As development of artificial intelligence (AI) systems accelerates, companies are relying heavily on graphics processing units (GPUs) for the computing power needed to run large language models (LLMs) and process data at massive scale. Demand for GPUs, driven by both video game rendering and AI workloads, has reached unprecedented levels, prompting chipmakers to race to strengthen supply.
Recent research from the security firm Trail of Bits reveals a concerning vulnerability in a range of mainstream GPUs, including chips made by Apple, Qualcomm, and AMD, that could allow attackers to steal large quantities of data from a GPU's memory. While the security of central processing units (CPUs) has been hardened over years of scrutiny to keep one process's data from leaking to another, GPUs, originally designed for graphics work, have not received the same emphasis on data isolation. As GPUs take on generative AI and other machine learning workloads, that gap becomes a pressing concern.
Dubbed LeftoverLocals, the vulnerability can be exploited by an attacker who has already gained some foothold on the target device's operating system. Modern computers and servers are designed to compartmentalize data so that multiple users can share the same processing resources without being able to read one another's data. A LeftoverLocals attack breaks down those walls: because affected GPUs do not clear their local memory between workloads, a malicious process can read data left behind by another process's computations. The exposed data can include queries and responses generated by LLMs, as well as the model weights driving those responses.
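To see why uncleared local memory matters, consider how ordinary GPU compute code works. Kernels routinely stage intermediate values in local (workgroup-shared) memory for speed, as most matrix and reduction routines do. The OpenCL C sketch below is purely illustrative, not drawn from any real LLM framework; it shows a typical reduction kernel that simply returns without scrubbing its scratch buffer:

```c
// Illustrative OpenCL C kernel: a workgroup sum reduction that stages
// data in __local (workgroup-shared) memory. Assumes a workgroup size
// of exactly 256, a power of two. On a GPU affected by LeftoverLocals,
// `partial` is not zeroed when the kernel finishes, so whatever the
// last workgroup wrote stays resident for the next kernel to read.
__kernel void reduce_sum(__global const float *in, __global float *out) {
    __local float partial[256];           // shared scratch memory
    size_t lid = get_local_id(0);
    partial[lid] = in[get_global_id(0)];  // sensitive intermediate data
    barrier(CLK_LOCAL_MEM_FENCE);
    for (size_t stride = get_local_size(0) / 2; stride > 0; stride /= 2) {
        if (lid < stride)
            partial[lid] += partial[lid + stride];
        barrier(CLK_LOCAL_MEM_FENCE);
    }
    if (lid == 0)
        out[get_group_id(0)] = partial[0];
    // No scrubbing of `partial` here: its contents outlive the kernel.
}
```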
In their proof of concept, the researchers illustrate an attack scenario in which a target asks an open source LLM for details about WIRED magazine. Within seconds, the attacker's device reconstructs much of the LLM's response by running a LeftoverLocals attack against the vulnerable GPU's memory. Remarkably, the attack program is fewer than 10 lines of code.
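Trail of Bits has published its proof of concept; the sketch below is a reconstruction in the same spirit, not the researchers' exact code. It assumes an OpenCL target and a hypothetical compile-time constant LM_SIZE sized to the device's local memory. The kernel declares a local buffer, deliberately never writes to it, and copies out whatever stale values the GPU left behind:

```c
// Minimal "listener" sketch: dump uninitialized __local memory to a
// host-visible buffer. LM_SIZE is a hypothetical build-time constant
// (e.g., passed via -D LM_SIZE=...) matching the device's local memory.
__kernel void listener(__global volatile int *dump) {
    __local volatile int lm[LM_SIZE];    // deliberately left uninitialized
    for (size_t i = get_local_id(0); i < LM_SIZE; i += get_local_size(0)) {
        // Whatever the previous kernel left in local memory leaks out here.
        dump[get_group_id(0) * LM_SIZE + i] = lm[i];
    }
}
```

Launched repeatedly while a victim process runs on the same GPU, a listener like this can sample the leftover contents of local memory across the device's compute units.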
After testing 11 chips from seven GPU makers, the researchers identified LeftoverLocals in GPUs from Apple, AMD, and Qualcomm, and launched a coordinated disclosure of the vulnerability in collaboration with the CERT Coordination Center and the Khronos Group, a standards body focused on 3D graphics, machine learning, and virtual and augmented reality. GPUs from Nvidia, Intel, and Arm were found to be free of the flaw.
Apple, Qualcomm, and AMD have all confirmed they are affected. Impacted products include the AMD Radeon RX 7900 XT as well as popular devices such as Apple's iPhone 12 Pro and M2 MacBook Air. The researchers did not find the flaw in the Imagination GPUs they tested, but other models from that manufacturer may still be vulnerable.
Apple has acknowledged the LeftoverLocals vulnerability and addressed it in the M3 and A17 processors it introduced in 2023. However, millions of existing iPhones, iPads, and MacBooks run earlier generations of Apple silicon and remain susceptible.
In a recent retest, the Trail of Bits researchers found that Apple's M2 MacBook Air remained vulnerable, while the third-generation iPad Air, which runs an A12 chip, appeared to have been patched. As the AI industry continues to lean on GPUs for its computing needs, flaws in these chips pose a significant risk to data privacy and security.
To mitigate these risks, chipmakers need to prioritize GPU-specific security measures; the pursuit of speed and throughput should not come at the expense of data protection. Regular security audits, vulnerability testing, and collaboration with security firms can surface issues like this one early, and software updates and driver patches should be released promptly to close any vulnerabilities that are found. In the meantime, application developers can add a layer of defense of their own, as sketched below.
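One defensive pattern, which Trail of Bits has discussed as a possible mitigation, is for GPU code to clear its own local memory before a kernel returns, denying a listener anything useful to read. The helper below is a sketch under that assumption, not a vendor-blessed fix; the durable remedy belongs in drivers and compilers, which can insert such clears automatically:

```c
// Defensive scrub helper in OpenCL C: cooperatively zero a __local
// buffer across the workgroup before the kernel returns, so no
// intermediate data survives for a later "listener" kernel to read.
// Must be called uniformly by every work item in the workgroup,
// since barrier() requires all work items to reach it.
void scrub_local(__local float *buf, size_t n) {
    barrier(CLK_LOCAL_MEM_FENCE);   // wait until all threads are done with buf
    for (size_t i = get_local_id(0); i < n; i += get_local_size(0))
        buf[i] = 0.0f;              // leave nothing behind in local memory
    barrier(CLK_LOCAL_MEM_FENCE);
}
```

Calling such a helper as the last step of every kernel that touches local memory costs a few extra cycles per launch, a small price next to the exposure it closes.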
As the reliance on GPUs in AI development grows, it is crucial to ensure that the hardware and software supporting these technologies are secure and resilient against potential attacks. By addressing these vulnerabilities head-on, the AI industry can continue to innovate and push the boundaries of what is possible while safeguarding sensitive data from exploitation.