Slashdot Mirror
Malware Running On Graphics Cards
An anonymous reader writes "Given the great potential of general-purpose computing on graphics processors, it is only natural to expect that malware authors will attempt to tap the powerful features of modern GPUs to their benefit. In this paper, the authors demonstrate the feasibility of implementing a malware that can utilize the GPU (PDF) to evade virus scanning applications. Moreover, the authors discuss the potential of more sophisticated attacks, like accessing the screen pixels periodically to harvest private data displayed on the user screen, or to trick the the user by displaying false, benign-looking information when visiting rogue web sites (e.g., overwriting suspicious URLs with benign-looking ones in the browser's address bar)."
It says slashdot.org in my URL bar but since the last few months the comments of users appear to be from digg.
With this technology, new, more sophisticated Rickrolling is now possible.
except instead of doing that, it looked for textures that were generated anyway by games ads and swapped in other textures.
My friends looked at me like I was evil and crazy.
Non impediti ratione cogitationus.
"Moreover, the authors discuss the potential of more sophisticated attacks, like accessing the screen pixels periodically and harvest private data displayed on the user screen"
I guess we just change all fields to mask the entries with **** or if we want to really fool them use dots.
Nope, it wouldn't suffice for SSL sites.
Should read "nvidia adds twitter and pop3 integration to newest line of GPUs"
In soviet Russia, God creates you!
Imagine starting to be target for specific porn habits. No amount of private browsing would keep the ads from showing up on your computer.
GENERATION 25: The first time you see this, copy it into your sig on any forum and add 1 to the generation. Social exper
I used to run a small computer repair and write-to-order software shop for a living while in the Uni with two more people. One of them had that idea around 1994. In those days it was just to store the code in the video RAM pages which are not directly accessible to a scanner and keep a small polymorphic backstrap routine in main memory.
What goes around comes around. Looks like this is using a similar approach. Even if you compute some stuff on the card you still need a bootstrap within the main system to use it and talk back to the "mothership".
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
This should make for some wonderful new kinds of pop up ads that can't be dismissed or in any way taken out of focus.
User and role based authentication/authorization is essential to security, but not sufficient. A machine that brings authentication/authorization down to the process level would be more secure.
I'd like a PC that enforced access control on each process running. Every call to any HW, whether CPU, MMU, GPU, or any bus, to require authentication. A crypto ASIC with scores of simultaneous auth units pointing at each process space and the ACL table for auth in just a few extra clock ticks on operations per process, at startup and randomly every dozen or so calls. More frequently when there's a "heightened alert" either by network notification or during and after other security events like DoS attacks and malware discovery.
--
make install -not war
So when can we expect the GPU port of the nam-shub to protect us from the Cult of A5h3rah?
It would be pretty difficult to determine which pixels are the URL bar on the GPU though. Unless of course all this GPU acceleration they're putting in browsers now allows you to somehow read the coordinates directly.
-- Let us endeavor so to live that when we pass even the undertaker shall be sorry. -- M. Twain
I have seen somewhere botnets on routers here in slashdot.
What's the next device to be infected? Network printers? SSDs with that little ARM to perform GC? NICs?
Sure it would. It changes pixels directly onscreen, the browser/app/whatever will never know.
Modern GPUs include memory protection, so different processes can be prevented from reading each others' VRAM, just as they can be prevented from running each others' RAM. This is not always used by the drivers, which may just map the entire physical VRAM into the GPU's virtual address space. With properly written drivers, this is much harder.
The big malware potential comes from WebGL. This allows you to run arbitrary GLSL code in the browser's (GPU) address space. Although you probably can't take over the entire display, you can potentially take over the entire browser window without permission. Hopefully, the driver will give you entirely separate GPU address spaces per GL context, but given how incompetent AMD and nVidia's driver teams have demonstrated themselves to be, I doubt it.
I am TheRaven on Soylent News
If you know the coordinates of the window, then you can make a pretty good guess as to the location of the URL bar.
Headline: "Malware Running On Graphics Cards"
TFS/TFA: "Here's a paper showing that malware on graphics cards is theoretically possible and could possibly evade detection."
If you were trying to sensationalize the headline, you might as well have thrown "won't anyone think of the children!?!?" in there as well.
"Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
It might suffice for SSL sites if one of the CAs is authorizing the malware. With several governments acting as CAs, this is likely to become a possibility very soon.
"I was really not watching porn, it was just the virus that infected my geforce!"
