Pith: machine review for the scientific record

arxiv: 2507.02770 · v2 · submitted 2025-07-03 · 💻 cs.CR


Blueprint, Bootstrap, and Bridge: A Security Look at NVIDIA GPU Confidential Computing

classification 💻 cs.CR
keywords: security, gpu-cc, nvidia, system, blueprint, bootstrap, bridge, computing

NVIDIA GPU Confidential Computing (GPU-CC) aims to provide secure execution for AI workloads. For end users, enabling GPU-CC is seamless and requires no modifications to existing applications. However, this ease of adoption relies on a proprietary and highly complex system that is difficult to inspect, creating challenges for researchers seeking to understand its architecture and security landscape. In this work, we provide a security look at GPU-CC by reconstructing a coherent view of the system. We first examine the system's blueprint, focusing on the specialized architectural engines that support its security mechanisms. We then analyze the bootstrap process, which coordinates hardware and software components to establish these protections. Finally, we conduct targeted experiments to assess whether, under the GPU-CC threat model, data transfers along different paths remain protected across the bridge between trusted CPU and GPU domains. We responsibly disclosed all security findings presented in this paper to the NVIDIA Product Security Incident Response Team (PSIRT).

This paper has not been read by Pith yet.


Forward citations

Cited by 4 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. GPUBreach: Privilege Escalation Attacks on GPUs using Rowhammer

    cs.CR 2026-05 unverdicted novelty 8.0

    Unprivileged CUDA kernels can use Rowhammer to tamper with GPU page tables for targeted privilege escalation, leaking cryptographic keys and escalating to CPU root access by bypassing IOMMU.

  2. Revealing NVIDIA Closed-Source Driver Command Streams for CPU-GPU Runtime Behavior Insight

    cs.PF 2026-04 conditional novelty 7.0

    A technique recovers complete GPU hardware command streams from NVIDIA's closed-source CUDA driver via kernel instrumentation and doorbell watchpoints, demonstrated on data movement and CUDA Graphs.

  3. When Agents Handle Secrets: A Survey of Confidential Computing for Agentic AI

    cs.CR 2026-05 unverdicted novelty 5.0

    A survey providing a taxonomy of TEE platforms, an agent-centric threat model, and open challenges for applying confidential computing to secure agentic AI systems.

  4. When Agents Handle Secrets: A Survey of Confidential Computing for Agentic AI

    cs.CR 2026-05 unverdicted novelty 4.0

    A structured survey of confidential computing for agentic AI that catalogs TEE platforms, agent-specific threats, transferable defenses, and remaining gaps in end-to-end frameworks.