Rendered Insecure GPU Side Channel Attacks are Practical

  • Slides: 25
Download presentation
Rendered Insecure: GPU Side Channel Attacks are Practical Hoda Naghibijouybari, Ajaya Neupane, Zhiyun Qian

Rendered Insecure: GPU Side Channel Attacks are Practical Hoda Naghibijouybari, Ajaya Neupane, Zhiyun Qian and Nael Abu-Ghazaleh University of California, Riverside 1

Graphics Processing Units Ø Optimize the performance of graphics and multi-media heavy workloads Ø

Graphics Processing Units Ø Optimize the performance of graphics and multi-media heavy workloads Ø Integrated on data centers and clouds to accelerate a range of computational applications 2

Background: GPU architecture and Programming Interfaces Threat Model and Leakage Vectors Outline Side Channel

Background: GPU architecture and Programming Interfaces Threat Model and Leakage Vectors Outline Side Channel Attacks: • Graphics-Graphics: Website Fingerprinting, Keystroke Timing attack • CUDA-CUDA: Neural Network model recovery • CUDA-Graphics: Website Fingerprinting Mitigation 4

GPU Architecture: massive paralleism 5

GPU Architecture: massive paralleism 5

GPU Programming Interfaces • Computation: CUDA and Open. CL • Graphics: Open. GL and

GPU Programming Interfaces • Computation: CUDA and Open. CL • Graphics: Open. GL and Web. GL Programmable steps of Graphics pipeline which are executed on SMs 6

Increasingly designed for sharing 7

Increasingly designed for sharing 7

Prior work—covert channels on GPUs 12. 9 x 3. 8 x 1. 7 x

Prior work—covert channels on GPUs 12. 9 x 3. 8 x 1. 7 x Error-free bandwidth of over 4 Mbps Constructing and Characterizing Covert Channels on GPUs [Micro 2017] Colocate Spy and Trojan Construct the Channels Remove Noise 8

Finer grain microarchitectural channels CPU Co-location D-cache attacks Control flow based attacks Possible on

Finer grain microarchitectural channels CPU Co-location D-cache attacks Control flow based attacks Possible on different cores / same core GPU Concurrent apps not possible in all scenarios (e. g. Graphics and CUDA) • Prime+Probe • Flush+Reload • … • Difficult (many active threads and small caches) • No flush instruction • I-cache attack • branch prediction attacks • SIMT computational model limits this leakage • No branch prediction 9

Threat Model Programming Interfaces CUDA/Open. GL Spy on CUDA/Open. GL Victim Example Applications GPU

Threat Model Programming Interfaces CUDA/Open. GL Spy on CUDA/Open. GL Victim Example Applications GPU rendering (Web Browsers, …) GPU Accelerated challenges: Computations (DNN, Encryption, …) Key 1. How can attacker co-locate with victim 2. What leakage can be measured? CUDA Spy on CUDA Victim GPU Accelerated Computations (DNN, Encryption, …) 10

Leakage Vectors Memory allocation API : Exposes the amount of available physical memory on

Leakage Vectors Memory allocation API : Exposes the amount of available physical memory on the GPU 1 GPU hardware performance counters: memory, instruction, multiprocessor, cache and texture metrics. 2 3 Timing operations: measuring the time of memory allocation events 11

Graphics-Graphics Attack Overview Open. GL Spy App Screen Rendering 12

Graphics-Graphics Attack Overview Open. GL Spy App Screen Rendering 12

Graphics-Graphics Side Channel (Co-location) • Reverse engineering the co-location of two concurrent applications: Graphics

Graphics-Graphics Side Channel (Co-location) • Reverse engineering the co-location of two concurrent applications: Graphics App 1 CPU Code GPU Code (vertex and fragment shaders) Two graphics applications whose workloads do Graphics App 2 not exceed the GPU hardware resources can colocate concurrently. CPU Code: Read the pixel colors from framebuffer and decode the information gl. Read. Pixels(…); GPU Code (vertex and fragment shaders) GPU Code (fragment shader): Use Open. GL extensions to read Thread. ID, Warp. ID, SMID and clock of each fragment (pixel/thread) on the GPU and encode this information in the color of each pixel. SMID = float(gl_SMIDNV)/3. 0; clock = float(clock 2 x 32 ARB(). y)/4294967295. 0; Thread. ID = float(gl_Thread. In. Warp. NV)/32. 0; color = vec 4(0, Thread. ID , SMID, clock); 13

Attack 1: Website Fingerprinting • Current versions of web browsers utilize the GPU to

Attack 1: Website Fingerprinting • Current versions of web browsers utilize the GPU to accelerate the rendering process. • A content-related pattern (depending on the size and shape of the object) of memory allocations is performed on the GPU. Uploading objects as Textures to the GPU Rendering 14

GPU memory allocation trace • Open. GL: query “GPU_MEMORY_INFO_CURRENT_AVAILABLE_VIDMEM_NVX” • Same attack can be

GPU memory allocation trace • Open. GL: query “GPU_MEMORY_INFO_CURRENT_AVAILABLE_VIDMEM_NVX” • Same attack can be done by a CUDA spy using CUDA API: “cuda. Mem. Get. Info” 15

Classification Results The classification results for Memory API based website fingerprinting attack on 200

Classification Results The classification results for Memory API based website fingerprinting attack on 200 Alexa Top Websites: • Gaussian Naive Bayes (NB) • K-Nearest Neighbor with 3 neighbors (KNN-3) • Random Forest with 100 estimators (RF) 16

Attack 2: Keystroke Timing • Record the timing of memory allocation events Password bar

Attack 2: Keystroke Timing • Record the timing of memory allocation events Password bar is rendered at constant rate, when user is not typing Password bar is rendered when user types a character 6 -character password 17

Keystroke timing: Ground Truth vs. GPU The probability density of the normalized measurement error

Keystroke timing: Ground Truth vs. GPU The probability density of the normalized measurement error with 250 key presses/timing samples The inter-keystroke timing for 25 pairs of characters being typed 18

CUDA-CUDA: Attack overview CUDA App CUDA Spy App 19

CUDA-CUDA: Attack overview CUDA App CUDA Spy App 19

CUDA-CUDA Side Channel Colocation: Multi-Process Service (MPS) on NVIDIA GPUs allows execution of concurrent

CUDA-CUDA Side Channel Colocation: Multi-Process Service (MPS) on NVIDIA GPUs allows execution of concurrent kernels from different processes on the GPU MPI Process B MPI Process A MPS Client Context B Many to one context Server CUDA Context MPI Service Process Leakage: Monitoring GPU Performance Counters provided by NVIDIA profiling tools Concurrent Scheduler Time-Sliced Scheduler Processors GPU 20

Attack 3: Neural Network Model Recovery Victim: A CUDA-implemented back-propagation (Rodinia benchmark) Spy: Launches

Attack 3: Neural Network Model Recovery Victim: A CUDA-implemented back-propagation (Rodinia benchmark) Spy: Launches several hundred consecutive CUDA kernels Methodology: • Colocate: Reverse engineer GPU hardware schedulers to colocate on each SM • Create contention: Different threads (or warps) utilize different hardware resources in parallel to create contention • Measure: Collecting one vector of performance counter values from each spy kernel 21

Results The classification results for identifying the number of neurons through the side channel

Results The classification results for identifying the number of neurons through the side channel attack: Input layer size varying in the range between 64 and 65536 neurons collecting 10 samples for each input size 22

CUDA-Graphics Side Channel Colocation (reverse engineering): Fine-grained interleaving execution (not concurrent) of CUDA kernels

CUDA-Graphics Side Channel Colocation (reverse engineering): Fine-grained interleaving execution (not concurrent) of CUDA kernels and graphics operations on the GPU Leakage: • Memory API • From CPU, so concurrent execution • GPU Performance Counters sampling after every frame by a short CUDA kernel • Result: Classification accuracy of 93% for 200 Alexa top websites 23

