NVIDIA GPU Confidential Computing Demystified
- URL: http://arxiv.org/abs/2507.02770v1
- Date: Thu, 03 Jul 2025 16:31:07 GMT
- Title: NVIDIA GPU Confidential Computing Demystified
- Authors: Zhongshu Gu, Enriquillo Valdez, Salman Ahmed, Julian James Stephen, Michael Le, Hani Jamjoom, Shixuan Zhao, Zhiqiang Lin
- Abstract summary: GPU Confidential Computing was introduced as part of the NVIDIA Hopper Architecture, extending the trust boundary beyond traditional CPU-based confidential computing. For end users, transitioning to GPU-CC mode is seamless, requiring no modifications to existing AI applications. The lack of transparency presents significant challenges for security researchers seeking a deeper understanding of GPU-CC's architecture and operational mechanisms.
- Score: 23.473530599624937
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: GPU Confidential Computing (GPU-CC) was introduced as part of the NVIDIA Hopper Architecture, extending the trust boundary beyond traditional CPU-based confidential computing. This innovation enables GPUs to securely process AI workloads, providing a robust and efficient solution for handling sensitive data. For end users, transitioning to GPU-CC mode is seamless, requiring no modifications to existing AI applications. However, this ease of adoption contrasts sharply with the complexity of the underlying proprietary systems. The lack of transparency presents significant challenges for security researchers seeking a deeper understanding of GPU-CC's architecture and operational mechanisms. The challenges of analyzing the NVIDIA GPU-CC system arise from a scarcity of detailed specifications, the proprietary nature of the ecosystem, and the complexity of product design. In this paper, we aim to demystify the implementation of NVIDIA GPU-CC system by piecing together the fragmented and incomplete information disclosed from various sources. Our investigation begins with a high-level discussion of the threat model and security principles before delving into the low-level details of each system component. We instrument the GPU kernel module -- the only open-source component of the system -- and conduct a series of experiments to identify the security weaknesses and potential exploits. For certain components that are out of reach through experiments, we propose well-reasoned speculations about their inner working mechanisms. We have responsibly reported all security findings presented in this paper to the NVIDIA PSIRT Team.
Related papers
- GPU in the Blind Spot: Overlooked Security Risks in Transportation [3.3296812191509786] (2025-08-04T02:25:43Z)
This paper highlights GPU security as a critical blind spot in transportation cybersecurity. To support this concern, it also presents a case study showing the impact of stealthy unauthorized crypto miners on critical AI workloads.
- Scaling Computer-Use Grounding via User Interface Decomposition and Synthesis [59.83524388782554] (2025-05-19T15:09:23Z)
Graphical user interface (GUI) grounding remains a critical bottleneck in computer use agent development. We introduce OSWorld-G, a comprehensive benchmark comprising 564 finely annotated samples across diverse task types. We synthesize and release the largest computer use grounding dataset Jedi, which contains 4 million examples.
- Crypto Miner Attack: GPU Remote Code Execution Attacks [0.0] (2025-02-09T19:26:47Z)
Remote Code Execution (RCE) exploits pose a significant threat to AI and ML systems. This paper focuses on RCE attacks leveraging deserialization vulnerabilities and custom layers, such as Lambda layers. We demonstrate an attack that utilizes these vulnerabilities to deploy a crypto miner on a GPU.
- Confidential Computing on Heterogeneous CPU-GPU Systems: Survey and Future Directions [21.66522545303459] (2024-08-21T13:14:45Z)
In recent years, the widespread informatization and rapid data explosion have increased the demand for high-performance heterogeneous systems.
The combination of CPU and GPU is particularly popular due to its versatility.
Advances in privacy-preserving techniques, especially hardware-based Trusted Execution Environments (TEEs), offer effective protection for GPU applications.
- Generative AI for Secure and Privacy-Preserving Mobile Crowdsensing [74.58071278710896] (2024-05-17T04:00:58Z)
Generative AI has attracted much attention from both academic and industrial fields.
Secure and privacy-preserving mobile crowdsensing (SPPMCS) has been widely applied in data collection/acquirement.
- Networking Systems for Video Anomaly Detection: A Tutorial and Survey [55.28514053969056] (2024-05-16T02:00:44Z)
Video Anomaly Detection (VAD) is a fundamental research task within the Artificial Intelligence (AI) community. With the advancements in deep learning and edge computing, VAD has made significant progress. This article offers an exhaustive tutorial for novices in NSVAD.
- Whispering Pixels: Exploiting Uninitialized Register Accesses in Modern GPUs [6.1255640691846285] (2024-01-16T23:36:48Z)
We showcase the existence of a vulnerability on products of 3 major vendors - Apple, NVIDIA and Qualcomm.
This vulnerability poses unique challenges to an adversary due to opaque scheduling and register remapping algorithms.
We implement information leakage attacks on intermediate data of Convolutional Neural Networks (CNNs) and present the attack's capability to leak and reconstruct the output of Large Language Models (LLMs).
- FusionAI: Decentralized Training and Deploying LLMs with Massive Consumer-Level GPUs [57.12856172329322] (2023-09-03T13:27:56Z)
We envision a decentralized system unlocking the potential vast untapped consumer-level GPU.
This system faces critical challenges, including limited CPU and GPU memory, low network bandwidth, the variability of peer and device heterogeneity.
- Characterizing Concurrency Mechanisms for NVIDIA GPUs under Deep Learning Workloads [1.0660480034605242] (2021-10-01T14:48:50Z)
We investigate the performance of the mechanisms available on NVIDIA's new Ampere GPU microarchitecture under deep learning and inference workloads.
We find that the lack of fine-grained preemption mechanisms, robust task prioritization options, and contention-aware thread block placement policies limits the effectiveness of NVIDIA's mechanisms.
- Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445] (2020-10-19T13:09:31Z)
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance.
We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems.
We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
- Towards an Interface Description Template for AI-enabled Systems [77.34726150561087] (2020-07-13T20:30:26Z)
Reuse is a common system architecture approach that seeks to instantiate a system architecture with existing components.
There is currently no framework that guides the selection of necessary information to assess their portability to operate in a system different than the one for which the component was originally purposed.
We present ongoing work on establishing an interface description template that captures the main information of an AI-enabled component.