UPDATED 17:57 EDT / JANUARY 17 2024

Researchers disclose vulnerability in GPUs from AMD, Apple and Qualcomm

Researchers at Trail of Bits Inc., a New York-based cybersecurity company, have disclosed a vulnerability that may affect millions of graphics processing units.

Wired reported the discovery on Tuesday. The vulnerability, which Trail of Bits’ researchers have named LeftoverLocals, can be used by hackers to access the output of artificial intelligence models. 

The cybersecurity company discovered LeftoverLocals last summer during an evaluation of 11 tech firms’ GPUs. It found the flaw in chips from Advanced Micro Devices Inc., Apple Inc. and Qualcomm Inc. Some of the affected GPUs are standalone graphics cards while others are integrated into smartphone systems-on-chip. 

The most advanced central processing units on the market have 100 to 200 cores. The fastest GPUs, meanwhile, contain thousands of cores. Graphics cards’ high core counts allow them to carry out a large number of calculations in parallel, which helps speed up machine learning workloads.

AI models run computations on GPUs using specialized programs called kernels. A kernel can spread out a calculation across a large number of graphics card cores to improve performance. LeftoverLocals, the vulnerability detailed this week, allows hackers to access an AI model’s output by eavesdropping on the kernels it uses to process user queries.

“This is a co-resident exploit, meaning that a threat actor’s avenue of attack could be implemented as another application, app, or user on a shared machine,” Trail of Bits’ researchers detailed in a blog post. “The attacker only requires the ability to run GPU compute applications, e.g., through OpenCL, Vulkan, or Metal. These frameworks are well-supported and typically do not require escalated privileges.”

GPUs include a large amount of onboard RAM to support calculations. When an AI model starts running on a graphics card, it receives a portion of the onboard memory. This memory segment, which stores the data the AI model processes, is usually inaccessible to other programs.

LeftoverLocals allows a malicious program to access the GPU memory assigned to a neural network and steal the data it contains. According to Trail of Bits, the vulnerability enables hackers to exfiltrate the queries that users send to an AI model. Malicious programs can also extract a neural network’s weights, configuration settings that determine how it processes data. 

After obtaining the user input sent to an AI model and its weights, hackers can reconstruct the model’s output. Trail of Bits simulated such a scenario on a machine equipped with AMD’s Radeon RX 7900 XT graphics card, one of the products affected by LeftoverLocals. The company determined that hackers can use the vulnerability to steal up to 181 megabytes of data for each query processed by a seven-billion-parameter language model.

After discovering LeftoverLocals last summer, Trail of Bits notified the affected hardware makers. Apple has included fixes in its latest iPhone and Mac chips’ integrated GPUs, but earlier devices still contain the flaw. Qualcomm is currently in the process of rolling out software patches for vulnerable products, while AMD plans to follow suit in March. 
