Whispering Pixels: Exploiting Uninitialized Register Accesses in Modern GPUs

TL;DR

This work identifies uninitialized register reads as a new GPU-side-channel threat that can leak data processed by prior shader kernels. It demonstrates practical attacks across Apple, NVIDIA, and Qualcomm GPUs, including pixel data leakage via fragment shaders, leakage of intermediate CNN outputs, and extraction of GPT-2 embeddings from LLM workloads, with a GPU-based covert channel achieving hundreds of megabits per second. The authors outline attacker workflows, reveal challenges posed by opaque scheduling and register remapping, and validate the impact on diverse workloads. They also propose multiple mitigations, including software and firmware approaches, and call for vendor-level adoption to close this critical security gap.

Abstract

Graphic Processing Units (GPUs) have transcended their traditional use-case of rendering graphics and nowadays also serve as a powerful platform for accelerating ubiquitous, non-graphical rendering tasks. One prominent task is inference of neural networks, which process vast amounts of personal data, such as audio, text or images. Thus, GPUs became integral components for handling vast amounts of potentially confidential data, which has awakened the interest of security researchers. This lead to the discovery of various vulnerabilities in GPUs in recent years. In this paper, we uncover yet another vulnerability class in GPUs: We found that some GPU implementations lack proper register initialization routines before shader execution, leading to unintended register content leakage of previously executed shader kernels. We showcase the existence of the aforementioned vulnerability on products of 3 major vendors - Apple, NVIDIA and Qualcomm. The vulnerability poses unique challenges to an adversary due to opaque scheduling and register remapping algorithms present in the GPU firmware, complicating the reconstruction of leaked data. In order to illustrate the real-world impact of this flaw, we showcase how these challenges can be solved for attacking various workloads on the GPU. First, we showcase how uninitialized registers leak arbitrary pixel data processed by fragment shaders. We further implement information leakage attacks on intermediate data of Convolutional Neural Networks (CNNs) and present the attack's capability to leak and reconstruct the output of Large Language Models (LLMs).

Figures (7)

• Figure 1: Generalized GPU architecture. A GPU typically contains one or more cores, where each core can contain multiple execution units, which can execute e.g. 32 threads as a wavefront in lockstep.
• Figure 2: Overview of the attack procedure. The adversary provides hand-crafted shader kernels to the GPU interface, while normal user applications use vendor-provided interfaces. In order to achieve co-location with the targeted shaders, the attacker needs to dispatch his kernel in the execution queue of every core.
• Figure 3: Attacker kernels for exploiting stale register reads.
• Figure 4: Covert Channel Performance evaluation for varying numbers of thread groups for sender and receiver.
• Figure 5: Fragment shader leaking approach. Leaked fragments are reconstructed via a genetic puzzle solving algorithm, which is able to reconstruct the screen data.