January 17, 2024 at 10:36AM
The ‘LeftoverLocals’ vulnerability affects GPUs from AMD, Apple, Qualcomm, and Imagination Technologies, allowing data retrieval from local memory. Discovered by Trail of Bits researchers Tyler Sorensen and Heidy Khlaaf, it exploits incomplete memory isolation in GPU frameworks, enabling unauthorized data access. Mitigation efforts are underway, including patching and recommending automatic local memory clearing between kernel calls.
Based on the meeting notes, the new vulnerability called “LeftoverLocals” affects GPUs from AMD, Apple, Qualcomm, and Imagination Technologies, allowing attackers to retrieve data from the local memory space. The security flaw arises from the lack of complete memory isolation in some GPU frameworks, enabling one kernel to read values from the local memory written by another kernel. This vulnerability poses a significant security risk, particularly in the context of large language models (LLMs) and machine learning (ML) processes.
The researchers who discovered the vulnerability, Tyler Sorensen and Heidy Khlaaf from Trail of Bits, privately reported the issue to the vendors before publishing a technical overview. They revealed that an adversary can exploit this vulnerability by running a GPU compute application to read data left in the GPU local memory. Attackers can launch a ‘listener’ GPU kernel to retrieve data from the local memory and dump it in a persistent location, potentially exposing sensitive information such as model inputs, outputs, and intermediate computations.
To address the vulnerability, Trail of Bits suggests that GPU vendors implement an automatic local memory clearing mechanism between kernel calls to ensure the isolation of sensitive data written by one process. While this approach may introduce performance overhead, the researchers argue that the trade-off is justified given the severity of the security implications. Other potential mitigations include avoiding multi-tenant GPU environments in security-critical scenarios and implementing user-level mitigations.
Mitigation efforts are underway, with some vendors already issuing fixes while others continue to work on developing and implementing defense mechanisms. However, it’s noted that the latest iPhone 15 from Apple is unaffected by the vulnerability, and fixes have been made available for certain processors, but the issue persists on M2-powered computers. Additionally, some GPU models from AMD, Qualcomm, and Imagination Technologies remain vulnerable, and work is ongoing to address the issue. It’s also highlighted that Intel, NVIDIA, and ARM GPUs have reported that the data leak problem does not impact their devices.
Overall, the LeftoverLocals vulnerability presents a critical security concern for GPU users, and ongoing efforts are being made by researchers and vendors to address and mitigate the impact of the security flaw.