux manual page,

    Linux, “proc meminfo(5) — Linux manual page,” https://www. man7.org/linux/man-pages/man5/proc meminfo.5.html

  40. [40]

    DRAMA: Exploiting DRAM addressing for Cross-CPU attacks,

    P. Pessl, D. Gruss, C. Maurice, M. Schwarz, and S. Mangard, “DRAMA: Exploiting DRAM addressing for Cross-CPU attacks,” in 25th USENIX Security Symposium (USENIX Security 16). Austin, TX: USENIX Association, Aug. 2016, pp. 565–581. [Online]. Avail- able: https://www.usenix.org/conference/usenixsecurity16/technical- sessions/presentation/pessl

  41. [41]

    [Online]

    NVIDIA Corporation,NVIDIA cuPQC: SDK for GPU-Accelerated Post-Quantum Cryptography, 2025, accessed: 2025-11-11. [Online]. Available: https://developer.nvidia.com/cupqc

  42. [42]

    Post-quantum cryptography alliance brings accelerated computing to post quantum cryptography with NVIDIA cuPQC,

    The Linux Foundation, “Post-quantum cryptography alliance brings accelerated computing to post quantum cryptography with NVIDIA cuPQC,” https://www.linuxfoundation.org/press/post- quantum-cryptography-alliance-brings-accelerated-computing-to- post-quantum-cryptography-with-nvidia-cupqc, Jan. 2025, accessed: 2025-11-11

  43. [43]

    NeuroPots: Realtime proactive defense against Bit-Flip attacks in neural networks,

    Q. Liu, J. Yin, W. Wen, C. Yang, and S. Sha, “NeuroPots: Realtime proactive defense against Bit-Flip attacks in neural networks,” in32nd USENIX Security Symposium (USENIX Security), 2023. [Online]. Available: https: //www.usenix.org/conference/usenixsecurity23/presentation/liu-qi

  44. [44]

    Yes, One-Bit-Flip matters! Universal DNN model inference depletion with runtime code fault injection,

    S. Li, X. Wang, M. Xue, H. Zhu, Z. Zhang, Y . Gao, W. Wu, and X. S. Shen, “Yes, One-Bit-Flip matters! Universal DNN model inference depletion with runtime code fault injection,” in33rd USENIX Security Symposium (USENIX Security 24). Philadelphia, PA: USENIX Association, Aug. 2024, pp. 1315–1330. [Online]. Available: https://www.usenix.org/conference/ usen...

  45. [45]

    S., Berg, A

    O. Russakovsky, J. Deng, H. Su, J. Krause, S. Satheesh, S. Ma, Z. Huang, A. Karpathy, A. Khosla, M. Bernstein, A. C. Berg, and L. Fei-Fei, “Imagenet large scale visual recognition challenge,” Int. J. Comput. Vision, vol. 115, no. 3, p. 211–252, Dec. 2015. [Online]. Available: https://doi.org/10.1007/s11263-015-0816-y

  46. [46]

    Breaking Thunderbolt Protocol Security: Vulnerability Report,

    B. Ruytenberg, “Breaking Thunderbolt Protocol Security: Vulnerability Report,” 2020, public version. [Online]. Available: https://thunderspy.io/assets/reports/breaking-thunderbolt- security-bjorn-ruytenberg-20200417.pdf

  47. [47]

    Entrybleed: A universal kaslr bypass against kpti on linux,

    W. Liu, J. Ravichandran, and M. Yan, “Entrybleed: A universal kaslr bypass against kpti on linux,” inProceedings of the 12th International Workshop on Hardware and Architectural Support for Security and Privacy, 2023, pp. 10–18

  48. [48]

    On kernel’s safety in the Spectre era (and KASLR is formally dead),

    D. Davoli, M. Avanzini, and T. Rezk, “On kernel’s safety in the Spectre era (and KASLR is formally dead),” inProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communica- tions Security, 2024, pp. 1091–1105

  49. [49]

