This October, UCR computer science researchers successfully accomplished side channel GPU attacks using direct and cross computational stacks, or in layman’s terms, indirectly used computer graphics systems to attack multiple programs at once. Three experimental attacks demonstrated that computer graphics cards could be manipulated to steal victim information such as passwords, web history and even corporate cloud neural network structure.
The team was led by doctoral student Hoda Naghibijouybari, post-doctoral researcher Ajaya Neupane, computer science and engineering professor Nael Abu-Ghazaleh and Associate Professor of Computer science and Engineering Zhiyun Qian. In an interview with the Highlander, Abu-Ghazaleh explained the science behind this discovery, how research can be used to curb malicious attacks in the future and what UCR students can do to improve their own cybersecurity.
Presented at the ACM SIGSAC Conference on Computer and Communications Security last October, the research paper titled “Rendered Insecure: GPU Side Channel Attacks are Practical” explains how graphics processors could be used to launch unconventionally complex attacks on users. Explaining the terms for non-specialists, Abu-Ghazaleh stated that computational stacks are “software that is used by a certain type of program. To manage complexity, a lot of software systems consist of different ‘stacked’ layers, such as the operating system at the lowest level, libraries and run-time software, and then the application.”
The team used these layers in GPUs to initiate side channel attacks which, as Abu-Ghazaleh explains, are indirect acquisitions of data. Abu-Ghazaleh explained, “To give you an analogy, prisoners in a prison are isolated and are not supposed to be able to talk to each other, but they may find that they can communicate by banging on pipes. In a computer … there are a lot of shared resources that are the equivalent of pipes.”
The team used these pipes to launch three attacks targeting different computer functions. Abu-Ghazaleh explained that the first attack was able to track web history because every “page has a set of objects (text boxes, images, other items) that have to be rendered on the screen. As the browser uses the GPU to render them, it asks for memory for each.” He added that “the attacker monitors the available memory on the GPU repeatedly” and since “each page has a unique layout and set of objects … [the] sequence can be used to identify the websites that the attacker is accessing (with the help of some machine learning magic).”
The other two attacks are similar, Abu-Ghazaleh said, with the second method tracking passwords by “observing the times of the allocations … when the user presses a key” before using “different inter-keystroke timing for different key pairs” to calculate likely combinations. The final attack targeted cloud networks because GPUs give users performance counters to optimize their experience: “By observing the performance counters, the attacker observes the pattern of contention between itself and the victim, which discloses sensitive information about the victim application. In this case, we recover the structure of a neural network, often a sensitive secret of companies.”
Regarding whether or not user’s would see these types of malicious attacks in the future, Abu-Ghazaleh says, “side channel attacks are a very hot research topic, but the attacks are sometimes complicated. However, they are very difficult to defend against. This is why it is of large concern to computing system companies.” He goes on to say that big companies such as “Intel and Microsoft have a bug bounty program that pays several hundred thousand dollars for a newly discovered side channel vulnerability.”
Concerning if UCR students are at risk for malicious attacks, Abu-Ghazaleh says “the short answer is yes. Computer programs (and even hardware) are really complex systems … offering attackers opportunities to compromise them.” These compromises are often presented through “attacks such as phishing or social engineering when a user opens a malicious attachment or downloads an untrusted app can open the door to malicious software.”
Abu-Ghazaleh says students can keep their information secure by “keeping software updated; using strong passwords and changing them periodically; being careful about browsing to untrusted sites and learning to identify phishing attacks and malicious emails.” He affirms that “increasingly there are tools that help with some of these steps” and that by taking these steps students can do their part to improve personal and campus cybersecurity.