Slashdot Mirror


Nvidia GPUs Can Leak Data From Google Chrome's Incognito Mode (softpedia.com)

An anonymous reader writes: Nvidia GPUs don't clear out memory that was previously allocated, and neither does Chrome before releasing memory back to the shared memory pool. When a user recently fired up Diablo 3 several hours after closing an Incognito Mode window that contained pornography, the game launched with snapshots of the last "private" browsing session appearing on the screen — revealing his prior activities. He says, "It's a fairly easy bug to fix. A patch to the GPU drivers could ensure that buffers are always erased before giving them to the application. It's what an operating system does with the CPU RAM, and it makes sense to use the same rules with a GPU. Additionally, Google Chrome could erase their GPU resources before quitting."

24 of 148 comments

  1. Porn AND Diablo? by halivar · · Score: 5, Funny

    Are you sure this isn't God judging your evil deeds?
    /duck
    /run

  2. Ads by bill_mcgonigle · · Score: 4, Interesting

    > Google Chrome could erase their GPU resources before quitting.

    Why blank it when you can write a gaming ad to the buffer instead? #incentives

    Why write a gaming ad when you can write a Radeon ad instead? #alsoincentives

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  3. AMD Open Source Driver on Linux by grumbel · · Score: 4, Informative

    The AMD Open Source Driver on Linux does the same thing. It's not really a new or spectacular bug; graphics cards and drivers have done that stuff for quite a long while. Once there was also a fun bug that would make large texts in Firefox 'bleed' into the desktop background image, so it wasn't just showing old content, but actively manipulating content of another application.

    1. Re:AMD Open Source Driver on Linux by The+MAZZTer · · Score: 4, Insightful

      Yeah. Your GPU was not designed with security of the information stored in it in mind. It was designed to play video games and a few other things, and it's not a big deal if a few of your game textures leak, if it means the GPU can be slightly faster at managing its memory. The responsibility should be Chrome's to clear out its GPU memory in incognito mode after it's done using it.

    2. Re:AMD Open Source Driver on Linux by Anonymous Coward · · Score: 3, Insightful

      > Chrome's to clear out its GPU memory in incognito mode after it's done using it.

      The driver manages the GPU memory and there is no particular reason to assume that if Chrome did that it would actually write to the same RAM location that had the sensitive data and not some other random memory area it was assigned temporarily.
      Thus the calls for Chrome to fix it are nonsense. Yes, it might work. But it might break any time with a driver update. This needs to be in the drivers.
      The discussion and arguments aren't really any different than for kernel-allocated memory for the CPU.

    3. Re:AMD Open Source Driver on Linux by edtice1559 · · Score: 3, Insightful

      It used to be that the programmer was responsible for clearing sensitive data out of general-purpose memory to ensure that no other process got access to the data. It didn't work out very well. Now, the OS is responsible for clearing out memory prior to handing it to another process. It doesn't really make sense to have every application do something that could be implemented one time, correctly, in the operating system.

  4. Why is Diablo showing this? by zifnabxar · · Score: 2

    I'm less concerned with GPUs not clearing their memory when done (known bug in PCs) and more with the fact that Diablo 3 is just using whatever happens to be in the buffer.

    1. Re:Why is Diablo showing this? by dkman · · Score: 2

      This is what I came to say. Why would an application draw from memory it hasn't written to yet? I know that games often go to a black screen at launch. Is it just chance that it chose an area that was zeroed vs random garbage? I would think that if it just pulled from the beginning of memory that people would see some old image pretty often. Maybe that is the case and we just perceive it as a flicker unless it hangs for a moment as it did for him.

      --
      I refuse to sign

  5. Re: Performance Hits? by Delwin · · Score: 4, Informative

    The performance hit is real - and without custom silicon it's quite expensive. This bit me on the ass recently on a GPGPU project I was working on, because the amount of time taken to clear the buffer before use was about 10x the amount of time to actually do the computation.

