AMD, Apple & Qualcomm GPUs Reportedly Faced With a New Vulnerability Which Listens to LLM Responses

It looks like consumer GPUs from AMD, Apple & Qualcomm aren't safe from vulnerabilities, as experts have reportedly discovered a threat known as "LeftoverLocals" that can extract data from the GPU's memory.

The emergence of a vulnerability in any piece of hardware is something that the tech industry witnesses quite often, and usually the scale of it is pretty high when it comes the the number of people affected by it. A leading example of this is the recently disclosed Intel's Downfall vulnerability, which had put thousands of the company's CPU users at stake. However, this time, GPU consumers, those across all platforms such as mobile and desktop, should proceed with caution, as the security researcher Trail of Bits has discovered a vulnerability that has the potential to take away "key data" from your onboard memory.

The vulnerability is named "LeftoverLocals", and rather than targeting consumer applications, it does the job by penetrating the GPUs being utilized in LLMs and ML models, which is an area where extracting data holds a greater significance since model training involves the utilization of sensitive data. LeftoverLocals is being tracked by experts from Carnegie Mellon University, and it is said that the information is already shared by major GPU vendors affected by it, with the likes of Apple, AMD, Intel, Qualcomm, and Imagination.

It was discovered that LeftoverLocals can leak around 5.5 MB per GPU invocation of data on AMD's Radeon RX 7900 XT when running a seven-billion parameter model. According to Trail of Bits, the rate of data leak is sufficient enough to even recreate the complete model, which is why the vulnerability poses a high risk in the field of artificial intelligence since it could prove to be devastating for individual firms, especially those who revolve around training LLMs. Exploiters can potentially leverage the vast developments in AI, potentially leading to a much larger impact.

LeftoverLocals depends upon a single thing, which is how a GPU isolates its memory, which is completely different from a CPU framework. Thus an exploiter, who has obtained shared access to a GPU through a programmable interface can steal memory data inside a GPU which has several security consequences. LeftoverLocals is divided into two different processes, a Listener and a Writer, and here is how both of them work:

Overall, this vulnerability can be illustrated using two simple programs: a Listener and a Writer, where the writer stores canary values in local memory, while a listener reads uninitialized local memory to check for the canary values. The Listener repeatedly launches a GPU kernel that reads from uninitialized local memory. The Writer repeatedly launches a GPU kernel that writes canary values to local memory.

For an average consumer, LeftoverLocals probably isn't something to worry about however for those associated with industries such as cloud computing or inferencing, the vulnerability could prove fatal, especially in terms of the security of LLMs and ML frameworks.

News Source: Trail of Bits