Mitigation • Limiting the rate of the calls • Limiting the precision of returned

Mitigation • Limiting the rate of the calls • Limiting the precision of returned information • Combined (Rate limiting at 4 MB granularity) 24

Disclosure • We have reported all of our findings to NVIDIA: • CVE 2018

Disclosure • We have reported all of our findings to NVIDIA: • CVE 2018 -6260, security notice • Patch: offers system administrators the option to disable access to performance counters from user processes • Main issue is backward compatibility • Later reported to Intel and AMD; working on replicating attacks there. 25

Conclusion • Side channels on GPUs • Fine grain channels impractical? • …between two

Conclusion • Side channels on GPUs • Fine grain channels impractical? • …between two concurrent applications on GPUs: • A series of end-to-end GPU attacks on both graphics and computational stacks, as well as across them. • Mitigations based on limiting the rate and precision are effective • Future work: Multi-GPU systems; integrated GPU systems 26

Remote Timing Attacks NICOLE HIPPOLITE Side Channel AttacksRemote Timing Attacks NICOLE HIPPOLITE Side Channel Attacks
Insecure work and insecure workers in Australia theInsecure work and insecure workers in Australia the
GPGPU MultiGPUs GPU General Purpose CPU GPU GPUGPGPU MultiGPUs GPU General Purpose CPU GPU GPU
Resourcebased Attacks Attacking Networks ResourceBased Attacks Resourcebased attacksResourcebased Attacks Attacking Networks ResourceBased Attacks Resourcebased attacks
Side Channel Attacks Against the Arduino Uno OwenSide Channel Attacks Against the Arduino Uno Owen
New Methods for CostEffective Side Channel Attacks onNew Methods for CostEffective Side Channel Attacks on
Computer Security 2014 Side channel attacks Background AnComputer Security 2014 Side channel attacks Background An
Thwarting cache based side channel attacks using virtualThwarting cache based side channel attacks using virtual
Attack Directories Not Caches Side Channel Attacks inAttack Directories Not Caches Side Channel Attacks in
Keemiline side Molekulid Kovalentne side Kovalentne side tekibKeemiline side Molekulid Kovalentne side Kovalentne side tekib
BOOKS OPEN READ SIDE STEP SIDE TO SIDEBOOKS OPEN READ SIDE STEP SIDE TO SIDE
Channel Participants Classification of Channel Participants All channelChannel Participants Classification of Channel Participants All channel
Channel Participants Classification of Channel Participants All channelChannel Participants Classification of Channel Participants All channel
CHANNEL CONFLICT Channel Conflict A channel conflict mayCHANNEL CONFLICT Channel Conflict A channel conflict may
Multi Channel Customer Contact Channel Shift Channel ChoiceMulti Channel Customer Contact Channel Shift Channel Choice
CHANNEL CONFLICT Channel Conflict A channel conflict mayCHANNEL CONFLICT Channel Conflict A channel conflict may
Calcium Channel Blockers Calcium Channel Blockers Calcium ChannelCalcium Channel Blockers Calcium Channel Blockers Calcium Channel
Practical Graphs for Optimal Side Channel Resistant MemoryHardPractical Graphs for Optimal Side Channel Resistant MemoryHard
HPC GPU Global Marketing GPU 4 Confidential GlobalHPC GPU Global Marketing GPU 4 Confidential Global
GPGPU overview Graphics Processing Unit GPU GPU isGPGPU overview Graphics Processing Unit GPU GPU is
CS 179 GPU PROGRAMMING RECITATION 2 GPU MemoryCS 179 GPU PROGRAMMING RECITATION 2 GPU Memory
NVIDIA Tesla GPU Zhuting Xue EE 126 GPUNVIDIA Tesla GPU Zhuting Xue EE 126 GPU
Matrix Operations on the GPU CIS 665 GPUMatrix Operations on the GPU CIS 665 GPU
CS 179 GPU Computing LECTURE 4 GPU MEMORYCS 179 GPU Computing LECTURE 4 GPU MEMORY