Researchers at the University of California, Irvine presented Sugar (Secure GPU Acceleration), a new OS solution to enhance the security of GPU acceleration for web apps. Their research paper titled, Sugar: Secure GPU Acceleration in Web Browsers, is a collective effort of Zhihao Yao et al.
Recently, GPU based graphics acceleration in web apps has become increasingly popular. WebGL is the key component which provides OpenGL–such as graphics for web apps
and is currently used in 53% of the top-100 websites. However, several attack vendors have been demonstrated through WebGL making it vulnerable to security attacks. One such example is the Rowhammer attack which took place in May, this year. Although web browsers have patched the vulnerabilities and have added new runtime security checks, the systems are still vulnerable to zero-day vulnerability exploits, especially given the large size of the Trusted Computing Base of the graphics plane.
Sugar OS uses a dedicated virtual graphics plane for a web app by leveraging modern GPU virtualization solutions. It enhances the system security since a virtual graphics plane is fully isolated from the rest of the system. Despite GPU virtualization overhead, Sugar achieves high performance.
Unlike current systems, Sugar uses two underlying physical GPUs, when available, to co-render the User Interface (UI),
- One GPU, to provide virtual graphics planes for web apps
- The other one to provide the primary graphics plane for the rest of the system.
Thus, this design not only provides strong security guarantees but also provides enhanced performance isolation.
The two GPU designs in Sugar OS for secured web apps
The researchers presented two different designs of Sugar in their paper; a single-GPU and a dual-GPU. In both these designs, web apps use the virtual graphics planes created by the virtualizable GPU. The main difference between the two is the primary graphics plane.
Design target: They designed a Single-GPU Sugar for machines with a single virtualizable GPU. The main targets of this design are commodity desktops and laptops using Intel processors that incorporate a virtualizable integrated GPU (all Intel Core processors starting from the 4th generation, i.e., Haswell ).
Primary Graphics plane, in this design, uses the same underlying virtualizable GPU but has exclusive access to the display connected to it.
Design target: The dual-GPU Sugar is designed for machines with two physical GPUs, one of which is virtualizable. The main targets for this design are high-end desktops and laptops that incorporate a second GPU in addition to the virtualizable integrated Intel GPU.
Primary graphics plane, here, uses the other GPU, which is connected to the display.
However, Dual-GPU Sugar provides better security than single-GPU Sugar, especially against Denial-of-Service attacks. Moreover, dual-GPU Sugar achieves better graphics performance isolation.
The researchers demonstrated that Sugar reduces the Trusted Computing Base (TCB) exposed to web apps and thus eliminates various vulnerabilities already reported in the WebGL framework. They also showed that Sugar’s performance is high, providing similar user-visible performance with existing less secure systems.
Read more about Sugar OS in detail in its research paper