-: FOLLOW US :- @theinsaneapp
A new GPU vulnerability called 'LeftoverLocals' affects GPUs from AMD, Apple, Qualcomm, and Imagination Technologies, allowing unauthorized retrieval of data from the local memory space.
-: FOLLOW US :- @theinsaneapp
Tracked as CVE-2023-4969, the vulnerability, discovered by Trail of Bits researchers Tyler Sorensen and Heidy Khlaaf, particularly poses a threat to large language models (LLMs) and machine learning (ML) processes.
-: FOLLOW US :- @theinsaneapp
The security flaw arises because certain GPU frameworks lack complete memory isolation, enabling one kernel to read values in local memory written by another kernel.
-: FOLLOW US :- @theinsaneapp
Attackers can exploit LeftoverLocals by running a GPU compute application (e.g., OpenCL, Vulkan, Metal) to read data left in the GPU local memory by a user.
-: FOLLOW US :- @theinsaneapp
The vulnerability allows attackers to launch a 'listener,' a GPU kernel that reads from uninitialized local memory and can dump data in a persistent location, such as the global memory.
-: FOLLOW US :- @theinsaneapp
If local memory is not cleared, the listener can retrieve values left behind by the 'writer' program, exposing sensitive information about computations, model inputs, outputs, weights, and intermediate computations.
-: FOLLOW US :- @theinsaneapp
In a multi-tenant GPU context running LLMs, LeftoverLocals can be used to eavesdrop on other users' sessions and recover data from their "writer" processes in the GPU's local memory.
-: FOLLOW US :- @theinsaneapp
A proof of concept (PoC) by Trail of Bits demonstrates that an attacker can recover up to 5.5MB of data per GPU invocation, with potential for higher amounts depending on the GPU framework.
-: FOLLOW US :- @theinsaneapp
Trail of Bits discovered CVE-2023-4969 in September 2023 and reported it to CERT/CC for coordinated disclosure and patching efforts.
-: FOLLOW US :- @theinsaneapp
Some vendors have already released fixes, while others are still working on defense mechanisms. Apple's latest iPhone 15 is unaffected, but the issue persists on M2-powered computers.
-: FOLLOW US :- @theinsaneapp
AMD, Qualcomm, and Imagination Technologies have released patches for some models, but certain GPUs from Imagination are still impacted, according to a warning from Google.
-: FOLLOW US :- @theinsaneapp
Intel, NVIDIA, and ARM GPUs are reported not to be affected by the data leak problem.
-: FOLLOW US :- @theinsaneapp
Trail of Bits recommends GPU vendors implement an automatic local memory clearing mechanism between kernel calls to ensure isolation of sensitive data.
-: FOLLOW US :- @theinsaneapp
They acknowledge potential performance overhead but argue it is justified given the severity of security implications.
-: FOLLOW US :- @theinsaneapp
Other suggested mitigations include avoiding multi-tenant GPU environments in security-critical scenarios and implementing user-level mitigations.