GPUs from all major suppliers are vulnerable to new pixel-stealing attack

By | September 26, 2023
GPUs from all major suppliers are vulnerable to new pixel-stealing attack

GPUs from all six of the major suppliers are vulnerable to a newly discovered attack that allows malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites, researchers have demonstrated in a paper published Tuesday.

The cross-origin attack allows a malicious website from one domain—say, example.com—to effectively read the pixels displayed by a website from example.org, or another different domain. Attackers can then reconstruct them in a way that allows them to view the words or images displayed by the latter site. This leakage violates a critical security principle that forms one of the most fundamental security boundaries safeguarding the Internet. Known as the same origin policy, it mandates that content hosted on one website domain be isolated from all other website domains.

Optimizing bandwidth at a cost

GPU.zip, as the proof-of-concept attack has been named, starts with a malicious website that places a link to the webpage it wants to read inside of an iframe, a common HTML element that allows sites to embed ads, images, or other content hosted on other websites. Normally, the same origin policy prevents either site from inspecting the source code, content, or final visual product of the other. The researchers found that data compression that both internal and discrete GPUs use to improve performance acts as a side channel that they can abuse to bypass the restriction and steal pixels one by one.

“We found that modern GPUs automatically try to compress this visual data, without any application involvement,” Yingchen Wang, the lead author and a researcher at the University of Texas at Austin, wrote in an email. “This is done to save memory bandwidth and improve performance. Since compressibility is data dependent, this optimization creates a side channel which can be exploited by an attacker to reveal information about the visual data.”

For GPU.zip to work, a malicious page must be loaded into the Chrome or Edge browsers. Under-the-hood differences in the way Firefox and Safari work prevent the attack from succeeding when those browsers process an attack page. Another requirement is that the page linked to in the iframe must not be configured to deny being embedded by cross-origin websites.

The security threats that can result when HTML is embedded in iframes on malicious websites have been well-known for more than a decade. Most websites restrict the cross-origin embedding of pages displaying user names, passwords, or other sensitive content through X-Frame-Options or Content-Security-Policy headers. Not all, however, do. One example is Wikipedia, which shows the usernames of people who log in to their accounts. A person who wants to remain anonymous while visiting a site they don’t trust could be outed if it contained an iframe containing a link to https://en.wikipedia.org/wiki/Main_Page.

Pixel stealing PoC for deanonymizing a user, run with other tabs open playing video. “Ground Truth” is the victim iframe (Wikipedia logged in as “Yingchenw”). “AMD” is the attack result on a Ryzen 7 4800U after 30 minutes, with 97 percent accuracy. “Intel” is the attack result for an i7-8700 after 215 minutes with 98 percent accuracy.
Enlarge / Pixel stealing PoC for deanonymizing a user, run with other tabs open playing video. “Ground Truth” is the victim iframe (Wikipedia logged in as “Yingchenw”). “AMD” is the attack result on a Ryzen 7 4800U after 30 minutes, with 97 percent accuracy. “Intel” is the attack result for an i7-8700 after 215 minutes with 98 percent accuracy.
Wang et al.

The researchers showed how GPU.zip allows a malicious website they created for their PoC to steal pixels one by one for a user’s Wikipedia username. The attack works on GPUs provided by Apple, Intel, AMD, Qualcomm, Arm, and Nvidia. On AMD’s Ryzen 7 4800U, GPU.zip took about 30 minutes to render the targeted pixels with 97 percent accuracy. The attack required 215 minutes to reconstruct the pixels when displayed on a system running an Intel i7-8700.

All of the GPUs analyzed use proprietary forms of compression to optimize the bandwidth available in the memory data bus of the PC, phone, or other device displaying the targeted content. The compression schemes differ from manufacturer to manufacturer and are undocumented, so the researchers reverse-engineered each one. The insights yielded a method that uses the SVG, or the scalable vector graphics image format, to maximize differences in DRAM traffic between black and white target pixels in the presence of compression. While their paper discusses GPU.zip as it applies to iGPUs, or internal GPUs, the technique applies equally to standalone or discrete GPUs as well.

In their paper, the researchers wrote:

We demonstrate that an attacker can exploit the iGPU-based compression channel to perform cross-origin pixel stealing attacks in the browser using SVG filters (the latest version of Google Chrome as of April 2023), even though SVG filters are implemented at constant time. The reason is that the attacker can create highly redundant or highly non-redundant patterns depending on a single secret pixel in the browser. As these patterns are processed by the iGPU, their varying degrees of redundancy cause the lossless compression output to depend on the secret pixel. The data-dependent compression output directly translates to data-dependent DRAM traffic and data-dependent cache occupancy. Consequently, we show that, even under the most passive threat model—where an attacker can only observe coarse-grained redundancy information of a pattern using a coarse-grained timer in the browser and lacks the ability to adaptively select input—individual pixels can be leaked. Our proof-of-concept attack succeeds on a range of devices (including computers, phones) from a variety of hardware vendors with distinct GPU architectures (Intel, AMD, Apple, Nvidia). Surprisingly, our attack also succeeds on discrete GPUs, and we have preliminary results indicating the presence of software-transparent compression on those architectures as well.

Source