  6. WebGL has had similar issues by Anonymous Coward · · Score: 2, Insightful

    It's been shown that you randomly snag other running applications data by initializing new framebuffers and seeing what happens to be in them.

    The problem is that your graphics card simply can't zero out chunks of RAM every time an application requests them, not if you want your high performance rendering for your video games. This issue is an old one, and one that's tied to the hardware architecture itself, and can't be fixed as easily as the submitter seems to think.

    1. Re:WebGL has had similar issues by tepples · · Score: 2

      Consider the following policy: If a process requests video memory, and all of this memory previously belonged to the same process, don't clear it. Otherwise, zero it. And while the GPU is idle, zero some of the memory released by processes in the background, especially by processes that have ended. How would such a policy interfere with "high performance rendering for your video games"?

  7. Re: Why does a web browser need GPU for basic by tysonedwards · · Score: 5, Insightful

    You mean using a graphics processing unit to process graphics? What level of weapons grade bullshit is this?

    --
    Thirty four characters live here.

  8. Re:They should just rename it PornMode by Austerity+Empowers · · Score: 4, Insightful

    There is value in using that mode for porn (although your IP address is still exposed, and it's unclear that anyone is going to understand why you were at LustyHotBabes.com for any non auto-erotic pursuits). But it is also incredibly useful for the times you want to visit a site that caches credentials locally or otherwise relies on client-side tracking, but you don't want that behavior. I do not like to leave data for gmail, facebook, linked-in etc. on my work machine, for example, I don't own it and IT can seize it at any time.

  9. Re: Performance Hits? by fuzzyfuzzyfungus · · Score: 2

    Out of curiosity, in terms of 'what should be done', is the idea that an application should be responsible for clearing memory before releasing it considered a good practice; or is it considered a least-worst option to deal with the fact that the OS can't necessarily be trusted to do the job properly?

    Speaking as a complete layman, I would think that, just as handling memory allocation is usually left to the OS, in an ideal world the OS' memory allocation mechanism would also be responsible for clearing something before allocating it to some other process, rather than relying on every last random application to behave correctly.

    Is that a "No, so wrong I'd need to spend ages teaching you enough to even understand why it's stupid." situation? A "It'd be nice, but since we can't trust the OS we clear memory before we release it if we are concerned about it." or a "Too much overhead to do universally; but having a mechanism to tell the OS 'this memory is now free, needs cleaning' would be nice" situation?

  10. Re:Why does a web browser need GPU for basic by fuzzyfuzzyfungus · · Score: 2

    In the case of most modern OS window managers, don't most programs end up getting their output scrawled onto some surface that the GPU manipulates, even the seriously retro ones that predate the concept of 'GPU' as anything other than a RAMDAC and some primitive fixed-function elements?

    Chrome, and similar, interact substantially more than that; but I thought that most of the various desktop transparency/preview/fancy-window-swooshing/etc. stuff was handled by drawing program output to something that the GPU can then manipulate.

  11. Not just PornMode by crow · · Score: 4, Interesting

    I use "incognito mode" all the time. Anytime I see some interesting link on Facebook, I always open it in incognito mode. Just one more level of protection against associating the link with my account or leaving behind unwanted trash.

    I also find it very useful for news sites that let you have a certain number of articles free before throwing up a paywall. Using incognito mode resets the counter back to zero.

  12. Re:Note by cfalcon · · Score: 2

    There's some BIG differences there. First, there's OS tools available that try to handle this case. Second, there's great workarounds for this insecure-but-fast disk habit, such as storing the data encrypted, or on an encrypted partition. Third, the time/tradeoff is much greater with disk cases- writing a block of RAM on SHUTDOWN ONLY is not nearly as great a burden as writing over an arbitrary file on the disk.

    I could see Google's position on this- it's not technically their fault- but they could at least try to blank the RAM that they allocate on exit.

  13. Re:They should just rename it PornMode by Anonymous Coward · · Score: 3, Informative

    Use it to browse sites that need cookies to work, but then use them to fix or mess with prices against you. Like airline sites and travel search engines that will sometimes raise prices if you search from a browser with the same cookies.

