NVIDIA GPUs found vulnerable to side channel attacks

Security researchers at University of California, Riverside discovered that side channel attacks aren't limited to processors, the same techniques used to attack processors can also be applied to GPUs. In a new paper, the scientists demonstrate three attacks that can be used to steal passwords, monitor web activity, and break into cloud-based services.

For consumers, the implications here are limited as all three attack are only possible after the PC is already compromised by malware. For datacenters and cloud providers the implications may be more severe.

The first attack tracks user activity on the web. When the victim opens the malicious app, it uses OpenGL to create a spy to infer the behavior of the browser as it uses the GPU. Every website has a unique trace in terms of GPU memory utilization due to the different number of objects and different sizes of objects being rendered. This signal is consistent across loading the same website several times and is unaffected by caching.

The researchers monitored either GPU memory allocations over time or GPU performance counters and fed these features to a machine learning based classifier, achieving website fingerprinting with high accuracy. The spy can reliably obtain all allocation events to see what the user has been doing on the web.

In the second attack, the authors extracted user passwords. Each time the user types a character, the whole password textbox is uploaded to GPU as a texture to be rendered. Monitoring the interval time of consecutive memory allocation events leaked the number of password characters and inter-keystroke timing, well-established techniques for learning passwords.

The third attack targets a computational application in the cloud. The attacker launches a malicious computational workload on the GPU which operates alongside the victim’s application. Depending on neural network parameters, the intensity and pattern of contention on the cache, memory and functional units differ over time, creating measurable leakage. The attacker uses machine learning-based classification on performance counter traces to extract the victim’s secret neural network structure, such as number of neurons in a specific layer of a deep neural network.

Full details at ucRiverside.

NVIDIA was informed of the findings and is working on a patch that offers admins the option to disable access to performance counters from user-level processes. At the moment, it's unknown whether AMD GPUs have the same or similar weaknesses.