    Prefetch side-channel attacks: Bypassing SMAP and kernel ASLR,

    D. Gruss, C. Maurice, A. Fogh, M. Lipp, and S. Mangard, “Prefetch side-channel attacks: Bypassing SMAP and kernel ASLR,” inPro- ceedings of the 2016 ACM SIGSAC conference on computer and communications security, 2016, pp. 368–379

  50. [50]

    Comprehensive knowledge base on vgpu features across hypervisors,

    NVIDIA, “Comprehensive knowledge base on vgpu features across hypervisors,” 2025, accessed: 2025-11-11. [Online]. Available: https: //docs.nvidia.com/vgpu/knowledge-base/latest/vgpu-features.html

  51. [51]

    Citadel: Rethinking memory allocation to safeguard against inter-domain rowhammer exploits,

    A. Saxena, W. Wang, and A. Daglis, “Citadel: Rethinking memory allocation to safeguard against inter-domain rowhammer exploits,” inProceedings of the 58th IEEE/ACM International Symposium on Microarchitecture (MICRO), 2025, pp. 1117–1131

  52. [52]

    Siloz: Leveraging DRAM isolation domains to prevent inter-vm rowhammer,

    K. Loughlin, J. Rosenblum, S. Saroiu, A. Wolman, D. Skarlatos, and B. Kasikci, “Siloz: Leveraging DRAM isolation domains to prevent inter-vm rowhammer,” in29th Symposium on Operating Systems Principles (SOSP), 2023

  53. [53]

    Pthammer: Cross-user-kernel-boundary rowhammer through implicit accesses,

    Z. Zhang, Y. Cheng, D. Liu, S. Nepal, Z. Wang, and Y. Yarom, “Pthammer: Cross-user-kernel-boundary rowhammer through implicit accesses,” in 2020 53rd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO). IEEE, 2020, pp. 28–41

  54. [54]

    Unified virtual memory supercharges pandas with rapids cudf,

    P. S. Gali and B. Zaitlen, “Unified virtual memory supercharges pandas with rapids cudf,” NVIDIA Technical Blog, Dec. 2024, https://developer.nvidia.com/blog/unified-virtual-memory-supercharges-pandas-with-rapids-cudf/

  55. [55]

    Simplify system memory management with the latest nvidia gh200 nvl2 enterprise ra,

    L. Engel, “Simplify system memory management with the latest nvidia gh200 nvl2 enterprise ra,” NVIDIA Technical Blog, Feb. 2025, https://developer.nvidia.com/blog/simplify-system-memory-management-with-the-latest-nvidia-gh200-nvl2-enterprise-ra

  56. [56]

    Csi: Rowhammer–cryptographic security and integrity against rowhammer,

    J. Juffinger, L. Lamster, A. Kogler, M. Eichlseder, M. Lipp, and D. Gruss, “Csi: Rowhammer–cryptographic security and integrity against rowhammer,” in 2023 IEEE Symposium on Security and Privacy (SP). IEEE, 2023, pp. 1702–1718

  57. [57]

    Pt-guard: Integrity-protected page tables to defend against breakthrough rowhammer attacks,

    A. Saxena, G. Saileshwar, J. Juffinger, A. Kogler, D. Gruss, and M. Qureshi, “Pt-guard: Integrity-protected page tables to defend against breakthrough rowhammer attacks,” in 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2023, pp. 95–108

  58. [58]

    Safeguard: Reducing the security risk from row-hammer via low-cost integrity protection,

    A. Fakhrzadehgan, Y. N. Patt, P. J. Nair, and M. K. Qureshi, “Safeguard: Reducing the security risk from row-hammer via low-cost integrity protection,” in 2022 IEEE International Symposium on High-Performance Computer Architecture (HPCA). IEEE, 2022, pp. 373–386

  59. [59]

    Graphene: Strong yet lightweight row hammer protection,

    Y. Park, W. Kwon, E. Lee, T. J. Ham, J. H. Ahn, and J. W. Lee, “Graphene: Strong yet lightweight row hammer protection,” in 2020 53rd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO). IEEE, 2020, pp. 1–13

  60. [60]

