LeftoverLocals

Updates

• 2024-01-16: Initial release
• 2024-01-16: Khronos Statement
• 2024-01-29: LeftoverLocals Arxiv Paper
• 2024-05-07: AMD has posted plans to enable an option for secure compute, however this option will be disabled by default.

Description

Trail of Bits is disclosing LeftoverLocals: a vulnerability that allows data recovery from GPU memory created by another process on Apple, Qualcomm, and AMD GPUs. LeftoverLocals impacts the security posture of GPU applications, with particular significance to LLMs and ML models that run on impacted GPUs. By recovering local memory – an optimized GPU memory region – we built a PoC where an attacker can listen into another user’s interactive LLM session (e.g., llama.cpp) across process or container boundaries.

Demo

Report

See the full report at our blog here.