    Use it to follow links you don't want messing with other tracked histories. You see an article on weird stuff for sale but don't want Amazon or other sites suggesting related stuff every time you visit in the future?

    Having trouble with sites that stupidly use cookies to track login attempts, either because you don't quite remember your password or because of connection problems requiring you to login too frequently? Or similarly to visit sites that try to only work a certain number of times before requiring a fee, but also restrict their tracking of visit count to cookies.

    It is basically an easy way to pre-emptively stop cookies from remembering things for a particular session, instead of having to clean-up things afterwards.

  14. Re:Note by MachineShedFred · · Score: 2

    Why should Google fix Nvidia's fuck up? Like they even could.

    There's plenty to not like about some of Google's recent moves, but you're just being a hater here.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.

  15. Re:They should just rename it PornMode by MachineShedFred · · Score: 5, Funny

    > it's unclear that anyone is going to understand why you were at LustyHotBabes.com for any non auto-erotic pursuits

    I'm sure they read it for the articles. You know, unlike Slashdot where nobody reads the articles.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.

  16. The OS to blame? Don't think so... by gwolf · · Score: 4, Insightful

    The GPU memory is not handled by the OS, it runs on a separate piece of hardware, a full computer system if you allow, that does not run an OS by itself.

    The NUMA API for using nVidia cards for GPGPU operations is quite simple and straightforward; when requesting memory, it allocates a chunk; when releasing it, it's just marked as "not yours anymore". Due to the massively parallel programming model, there is even some *value* in not clearing it, as for algorithmic iterations sometimes you can save the cost of populating and freeing memory blocks if you know you will get the same pieces of RAM (or if it does not really matter, and each algorithmic pass can work exclusively on a given set of data until a certain point has been reached — think i.e. symmetric encryption schemes).

    Due to ever more intelligent C compilers (and of course higher level constructs) we have got used to memory being zeroed out on assignation, but AFAICT no standard mandates that. I would place the burden of cleaning the memory on the *initialization* of the new application. After all, be it pr0n or just random flipped bits, Diablo looks bad by starting with the display of digital noise.

    I don't think it should be *too much* of a concern for Chrome cleaning up before closing a tab. Yes, there is a certain thing about it being "incognito mode" that should be honored, and –as a special case– it *should* ensure to clean up its act. But the main fault I'd say is at Diablo.

    1. Re:The OS to blame? Don't think so... by ComputerGeek01 · · Score: 2

      > Diablo looks bad by starting with the display of digital noise.

      This brings up an interesting point, I think what we really have here is an exploit in the NVidia drivers rather than a "Super Scary oh noze mine pr0nz gots pwnd" privacy issue. What if next time, instead of stills from your latest crush fetish video, your VRAM was sitting on a call to "glGetTexImage()" and pulls an arbitrary instruction onto your stack? It is basically telling us that read-after-release is possible and DMA can be a lot of fun in the "right" hands. This is a lot more interesting than this rather pedestrian article is making it out to be. More importantly it finally illustrates that "Don't worry, it's a Walled Garden" is just as dumb of a security measure as it sounds.

    2. Re:The OS to blame? Don't think so... by hankwang · · Score: 2

      "AFAICT no standard mandates that. I would place the burden of cleaning the memory on the *initialization* of the new application."

      Common sense mandates that a multi-user system separates users and processes from each other. If I log off from a workstation, the next user should not be able to do screen captures (potentially confidential documents, emails with passwords) using software that exploits this "feature".

  17. Re:Boy Scout rulez apply... by JesseMcDonald · · Score: 2

    JVM and .NET VM makers take note - You could add this to your GC and shutdown code and give all programs automatic support for this easily.

    It would be better to put this in the OS cleanup code, clearing the buffers in a background thread before they're returned to the free pool. If the cleanup is left up to the application or framework then the application could exit due to a crash without getting a chance to clear the buffers.

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat