MOLE: Breaking GPU TEE with GPU-Embedded MCU

Graphics Processing Units (GPUs) are extensively used for applications such as machine learning, scientific computing, and graphics rendering. To protect sensitive data processed by GPUs, Trusted Execution Environments (TEEs) for GPUs have been proposed. GPU TEEs, built with hardware-based isolation primitives, can defend against high-privilege attackers like OS kernels. However, in this paper, we present MOLE, a novel attack that compromises the security of GPU TEEs on Arm Mali GPUs by exploiting the GPU-embedded Microcontroller Unit (MCU). By injecting malicious firmware into the MCU, an attacker can bypass GPU TEEs' security guarantees. We evaluated MOLE with state-of-the-art GPU TEE proposals under multiple real-world attack scenarios, such as in-GPU AES encryption and object detection tasks. Our evaluation shows that MOLE can successfully extract sensitive data or manipulate the computation results of GPU TEEs. We responsibly disclosed our findings to the authors of the affected GPU TEE proposals and received acknowledgments from all of them. Moreover, our findings prompted Arm to enhance the security of its GPU firmware supply chains.