Apple, AMD and Qualcomm GPUs vulnerable to data leakage

Researchers from Trail of Bits, a security firm based in New York, have discovered a vulnerability in the graphics processing units (GPUs) of Apple, AMD and Qualcomm, which could allow an attacker to access sensitive data from other processes or applications running on the same device.

The vulnerability, dubbed LeftoverLocals, affects millions of devices that use these GPUs for general-purpose computing, such as artificial intelligence, machine learning and scientific computing.

GPUs are specialized chips that are designed to perform complex calculations and graphics rendering at high speed and efficiency. They are widely used in gaming, video editing, virtual reality and other applications that require high-performance graphics.

However, GPUs are also increasingly used for general-purpose computing, such as running large language models (LLMs) and other machine learning tasks that require massive parallelism and high memory bandwidth.

To perform these tasks, GPUs use a programming model that allows users to write custom programs, called kernels, that execute on the GPU. These kernels can access different types of memory, such as global memory, shared memory and local memory.

Global memory is the main memory of the GPU, which can be accessed by all kernels and processes. Shared memory is a fast and small memory that can be accessed by kernels within the same thread block. Local memory is a software-managed cache that can be accessed by individual kernels.

The researchers found that local memory is not properly isolated between different kernels, processes and users, and that it can leak data from previous executions. This means that an attacker who can run a malicious kernel on the same GPU as a target process or application can potentially read the data that was left behind in the local memory by the target.

This data could include queries and responses generated by LLMs, weights and parameters of neural networks, encryption keys, passwords and other sensitive information.

The researchers tested the vulnerability on various platforms, including Apple's Metal, Vulkan and OpenCL, which are frameworks that enable low-level programming of GPUs. They found that the vulnerability affects GPUs from Apple, AMD and Qualcomm, which are used in devices such as iPhones, iPads, Macs, PCs, laptops, tablets and smartphones. They did not find evidence that GPUs from Nvidia, Intel or Arm are affected by the vulnerability.

The researchers notified the affected vendors and disclosed the vulnerability to the public on January 17, 2024. They also released proof-of-concept code on GitHub that demonstrates the exploit.

They recommended that users update their GPU drivers and operating systems to the latest versions, and that developers use secure coding practices and tools to prevent data leakage from their GPU kernels.
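
One coding practice of this kind is to overwrite a kernel's local memory before it returns. The OpenCL C kernel below is an added example, not code from the researchers or from any vendor; the kernel name `scaled_sum`, its arguments and the `TILE` size are assumptions made for illustration.

```opencl
// Added example: scrub work-group local memory before the kernel exits.
// Assumption: the host launches this kernel with a local size of TILE.
#define TILE 256

__kernel void scaled_sum(__global const float *in,
                         __global float *out,
                         const float scale,
                         const uint n)
{
    // Scratch buffer in local memory, the region that can outlive the kernel.
    __local float scratch[TILE];

    const uint lid = get_local_id(0);
    const uint gid = get_global_id(0);

    // Stage (possibly sensitive) data in local memory. No early return:
    // every work-item must reach every barrier below.
    scratch[lid] = (gid < n) ? in[gid] * scale : 0.0f;
    barrier(CLK_LOCAL_MEM_FENCE);

    // Tree reduction inside the work-group.
    for (uint stride = TILE / 2; stride > 0; stride >>= 1) {
        if (lid < stride)
            scratch[lid] += scratch[lid + stride];
        barrier(CLK_LOCAL_MEM_FENCE);
    }

    // One result per work-group goes back to global memory.
    if (lid == 0)
        out[get_group_id(0)] = scratch[0];

    // Wait until the result has been read before overwriting anything.
    barrier(CLK_LOCAL_MEM_FENCE);

    // Scrub: each work-item zeroes its share of the buffer. The volatile
    // pointer keeps the compiler from discarding the stores as dead writes.
    volatile __local float *wipe = scratch;
    for (uint i = lid; i < TILE; i += get_local_size(0))
        wipe[i] = 0.0f;
    barrier(CLK_LOCAL_MEM_FENCE);
}
```

The scrub only covers local memory this kernel declares and only runs if the kernel completes normally, so it complements driver and operating system updates rather than replacing them.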

The vulnerability highlights the need for more security awareness and research on GPUs, as they become more widely used for general-purpose computing and machine learning.

The researchers said that GPUs are not as secure as CPUs, which have been designed with more data privacy and isolation features. They also said that GPUs pose new challenges and opportunities for security analysis and testing, as they have different architectures and programming models than CPUs.
