In a rapidly advancing era of artificial intelligence (AI), graphics processing units (GPUs) have become integral for running large language models and processing data at a massive scale. However, researchers from New York-based security firm Trail of Bits have unveiled a significant security vulnerability named LeftoverLocals in mainstream GPUs, affecting major brands such as Apple, Qualcomm, and AMD. This flaw could potentially allow attackers to extract substantial amounts of data from a GPU’s memory, posing a serious threat to the privacy and security of AI-generated information.
AI-Driven Concerns
While the silicon industry has meticulously refined the security of central processing units (CPUs) to prevent data leakage in memory, GPUs, designed primarily for raw graphics processing power, haven’t received the same level of attention regarding data privacy. With the increasing adoption of GPUs for generative AI and machine learning applications, vulnerabilities in these chips are becoming a growing concern.
Heidy Khlaaf Warns of GPU Security Gap
Heidy Khlaaf, Trail of Bits’ engineering director for AI and machine learning assurance, emphasizes the broader security issue surrounding GPUs, noting that these chips may leak a significant amount of data, ranging from 5 to 180 megabytes. This stands in stark contrast to the CPU world, where even a single bit of leaked information is considered a potential security risk.
LeftoverLocals Unleashed
The vulnerability, known as LeftoverLocals, requires attackers to have already established some level of operating system access on a target device. While modern computers and servers are designed to segregate data to ensure user privacy, a LeftoverLocals attack breaks down these barriers, allowing attackers to exfiltrate data left behind in the local memory of vulnerable GPUs. This compromised data may include queries and responses generated by large language models, as well as the underlying weights driving these responses.
The proof of concept provided by the researchers demonstrates the effectiveness of a LeftoverLocals attack. In the demonstration, a target requests information about WIRED magazine using the open-source large language model runtime Llama.cpp. The attacker’s process swiftly collects the majority of the response produced by the language model, showcasing the potential impact of this vulnerability. The attack program created by the researchers consists of fewer than 10 lines of code, highlighting the ease with which this vulnerability could be exploited.
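The mechanism described above, in which GPU local (work-group) memory is not cleared between kernel launches and so carries one process's data into the next, can be modelled without a GPU. The following is an added example, not code from the article or from Trail of Bits: a constructed Python model of a single compute unit whose scratchpad persists across dispatches, a self-test a device owner can run to check whether local memory starts out clean, and the hardening a kernel author can apply (zeroing the scratchpad before returning). The 64 KiB scratchpad size and the sample token string are assumptions made for the simulation.

```python
"""Constructed model of persistent GPU local memory (not a real GPU runtime).

Shows why data staged in local memory by one kernel is still there when the
next kernel starts, how a defender can test for that condition, and how a
kernel can clear its scratchpad on exit so nothing is left behind.
"""
from dataclasses import dataclass, field

LOCAL_MEM_BYTES = 64 * 1024  # assumption: 64 KiB scratchpad per compute unit

# Constructed sample payload standing in for LLM response tokens.
SAMPLE_TOKENS = b"constructed sample: LLM response tokens"


@dataclass
class ComputeUnit:
    """One compute unit and its local memory. The hardware in this model never
    clears the scratchpad between dispatches (the behaviour the article describes)."""
    local_mem: bytearray = field(default_factory=lambda: bytearray(LOCAL_MEM_BYTES))


def victim_kernel(cu: ComputeUnit, tokens: bytes, clear_on_exit: bool) -> None:
    """Stage tokens in local memory, as an inference kernel might, then return.

    With clear_on_exit=False the staged bytes remain after the kernel finishes.
    With clear_on_exit=True the kernel zeroes the whole scratchpad first (the
    hardened variant a kernel author can ship without a hardware fix).
    """
    cu.local_mem[: len(tokens)] = tokens
    # ... real compute on the staged data would happen here ...
    if clear_on_exit:
        cu.local_mem[:] = bytes(LOCAL_MEM_BYTES)


def local_memory_is_clean(cu: ComputeUnit) -> bool:
    """Defender self-test: a kernel launched with no inputs should see only zeros
    in local memory at start. True means no leftover data is observable."""
    return not any(cu.local_mem)


def leftover_bytes(cu: ComputeUnit) -> int:
    """Rough size of what a subsequent kernel could observe (non-zero bytes)."""
    return sum(1 for b in cu.local_mem if b)


def run_scenario(clear_on_exit: bool) -> tuple[bool, int]:
    """Run one victim dispatch, then the self-test. Returns (clean?, leftover bytes)."""
    cu = ComputeUnit()
    victim_kernel(cu, SAMPLE_TOKENS, clear_on_exit)
    return local_memory_is_clean(cu), leftover_bytes(cu)


if __name__ == "__main__":
    for hardened in (False, True):
        clean, left = run_scenario(hardened)
        label = "clear-on-exit" if hardened else "no clearing  "
        print(f"{label}: local memory clean={clean}, leftover bytes={left}")
```

The unhardened run leaves the full sample behind, which is exactly the condition the self-test flags; the hardened run reports a clean scratchpad. On a real device the same check would be a kernel that reads its own uninitialised local buffer and verifies it is all zeros, run after a driver or firmware update to confirm the fix landed.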
Security Updates in Progress
Trail of Bits tested 11 chips from seven GPU makers, including Apple, AMD, and Qualcomm, and identified the LeftoverLocals vulnerability. A coordinated disclosure in September involved collaboration with the US-CERT Coordination Center and the Khronos Group, a standards body focused on 3D graphics, machine learning, and virtual and augmented reality. Notably, Nvidia, Intel, and Arm GPUs were found to be free of the vulnerability.
Nvidia, Intel, and Arm GPUs Secure
While Apple, Qualcomm, and AMD confirmed the presence of LeftoverLocals in their GPUs, Nvidia, Intel, and Arm GPUs were deemed unaffected. An Apple spokesperson acknowledged the vulnerability and mentioned that fixes were implemented with the latest M3 and A17 processors, unveiled at the end of 2023. However, millions of existing iPhones, iPads, and MacBooks, relying on previous generations of Apple silicon, remain potentially vulnerable.
Qualcomm stated that it is “in the process” of providing security updates, urging end-users to apply these updates as they become available. AMD released a security advisory outlining plans to offer optional mitigations for LeftoverLocals in March. Google, in response to the vulnerability, released fixes for ChromeOS devices with impacted AMD and Qualcomm GPUs.
The researchers emphasize the challenge of ensuring widespread adoption of these fixes. While GPU makers may release patches, device manufacturers must then package and relay these protections to end-users, a complex coordination process across the global tech ecosystem. Although attackers need some level of existing access to a target device, the potential impact of exploiting this vulnerability is significant: highly motivated attackers often chain multiple vulnerabilities together, so each potential entry point must be addressed for comprehensive cybersecurity.