A bug ``Leftover Locals'' that leaks conversations with AI from Apple, Qualcomm, and AMD GPUs is discovered



Security firm Trail of Bits has revealed a vulnerability called 'LeftoverLocals (

CVE-2023-4969 )' that allows data to be recovered from GPU memory created by processes on Apple, Qualcomm, and AMD GPUs. The results of the survey have been published.

LeftoverLocals
https://leftoverlocals.com/

New Flaw in Apple, AMD, and Qualcomm GPUs Could Expose AI Data - Cyber Kendra
https://www.cyberkendra.com/2024/01/LeftoverLocals-flaws-leak-ai-data-via-gpu.html

A Flaw in Millions of Apple, AMD, and Qualcomm GPUs Could Expose AI Data | WIRED
https://www.wired.com/story/leftoverlocals-gpu-vulnerability-generative-ai/

LeftoverLocals is a vulnerability that allows applications using GPUs to access other data in local memory. GPUs have local memory, a high-speed memory area that temporarily stores frequently used data, but GPUs with the LeftoverLocals vulnerability do not clear local memory properly, allowing malicious applications to It can be used to steal local memory data used by other applications.



LeftoverLocals can be used to attack any application that uses the GPU's local memory, such as image processing or drawing, but data leakage from large-scale language models (LLMs) is of particular concern. .

An attacker attempting to exploit LeftoverLocals would first identify the LLM in use by repeatedly reading local memory data to steal weighting and activation data from the LLM execution data.

The attacker then steals data from the model's output layer and reproduces the output by extracting the input stored in local memory, restoring the LLM's response.



Trail of Bits showed that the output of LLM can be reconstructed with high accuracy through a proof of concept. Specifically, they were able to steal 181MB of data from an LLM run on an AMD GPU Radeon RX 7900 XT, enough to fully reproduce the response of a 7B (7 billion parameters) model. He said.

Trail of Bits reports that the LeftoverLocals vulnerability was not found in GPUs from NVIDIA, Intel, and Arm, but products from Apple, Qualcomm, and AMD contained this vulnerability. This means that GPUs popular among gamers, such as the aforementioned Radeon RX 7900 XT, as well as Apple devices such as iPhones and MacBooks, can be targeted.

Heidy Khlaaf, director of engineering at Trail of Bits, said, ``There are broader security concerns that these GPUs are less secure and can leak a significant amount of data.''



Since discovering this vulnerability in September 2023, Trail of Bits has notified multiple GPU manufacturers about the vulnerability through security agencies. The status of each company's response to LeftoverLocals is as follows.

An Apple spokesperson said the company has applied the fix to the M3 and A17 processors announced in late 2023. However, this vulnerability remains in iPhones, iPads, and MacBooks equipped with previous-generation Apple chips, and Trail of Bits fixed it in the 3rd generation iPad Air equipped with A12 in a test on January 10, 2024. We have confirmed that although the patch has been applied, MacBook Airs equipped with M2 are still affected by LeftoverLocals.

Qualcomm says it is in the process of providing security updates to customers, and in a statement said, ``We encourage end users to apply security updates as they become available from device manufacturers.'' Trail of Bits has confirmed that Qualcomm has indeed released a firmware fix for this vulnerability.

Google said it was aware of the vulnerability and was releasing a patch for ChromeOS devices with GPUs from AMD and Qualcomm.

Although major GPU manufacturers are taking action, there are still many vulnerable GPUs, and the Trail of Bits requires the entire GPU industry to develop stronger specifications, conduct testing, and establish an audit system. I am proposing.

in Security, Posted by log1l_ks