Stealing webpages rendered on your browser by exploiting GPU vulnerabilities

Sangho Lee; Youngsok Kim; Jangwoo Kim; Jong Kim

doi:10.1109/SP.2014.9

Stealing webpages rendered on your browser by exploiting GPU vulnerabilities

Sangho Lee, Youngsok Kim, Jangwoo Kim, Jong Kim

Department of Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

36 Citations (Scopus)

Abstract

Graphics processing units (GPUs) are important components of modern computing devices for not only graphics rendering, but also efficient parallel computations. However, their security problems are ignored despite their importance and popularity. In this paper, we first perform an in-depth security analysis on GPUs to detect security vulnerabilities. We observe that contemporary, widely-used GPUs, both NVIDIA's and AMD's, do not initialize newly allocated GPU memory pages which may contain sensitive user data. By exploiting such vulnerabilities, we propose attack methods for revealing a victim program's data kept in GPU memory both during its execution and right after its termination. We further show the high applicability of the proposed attacks by applying them to the Chromium and Firefox web browsers which use GPUs for accelerating webpage rendering. We detect that both browsers leave rendered webpage textures in GPU memory, so that we can infer which web pages a victim user has visited by analyzing the remaining textures. The accuracy of our advanced inference attack that uses both pixel sequence matching and RGB histogram matching is up to 95.4%.

Original language	English
Title of host publication	Proceedings - IEEE Symposium on Security and Privacy
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	19-33
Number of pages	15
ISBN (Electronic)	9781479946860
DOIs	https://doi.org/10.1109/SP.2014.9
Publication status	Published - 2014 Nov 13
Event	35th IEEE Symposium on Security and Privacy, SP 2014 - San Jose, United States Duration: 2014 May 18 → 2014 May 21

Publication series

Name	Proceedings - IEEE Symposium on Security and Privacy
ISSN (Print)	1081-6011

Conference

Conference	35th IEEE Symposium on Security and Privacy, SP 2014
Country	United States
City	San Jose
Period	14/5/18 → 14/5/21

Fingerprint

All Science Journal Classification (ASJC) codes

Safety, Risk, Reliability and Quality
Software
Computer Networks and Communications

Cite this

Lee, S., Kim, Y., Kim, J., & Kim, J. (2014). Stealing webpages rendered on your browser by exploiting GPU vulnerabilities. In Proceedings - IEEE Symposium on Security and Privacy (pp. 19-33). [6956554] (Proceedings - IEEE Symposium on Security and Privacy). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP.2014.9

@inproceedings{d515d7cf6a6c4b1eb13fb134fe71794f,

title = "Stealing webpages rendered on your browser by exploiting GPU vulnerabilities",

abstract = "Graphics processing units (GPUs) are important components of modern computing devices for not only graphics rendering, but also efficient parallel computations. However, their security problems are ignored despite their importance and popularity. In this paper, we first perform an in-depth security analysis on GPUs to detect security vulnerabilities. We observe that contemporary, widely-used GPUs, both NVIDIA's and AMD's, do not initialize newly allocated GPU memory pages which may contain sensitive user data. By exploiting such vulnerabilities, we propose attack methods for revealing a victim program's data kept in GPU memory both during its execution and right after its termination. We further show the high applicability of the proposed attacks by applying them to the Chromium and Firefox web browsers which use GPUs for accelerating webpage rendering. We detect that both browsers leave rendered webpage textures in GPU memory, so that we can infer which web pages a victim user has visited by analyzing the remaining textures. The accuracy of our advanced inference attack that uses both pixel sequence matching and RGB histogram matching is up to 95.4%.",

author = "Sangho Lee and Youngsok Kim and Jangwoo Kim and Jong Kim",

year = "2014",

month = nov

day = "13",

doi = "10.1109/SP.2014.9",

language = "English",

series = "Proceedings - IEEE Symposium on Security and Privacy",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "19--33",

booktitle = "Proceedings - IEEE Symposium on Security and Privacy",

address = "United States",

note = "35th IEEE Symposium on Security and Privacy, SP 2014 ; Conference date: 18-05-2014 Through 21-05-2014",

}

Lee, S, Kim, Y, Kim, J & Kim, J 2014, Stealing webpages rendered on your browser by exploiting GPU vulnerabilities. in Proceedings - IEEE Symposium on Security and Privacy., 6956554, Proceedings - IEEE Symposium on Security and Privacy, Institute of Electrical and Electronics Engineers Inc., pp. 19-33, 35th IEEE Symposium on Security and Privacy, SP 2014, San Jose, United States, 14/5/18. https://doi.org/10.1109/SP.2014.9

Stealing webpages rendered on your browser by exploiting GPU vulnerabilities. / Lee, Sangho; Kim, Youngsok; Kim, Jangwoo; Kim, Jong.

Proceedings - IEEE Symposium on Security and Privacy. Institute of Electrical and Electronics Engineers Inc., 2014. p. 19-33 6956554 (Proceedings - IEEE Symposium on Security and Privacy).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Stealing webpages rendered on your browser by exploiting GPU vulnerabilities

AU - Lee, Sangho

AU - Kim, Youngsok

AU - Kim, Jangwoo

AU - Kim, Jong

PY - 2014/11/13

Y1 - 2014/11/13

N2 - Graphics processing units (GPUs) are important components of modern computing devices for not only graphics rendering, but also efficient parallel computations. However, their security problems are ignored despite their importance and popularity. In this paper, we first perform an in-depth security analysis on GPUs to detect security vulnerabilities. We observe that contemporary, widely-used GPUs, both NVIDIA's and AMD's, do not initialize newly allocated GPU memory pages which may contain sensitive user data. By exploiting such vulnerabilities, we propose attack methods for revealing a victim program's data kept in GPU memory both during its execution and right after its termination. We further show the high applicability of the proposed attacks by applying them to the Chromium and Firefox web browsers which use GPUs for accelerating webpage rendering. We detect that both browsers leave rendered webpage textures in GPU memory, so that we can infer which web pages a victim user has visited by analyzing the remaining textures. The accuracy of our advanced inference attack that uses both pixel sequence matching and RGB histogram matching is up to 95.4%.

AB - Graphics processing units (GPUs) are important components of modern computing devices for not only graphics rendering, but also efficient parallel computations. However, their security problems are ignored despite their importance and popularity. In this paper, we first perform an in-depth security analysis on GPUs to detect security vulnerabilities. We observe that contemporary, widely-used GPUs, both NVIDIA's and AMD's, do not initialize newly allocated GPU memory pages which may contain sensitive user data. By exploiting such vulnerabilities, we propose attack methods for revealing a victim program's data kept in GPU memory both during its execution and right after its termination. We further show the high applicability of the proposed attacks by applying them to the Chromium and Firefox web browsers which use GPUs for accelerating webpage rendering. We detect that both browsers leave rendered webpage textures in GPU memory, so that we can infer which web pages a victim user has visited by analyzing the remaining textures. The accuracy of our advanced inference attack that uses both pixel sequence matching and RGB histogram matching is up to 95.4%.

UR - http://www.scopus.com/inward/record.url?scp=84914100506&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84914100506&partnerID=8YFLogxK

U2 - 10.1109/SP.2014.9

DO - 10.1109/SP.2014.9

M3 - Conference contribution

AN - SCOPUS:84914100506

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 19

EP - 33

BT - Proceedings - IEEE Symposium on Security and Privacy

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 35th IEEE Symposium on Security and Privacy, SP 2014

Y2 - 18 May 2014 through 21 May 2014

ER -

Access to Document

10.1109/SP.2014.9