ShadowScope+ GPU Monitoring

• ShadowScope+ is a hardware-assisted framework that uses composable side-channel event models to ensure GPU kernel integrity.
• It integrates lightweight PMUs and on-chip validators to achieve high detection rates (up to 100%) with negligible area (<0.03%) and runtime (4.6%) overhead.
• The framework is applicable in security-critical domains like machine learning, HPC, and confidential computing by robustly detecting kernel anomalies.

ShadowScope+ is a hardware-assisted GPU kernel monitoring and validation framework designed to ensure the integrity of GPU computation through composable side-channel observability. Building on the earlier software-only ShadowScope framework, ShadowScope+ tightly integrates lightweight performance monitors and an on-chip validation module into the GPU pipeline. This design enables robust real-time validation of kernel behaviors—across varied workloads and in the presence of system noise—by comparing hardware event traces to trusted, modular “golden” execution models. Evaluations demonstrate high attack detection rates with low runtime and area overhead, establishing ShadowScope+ as a practical solution for enforcing execution correctness in GPU-accelerated environments (Almusaddar et al., 30 Aug 2025).

1. Hardware-Assisted Validation via Composable Models

ShadowScope+ is anchored in the observation that GPU kernel integrity can be assessed using side-channel signals—precisely, low-level hardware events such as atomic operations, instruction counts, and cache activity. Unlike traditional golden model validation, which attempts to match global, monolithic traces and fails to scale under variable kernel scheduling or in the presence of noise, ShadowScope+ decomposes a kernel’s trusted execution model into a set of composable, repeatable functions.

Each GPU kernel is instrumented with lightweight markers (“composable functions” [Editor's term]) that delineate semantically meaningful segments of computation (e.g., thread blocks or grid launches). During execution, on-chip Performance Monitoring Units (PMUs) appended to each Streaming Multiprocessor (SM) capture one-bit, cycle-wide signals for various event classes, storing the results in local up-counters. At defined boundaries—either at kernel end or at fixed sampling windows—these event vectors are aggregated and transferred to an on-chip Validator module. The Validator then compares the observed event metrics ("M_sample") against the corresponding precomputed golden models ("M_golden"):

$d = \| M_{\text{sample}} - M_{\text{golden}} \|$

An anomaly is flagged if $d$ exceeds a dynamically configured threshold.

This local, segment-wise approach dramatically improves resilience to input-dependent variability, scheduling differences, and system-level interference.

2. Technical Architecture and Operation

The implementation of ShadowScope+ modifies both the GPU software stack and hardware pipeline:

• Software Instrumentation: Kernels are statically instrumented to emit event markers using atomic operations (e.g., global_atom_cas), which register as unique signatures in the PMU event stream. These markers embed relevant metadata (e.g., grid/block dimensions), which the validation logic uses to segment the trace in real time.
• Hardware Integration: At the hardware level, each SM contains a dedicated set of 32-bit up-counters—one per monitored event. Counters are freeze-captured and reset at defined points, then relayed via an internal network to the Validator. The Validator, incorporated into the GPU's interconnect fabric, receives PMU samples from all SMs and executes vector comparisons with the golden signatures via efficient, parallel logic (norm, distance, or cross-correlation).
• Minimal Overhead: The entire PMU and Validator subsystem incurs less than 0.03% area overhead on the GPU, as assessed in synthesis experiments.

The workflow is summarized in the table below:

Component	Role in ShadowScope+	Data Collected
Composable SW	Markers for segmentation	Kernel boundary events
PMU (per SM)	Event counting, sampling	Instruction, memory, atomic counters
Validator (HW)	Aggregation, comparison	Vector matching to golden models

3. Security, Detection Accuracy, and Runtime Performance

ShadowScope+ targets a broad spectrum of threat models. These include classical memory errors (such as buffer overflows or "mind control" attacks), microarchitectural attacks (notably Rowhammer), and DoS/slowdown attacks affecting GPU kernels. Evaluation on a suite of adversarial workloads reveals:

• Detection Rate: True positive rates reach up to 100% over evaluated attacks, with false positive rates consistently below 5% and typically 0% under representative noise and concurrency scenarios.
• Robustness: Composable matching of event segments reduces sensitivity to variability in execution ordering, input data, and background workload interference—an area where monolithic golden models fail.
• Performance Overhead: The average runtime overhead introduced by ShadowScope+ is 4.6% across benchmarks, since PMU sampling and validation logic operate independently of the instruction stream and with minimal contention for internal communication bandwidth.
• Hardware Complexity: Area and power overhead are negligible (<0.03% of total GPU logic area), ensuring practical deployability in both consumer and HPC accelerator environments.

4. Comparison with Golden Model and Software-Only Approaches

Traditional CPU-based or software-only side-channel monitoring tools rely on performance counters or runtime traces gathered from the host system. These approaches suffer from:

• High overhead due to fine-grained sampling,
• Poor scalability and sensitivity to kernel scheduling and system-level interference,
• Fragility under variable workload mixes and input sizes.

ShadowScope+ overcomes these limitations via:

• On-chip sampling, which isolates kernel-level behaviors from OS noise,
• Composable segment models that allow dynamic, granular matching, and
• Hardware-accelerated event aggregation and comparison, maintaining scalability and low overhead.

The key architectural distinction is the decomposition of trusted execution into modular segments, combined with fine-grained, always-on in-hardware observability—enabling real-time, cross-kernel, and cross-workload integrity assurance.

5. Practical Applications

ShadowScope+ is suitable for security-critical and correctness-critical use cases in modern GPU computing, including:

• Machine Learning: Detection of kernel or memory tampering during model training and inference, especially in DNN architectures such as AlexNet, ResNet, or SqueezeNet.
• High-Performance Computing: Verification of scientific computations or HPC kernels, such as those in dense/sparse linear algebra or simulation pipelines.
• Confidential Computing: In-GPU attestation for trusted execution of sensitive or adversarially provided GPU code, enabling secure outsourcing.
• Microarchitecture Security: Detection of Rowhammer, kernel-level DoS, or resource contention-based attacks in multi-tenant GPU accelerator infrastructure.

For all these domains, the built-in, low-latency validation path of ShadowScope+ ensures that integrity checks are performed with minimal performance penalty and can scale to high-throughput deployment.

6. Prospects for Future Enhancement

The authors outline several avenues for further development:

• Increasing the flexibility of composable model integration, to support more dynamic input parameterizations and runtime adaptation.
• Enhancing PMU resolution and event grouping, enabling the detection of even shorter-lived attacks or fast-executing kernels.
• Developing point-to-point communication paths between PMUs and the Validator to further mitigate contention and maintain linear scalability.
• Incorporating hybrid validation techniques, for example by augmenting event vector comparison with on-chip ML classifiers for anomaly detection under extreme concurrency or system noise.
• Enabling run-time reconfiguration and threshold adjustment to dynamically tailor detection sensitivity to workload properties and security requirements.

Such enhancements would further improve resilience, coverage, and usability of ShadowScope+ in increasingly complex and heterogeneous computing environments.

---

ShadowScope+ thus represents a hardware/software co-designed framework for secure and efficient GPU kernel monitoring, validation, and anomaly detection using composable side-channel event models and lightweight on-chip integration (Almusaddar et al., 30 Aug 2025).