LeftoverLocals: Listening to LLM responses through leaked GPU local memory (opens in new tab)

(blog.trailofbits.com)

136 pointsks6g102y ago39 comments

39 comments

32 comments · 8 top-level

Veserv2y ago· 12 in thread

tl;dr GPU drivers made by various vendors do not sanitize compute unit hardware scratch memory between uses, so you can just freely read whatever the last user left laying around when they stopped.

Literally too incompetent to follow even basic security 101 practices. A time shared device must be sanitized between users to prevent state leakage. There is no reason to believe that a security culture that clueless when developing a universally shared, high criticality device can be believed if they claim to do better elsewhere. Their process is either so incompetent or so inconsistent that their claims can not be believed without external audits.

In this case: Apple, Qualcomm, AMD, Imagination.

Edit: Added Imagination as noted by reply.

bee_rider2y ago

These designs all come out of the consumer and gaming space. They correctly trade security away for performance. Blame whoever started running untrustworthy code on them.

These vulnerabilities will continue happening. What I don’t understand is how anybody can be surprised at this point. If anyone out there missed the first dozen instances of this: workloads on modern hardware can’t be isolated.

pjmlp2y ago

They incorrectly trade security for performance, in the days of money transactions in games, esports, and server dependencies.

1 more reply

kridsdale12y ago

Yeah it’s pretty insane that the entire AI hype and crypto hype industry waves are actually just getting really specific pixel shaders to sparkle in extremely specific ways.

The gear was made to frag noobs in Counterstrike at 300 FPS.

vlovich1232y ago

And Imagination.

Notably Intel and Nvidia were not impacted. I wonder if the security hardening that Google worked on with Nvidia for Stadia helped prevent this

Veserv2y ago

Jeez, I hope it did not require “security hardening” for Nvidia to do something this basic. If these other vendors missed some tiny corner resulting in state leakage, that would be understandable. But, forgetting to clear local memory is just inexcusable.

Imagine a OS forgetting to replace your general purpose registers across context switches. Only a rank incompetent and useless security process would let something like that get all the way through to deployment.

1 more reply

ks6g10OP2y ago

Could probably be that the shared memory (at least in the past) also was used for cache, so the same mechanism that probably sanitizer the cache is/was in play here.

jmgao2y ago

Google used AMD GPUs for Stadia, not NVIDIA.

1 more reply

kevingadd2y ago

Could imagine it being related to CUDA as well. Memory being consistently zero-initialized helps prevent application bugs.

1 more reply

kevingadd2y ago

Wasn't too long ago that stray texture data would be left lying around from other processes, too. You could exploit that to read the contents of the user's banking tabs and stuff like that.

dist-epoch2y ago

It's not so simple.

For example Windows takes over GPU memory control, it virtualizes it, and allocates it to various applications, zeros it, etc...

ks6g10OP2y ago

This is specific to local/scratch memory which is not exposed for allocation in the same way dram is.

throwitaway2222y ago

Man so this has been an issue for 20 years, we suddenly invent LLMs and you want your money back on Nvidia.

ComputerGuru2y ago· 4 in thread

At this point, I assume this is the default and don’t expect data recovery to not be provide on the same physical machine (even across virtualization barriers).

If your data is that sensitive, run it on dedicated hardware. Papering over this with mitigation over mitigation is a fool’s errand: both a genuine waste of compute resources and guaranteed to be a game of cat and mouse.

Retr0id2y ago

This is certainly the pragmatic approach to GPU memory in 2024, but I don't think it's a fool's errand. It's a solved problem on the CPU side of things, and I don't see any reason why we can't solve it in the GPU domain too.

Notably:

> NVIDIA: confirmed that their devices are not currently impacted

> ARM: also confirmed that their devices are not currently impacted.

malf2y ago

> It's a solved problem on the CPU side of things

Is it? gestures at pile of cpu bugs

ks6g10OP2y ago

The reason why arm is not affected is that their "local" memory is non existent and they just spill everything to cache.

htrp2y ago

TIL that ARM has GPUs

declaredapple2y ago· 3 in thread

GPU memory isolation is generally really bad, from between processes and entire virtual machines.

Does anyone know if nvidia's virtual gpus improve the isolation at all?

jeroenhd2y ago

This is one of my main concerns with technologies like WebGPU. Luckily, WebGPU seems to sacrifice some performance to keep attacks like these from working: https://github.com/trailofbits/LeftoverLocalsRelease/tree/ma...

hhh2y ago

IIRC it only improves if you use MIG.

declaredapple2y ago

So I guess only the A30/A100/H100 then?

dmvdoug2y ago· 3 in thread

Is this the Golden Age of hardware vulnerabilities?

formerly_proven2y ago

At some point in the last ~20 years a lot of people started interpreting "this system is meant to protect against programming errors crashing the whole system" as "this is a watertight security boundary and I can rely on zero information leaking across". The results are, uh, roughly what you'd expect.

ngneer2y ago

Kind of. However, I would venture most real world attack scenarios do not leverage HW vulnerabilities. But wait, how do we know what is happening invisibly? And what about state actors? The answer is we do not know, but the economics do not change based on whether an attack is made visible or not. Attacks tend to follow and reveal the path of least impedance. If software attacks are working fine for most, why would anyone spend more on weaponizing a HW exploit?

dmvdoug2y ago

I just feel like maybe 20 years ago people thought the hardware was the hardware and all the security issues were inevitably to be found in software. I mean, I know that people who work with hardware for a living always say that hardware has always been shit, but it really does feel now like everything is a security vulnerability, in a way that people weren’t looking for previously. Then again, maybe they were, and I just wasn’t paying attention. Ah, to be young and carefree again.

