LeftoverLocals: Listening to LLM responses through leaked GPU local memory

LeftoverLocals: Listening to LLM responses through leaked GPU local memory(blog.trailofbits.com)

136 points by ks6g10 2 years ago | 39 comments

At this point, I assume this is the default and don’t expect data recovery to not be provide on the same physical machine (even across virtualization barriers).

If your data is that sensitive, run it on dedicated hardware. Papering over this with mitigation over mitigation is a fool’s errand: both a genuine waste of compute resources and guaranteed to be a game of cat and mouse.

Retr0id 2 years ago | |

This is certainly the pragmatic approach to GPU memory in 2024, but I don't think it's a fool's errand. It's a solved problem on the CPU side of things, and I don't see any reason why we can't solve it in the GPU domain too.

Notably:

> NVIDIA: confirmed that their devices are not currently impacted

> ARM: also confirmed that their devices are not currently impacted.

malf 2 years ago | | |

> It's a solved problem on the CPU side of things

Is it? gestures at pile of cpu bugs

ks6g10 2 years ago | | |

The reason why arm is not affected is that their "local" memory is non existent and they just spill everything to cache.

htrp 2 years ago | | |

TIL that ARM has GPUs

declaredapple 2 years ago |

GPU memory isolation is generally really bad, from between processes and entire virtual machines.

Does anyone know if nvidia's virtual gpus improve the isolation at all?

jeroenhd 2 years ago | |

This is one of my main concerns with technologies like WebGPU. Luckily, WebGPU seems to sacrifice some performance to keep attacks like these from working: https://github.com/trailofbits/LeftoverLocalsRelease/tree/ma...

hhh 2 years ago | |

IIRC it only improves if you use MIG.

declaredapple 2 years ago | | |

So I guess only the A30/A100/H100 then?

Kab1r 2 years ago |

I've been told that historically performance has been prioritized over security in the GPU space. Mitigating things like this does incur a performance penalty.

frankjr 2 years ago |

> Since September 2023, we have been working with CERT (..)

> Apple: Despite multiple efforts to establish contact through CERT/CC, we only received a response from Apple on January 13, 2024.

> Apple did not respond or engage with us regarding the disclosure.

Well at least they are consistent at not giving a flying f*ck about working with bug reporters, no matter who you are. I have reported 5+ radars in the past and have never received any response, not even a confirmation.

kridsdale1 2 years ago | |

My first job post college was a Radar triager for specific Apple frameworks. I was 23 or so, probably high the previous evening, and I did not give a FUCK about some external developer and their problems.

Sorry. That was a long time ago.

adr1an 2 years ago | |

At least you don't get sued or incarcerated /s

Veserv 2 years ago |

tl;dr GPU drivers made by various vendors do not sanitize compute unit hardware scratch memory between uses, so you can just freely read whatever the last user left laying around when they stopped.

Literally too incompetent to follow even basic security 101 practices. A time shared device must be sanitized between users to prevent state leakage. There is no reason to believe that a security culture that clueless when developing a universally shared, high criticality device can be believed if they claim to do better elsewhere. Their process is either so incompetent or so inconsistent that their claims can not be believed without external audits.

In this case: Apple, Qualcomm, AMD, Imagination.

Edit: Added Imagination as noted by reply.

dmvdoug 2 years ago |

Is this the Golden Age of hardware vulnerabilities?

formerly_proven 2 years ago | |

At some point in the last ~20 years a lot of people started interpreting "this system is meant to protect against programming errors crashing the whole system" as "this is a watertight security boundary and I can rely on zero information leaking across". The results are, uh, roughly what you'd expect.

ngneer 2 years ago | |

Kind of. However, I would venture most real world attack scenarios do not leverage HW vulnerabilities. But wait, how do we know what is happening invisibly? And what about state actors? The answer is we do not know, but the economics do not change based on whether an attack is made visible or not. Attacks tend to follow and reveal the path of least impedance. If software attacks are working fine for most, why would anyone spend more on weaponizing a HW exploit?

dmvdoug 2 years ago | | |

I just feel like maybe 20 years ago people thought the hardware was the hardware and all the security issues were inevitably to be found in software. I mean, I know that people who work with hardware for a living always say that hardware has always been shit, but it really does feel now like everything is a security vulnerability, in a way that people weren’t looking for previously. Then again, maybe they were, and I just wasn’t paying attention. Ah, to be young and carefree again.

geuis 2 years ago |

I don't know if this is related, but I reported an issue back in September or October about conversations with ChatGPT 3.5 leaking into new sessions. I noticed that after having a semi long exchange, I could start a new session and ask a question about one of the previous sessions and the LLM would respond with details it could only obtain from one of the prior ones.

This was definitely happening with OpenAI's web interface. It might have been happening via API calls too but it's been a while and I don't remember.

Nothing ever came of the report as far as I know.

dang 2 years ago |

Url changed from https://leftoverlocals.com/, which points to this and has more information.