Vulnerable Intel GPU Context: Prohibit Complete Context Restore by Modifying Kernel Driver

Wonseok Choi; Youngjoo Shin

doi:10.1145/3708821.3733885

Vulnerable Intel GPU Context: Prohibit Complete Context Restore by Modifying Kernel Driver

Wonseok Choi^*
, Youngjoo Shin

^*Corresponding author for this work

School of Cybersecurity

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

GPUs are increasingly utilized in modern virtual computing platforms, as they not only specialize in graphics-related tasks but also accelerate the computation of various workloads. Consequently, vendors are developing new GPU virtualization technologies to enable the efficient sharing of a single GPU in virtualized environments. However, these advancements also introduce the potential for novel attack scenarios. GPUs employ contexts to manage multiple processes, executing context save/restore operations during context switches. We devised an attack primitive that prematurely terminate context restoration by exploiting mechanisms within the context-switching process. This primitive allows other contexts to observe the state of previously executed contexts on the GPU.In virtual computing environments, where multiple virtual machines share a single GPU through GPU virtualization, an attacker with root privileges on one virtual machine can leverage this attack primitive to circumvent security boundaries between virtual machines. In this paper, we successfully established a covert channel between two distinct virtual machines and conducted a website fingerprinting attack. Finally, we propose mitigation strategies to prevent the described attack.

Original language	English
Title of host publication	ACM ASIA CCS 2025 - Proceedings of the 20th ACM ASIA Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	1632-1642
Number of pages	11
ISBN (Electronic)	9798400714108
DOIs	https://doi.org/10.1145/3708821.3733885
Publication status	Published - 2025 Aug 24
Event	20th ACM ASIA Conference on Computer and Communications Security, ASIA CCS 2025 - Hanoi, Viet Nam Duration: 2025 Aug 25 → 2025 Aug 29

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)	1543-7221

Conference

Conference	20th ACM ASIA Conference on Computer and Communications Security, ASIA CCS 2025
Country/Territory	Viet Nam
City	Hanoi
Period	25/8/25 → 25/8/29

Bibliographical note

Publisher Copyright:
© 2025 Copyright held by the owner/author(s).

Keywords

Context switching
Covert channel
GPU attack
GPU virtualization
Virtual computing security
Website fingerprinting

ASJC Scopus subject areas

Software
Computer Networks and Communications

Access to Document

10.1145/3708821.3733885

Cite this

Choi, W., & Shin, Y. (2025). Vulnerable Intel GPU Context: Prohibit Complete Context Restore by Modifying Kernel Driver. In ACM ASIA CCS 2025 - Proceedings of the 20th ACM ASIA Conference on Computer and Communications Security (pp. 1632-1642). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/3708821.3733885

Vulnerable Intel GPU Context: Prohibit Complete Context Restore by Modifying Kernel Driver. / Choi, Wonseok; Shin, Youngjoo.
ACM ASIA CCS 2025 - Proceedings of the 20th ACM ASIA Conference on Computer and Communications Security. Association for Computing Machinery, 2025. p. 1632-1642 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Choi, W & Shin, Y 2025, Vulnerable Intel GPU Context: Prohibit Complete Context Restore by Modifying Kernel Driver. in ACM ASIA CCS 2025 - Proceedings of the 20th ACM ASIA Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, Association for Computing Machinery, pp. 1632-1642, 20th ACM ASIA Conference on Computer and Communications Security, ASIA CCS 2025, Hanoi, Viet Nam, 25/8/25. https://doi.org/10.1145/3708821.3733885

Choi W, Shin Y. Vulnerable Intel GPU Context: Prohibit Complete Context Restore by Modifying Kernel Driver. In ACM ASIA CCS 2025 - Proceedings of the 20th ACM ASIA Conference on Computer and Communications Security. Association for Computing Machinery. 2025. p. 1632-1642. (Proceedings of the ACM Conference on Computer and Communications Security). doi: 10.1145/3708821.3733885