1 more reply

frankjr2y ago· 2 in thread

> Since September 2023, we have been working with CERT (..)

> Apple: Despite multiple efforts to establish contact through CERT/CC, we only received a response from Apple on January 13, 2024.

> Apple did not respond or engage with us regarding the disclosure.

Well at least they are consistent at not giving a flying f*ck about working with bug reporters, no matter who you are. I have reported 5+ radars in the past and have never received any response, not even a confirmation.

kridsdale12y ago

My first job post college was a Radar triager for specific Apple frameworks. I was 23 or so, probably high the previous evening, and I did not give a FUCK about some external developer and their problems.

Sorry. That was a long time ago.

adr1an2y ago

At least you don't get sued or incarcerated /s

Kab1r2y ago

I've been told that historically performance has been prioritized over security in the GPU space. Mitigating things like this does incur a performance penalty.

geuis2y ago

I don't know if this is related, but I reported an issue back in September or October about conversations with ChatGPT 3.5 leaking into new sessions. I noticed that after having a semi long exchange, I could start a new session and ask a question about one of the previous sessions and the LLM would respond with details it could only obtain from one of the prior ones.

This was definitely happening with OpenAI's web interface. It might have been happening via API calls too but it's been a while and I don't remember.

Nothing ever came of the report as far as I know.

dang2y ago

Url changed from https://leftoverlocals.com/, which points to this and has more information.

j / k navigate · click thread line to collapse

39 comments

32 comments · 8 top-level

Veserv2y ago· 12 in thread

tl;dr GPU drivers made by various vendors do not sanitize compute unit hardware scratch memory between uses, so you can just freely read whatever the last user left laying around when they stopped.

In this case: Apple, Qualcomm, AMD, Imagination.

Edit: Added Imagination as noted by reply.

bee_rider2y ago

These designs all come out of the consumer and gaming space. They correctly trade security away for performance. Blame whoever started running untrustworthy code on them.

pjmlp2y ago

They incorrectly trade security for performance, in the days of money transactions in games, esports, and server dependencies.

1 more reply

kridsdale12y ago

Yeah it’s pretty insane that the entire AI hype and crypto hype industry waves are actually just getting really specific pixel shaders to sparkle in extremely specific ways.

The gear was made to frag noobs in Counterstrike at 300 FPS.

vlovich1232y ago

And Imagination.

Notably Intel and Nvidia were not impacted. I wonder if the security hardening that Google worked on with Nvidia for Stadia helped prevent this

Veserv2y ago

1 more reply

ks6g10OP2y ago

Could probably be that the shared memory (at least in the past) also was used for cache, so the same mechanism that probably sanitizer the cache is/was in play here.

jmgao2y ago

Google used AMD GPUs for Stadia, not NVIDIA.

1 more reply

kevingadd2y ago

Could imagine it being related to CUDA as well. Memory being consistently zero-initialized helps prevent application bugs.

1 more reply

kevingadd2y ago

Wasn't too long ago that stray texture data would be left lying around from other processes, too. You could exploit that to read the contents of the user's banking tabs and stuff like that.

dist-epoch2y ago

It's not so simple.

For example Windows takes over GPU memory control, it virtualizes it, and allocates it to various applications, zeros it, etc...

ks6g10OP2y ago

This is specific to local/scratch memory which is not exposed for allocation in the same way dram is.

throwitaway2222y ago

Man so this has been an issue for 20 years, we suddenly invent LLMs and you want your money back on Nvidia.

ComputerGuru2y ago· 4 in thread

At this point, I assume this is the default and don’t expect data recovery to not be provide on the same physical machine (even across virtualization barriers).

Retr0id2y ago

Notably:

> NVIDIA: confirmed that their devices are not currently impacted

> ARM: also confirmed that their devices are not currently impacted.

malf2y ago

> It's a solved problem on the CPU side of things

Is it? gestures at pile of cpu bugs

ks6g10OP2y ago

The reason why arm is not affected is that their "local" memory is non existent and they just spill everything to cache.

htrp2y ago

TIL that ARM has GPUs

declaredapple2y ago· 3 in thread

GPU memory isolation is generally really bad, from between processes and entire virtual machines.

Does anyone know if nvidia's virtual gpus improve the isolation at all?

jeroenhd2y ago

hhh2y ago

IIRC it only improves if you use MIG.

declaredapple2y ago

So I guess only the A30/A100/H100 then?

dmvdoug2y ago· 3 in thread

Is this the Golden Age of hardware vulnerabilities?

formerly_proven2y ago

ngneer2y ago

dmvdoug2y ago

1 more reply

frankjr2y ago· 2 in thread

> Since September 2023, we have been working with CERT (..)

> Apple: Despite multiple efforts to establish contact through CERT/CC, we only received a response from Apple on January 13, 2024.

> Apple did not respond or engage with us regarding the disclosure.

kridsdale12y ago

Sorry. That was a long time ago.

adr1an2y ago

At least you don't get sued or incarcerated /s

Kab1r2y ago

I've been told that historically performance has been prioritized over security in the GPU space. Mitigating things like this does incur a performance penalty.

geuis2y ago

This was definitely happening with OpenAI's web interface. It might have been happening via API calls too but it's been a while and I don't remember.

Nothing ever came of the report as far as I know.

dang2y ago

Url changed from https://leftoverlocals.com/, which points to this and has more information.

j / k navigate · click thread line to collapse