Remote Rowhammer Attack using Adversarial Observations on Federated Learning Clients
Jinsheng Yuan, Yuhang Hao, Weisi Guo, Yun Wu, Chongyan Gu

TL;DR
This paper demonstrates a novel remote rowhammer attack on federated learning servers, exploiting adversarial client observations to induce memory bit flips without server backdoors, highlighting security vulnerabilities.
Contribution
It introduces a reinforcement learning-based method to manipulate client updates, causing repeated memory access that triggers rowhammer attacks on server DRAM in federated learning.
Findings
Achieved around 70% repeated update rate in targeted server models.
Successfully induced bit flips in server DRAM using adversarial observations.
First demonstration of remote rowhammer attack exploiting federated learning client behavior.
Abstract
Federated Learning (FL) has the potential for simultaneous global learning amongst a large number of parallel agents, enabling emerging AI such as LLMs to be trained across demographically diverse data. Central to this being efficient is the ability for FL to perform sparse gradient updates and remote direct memory access at the central server. Most of the research in FL security focuses on protecting data privacy at the edge client or in the communication channels between the client and server. Client-facing attacks on the server are less well investigated as the assumption is that a large collective of clients offer resilience. Here, we show that by attacking certain clients that lead to a high-frequency repetitive memory update in the server, we can remotely initiate a rowhammer attack on the server memory. For the first time, we do not need backdoor access to the server, and a…
