Tom’s Guide
Anthony Spadafora

Hackers can use this flaw to obtain leftover AI data from your GPU — what you need to know


There are some major benefits to running AI workloads locally, but beware—a newly discovered vulnerability can be exploited to obtain leftover data from vulnerable Apple, AMD, Qualcomm and Imagination Technologies GPUs.

As reported by BleepingComputer, this new security flaw (tracked as CVE-2023-4969) has been dubbed LeftoverLocals after it was discovered by security researchers Tyler Sorensen and Heidy Khlaaf at Trail of Bits.

Essentially, this flaw allows for data recovery from impacted GPUs running large language models (LLMs) and machine learning processes locally. While a hacker would need physical access to a vulnerable GPU on a system running AI workloads to exploit this flaw, this new attack method is still concerning.

Whether you run AI models locally yourself or are just concerned about the dangers posed by AI, here’s everything you need to know about LeftoverLocals, including whether or not there’s already a fix for this flaw for your devices.

Extracting leftover AI data from vulnerable GPUs


According to a blog post from Trail of Bits, this security flaw arises from the fact that some GPU frameworks don’t completely isolate their memory. As such, one kernel running on a vulnerable machine could read the values stored in local memory that were written by another kernel.

Trail of Bits’ security researchers also explain that an attacker just needs to run a GPU compute application, written with a framework such as OpenCL, Vulkan or Metal, to read data left in a GPU’s local memory by another user. This is done by “writing a GPU kernel that dumps uninitialized local memory,” according to the researchers.

This recovered data can reveal all sorts of sensitive information from a victim’s computations while running AI models locally, including model inputs, outputs, weights and intermediate computations.

The security researchers at Trail of Bits took things a step further by creating a proof of concept (available on GitHub) which demonstrates how the LeftoverLocals vulnerability can be exploited to recover 5.5MB of data per GPU invocation, though the exact amount of data recovered depends on the GPU framework. For instance, on an AMD Radeon RX 7900 XT GPU running the open-source llama.cpp LLM, an attacker could recover as much as 181MB of leftover AI data per query. This is more than enough to reconstruct responses from an LLM with high accuracy, which would let an attacker know exactly what you were discussing with the AI in question.

Your devices may already be patched


As Trail of Bits reached out to Apple, AMD, Qualcomm and Imagination Technologies back in September, many companies have already released patches to address this flaw or are currently in the process of doing so.

It’s also worth noting that while the MacBook M2 and iPhone 12 Pro are vulnerable, Apple’s iPhone 15 line as well as the MacBook M3 and other M3-powered laptops and computers are unaffected.

According to a security bulletin from AMD, some of its GPU models are still vulnerable but its engineers are working on a fix. Likewise, Qualcomm has released a patch in its firmware v2.0.7 that addresses LeftoverLocals in some chips but not others. Meanwhile, although Imagination Technologies released a fix back in December of last year with DDK v23.3, Google warned this month that some of Imagination's GPUs are still vulnerable to this flaw. Fortunately, Intel, Nvidia and ARM GPUs aren’t impacted by LeftoverLocals at all.

For GPUs that are still vulnerable though, Trail of Bits suggests that the companies who make them implement an automatic local memory clearing mechanism between kernel calls as this isolates any sensitive data written by a single process. However, this might impact performance. Still though, given the severity of the LeftoverLocals flaw, this trade-off might be worth it.

We’ll likely learn more about LeftoverLocals as GPU manufacturers work to nip this flaw in the bud once and for all.