Does anyone find it disturbing that taxpayers' money is used to do the bad guys' work for them? I can understand researching anti-malware strategies, but why are these people given money to come up with bad things to do to my computer?
Maybe, but people have so many addons and toolbars it would be a pretty rough guess.
-- Let us endeavor so to live that when we pass even the undertaker shall be sorry. -- M. Twain
If you know the coordinates of the window, then you can make a pretty good guess as to the location of the URL bar.
Not in my browser. When you add extensions, the URL field moves to accomodate them. I would guess similar behavior is common elsewhere. I think this attack is going to be hard to do in practice.
Currently hooked on AMP
It would be pretty difficult to determine which pixels are the URL bar on the GPU though.
No, not really. The browser window's address bar is a pretty easy shape for simple computer vision algorithms to spot, and you've go access to a nice parallel processor to run them on...
I am TheRaven on Soylent News
Oh boy... After reading through the first four paragraphs, I was reminded of Direct/Active-X. Device drivers in userland? I kinda knew about this but I guess I wanted to push it from my mind.
Is it really possible to have an advanced graphics environment with all the performance we desire without the windowing system having direct access to hardware? I suppose it would only be possible with an extremely rich API and high-speed communications interface and a whole lot of other things which would otherwise create a slow and complex means of interaction.
I guess from a security standpoint, all anyone who is Pro-Microsoft has to do is link to that page to prove that Desktop Linux isn't a whole lot better than Windows.
(But then again, none of my servers run X at all.)
No, you're thinking at the wrong level. The problem is that every application that gets an OpenGL context can upload programs to the GPU and run them. Fine in theory, and a modern GPU has the ability to isolate different context's memory from each other, but the drivers don't always use it (and don't always use it correctly when they do). If you're using an nVidia or ATi blob driver, then you have the same code controlling the GPU as a Windows user, so if the vulnerability is on Windows it will also be on Linux.
The latest versions of Nouveau do provide some support for giving different contexts different virtual address spaces, but this support may not always be used correctly. I've no idea about ATi / AMD drivers.
If you don't have on-GPU memory protection properly configured, then any GLSL, OpenCL, CUDA, HLSL, or whatever, program can access any of the GPU's memory. This means that anything in VRAM, including the contents of every on-screen window (and even some off-screen ones if you're on a system like OS X, X11 with a compositing manager, or Windows with Aero) is available to the malware.
I am TheRaven on Soylent News
Unless you run IE/Win Vista/7, where the address bar cannot be moved or removed (I've tried) and is a calculable distance from the top and left.
Although it's not the original reason I wish I could move the elements of that top bar, I just might have to add it to my list.
(XP lets you move the address bar practically anywhere, so it would be harder to "guess" unless you were to read API messages concerning the stored location of said bar.)
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
Yeah, I suppose. I could make this happen today if I knew how to dump the screen buffer contents to a readable array in device global memory in CUDA.
-- Let us endeavor so to live that when we pass even the undertaker shall be sorry. -- M. Twain
With kernel modesetting, it is possible to run an accelerated X without root privileges (MeeGo does this) but currently there are safety caveats. To support multiple simultaneous users there is a need for a revoke syscall otherwise other users could snoop your input devices by not dropping previous access to devices (you can watch some X devs discussing the issue on Phoronix).
All the malware has to do is add a CA it already owns.
Fortunately, it's running on the GPU, which we all know from the marketing hype is an amazing infinitely powerful CPU. It will have no problem running a recognition program to find the URL bar.
Does have the gpu in the cpu make it easy to get on the system / make it harder to get rid of?
Breaking key-based encryption used to be considered hard to do. Bring more horsepower to bear, ie. a GPU, and today's Hard To Do turns into a Proof of Concept and eventually becomes tomorrow's Commonplace.
If you were able to use the GPU to brute-force a password hash or similar authentication token for the system, you could install a rootkit on the card's option ROM.
1.It'd get to run with ring 0 access on each boot before the OS has a chance to do anything.
2. On EFI systems it'd have access to a TCP stack, full FAT and NTFS filesystem access, all included in the EDK. So it could update itself on the fly each boot.
The video card makes a great trojan horse to house your malware.
So does this mean that IE9 with its GPU acceleration can be used as the avenue for attack?
