A novel side-channel attack called GPU.zip renders virtually all modern graphics processing units (GPU) vulnerable to information leakage.
“This channel exploits an optimization that is data dependent, software transparent, and present in nearly all modern GPUs: graphical data compression,” a group of academics from the University of Texas at Austin, Carnegie Mellon University, University of Washington, and the University of Illinois Urbana-Champaign said.
Graphical data compression is a feature in integrated GPUs (iGPUs) that allows for saving memory bandwidth and improving performance when rendering frames, compressing visual data losslessly even when it’s not requested by software.
The study found that the compression, which happens in various vendor-specific and undocumented ways, induces data-dependent DRAM traffic and cache occupancy that can be measured using a side-channel.
“An attacker can exploit the iGPU-based compression channel to perform cross-origin pixel stealing attacks in the browser using SVG filters, even though SVG filters are implemented as constant time,” the researchers said.
“The reason is that the attacker can create highly redundant or highly non-redundant patterns depending on a single secret pixel in the browser. As these patterns are processed by the iGPU, their varying degrees of redundancy cause the lossless compression output to depend on the secret pixel.”
Successful exploitation could allow a malicious web page to infer the values of individual pixels from another web page embedded in an iframe element in the latest version of Google Chrome, effectively circumventing critical security boundaries such as same-origin policy (SOP).
Chrome and Microsoft Edge are particularly vulnerable to the attack because they allow cross-origin iframes to be loaded with cookies, permit rendering SVG filters on iframes, and delegate rendering tasks to the GPU. However, Mozilla Firefox and Apple Safari are not impacted.
In other words, the GPU graphical data compression leakage channel can be used to steal pixels from a cross-origin iframe by “either measuring the rendering time difference due to memory bus contention or by using the LLC walk time metric to infer the GPU-induced CPU cache state changes.”
A proof-of-concept (PoC) devised by the researchers discovered that it’s possible for a threat actor could trick a potential target into visiting a rogue website and learn information about a logged-in user’s Wikipedia username.
Fight AI with AI — Battling Cyber Threats with Next-Gen AI Tools
Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.
This, in turn, is rooted in the fact that some web standards allow for the framing page to apply visual effects (i.e., SVG filters) to the iframed page, thereby exposing the mechanism to side-channel attacks by, say, computing the time differences between rendering black and white pixels and then distinguish between them using the timing information.
Affected GPUs include those from AMD, Apple, Arm, Intel, Nvidia, and Qualcomm. That said, websites that already deny being embedded by cross-origin websites via X-Frame-Options and Content Security Policy (CSP) rules are not susceptible to the pixel-stealing attack.
The findings come on the back of a related side-channel attack called Hot Pixels that leverages a similar approach to conduct “browser-based pixel stealing and history sniffing attacks” against Chrome and Safari web browsers.