CUDA de Grâce
Talk by @chompie1337 and Samuel Lovejoy about exploiting a race condition that leads to a double-free in the NVIDIA GPU driver to escape a container created with NVIDIA Container Toolkit.
Video: https://www.youtube.com/watch?v=Lvz2_ZHj3lo
Slides: https://docs.google.com/presentation/d/1FgfURpMyHhnflGWtxeq8ClPPaB5ZDCzT/edit?usp=sharing
From what I can tell, Azure serverless in particular is well architected and avoids cross tenant infra sharing. However that’s not the case for other AI/ML cloud providers (DigitalOcean, Replicate, RunPod, Vast.ai, Heroku, are a few that come to mind) that rely on OS level containerization for isolation. Cross tenant access is a huge concern there; that’s a main reason why I chose this target!
Even in “good” setups like Azure, GPU compromise is still a concern for a few reasons.
For example supply chain attacks via compromised container images or malicious models (we’re already seeing examples of this happening!), a compromised data scienctist running untrusted workloads, or even GPU side channel attacks.
Phrack turns 40.
The digital drop is live.
Download it. Archive it. Pass it on.
💾 https://www.phrack.org
I've been asked countless times how to learn VR & xdev. The answer is always: "do something you think is cool". It's hard to figure out what to do. Try the PhrackCTF which I've now open-sourced. It's not a contrived CTF - modeled after real vulnerabilities
Linux Kernel Security
Phrack