An attacker may be able to steal a significant amount of data from a GPU’s memory due to a flaw known as LeftoverLocals that affects several popular GPU brands and models, including AMD, Apple, and Qualcomm.
Machine learning (ML) models and large language models (LLMs) operating on affected GPU platforms are especially affected by LeftoverLocals, which negatively impacts GPU apps’ security posture.
It is also found that while Arm, Intel, and Nvidia products are unaffected, the GPUs manufactured by Imagination Technologies are also impacted.
Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.
Details of the ‘LeftoverLocals’ Attack
Researchers Tyler Sorensen and Heidy Khlaaf of Trail of Bits found the vulnerability, which they named LeftoverLocals and tracked as CVE-2023-4969.
LeftoverLocals allows data recovery from GPU local memory created by another process on Apple, Qualcomm, AMD, and Imagination GPUs.
Hackers can leverage the issue to gain access to data that they should not have access to, such as requests and responses created by LLMs, as well as the weights that drive the response.
Researchers demonstrated how they could conduct an attack on an interactive LLM chat session using LeftoverLocals. A co-resident attacker can hear the LLM’s response when the LLM user asks a query of the LLM.
“LeftoverLocals can leak ~5.5 MB per GPU invocation on an AMD Radeon RX 7900 XT when running a 7B model on the llama.cpp, adds up to ~181 MB for each LLM query”, researchers said.
The vulnerability makes clear how many ML development stack parts lack sufficient security expert assessment and contain unidentified security risks.
Regarding Apple, it seems that the issue exists with the MacBook Air (M2). Additionally, it doesn’t appear to affect the newly released Apple iPhone 15, unlike previous versions. Apple has acknowledged that fixes are available for the A17 and M3 series processors.
AMD devices are still affected despite ongoing investigations into potential mitigating strategies.
For certain devices, a patch to Qualcomm firmware v2.07 fixes LeftoverLocals. But at this point, other devices might still be affected.
In December 2023, Imagination released a patch in DDK v23.3. However, Google cautioned in January 2024 that certain of the vendor’s GPUs remain compromised.
“The attacker only requires the ability to run GPU compute applications, e.g., through OpenCL, Vulkan, or Metal,” researchers said.
“Using these, the attacker can read data that the victim has left in the GPU local memory simply by writing a GPU kernel that dumps uninitialized local memory”
Finally, users should ensure that the compiler does not eliminate these memory-clearing instructions (for example, by marking their local memory as volatile), because the compiler may identify that the cleared memory is not utilized later in the kernel.
Try Kelltron’s cost-effective penetration testing services to evaluate digital systems security. Free demo available.