Since Spectre and Meltdown were demonstrated at the beginning of 2018, researchers have been discovering many variants of side-channel vulnerabilities affecting both Intel and AMD CPUs. GPUs seemed instead to be immune to such attacks. Until now, that is.
Researchers from UC Riverside demonstrated that, in fact, GPU side-channel attacks are practical. They used three primary attack vectors to show how a malicious program using either the graphics or the CUDA stack can spy on a victim program using either of the two stacks. In all three cases the researchers exploited aggregate measures of contention based on existing resource tracking APIs such as:
- The memory allocation API, which exposed the amount of available memory.
- The GPU performance counters, which includes memory read/write throughput and transactions; instruction count for several categories of instructions; cache hit rate and throughput, etc.
- Timing operations when both the victim and the spy are running concurrently to detect contention.
Several kind of attacks were demonstrated, including website fingerprinting; user activity tracking and keystroke monitoring; neural network model recovery, and others. The team also investigates possible mitigations. Besides removing the memory allocation API and performance counters altogether, which might not be entirely desirable, they showed that limiting the rate at which a program can query the memory allocation API or the granularity of measurements both are effective countermeasures to reduce the risk of an attack succeeding.
The team reverse-engineered a GPU from Nvidia, but the vulnerability could affect other manufacturers’ GPUs as well. Specifically this includes AMD CPUs, the researchers write, since they share two vectors of attack, i.e., the memory allocation API and and performance counters.
On a related note, a systematic evaluation of transient execution attacks for CPUs carried through by researchers at Graz University and others uncovered seven new attacks that affect CPUs from Intel, AMD, and ARM.