Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malware Running On Graphics Cards

Posted by CmdrTaco on from the freeing-up-the-cpu dept.

An anonymous reader writes "Given the great potential of general-purpose computing on graphics processors, it is only natural to expect that malware authors will attempt to tap the powerful features of modern GPUs to their benefit. In this paper, the authors demonstrate the feasibility of implementing a malware that can utilize the GPU (PDF) to evade virus scanning applications. Moreover, the authors discuss the potential of more sophisticated attacks, like accessing the screen pixels periodically to harvest private data displayed on the user screen, or to trick the the user by displaying false, benign-looking information when visiting rogue web sites (e.g., overwriting suspicious URLs with benign-looking ones in the browser's address bar)."

16 of 103 comments (clear)

  1. I had an idea like this. by RyuuzakiTetsuya · · Score: 2, Interesting

    except instead of doing that, it looked for textures that were generated anyway by games ads and swapped in other textures.

    My friends looked at me like I was evil and crazy.

    --
    Non impediti ratione cogitationus.
  2. I will show them... by halfEvilTech · · Score: 5, Interesting

    "Moreover, the authors discuss the potential of more sophisticated attacks, like accessing the screen pixels periodically and harvest private data displayed on the user screen"

    I guess we just change all fields to mask the entries with **** or if we want to really fool them use dots.

  3. Hehe, what goes around comes around by arivanov · · Score: 4, Interesting

    I used to run a small computer repair and write-to-order software shop for a living while in the Uni with two more people. One of them had that idea around 1994. In those days it was just to store the code in the video RAM pages which are not directly accessible to a scanner and keep a small polymorphic backstrap routine in main memory.

    What goes around comes around. Looks like this is using a similar approach. Even if you compute some stuff on the card you still need a bootstrap within the main system to use it and talk back to the "mothership".

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
    1. Re:Hehe, what goes around comes around by Rich0 · · Score: 2, Interesting

      I agree that somehow the code has to get into the GPU, which means a bootstrap of some kind from the main CPU. I'm not sure it has to remain in the main memory for any period of time, however, as long as the graphics card has DMA access back into main memory.

      I'm not sure how memory protection works on the most modern systems, but at least in the past DMA had wide-open access to everything. So, if the graphics card needed to get back into the CPU for a short time, it could just modify the interrupt descriptor table, trigger an IRQ, and so on. Or, it could patch any code in RAM to run, and then replace it back when it was done. Then again, I'm not sure if it is strictly necessary to ever get back into RAM - perhaps the virus could just directly talk to the NIC/HD/etc and get whatever it needs done. Who needs the main CPU?

      Again, I'm not familiar enough with PCI/etc to know if this is practical. But I bet you could exploit a lot of code that is already in the system.

  4. Popups 2.0 by BradleyUffner · · Score: 4, Interesting

    This should make for some wonderful new kinds of pop up ads that can't be dismissed or in any way taken out of focus.

  5. Process Authentication and Authorization by Doc+Ruby · · Score: 3, Interesting

    User and role based authentication/authorization is essential to security, but not sufficient. A machine that brings authentication/authorization down to the process level would be more secure.

    I'd like a PC that enforced access control on each process running. Every call to any HW, whether CPU, MMU, GPU, or any bus, to require authentication. A crypto ASIC with scores of simultaneous auth units pointing at each process space and the ACL table for auth in just a few extra clock ticks on operations per process, at startup and randomly every dozen or so calls. More frequently when there's a "heightened alert" either by network notification or during and after other security events like DoS attacks and malware discovery.

    --

    --
    make install -not war

  6. Malware everywhere by Anonymous Coward · · Score: 1, Interesting

    I have seen somewhere botnets on routers here in slashdot.

    What's the next device to be infected? Network printers? SSDs with that little ARM to perform GC? NICs?

    1. Re:Malware everywhere by Mister+Whirly · · Score: 2, Interesting

      There is malware that runs on network printers already. There was the Hoots worm that printed out the picture of an owl with "O RLY" on it.

      --
      "But this one goes to 11!"
  7. Re:KISS by nospam007 · · Score: 2, Interesting

    Sure it would. It changes pixels directly onscreen, the browser/app/whatever will never know.

  8. Driver problem by TheRaven64 · · Score: 4, Interesting

    Modern GPUs include memory protection, so different processes can be prevented from reading each others' VRAM, just as they can be prevented from running each others' RAM. This is not always used by the drivers, which may just map the entire physical VRAM into the GPU's virtual address space. With properly written drivers, this is much harder.

    The big malware potential comes from WebGL. This allows you to run arbitrary GLSL code in the browser's (GPU) address space. Although you probably can't take over the entire display, you can potentially take over the entire browser window without permission. Hopefully, the driver will give you entirely separate GPU address spaces per GL context, but given how incompetent AMD and nVidia's driver teams have demonstrated themselves to be, I doubt it.

    --
    I am TheRaven on Soylent News
  9. Government researchers? by Chemisor · · Score: 1, Interesting

    Does anyone find it disturbing that taxpayers' money is used to do the bad guys' work for them? I can understand researching anti-malware strategies, but why are these people given money to come up with bad things to do to my computer?

  10. Re:KISS by wealthychef · · Score: 2, Interesting

    If you know the coordinates of the window, then you can make a pretty good guess as to the location of the URL bar.

    Not in my browser. When you add extensions, the URL field moves to accomodate them. I would guess similar behavior is common elsewhere. I think this attack is going to be hard to do in practice.

    --
    Currently hooked on AMP
  11. Re:KISS by TheRaven64 · · Score: 3, Interesting

    It would be pretty difficult to determine which pixels are the URL bar on the GPU though.

    No, not really. The browser window's address bar is a pretty easy shape for simple computer vision algorithms to spot, and you've go access to a nice parallel processor to run them on...

    --
    I am TheRaven on Soylent News
  12. Re:KISS by nschubach · · Score: 2, Interesting

    Unless you run IE/Win Vista/7, where the address bar cannot be moved or removed (I've tried) and is a calculable distance from the top and left.

    Although it's not the original reason I wish I could move the elements of that top bar, I just might have to add it to my list.

    (XP lets you move the address bar practically anywhere, so it would be harder to "guess" unless you were to read API messages concerning the stored location of said bar.)

    --
    Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  13. Re:KISS by jpapon · · Score: 3, Interesting

    Yeah, I suppose. I could make this happen today if I knew how to dump the screen buffer contents to a readable array in device global memory in CUDA.

    --
    -- Let us endeavor so to live that when we pass even the undertaker shall be sorry. -- M. Twain
  14. Re:KISS by sjames · · Score: 3, Interesting

    Fortunately, it's running on the GPU, which we all know from the marketing hype is an amazing infinitely powerful CPU. It will have no problem running a recognition program to find the URL bar.