Table of Contents
Fetching ...

Remote Rowhammer Attack using Adversarial Observations on Federated Learning Clients

Jinsheng Yuan, Yuhang Hao, Weisi Guo, Yun Wu, Chongyan Gu

TL;DR

The paper tackles the security risk posed by hardware-level Rowhammer attacks in Federated Learning (FL) systems by showing that adversarial perturbations at client sensors can indirectly trigger DRAM bit-flips on FL servers. It introduces a two-stage PPO-based reinforcement learning framework that crafts stealthy adversarial waveforms to induce clustered, repetitive server updates, leveraging FL efficiency features such as sparse updates and RDMA. Experimental evaluation across multiple autonomous speech recognition models demonstrates high repeated update rates and concentrated update clustering, with estimated row activations approaching or exceeding flip thresholds under realistic DRAM configurations. The work highlights a tangible security threat tied to performance-oriented FL optimizations and motivates cross-layer defenses, including adversarial input detection and hardware-level Rowhammer resilience, to secure large-scale FL deployments.

Abstract

Federated Learning (FL) has the potential for simultaneous global learning amongst a large number of parallel agents, enabling emerging AI such as LLMs to be trained across demographically diverse data. Central to this being efficient is the ability for FL to perform sparse gradient updates and remote direct memory access at the central server. Most of the research in FL security focuses on protecting data privacy at the edge client or in the communication channels between the client and server. Client-facing attacks on the server are less well investigated as the assumption is that a large collective of clients offer resilience. Here, we show that by attacking certain clients that lead to a high frequency repetitive memory update in the server, we can remote initiate a rowhammer attack on the server memory. For the first time, we do not need backdoor access to the server, and a reinforcement learning (RL) attacker can learn how to maximize server repetitive memory updates by manipulating the client's sensor observation. The consequence of the remote rowhammer attack is that we are able to achieve bit flips, which can corrupt the server memory. We demonstrate the feasibility of our attack using a large-scale FL automatic speech recognition (ASR) systems with sparse updates, our adversarial attacking agent can achieve around 70\% repeated update rate (RUR) in the targeted server model, effectively inducing bit flips on server DRAM. The security implications are that can cause disruptions to learning or may inadvertently cause elevated privilege. This paves the way for further research on practical mitigation strategies in FL and hardware design.

Remote Rowhammer Attack using Adversarial Observations on Federated Learning Clients

TL;DR

The paper tackles the security risk posed by hardware-level Rowhammer attacks in Federated Learning (FL) systems by showing that adversarial perturbations at client sensors can indirectly trigger DRAM bit-flips on FL servers. It introduces a two-stage PPO-based reinforcement learning framework that crafts stealthy adversarial waveforms to induce clustered, repetitive server updates, leveraging FL efficiency features such as sparse updates and RDMA. Experimental evaluation across multiple autonomous speech recognition models demonstrates high repeated update rates and concentrated update clustering, with estimated row activations approaching or exceeding flip thresholds under realistic DRAM configurations. The work highlights a tangible security threat tied to performance-oriented FL optimizations and motivates cross-layer defenses, including adversarial input detection and hardware-level Rowhammer resilience, to secure large-scale FL deployments.

Abstract

Federated Learning (FL) has the potential for simultaneous global learning amongst a large number of parallel agents, enabling emerging AI such as LLMs to be trained across demographically diverse data. Central to this being efficient is the ability for FL to perform sparse gradient updates and remote direct memory access at the central server. Most of the research in FL security focuses on protecting data privacy at the edge client or in the communication channels between the client and server. Client-facing attacks on the server are less well investigated as the assumption is that a large collective of clients offer resilience. Here, we show that by attacking certain clients that lead to a high frequency repetitive memory update in the server, we can remote initiate a rowhammer attack on the server memory. For the first time, we do not need backdoor access to the server, and a reinforcement learning (RL) attacker can learn how to maximize server repetitive memory updates by manipulating the client's sensor observation. The consequence of the remote rowhammer attack is that we are able to achieve bit flips, which can corrupt the server memory. We demonstrate the feasibility of our attack using a large-scale FL automatic speech recognition (ASR) systems with sparse updates, our adversarial attacking agent can achieve around 70\% repeated update rate (RUR) in the targeted server model, effectively inducing bit flips on server DRAM. The security implications are that can cause disruptions to learning or may inadvertently cause elevated privilege. This paves the way for further research on practical mitigation strategies in FL and hardware design.
Paper Structure (44 sections, 5 equations, 3 figures, 5 tables)

This paper contains 44 sections, 5 equations, 3 figures, 5 tables.

Figures (3)

  • Figure 1: Framework of our proposed threat vector. a) a PPO agent generates b) adversarial waveforms that interfere the inputs of c) client sensors of FL, resulting the clients to send d) clustered updates, which could trigger Rowhammer attack on e) server DRAM
  • Figure 2: Hierarchical organization of a DRAM system, depicting the structural composition from the memory controller and channel architecture through modules, ranks, and chips, down to individual bank-level components (row decoder, sense amplifier/row buffer) and the underlying DRAM cell structure (wordline, access transistor, capacitor). The schematic illustrates the multi-tiered interconnectivity and functional partitioning critical to DRAM operation, spanning system-level interfaces to transistor-level charge storage mechanisms.
  • Figure 3: DRAM access pathways and processes of FL. a) DRAM access pathways. For normal access, client updates go through network to the CPU of server before getting to the DRAM of the server, while RDMA allows clients to bypass the CPU; b) DRAM access processes. Normally, when mapping virtual addresses of applications to physical addresses on DRAM, the CPU lookup TLB, and walk through the page table if TLB miss. Using Huge Page reduces a level in page table walk, and DMA/RDMA bypass both TLB lookup and page table walk. Page-lock prevents variables from offloading from DRAM to disk.