The GPU.zip vulnerability, discovered by researchers from Carnegie Mellon Software and Societal Systems and detailed in their research paper titled “GPU.zip: On the Side-Channel Implications of Hardware-Based Graphical Data Compression,” jeopardizes the security of numerous graphics processing units (GPUs). This side-channel attack exploits an inherent weakness associated with graphical data compression in integrated GPUs (iGPUs). The vulnerability emanates from the data-dependent nature of the compression algorithms, which inadvertently leak sensitive information through observable patterns in DRAM traffic and cache occupancy. Exposure of this nature leaves a broad spectrum of GPUs, including those manufactured by industry giants like AMD, Apple, Arm, Intel, Nvidia, and Qualcomm, susceptible to unauthorized data access. Browsers like Google Chrome and Microsoft Edge are particularly vulnerable due to their specific architectural and security configurations.
A Vulnerability in iGPUs
A common feature in integrated GPUs (iGPUs) is graphical data compression. While it’s instrumental in enhancing memory efficiency and rendering performance, this feature isn’t without drawbacks. The compression process’s data-dependent nature can unintentionally create extremely exploitable security vulnerabilities. Research indicates that it can cause data-dependent traffic in DRAM and cache occupancy, leading to potential side-channel exploits. The GPU.zip vulnerability allows an attacker to exploit this iGPU-based compression channel. By manipulating SVG filters within web browsers, one can execute pixel stealing attacks, which are based on creating specific patterns influenced by a secretive pixel within a browser. When the iGPU processes these patterns, the compression output reveals details about the secret pixel.
Technical Implications of the Vulnerability
In real-world scenarios, this vulnerability can be exploited by malicious webpages to extract pixel values from another webpage, especially in browsers like Google Chrome, sidestepping security protocols like the same-origin policy (SOP). The exploitation pathway works in a simple, direct fashion in which attackers use the GPU data compression leakage channel to their advantage. By observing rendering time differences or using specific metrics, they can extract valuable information. Chrome and Microsoft Edge are particularly vulnerable to the GPU.zip attack; their architecture, which permits certain actions with iframes and delegates rendering to the GPU, makes them susceptible. However, it’s worth noting that the inherent issue isn’t with the Chromium engine itself, suggesting that browsers can potentially mitigate the risk.
GPU.zip Attack Example
In the research paper, the team presents a proof-of-concept, a real-world attack that extracts a username from Wikipedia. The results, as illustrated in the accompanying figure, highlight the attack’s potency on two distinct processors: an Intel i7-8700 (c) and an AMD Ryzen 7 4800U (b). While the assault on the AMD Ryzen was swift, clocking in at a mere 30 minutes and boasting a striking 97 percent accuracy, the Intel i7 variant took a more leisurely 215 minutes but delivered an even more precise accuracy rate of 98.3 percent. Both are terrifyingly close to the original ground truth (a).
In conclusion, the GPU.zip vulnerability shines a spotlight on the intricate challenges embedded within the very fabric of modern graphical processors. As researchers from Carnegie Mellon Software and Societal Systems have highlighted, the quest for optimization and efficiency in GPUs has inadvertently opened doors to potential security breaches. The demonstrated ability to extract sensitive information like usernames from platforms as ubiquitous as Wikipedia makes evident the pressing need for robust cybersecurity measures. Balancing performance enhancement and data protection is a necessary measure that needs to be taken into account when developing both hardware and software in our future.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –