Search papers, labs, and topics across Lattice.
This study introduces WGPULens, a framework designed to measure privacy-relevant signals in WebGPU, revealing how shared browser and GPU states can leak sensitive information. Through controlled experiments and a participant field study, the authors identify persistent pipeline compilation state as a significant privacy risk, demonstrating that native GPU activity can be inferred from browser-visible observables. The findings underscore the need for surface-specific privacy analysis in WebGPU, highlighting the importance of understanding which GPU states are exposed and the effectiveness of potential mitigations.
Persistent pipeline compilation state poses a significant privacy risk in WebGPU, revealing how browser and GPU interactions can leak sensitive information.
WebGPU lets ordinary web pages run GPU workloads through a validated programming model. Validation protects memory safety, but shared browser, driver, OS, and GPU state can still expose privacy-relevant signals. We present WGPULens, a framework for measuring those signals across controlled scenarios, browser-native co-residency, a participant field study, public page loads, and mitigation policies. Our framework separates measurements: controlled scenarios support leakage, boundary, and mitigation claims; participant runs support deployment, compatibility, and fingerprintability; and a Tranco crawl measures WebGPU exposure in real-world pages. Our controlled results identify persistent pipeline compilation state as the clearest surface. Cold/warm pipeline probes reveal prior compilation state across selected origin, profile, and browser placements. Controlled browser/native experiments also show native GPU activity can be inferred from browser-visible observables under labeled workloads. Other resource probes provide weaker positive results and negative controls. The participant field study shows active WebGPU behavior is highly distinctive within the sample, with deterministic components stable within runs and lower exact stability across repeated visits. A page-load crawl finds WebGPU use mainly as adapter probing and static support code, with no observed page-load shader, pipeline, queue, query, or map activity. Mitigation pilots identify source-level key separation as a proxy for evaluating pipeline-cache partitioning. Overall, WGPULens shows that WebGPU privacy analysis must be surface-specific: browsers need to measure which GPU state crosses which boundary, which browser-visible signals reveal it, and what the corresponding mitigations cost.