Wenjian He, Wei Zhang, Sharad Sinha and Sanjeev Das. iGPU Leak: An Information Leakage Vulnerability on Intel Integrated GPU. In Proceedings of the 25th Asia and South Pacific Design Automation Conference (ASP-DAC'20).
A security issue was found on Intel integrated GPUs (iGPUs). It allows attackers to leak private data from an iGPU. Besides games, nowadays a large variety of software leverage GPU acceleration, e.g. web browsers and blockchains. These applications are all at risk. The problem is caused by defective GPU management of the graphics driver. When an application uses the GPU, some private data inevitably get stored in GPU. We find the graphics driver fails to wipe them after the application finishes, so the data preserve in the GPU. Therefore, an attacker can run a GPU spyware to steal these private data.
For details, see Technical explanation.
Affected Hardware: Most Intel 3rd to 10th Generation Core processors and many other Intel processor families are all affected.
| Affected OSes | Patch |
|---|---|
| Win | Intel Graphics DCH driver >= 26.20.100.7209 |
| Linux | Consult your OS vendor. Learn More |
| Mac | macOS Catalina 10.15.4. Learn More |
We recommend you to update the Intel Graphics driver as soon as it becomes available. Please refer to the Intel Security Advisory INTEL-SA-00314 for the complete list of affected products and operating systems.
We are not aware of any exploitations in the wild. However, we expect it is easy to develop attacks with the vulnerability. According to our experiments, the following 2 attacks are possible.
By monitoring the Intel iGPU, an attacker may know which website the user is visiting.
If you are using an iGPU for cryptographic tasks, the plaintext or even the key may be leaked due to the iGPU-Leak vulnerability.
This is an uninitialized data vulnerability due to the Intel Graphics driver, and it results in information leakage through GPU hardware. In essence, the GPU state is not reset during a GPU context switch. We identify two components in Intel iGPUs that leak information due to this vulnerability:
- shared local memory, and
- the general register file in every execution unit (EU).
- Demo video of Shared Local Memory (SLM) leakage: https://youtu.be/xHihb2SwXyo
- Demo video of General Register File (GRF) leakage: https://youtu.be/AouEeCF4cj0
./democontains the source code of the proof-of-concept attack. Please refer to the./demo/README.mdfor the instructions to run the demo.
| Intel Graphics | CPU uArch | Patch | Status |
|---|---|---|---|
| Gen 9 | Skylake, Kaba Lake, Coffee Lake | Link | Merged into mainline at Linux 5.5-rc7, and backported. |
| Gen 8 | Broadwell | Immune | |
| Gen 7 | Haswell, Ivy Bridge | Link | Under development. |
We appreciate Intel's professional handling of our report.
- September 2019: We reported our findings to Intel.
- October 14, 2019: Intel confirmed the vulnerability.
- January 14, 2020: Intel released INTEL-SA-00314.
- Wenjian He, wheac@connect.ust.hk, Hong Kong Univ. of Science and Technology
- Wei Zhang, wei.zhang [at] ust.hk, Hong Kong Univ. of Science and Technology
- Sharad Sinha, sharad [at] iitgoa.ac.in, Indian Institute of Technology, Goa
- Sanjeev Das, sdas [at] cs.unc.edu, Univ. of North Carolina at Chapel Hill, USA