    Pride: Achieving secure rowhammer mitigation with low-cost in-dram trackers,

    A. Jaleel, G. Saileshwar, S. W. Keckler, and M. Qureshi, “Pride: Achieving secure rowhammer mitigation with low-cost in-dram trackers,” in 2024 ACM/IEEE 51st Annual International Symposium on Computer Architecture (ISCA), 2024, pp. 1157–1172

  61. [61]

    MINT: Securely Mitigating Rowhammer with a Minimalist in-DRAM Tracker,

    M. Qureshi, S. Qazi, and A. Jaleel, “MINT: Securely Mitigating Rowhammer with a Minimalist in-DRAM Tracker,” in 2024 57th IEEE/ACM International Symposium on Microarchitecture (MICRO), 2024, pp. 899–914. [Online]. Available: https://doi.ieeecomputersociety.org/10.1109/MICRO61859.2024.00071

  62. [62]

    Protrr: Principled yet optimal in-dram target row refresh,

    M. Marazzi, P. Jattke, F. Solt, and K. Razavi, “Protrr: Principled yet optimal in-dram target row refresh,” in IEEE Symposium on Security and Privacy (SP), 2022, pp. 735–753

  63. [63]

    JESD79-5C,

    JEDEC, “JESD79-5C,” https://www.jedec.org/document_search?search_api_views_fulltext=jesd79-5c, accessed: 2025-01-22

  64. [64]

    Qprac: Towards secure and practical prac-based rowhammer mitigation using priority queues,

    J. Woo, S. C. Lin, P. J. Nair, A. Jaleel, and G. Saileshwar, “Qprac: Towards secure and practical prac-based rowhammer mitigation using priority queues,” in 2025 IEEE International Symposium on High Performance Computer Architecture (HPCA), 2025

  65. [65]

    Moat: Securely mitigating rowhammer with per-row activation counters,

    M. Qureshi and S. Qazi, “Moat: Securely mitigating rowhammer with per-row activation counters,” in Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 1, 2025, pp. 698–714

  66. [66]

    Chronus: Understanding and securing the cutting-edge industry solutions to DRAM read disturbance,

    O. Canpolat, A. G. Yağlıkçı, G. F. Oliveira, A. Olgun, N. Bostancı, I. E. Yuksel, H. Luo, O. Ergin, and O. Mutlu, “Chronus: Understanding and securing the cutting-edge industry solutions to DRAM read disturbance,” in 2025 IEEE International Symposium on High Performance Computer Architecture (HPCA), 2025

  67. [67]

    MoPAC: Efficiently Mitigating Rowhammer with Probabilistic Activation Counting,

    S. Vittal, S. Qazi, P. Das, and M. Qureshi, “MoPAC: Efficiently Mitigating Rowhammer with Probabilistic Activation Counting,” in Proceedings of the 52nd Annual International Symposium on Computer Architecture (ISCA), 2025, pp. 723–738. [Online]. Available: https://doi.org/10.1145/3695053.3730997

  68. [68]

    Panopticon: A complete in-dram rowhammer mitigation,

    T. Bennett, S. Saroiu, A. Wolman, and L. Cojocar, “Panopticon: A complete in-dram rowhammer mitigation,” in Workshop on DRAM Security (DRAMSec), vol. 22, 2021, p. 110

  69. [69]

    Stealing webpages rendered on your browser by exploiting gpu vulnerabilities,

    S. Lee, Y. Kim, J. Kim, and J. Kim, “Stealing webpages rendered on your browser by exploiting gpu vulnerabilities,” in 2014 IEEE Symposium on Security and Privacy, 2014, pp. 19–33

  70. [70]

    Vulnerable gpu memory management: Towards recovering raw data from gpu,

    Z. Zhou, W. Diao, X. Liu, Z. Li, K. Zhang, and R. Liu, “Vulnerable gpu memory management: Towards recovering raw data from gpu,” in arXiv preprint arXiv:1605.06610, 2016. [Online]. Available: https://arxiv.org/abs/1605.06610

  71. [71]

