Researchers have proven lots of side channel vulnerabilities in CPUs that pose as security risks. However, this time, researchers have demonstrated a vulnerability in GPUs as well. Their work revolved around proving the possibility of a side-channel attack on Graphics Processing Units. From the results obtained, they concluded that GPU vulnerability to side channel attacks could lead to privacy and security breaches. This includes everything from spying on user activity to allowing hackers in to cloud services.
Researchers Proved GPU Vulnerability To Side Channel Attacks
A team of researchers from the University of California, Riverside, have discovered a GPU vulnerability based around a side-channel attack that could allow potential attackers to breach a users’ privacy. The Graphics Processing Unit (GPU) forms one of the core components in a computer. It is primarily responsible for handling graphical workloads and accelerating other computational processes.
The team conducting this study included four computer scientists who compiled their findings as part of a research paper presented in a conference. As reported, the researchers analyzed a range of Nvidia GPUs to find exploitable side channels.
“We demonstrate the vulnerability using two applications. First, we show that an OpenGL based spy can Fingerprint websites accurately, track user activities within the website, and even infer the keystroke timings for a password text box with high accuracy. The second application demonstrates how a CUDA spy application can derive the internal parameters of a neural network model being used by another CUDA application, illustrating these threats on the cloud.”
To validate these findings, the researchers considered three different attack vectors. These include,
- Graphics spy on a victim – an attack involving exploitation of graphics APIs, for instance, OpenGL, to track a co-located application.
- CUDA spying on a victim – requires an attacker to exploit CUDA for spying on cloud-based apps.
- CUDA spying with a graphics victim (Cross-Stack) – with user privileges, an attacker can attack graphics applications from CUDA.
For each of these scenarios, they reverse engineered the co-location properties to identify the co-location pattern and sources of the leaks.
In the light of their findings, researchers established that these attack scenarios could allow an attacker to perform various malicious activities. Some of these include website fingerprinting, tracking user activity, stealing passwords and other account based credentials
Nvidia Responds To The Study
Before revealing their report, the researchers informed Nvidia of the vulnerabilities in their GPUs. Moreover, they also shared their findings with AMD and Intel for possible evaluation for security risks to their GPUs.
Consequently, Nvidia has recently responded to this study in their security advisory. In it, they acknowledge their collaboration with the researchers over this software security issue in Nvidia GPUs.
Explaining the matter in their advisory, Nvidia stated,
“NVIDIA graphics driver contains a vulnerability that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters. Local user access is required. This is not a network or remote attack vector.”
The reported vulnerability has received the CVE number CVE‑2018‑6260. Presently, Nvidia has identified this flaw as a low-severity level issue. Nonetheless, they confirm to release a patch for this flaw, alongside posting a security bulletin for it, soon.