A critical vulnerability (CVE-2023-4969) has been discovered in general-purpose graphics processing unit (GPGPU) platforms from almost all the major manufacturers, including AMD, Apple, and Qualcomm. The flaw lies in the adequate isolation of process memory, potentially allowing a hacker to read memory from other processes.
The vulnerability, discovered by Trail of Bits, is named LeftoverLocals and involves a GPU kernel’s ability to observe memory values from a different kernel, even when isolated between applications, processes, or users. Originally designed to accelerate computer graphics, GPUs have evolved into essential hardware accelerators for scientific computing, artificial intelligence, and machine learning (AI/ML) applications.
GPGPU platforms, such as those by AMD, Apple and Qualcomm, enable the copying of CPU memory to the GPU for high-performance computing tasks. The vulnerability involves a GPU kernel’s ability to take values from different kernels, even when isolated from different applications, processes and users.
Trail of Bits researchers discovered that a GPU kernel could access memory expected to be isolated from other users and processes. This vulnerability affects the local memory of the GPGPU. The local memory is cache managed by the software and is similar to the L1 cache in CPUs. Its size might change depending on the GPU.
The vulnerability can be exploited in a two-stage attack:
- Fingerprinting the model: Through repetitive readings of local memory, hackers can clandestinely extract critical data from LLM execution. This pilfered information enables the attacker to identify the open-source model being run by the victim.
- Listening to outputs: Hackers then focus on harvesting bits of data from the output layer. The attacker can replicate LLM’s output by intercepting data from this layer.
The researchers systematically tested GPUs from major vendors, including Apple, AMD, and Qualcomm. Notably, Nvidia, Intel and ARM are safe from this vulnerability.
“We encourage end users to apply security updates as they become available from their device makers,” a Qualcomm spokesperson told Wired.
Additionally, Google’s Imagination GPUs are likely to be affected, although Trail of Bits has not observed this vulnerability directly.
“Google is aware of this vulnerability impacting AMD, Apple, and Qualcomm GPUs. Google has released fixes for ChromeOS devices with impacted AMD and Qualcomm GPUs,” said a Google spokesperson.
This vulnerability could have a far-reaching effect on AI security. Although hackers may use LeftoverLocals to listen to chatbots, any application that uses local memory will be at risk of exploitation.
In the News: Health product scams exploiting cheap domains are on the rise
