Modern GPUs Exposed to Side-Channel Attacks That Leak Data Through Browsers
Researchers from the University of Texas at Austin, Carnegie Mellon University, the University of Washington, and the University of Illinois Urbana-Champaign have developed a new side-channel attack targeting modern graphics cards. This attack, called GPU.zip, exploits data compression to leak confidential visual information when users visit web pages. Nearly all modern graphics processing units (GPUs) are vulnerable to this attack.
The researchers reported the issue to GPU manufacturers as early as March 2023. However, as of September 2023, none of the vendors—including AMD, Apple, Arm, NVIDIA, and Qualcomm—have released patches. There are also no fixes yet for Google Chrome, which is involved in the attack.
How GPU.zip Works
GPU.zip takes advantage of hardware-based compression of graphical data, a feature in modern GPUs designed to improve performance and save memory bandwidth by losslessly compressing visual data—even when software doesn’t request it.
According to the researchers, “We found that modern GPUs automatically attempt to compress visual data without any application involvement. This is done to save memory bandwidth and boost performance. Since compressibility depends on the data, this optimization creates an opportunity for a side-channel attack that can be used by attackers to reveal information about visual data.”
Because compression makes DRAM traffic and cache utilization depend on the data being compressed, an attacker who can measure them can infer secrets. That’s why software handling sensitive data typically disables compression. However, modern GPUs, especially integrated solutions from Intel and AMD, perform data compression even when not requested. This compression is often undocumented and varies by manufacturer, but the researchers found a way to use it to leak visual data from graphics cards.
Proof-of-Concept and Attack Method
The proof-of-concept for GPU.zip starts with a malicious website embedding a target web page inside an iframe. Normally, the Same-Origin Policy prevents sites from viewing the source code, content, or final visual output of another site. However, the researchers discovered that the data compression used by both integrated and discrete GPUs to improve performance allows these restrictions to be bypassed, enabling attackers to steal individual pixels one by one.
To execute GPU.zip, a malicious page must be loaded in Chrome or Edge (the attack does not work in Firefox or Safari). The browser must allow loading cross-origin iframes with cookies, permit rendering of SVG filters in iframes, and delegate rendering tasks to the GPU.
Test results showed that stealing a username from a Wikipedia iframe could be accomplished in 30 minutes on a Ryzen 7 4800U with 97% accuracy, and in 215 minutes on an Intel i7-8700 GPU with 98.3% accuracy.
Scope and Limitations
While GPU.zip affects almost all major GPU manufacturers—including AMD, Apple, Arm, Intel, Qualcomm, and NVIDIA—not all graphics cards are equally vulnerable. The attack is unlikely to be widely exploited due to its complexity and the time required to carry it out. Additionally, websites that block embedding of cross-origin iframes cannot be used for data leakage via this method.
The researchers note, “There are other reasons, beyond pixel theft, why people should pay attention to this issue. First, GPU.zip could enable other, yet undiscovered attacks beyond pixel theft, which may pose greater risks to end users. Second, GPU.zip is another example of how hardware optimization can create a side-channel attack that software cannot neutralize. This highlights the need for users to rethink their trust in hardware.”
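Since sites that block cross-origin embedding cannot be used for this leak, a site owner can audit their own response headers for that protection. The following is an added example, not code from the researchers or the original article; the function names and sample headers are constructed for illustration, and it assumes a single Content-Security-Policy header per response.

```python
# Added example: classify whether a response may be framed by another origin.
# All sample headers below are constructed, not captured from a real site.

def _frame_ancestors(csp):
    """Return the frame-ancestors source list of one CSP policy, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def framing_policy(headers):
    """Return 'blocked', 'same-origin', 'allowlist' or 'frameable'."""
    h = {k.lower(): v for k, v in headers.items()}
    # Only the enforcing header counts; the -Report-Only variant never blocks.
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # When frame-ancestors is present it takes precedence over X-Frame-Options.
        if not sources or sources == ["'none'"]:
            return "blocked"
        if sources == ["'self'"]:
            return "same-origin"
        # A wildcard or a bare scheme such as https: admits any such origin.
        if any(s == "*" or s.endswith(":") for s in sources):
            return "frameable"
        return "allowlist"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by Chromium-based browsers.
    return "frameable"

SAMPLES = {  # constructed responses
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "xfo-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "xfo-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "no-headers": {},
}

def frameable_samples(samples):
    """Names of responses that any origin could embed in an iframe."""
    return sorted(n for n, h in samples.items() if framing_policy(h) == "frameable")

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:15} {framing_policy(hdrs)}")
```

The report-only and ALLOW-FROM cases are the ones most often mistaken for protection: both leave the page frameable in Chrome and Edge.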
Industry Response and Future Research
The full report on GPU.zip will be presented at the 45th IEEE Symposium on Security and Privacy in May 2024.
Intel representatives have responded to the researchers’ claims, stating, “Although Intel did not have access to the full text of the researchers’ article, we reviewed the provided findings and determined that the root cause lies not in our GPUs, but in third-party software.” Google has also stated that it is investigating GPU.zip and is in ongoing contact with the researchers.