@inproceedings{d565327248db4d169656176e5592b513,

title = "Vulnerable Intel GPU Context: Prohibit Complete Context Restore by Modifying Kernel Driver",

abstract = "GPUs are increasingly utilized in modern virtual computing platforms, as they not only specialize in graphics-related tasks but also accelerate the computation of various workloads. Consequently, vendors are developing new GPU virtualization technologies to enable the efficient sharing of a single GPU in virtualized environments. However, these advancements also introduce the potential for novel attack scenarios. GPUs employ contexts to manage multiple processes, executing context save/restore operations during context switches. We devised an attack primitive that prematurely terminate context restoration by exploiting mechanisms within the context-switching process. This primitive allows other contexts to observe the state of previously executed contexts on the GPU.In virtual computing environments, where multiple virtual machines share a single GPU through GPU virtualization, an attacker with root privileges on one virtual machine can leverage this attack primitive to circumvent security boundaries between virtual machines. In this paper, we successfully established a covert channel between two distinct virtual machines and conducted a website fingerprinting attack. Finally, we propose mitigation strategies to prevent the described attack.",

keywords = "Context switching, Covert channel, GPU attack, GPU virtualization, Virtual computing security, Website fingerprinting",

author = "Wonseok Choi and Youngjoo Shin",

note = "Publisher Copyright: {\textcopyright} 2025 Copyright held by the owner/author(s).; 20th ACM ASIA Conference on Computer and Communications Security, ASIA CCS 2025 ; Conference date: 25-08-2025 Through 29-08-2025",

year = "2025",

month = aug,

day = "24",

doi = "10.1145/3708821.3733885",

language = "English",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

pages = "1632--1642",

booktitle = "ACM ASIA CCS 2025 - Proceedings of the 20th ACM ASIA Conference on Computer and Communications Security",

}

TY - GEN

T1 - Vulnerable Intel GPU Context

T2 - 20th ACM ASIA Conference on Computer and Communications Security, ASIA CCS 2025

AU - Choi, Wonseok

AU - Shin, Youngjoo

PY - 2025/8/24

Y1 - 2025/8/24

N2 - GPUs are increasingly utilized in modern virtual computing platforms, as they not only specialize in graphics-related tasks but also accelerate the computation of various workloads. Consequently, vendors are developing new GPU virtualization technologies to enable the efficient sharing of a single GPU in virtualized environments. However, these advancements also introduce the potential for novel attack scenarios. GPUs employ contexts to manage multiple processes, executing context save/restore operations during context switches. We devised an attack primitive that prematurely terminate context restoration by exploiting mechanisms within the context-switching process. This primitive allows other contexts to observe the state of previously executed contexts on the GPU.In virtual computing environments, where multiple virtual machines share a single GPU through GPU virtualization, an attacker with root privileges on one virtual machine can leverage this attack primitive to circumvent security boundaries between virtual machines. In this paper, we successfully established a covert channel between two distinct virtual machines and conducted a website fingerprinting attack. Finally, we propose mitigation strategies to prevent the described attack.

AB - GPUs are increasingly utilized in modern virtual computing platforms, as they not only specialize in graphics-related tasks but also accelerate the computation of various workloads. Consequently, vendors are developing new GPU virtualization technologies to enable the efficient sharing of a single GPU in virtualized environments. However, these advancements also introduce the potential for novel attack scenarios. GPUs employ contexts to manage multiple processes, executing context save/restore operations during context switches. We devised an attack primitive that prematurely terminate context restoration by exploiting mechanisms within the context-switching process. This primitive allows other contexts to observe the state of previously executed contexts on the GPU.In virtual computing environments, where multiple virtual machines share a single GPU through GPU virtualization, an attacker with root privileges on one virtual machine can leverage this attack primitive to circumvent security boundaries between virtual machines. In this paper, we successfully established a covert channel between two distinct virtual machines and conducted a website fingerprinting attack. Finally, we propose mitigation strategies to prevent the described attack.

KW - Context switching

KW - Covert channel

KW - GPU attack

KW - GPU virtualization

KW - Virtual computing security

KW - Website fingerprinting

UR - https://www.scopus.com/pages/publications/105015959213

U2 - 10.1145/3708821.3733885

DO - 10.1145/3708821.3733885

M3 - Conference contribution

AN - SCOPUS:105015959213

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 1632

EP - 1642

BT - ACM ASIA CCS 2025 - Proceedings of the 20th ACM ASIA Conference on Computer and Communications Security

PB - Association for Computing Machinery

Y2 - 25 August 2025 through 29 August 2025

ER -

Vulnerable Intel GPU Context: Prohibit Complete Context Restore by Modifying Kernel Driver

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this