    LeftoverLocals: Listening to LLM responses through leaked GPU local memory,

    T. Sorensen and H. Khlaaf, “Leftoverlocals: Listening to llm responses through leaked gpu local memory,” in arXiv preprint arXiv:2401.16603, 2024. [Online]. Available: https://arxiv.org/abs/2401.16603

  72. [72]

    GPU.zip: On the side-channel implications of hardware-based graphical data compression,

    Y. Wang, R. Paccagnella, Z. Gang, W. R. Vasquez, D. Kohlbrenner, H. Shacham, and C. W. Fletcher, “GPU.zip: On the side-channel implications of hardware-based graphical data compression,” in 2024 IEEE Symposium on Security and Privacy (SP), 2024, pp. 3716–3734

  73. [73]

    Pixnapping: Bringing pixel stealing out of the stone age,

    A. Wang, P. Gopalkrishnan, Y. Wang, C. W. Fletcher, H. Shacham, D. Kohlbrenner, and R. Paccagnella, “Pixnapping: Bringing pixel stealing out of the stone age,” in Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2025

  74. [74]

    Nvbleed: Covert and side-channel attacks on nvidia multi-gpu interconnect,

    Y. Zhang, R. Nazaraliyev, S. B. Dutta, A. Marquez, K. Barker, and N. Abu-Ghazaleh, “NVBleed: Covert and side-channel attacks on NVIDIA multi-GPU interconnect,” arXiv preprint arXiv:2503.17847, 2025

  75. [75]

    Spy in the GPU-box: Covert and side channel attacks on multi-GPU systems,

    S. B. Dutta, H. Naghibijouybari, A. Gupta, N. Abu-Ghazaleh, A. Marquez, and K. Barker, “Spy in the GPU-box: Covert and side channel attacks on multi-GPU systems,” in Proceedings of the 50th Annual International Symposium on Computer Architecture, ser. ISCA ’23. New York, NY, USA: Association for Computing Machinery, 2023. [Online]. Available: https://doi...

  76. [76]

    Leaky DNN: Stealing deep-learning model secret with GPU context-switching side-channel,

    J. Wei, Y. Zhang, Z. Zhou, Z. Li, and M. A. Al Faruque, “Leaky DNN: Stealing deep-learning model secret with GPU context-switching side-channel,” in 2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2020, pp. 125–137

  77. [77]

    Not so refreshing: attacking GPUs using RFM rowhammer mitigation,

    R. Nazaraliyev, Y. Zhang, S. B. Dutta, A. Marquez, K. Barker, and N. Abu-Ghazaleh, “Not so refreshing: attacking GPUs using RFM rowhammer mitigation,” in Proceedings of the 34th USENIX Conference on Security Symposium (SEC), 2025

  78. [78]

    Cucatch: A debugging tool for efficiently catching memory safety violations in cuda applications,

    M. Tarek Ibn Ziad, S. Damani, A. Jaleel, S. W. Keckler, and M. Stephenson, “Cucatch: A debugging tool for efficiently catching memory safety violations in cuda applications,” Proceedings of the ACM on Programming Languages, vol. 7, no. PLDI, pp. 124–147, 2023

  79. [79]

    A study of overflow vulnerabilities on GPUs,

    B. Di, J. Sun, and H. Chen, “A study of overflow vulnerabilities on GPUs,” in Network and Parallel Computing: 13th IFIP WG 10.3 International Conference, NPC 2016, Xi’an, China, October 28-29, 2016, Proceedings. Berlin, Heidelberg: Springer-Verlag, 2016, pp. 103–115. [Online]. Available: https://doi.org/10.1007/978-3-319-47099-3_9

  80. [80]

    GPU memory exploitation for fun and profit,

    Y. Guo, Z. Zhang, and J. Yang, “GPU memory exploitation for fun and profit,” in 33rd USENIX Security Symposium (USENIX Security 24). Philadelphia, PA: USENIX Association, Aug. 2024, pp. 4033–4050. [Online]. Available: https://www.usenix.org/conference/usenixsecurity24/presentation/guo-yanan

Showing first 80 references.