LeftoverLocals, a vulnerability discovered in several AMD, Apple, Qualcomm and Imagination GPUs, could allow an attacker to steal data from local memory, including sensitive AI outputs.
The vulnerable GPUs fail to properly isolate memory, enabling users and applications to “listen” to the processes of other users on a shared GPU, according to researchers from Trail of Bits, who discovered the flaw.
The LeftoverLocals bug, tracked as CVE-2023-4969, affects a range of widely used devices, many of which remained unpatched by the time the researchers disclosed Tuesday.
The researchers published a proof-of-concept (PoC) exploit using LeftoverLocals to steal outputs from another user’s interactive session with a large language model (LLM).
GPU vulnerability exposes AI processes to surveillance
CVE-2023-4969 can be exploited by crafting GPU kernels that read information left by other GPU kernels in local memory. The Trail of Bits researchers demonstrated that this can be achieved with as little as 10 lines of OpenCL code.
This problem is due to GPUs not clearing the local memory between kernel calls, leaving the “leftovers” from the previous kernel exposed to surveillance by another kernel.
Notably, some devices that do clear local memory are still vulnerable if they use a separate kernel to perform the memory wipe, as the “listener” kernel could still pick up the leftovers prior to the wipe.
A proof-of-concept (PoC) exploit using a vulnerable AMD Radeon RX 7900 XT GPU demonstrated how an attacker could retrieve outputs from another user’s session with the llama.cpp large-language model (LLM).
The attacker can first “fingerprint” the model by scraping some of the model’s weights from local memory, then compare the fingerprint to open-source models to identify the full model being used.
The “listener” can then retrieve input vectors from the LLM, which are completely stored in local memory, and use them, in conjunction with full model information, to reconstruct the LLM’s outputs with high precision.
The amount of data leaked depends on the specific GPU framework and the size of its local memory. For example, the relatively large AMD Radeon RX 7900 XT leaks about 5.5 MB per kernel, or about 181 MB for each LLM query, according to the researchers.
With GPUs being increasingly used to accelerate AI and machine learning applications, the researchers warned flaws like LeftoverLocals could become a major target for data thieves.
“Generally, the introduction of ML poses new attack surfaces that traditional threat models do not account for, and that can lead to implicit and explicit access to data, model parameters, or resulting outputs, increasing the overall attack surface of the system,” the researchers wrote.
Trail of Bits noted that mitigation for users of unpatched GPUs is difficult as it requires altering the source code of all GPU kernels that use local memory to clear local memory by overwriting with zeroes before the kernel ends.
Is my GPU affected by LeftoverLocals?
Some GPUs from AMD, Apple, Qualcomm and Imagination Technologies are affected, while NVIDIA and ARM devices are confirmed to not be affected, according to the researchers.
Intel did not respond to the disclosure facilitated by the CERT Coordination Center starting on Sept. 11, but at least one Intel GPU was tested and found to not be impacted by LeftoverLocals, Trail of Bits stated.
AMD released an advisory on the vulnerability Tuesday, providing a full list of its affected devices and stating that mitigations would be available starting in March 2024.
Apple stated that its A17 and M3 series processors included fixes for LeftoverLocals but did not provide further details about patches across older devices. The researchers noted that a retest on Jan. 10 showed the bug was fixed in the A12 processor of an Apple iPad Air 3rd Generation, but that the Apple MacBook Air, which has an M2 processor, remained vulnerable upon retesting.
Qualcomm released a firmware update on Jan. 11 for GPUs in the Adreno 630 family, which fixes CVE-2023-4969 in devices using Snapdragon 845 chipsets. Trail of Bits stated that some other Qualcomm devices, such as the Snapdragon 835 and its Adreno 540 GPU, may still be affected.
A Qualcomm spokesperson told SC Media additional patches are in progress.
Imagination Technologies patched LeftoverLocals in its 23.3 driver development kit release, which was first made available to customers in December 2023. Trail of Bits noted that while they did not initially detect the vulnerability in Imagination GPUs, which are commonly used in Android-based devices, they were informed its processors were vulnerable by someone at Google.
While a complete list of GPUS affected by LeftoverLocals/CVE-2023-4969 across all vendors is not available, Trail of Bits published a GitHub repository, including code that can be used to test devices of various frameworks for LeftoverLocals.
