EyeSpy: Inferring Eye Gaze via Side-Channel Attacks Against Foveated Rendering

from arxiv, 20 pages, 12 figures. Accepted to the 47th IEEE Symposium on Security and Privacy (IEEE S&P 2026). Artifacts: https://bmdj-vt.github.io/project_pages/xr_side_channels

While eye tracking provides valuable capabilities for virtual reality, such as gaze interaction and dynamic foveated rendering (DFR), eye-tracking data can inadvertently reveal sensitive user information if not properly protected. Current protections, such as adding permission prompts or gatekeeping gaze data, are insufficient on DFR-enabled systems because gaze data is used internally to drive DFR. When DFR is implemented, objects in the fovea (i.e., immediate gaze area) incur a higher GPU workload than those in the periphery. This gaze-contingent workload creates a novel side channel, which can be leveraged to reconstruct gaze positions. Specifically, we design a novel attack that sweeps imperceptible high-cost objects (HCOs) across the user's field of view and logs rendering performance metrics (e.g., frame rate or frame time) commonly exposed through standard game engines. Then, we correlate variation in these metrics (caused by HCO-foveal overlap) with the known HCOs' positions to infer gaze coordinates directly without using eye-tracking APIs. Our experimental results show that mean gaze prediction errors (1.1-4.4 degrees) across the Meta Quest Pro, Varjo XR-4, and desktop platforms are comparable to typical eye-tracker accuracy. We demonstrate that the attack generalizes across various hardware platforms, standard game engines, and foveated rendering pipelines. Finally, we design defense mechanisms based on supervised and unsupervised detectors that can flag the attack reliably (F1 of 0.99) over short time windows.

翻译：虽然眼动追踪为虚拟现实提供了注视交互和动态注视点渲染（DFR）等宝贵功能，但若防护不足，眼动追踪数据可能无意中泄露用户敏感信息。现有防护措施（如添加权限提示或对注视数据实施访问控制）在支持DFR的系统中效果有限，因为注视数据需在系统内部用于驱动DFR。当实现DFR时，中央凹区域（即即时注视区域）内的物体比周边区域物体产生更高的GPU负载。这种依赖注视点的负载差异构成了新型侧信道，可被利用来重建注视位置。具体而言，我们设计了一种新型攻击方法，该方法在用户视野中扫过不可感知的高成本物体（HCOs），并记录标准游戏引擎通常暴露的渲染性能指标（如帧率或帧时间）。随后，我们通过分析由HCOs与中央凹重叠引起的这些指标波动，将之与已知HCOs位置相关联，从而在不使用眼动追踪API的情况下直接推断注视坐标。实验结果表明，在Meta Quest Pro、Varjo XR-4及桌面平台上，平均注视预测误差（1.1-4.4度）与典型眼动追踪仪精度相当。我们证明该攻击可泛化至多种硬件平台、标准游戏引擎及注视点渲染管线。最后，我们设计了基于监督与无监督检测器的防御机制，可在短时间窗口内可靠识别此类攻击（F1分数达0.99）。