Modern GPUs vulnerable to new GPU.zip side-channel attack

Researchers from four US universities have developed a new GPU side-channel attack that exploits data compression to leak sensitive visual data from modern graphics cards while a user is browsing web pages.

Researchers demonstrated the effectiveness of this "GPU.zip" attack by performing a cross-origin SVG filter pixel stealing attack via the Chrome browser.

Researchers disclosed the vulnerability to affected graphics card manufacturers in March 2023. However, as of September 2023, no affected GPU vendors (AMD, Apple, Arm, NVIDIA, Qualcomm) or Google (Chrome) have released a patch to address the issue.

Researchers from the University of Texas at Austin, Carnegie Mellon University, the University of Washington, and the University of Illinois at Urbana-Champaign outline the new flaw in a paper that will be presented at the 45th IEEE Symposium on Security and Privacy.

Leakage through compression

In general, data compression produces data-dependent DRAM traffic and cache utilization, which can be abused to leak secrets, so software turns off compression when handling sensitive data.

GPU.zip researchers explain that all modern graphics processing units, especially integrated Intel and AMD chips, perform software-visible data compression even when not explicitly requested to do so.

Modern GPUs follow this risky approach as an optimization strategy: it saves memory bandwidth and improves performance without requiring any involvement from software.

This compression is often undocumented and vendor-specific, and the researchers found a way to exploit it to leak GPU visual data.

Specifically, they demonstrated an attack that extracts individual pixel data via a web browser on a variety of devices and GPU architectures, as shown below.

Test results on various systems

The proof-of-concept attack demonstrates stealing usernames from a Wikipedia iframe and completes in 30 minutes on Ryzen and 215 minutes on an Intel GPU, with accuracy rates of 97% and 98.3% respectively.

Retrieve username

An iframe hosts a cross-origin web page whose pixels are isolated and binarized, meaning each pixel is reduced to one of two possible colors.

Next, these pixels are upscaled and specialized SVG filter stacks are applied to create compressible or incompressible textures. By measuring how long a texture takes to render, the researchers can infer the original color, and therefore the state, of a target pixel.

GPU.zip attack concept

SVG filters have recently been used to induce data-dependent execution, and JavaScript has been used to measure computation time and frequency to discern pixel color, in the "Hot Pixels" attacks.

Hot Pixels takes advantage of data-dependent computation time on modern processors, while GPU.zip relies on undocumented GPU data compression to achieve similar results.

GPU.zip Severity

GPU.zip affects nearly all major GPU manufacturers, including AMD, Apple, Arm, Intel, Qualcomm, and NVIDIA, but not all cards are affected equally.

The fact that none of the affected vendors have decided to address the issue, for example by adjusting their data compression methods and restricting compression to non-sensitive situations, further increases the risk.

While GPU.zip potentially affects the vast majority of laptops, smartphones, tablets, and desktop computers worldwide, the direct impact on users is limited by the complexity and time required to execute the attack.

Additionally, websites that deny cross-origin iframe embedding cannot be used to exfiltrate user data through this or similar side-channel attacks.

"Most sensitive websites already deny being embedded by cross-origin websites. Therefore, they are not vulnerable to the pixel stealing attack we launched using GPU.zip," the researchers explained in an FAQ on the team's website.

Finally, the researchers noted that Firefox and Safari do not meet all the criteria required for GPU.zip to work, such as loading cross-origin iframes with cookies, rendering SVG filters on iframes, and delegating rendering tasks to the GPU.


Source: blog.csdn.net/qq_29607687/article/details/133365025