New Attack Shows Risks of Browsers Giving Websites Access to GPU 

New Attack Shows Risks of Browsers Giving Websites Access to GPU 

March 18, 2024 at 09:15AM

Researchers from Graz University of Technology in Austria and the University of Rennes in France discovered a new graphics processing unit (GPU) attack on popular browsers and graphics cards. By using the WebGPU API, they demonstrated an attack from within a web browser using JavaScript, showing potential risks and implications for security and privacy.

From the meeting notes, it is evident that a team of researchers from Graz University of Technology and University of Rennes has successfully demonstrated a new graphics processing unit (GPU) attack affecting several popular browsers and graphics cards. This attack leverages WebGPU, an API enabling high-performance computations in web browsers using the system’s GPU.

The researchers have showcased the first GPU cache side-channel attack from within a browser, emphasizing the significance of treating GPU access as a security and privacy-related resource by browser vendors. The attack can be executed remotely through JavaScript without requiring any user interaction, posing risks such as inter-keystroke timing attacks, obtaining encryption keys, and covert data exfiltration.

The targeted desktop graphics cards include products from AMD and NVIDIA, with affected browsers including Chrome, Chromium, Edge, and Firefox Nightly. Notably, the researchers have notified Mozilla, AMD, NVIDIA, and Chromium developers, with AMD publishing an advisory stating that they do not believe any exploit against their products has been demonstrated.

Despite the researchers suggesting a permission pop-up for GPU access, the response from the Chromium team indicates that such pop-ups could potentially annoy users and hence won’t be implemented.

In summary, the research underscores the significant security implications of granting web browsers access to the host system’s GPU and the potential risks associated with remote GPU-based attacks.

Full Article