Whispering Pixels: Exploiting Uninitialized Register Accesses in Modern GPUs

TL;DR

This paper reveals a new GPU vulnerability where uninitialized registers leak sensitive data, demonstrated across multiple vendors and capable of exposing neural network and LLM intermediate data.

Contribution

It uncovers a novel class of GPU vulnerabilities caused by uninitialized registers, with practical attack demonstrations on various workloads and hardware.

Findings

Leakage of pixel data from fragment shaders

Information extraction from CNN intermediate states

Reconstruction of LLM outputs

Abstract

Graphic Processing Units (GPUs) have transcended their traditional use-case of rendering graphics and nowadays also serve as a powerful platform for accelerating ubiquitous, non-graphical rendering tasks. One prominent task is inference of neural networks, which process vast amounts of personal data, such as audio, text or images. Thus, GPUs became integral components for handling vast amounts of potentially confidential data, which has awakened the interest of security researchers. This lead to the discovery of various vulnerabilities in GPUs in recent years. In this paper, we uncover yet another vulnerability class in GPUs: We found that some GPU implementations lack proper register initialization routines before shader execution, leading to unintended register content leakage of previously executed shader kernels. We showcase the existence of the aforementioned vulnerability on products of 3 major vendors - Apple, NVIDIA and Qualcomm. The vulnerability poses unique challenges to an adversary due to opaque scheduling and register remapping algorithms present in the GPU firmware, complicating the reconstruction of leaked data. In order to illustrate the real-world impact of this flaw, we showcase how these challenges can be solved for attacking various workloads on the GPU. First, we showcase how uninitialized registers leak arbitrary pixel data processed by fragment shaders. We further implement information leakage attacks on intermediate data of Convolutional Neural Networks (CNNs) and present the attack's capability to leak and reconstruct the output of Large Language Models (LLMs).