
Whispering Pixels: Exploiting Uninitialized Register Accesses in Modern GPUs (2401.08881v1)

Published 16 Jan 2024 in cs.CR

Abstract: Graphic Processing Units (GPUs) have transcended their traditional use-case of rendering graphics and nowadays also serve as a powerful platform for accelerating ubiquitous, non-graphical rendering tasks. One prominent task is inference of neural networks, which process vast amounts of personal data, such as audio, text or images. Thus, GPUs became integral components for handling vast amounts of potentially confidential data, which has awakened the interest of security researchers. This led to the discovery of various vulnerabilities in GPUs in recent years. In this paper, we uncover yet another vulnerability class in GPUs: We found that some GPU implementations lack proper register initialization routines before shader execution, leading to unintended register content leakage of previously executed shader kernels. We showcase the existence of the aforementioned vulnerability on products of 3 major vendors - Apple, NVIDIA and Qualcomm. The vulnerability poses unique challenges to an adversary due to opaque scheduling and register remapping algorithms present in the GPU firmware, complicating the reconstruction of leaked data. In order to illustrate the real-world impact of this flaw, we showcase how these challenges can be solved for attacking various workloads on the GPU. First, we showcase how uninitialized registers leak arbitrary pixel data processed by fragment shaders. We further implement information leakage attacks on intermediate data of Convolutional Neural Networks (CNNs) and present the attack's capability to leak and reconstruct the output of LLMs.