I advise reading "My Other Computer is Your GPU" by myself and Jason Rodzik from earlier this year:
http://dank.qemfd.net/dankwiki/images/d/d2/Cubar2010.pdf
It covers these topics, and many more. :D
Once a virus is running on a system, it can shut down virus scanners, and all that kind of stuff. That is always the case. Doesn't matter where it runs. The key is to keep it from running and that's what virus scanners do. They are the doormen, they stop people who are on the "Bad list" from coming in. Well even if your virus was GPU based, it'd still have to come in and execute on the CPU like normal. There is no way to directly load something in the GPU and run it there. As such the virus scanner would get to have a sniff at it and determine if it got to run.
Also, GPU code still has to have a CPU component. The system doesn't have tasks that run just in the GPU. They even note this in their paper. Their "proof of concept" solution? Oh the malware will be "packed" in the CPU code and then unpacked to the GPU. Oh, executable packing/encryption. Ya viruses haven't done that since always. Sorry guys, but virus scanners are wise to that. They check for packed code.
So really, I don't see anything special here. It is the same situation as now where you run the virus scanner to keep the baddies out. If a computer is already infected, it can keep the AV software out and you need to scan it offline.
Plus this kind of malware might be easier to deal with: Just shut down GPU processing. Unlike the CPU, that is a feasible thing to do. So if a system is infected, the GPU gets turned off, the malware cleaned, the GPU restarted. Graphics cards still work fine when addressed in old "Just a bunch of pixels," mode.
None of the described future attacks are feasible. Shared framebuffer is not accessible to applications directly for security reasons (authors think that this is "unfortunate"); direct access to framebuffer is not "inevitable" in the future -- much better technique is to use driver-controlled fast GPU blits: data doesn't leave GPU. Non-timesharing is non-issue -- driver can detect timeouts and reset hardware (TDR on Vista).
So the only issue is polymorphic virus that may use GPGPU decryption. If this happens, scanners will start using CUDA, or GPU virtualization.
And why not - it's a time-honored tradition to make code run anywhere you can. Those who owned C64s (especially those who read Transactor) will recall that for a while there, programming the 1541 floppy-drive CPU was just about as cool as could be.
... making things simple enough / safe enough for grandma has diminished / lulled many of us into blissful ignorance.
Nowadays systems are so complex, and tools to study them / keep an eye on them are so relatively clueless, there could be^H^H^H^H^H^H^H^H are dozens of things going on in our PCs that we are blissfully unaware of. Very unfortunate
"You must try to forget all you have learned. You must begin to dream." -- Sherwood Anderson
It's harder, therefore effort vs reward is not good enough unless they have some good malware. Just slap some code into a PDF and you're all set.
Thid is whu I usw a dynakicly genwrated captcja fomt. Supdr-secire, witr onky minor typo skde effrcts.
Sorry, but if you think adding a few GPUs into the mix is going to make a difference, you don't have much idea about cracking encryption.
Unless you figure out a weakness in the algorithm, you are not brute forcing a 128 bit key without either a lot of luck, centuries of time, or a quantum computer.
Here's a quote from an article about encryption.
Ah, but what about the dreaded massively distributed cracking brute force method for attacking something like 128 bit RC5 encryption? There are massive zombie farms of infected computers throughout the world and some may have gotten as big as 1 million infected computers. What if that entire army was unleashed upon the commonly used 128 bit RC5 encryption? Surprisingly, the answer is not much. For the sake of argument, let’s say we unleash 4.3 billion computers for the purpose of distributed cracking. This means that it would be 4.3 billion or 2 to the 32 times faster than a single computer. This means we could simply take 2 to the 128 combinations for 128-bit encryption and divide it by 2 to the 32 which means that 2 to the 96 bits are left. With 96 bits left, it’s still 4.3 billion times stronger than 64 bit encryption. 64 bit encryption happens to be the world record for the biggest RC5 bit key cracked in 2002 which took nearly 5 years to achieve for a massive distributed attack.
Now that we know that the distributed attacks will only shave off a few bits, what about Moore’s law which historically meant that computers roughly doubled in speed every 18 months? That means in 48 years we can shave another 32 bits off the encryption armor which means 5 trillion future computers might get lucky in 5 years to find the key for RC5 128-bit encryption. But with 256-bit AES encryption, that moves the date out another 192 years before computers are predicted to be fast enough to even attempt a massively distributed attack. To give you an idea how big 256 bits is, it’s roughly equal to the number of atoms in the universe!
which is totally what she said
then this gives us hopes for the Gallium 3D driver stack to fix this and implement proper memory protection on hardware supporting it. Well, to bad for Windows users.
and nonetheless, AdBlock+ and NoScript will very probably block GLSL as they does with any other scripting language. So shoddy websites won't be able to assault you with unstopable full window ads. Well, to bad for IE users.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]