Computer scientists at the University of California at Riverside have found that GPUs are vulnerable to side-channel attacks, the same kinds of exploits that have impacted Intel and AMD CPUs.

Two professors and two students, one a computer science doctoral student and a post-doctoral researcher, reverse-engineered a Nvidia GPU to demonstrate three attacks on both graphics and computational stacks, as well as across them. The researchers believe these are the first reported side-channel attacks on GPUs.

A side-channel attack is one where the attacker uses how a technology operates, in this case a GPU, rather than a bug or flaw in the code. It takes advantage of how the processor is designed and exploits it in ways the designers hadn’t thought of.

In this case, it exploits the user counters in the GPU, which are used for performance tracking and are available in user mode, so anyone has access to them.

3 types of GPU attacks

All three attacks require the victim to download a malicious program to spy on the victim’s computer.

The first attack tracks user activity on the web, since GPUs are used to render graphics in browsers. A malicious app uses OpenGL to create a spy program to infer the behavior of the browser as it uses the GPU. The spy program can reliably obtain all allocation events of each website visited to see what the user has been doing on the web and possibly extract login credentials.

In the second attack, the authors extracted user passwords because the GPU is used to render the login/password box. Monitoring the memory allocation events leaked allowed for keystroke logging.

The third attack is the one that hits the data center. It targets computational applications, using the same memory sniffing for grabbing passwords but this time on a neural network to learn the network’s structure. In short, malicious code could sniff out your neural network algorithms and steal them.

The researchers suggest turning off user mode access to the counters to defend against the third attack, but many existing applications depend on that functionality and would break, so it’s not a viable solution for many.

The researchers said they reported their findings to Nvidia, which said it intends to publish a patch that offers system administrators the option to disable access to performance counters from user-level processes. They also shared their findings with Intel and AMD, since they are also GPU makers.

You can read the researchers' paper, Rendered Insecure: GPU Side Channel Attacks are Practical, which was presented at the ACM SIGSAC conference last month.