Slashdot Mirror
Malware Now Hiding In Graphics Cards
mask.of.sanity writes "Researchers are closing in on a means to detect previously undetectable stealthy malware that resides in peripherals like graphics and network cards. The malware was developed by the same researchers and targeted host runtime memory using direct memory access provided to hardware devices. They said the malware was a 'highly critical threat to system security and integrity' and could not be detected by any operating system."
3 years ago I thought of this possibility, but everyone laughed and pointed at me in my local community. Guess who's laughing now.
This ridiculous push to offload every type of programming into GPUs including bitcoin mining and no one saw this possibility? (Sarcasm, I know people saw the possibility.)
Measures could have been taken... but then again, what better way for the NSA and other government spies to infiltrate a computer independent of an operating system than this? Seriously. It'll work on Mac, Windows and Linux with or without proprietary drivers.
Measures could have been taken...
Any system with an IOMMU can be made immune to this sort of attack.
When information is power, privacy is freedom.
This ridiculous push to offload every type of programming into GPUs including bitcoin mining
Or, you know, programs that benefit from running on a specialized highly-concurrent processor cluster (aka GPU). Graphics and hashing are just two examples.
The payload might be agnostic to the OS, but what about the dropper? I would imagine that would have to be custom-tailored to each OS. Unless the manufacturers are letting NSA drop the payload in before it gets to the consumer.
:(){
If and only if there is sufficient IOMMU resources... and are not disabled by the drivers...
Interesting that security researchers are JUST NOW thinking about this. I was on an flight from San Diego to Japan back around 2005, seated next to a gentleman on his way to a computer conference - I believe it was HITB, and either Dubai or Malaysia - and we were chatting about the inevitability of computer virus exploits being used to co-opt hardware instead of operating systems. He had recently developed a way to suborn the Nvidia Geforce bios update process by presenting the card with a working update that contained arbitrary code. Once loaded into the BIOS, the update version number was far beyond any possible build number - so it could not be removed except by either replacing the card or by replacing the BIOS chip. If I remember correctly, the gentleman who I was talking to was rather interested in my mentioning that the most beneficial place to install similar software would be a networking card, as the network card could "listen" for command and control signals without the interference of the operating system or any security software - kind of an "outside the tripwire" situation.
This has been a fear of security people for years now (I think we discussed the possibility of this type of attack in a Foundstone class I took 2005.)
I've worked on GPU hardware since before we called them GPUs. I've also done malware investigation in my youth.
In 1998, I wrote a proof of concept for this very thing. I'm actually impressed it took 15 years for someone to go public with it.
Posting as AC for obvious reasons...
So yeah, not too worried about the malware. Fever immunity FTW
I actually still don't see the possibility. Bitcoin mining uses the GPU cores and a tiny amount of graphics memory. You turn off the computer and all the GPU caches and GDDR5 is wiped. Hiding malware in the video BIOS is unrelated to hashing and bitcoin operations. The BIOS certainly has enough system permission and is big enough though!
It seems that internal (and that includes USB/Firewire etc) hardware and buses are now at a similar stage of development, security wise, to that of networking in the late 1980s: most hardware seems to be implicitly trusted, but its increasing intelligence means that formerly dumb peripherals now constitute a serious threat to the integrity of the system.
Removing DMA could wreck system performance, so, perhaps, the provision of an internal broker of some sort within systems is called for, similar in concept to a network firewall, and which would mediate peripheral access to memory, i/o, interrupts etc and, importantly, remove this task from the main CPU(s), which can increasingly be unstoppably bypassed by these threats.
I spent almost two months trying to diagnose and fix this.
I reinstalled, tried to wipe the mbr and disk with zeroes, tried to reset CMOS on my stationary pc (try that on a fucking laptop)...
Since I depended on my laptop for my internship...missing work, using my limited resources(read medicine) trying to fix what i though to be fixable, to salvagable, to dear god give me another bottle of Grouse!
I installed both Avast and Malwarebyte(yes they worked together) some years ago...but somehow they didnt catch the wild changes in the registry, every location for programs was replaced with an CLSID exploiting that fucking virtualisation hack windows provided.
That and Alternative Data Streams....JESUS CHRIST!
I had internal winsock commands that came from absolute NOWHERE!
Im not an expert.....Im happy for people to call me mad and/or idiot.
But when a fresh install of Ubuntu decides to include every fucking packagea that includes virtualisation solutions....
"If I am mad, it is mercy! May the gods pity the man who in his callousness can remain sane to the hideous end!”
I have two laptops (one Ive sent to repair begging them to nuke every fucking ROM from space), the other overheats withing 30 minutes and my stationary...everything got certs I cant trust for shit.
Again, Am i dense? Have I panicked for nothing and led myself astray by red herrings? (This is not meant to be a tech support plea, just sort of...retorical)
My -1 Troll is actually a +1 funny. And my -1 flame is actually a +1 insightfull.
Not to mention how accecible it is to flash the shit from the OS...secure computing is fucking trash.
My -1 Troll is actually a +1 funny. And my -1 flame is actually a +1 insightfull.
Bitcoin mining with the GPU is almost over. The way it is done these days is through specialized ASIC circuits. So really it's not all that relevant anymore.
packet payloads can be manipulated on the card long before the data even gets to the dma buffers
network cards can create magical endpoints from thin air without having to send or receive any packets
or they can look for a specific pattern in a packet and ship its contents to a preordained destination
don't try to think about what they cannot do, think about what they can do, it's frightening
The thing is if the malware communicates with the outside world all you have to do is get a trustworthy router that allows you to view the traffic between a computer and the outside world from another computer. At worst the traffic is encrypted but at least you can see that there is unusual traffic and you can see the destination of the traffic. You can get packet inspection software to do it (Ethereal comes to mind but I'm sure there are others). If done right with the right equipment the hardware couldn't hide the existence of traffic and the source/destination (even if the traffic is encrypted). From there you can dig more into the hardware to discover the origin and intent of the traffic. So something like this would be hard to hide from someone looking for it.
(To continue off my last post).
Now the trick is, say the malware communicates with Microsoft during a windows update, the transition of which is encrypted. Perhaps the malware might be able to hide itself in that traffic and disguise itself as part of a Windows update. This could be more difficult to detect.
Or during your encrypted (https) connection with Bank of America or whatever website you are connecting to.
- have your OS scan executables/libs before they are loaded
- disable GPGPU
- STAY OFF THE FUCKING INTERNET
Anons need not reply. Questions end with a question mark.
Bitcoin mining with your own GPU is almost over.
What if you aren't paying for the hardware or the electricity bill on a thousand machines?.
"The Adobe Updater must update itself before it can check for updates. Would you like to update the Adobe Updater now?"
It's just another half-assed job. Computer tech is full of half-ass ideas that sounded pretty good but were never completed. The 640k limit and protected mode. Expanded/Extended memory through A20. Half assed effort by Lotus, IBM and Microsoft. Operating systems - sold as secure, almost as insecure as ever. About the only good thing is they don't usually automatically install malware from the internet without asking you first. Half assed. Trusted Computing - half assed. UEFI, half assed.
I don't know if it's a lack of budget, or if computer techies (not your regular coders but the guys that come up with this stuff and implement it) really have such short attention spans. Or maybe it's just a marketing thing - give us a new tech word we can market for this generation, it doesn't have to work, we'll just pretend it's something good and make people want it.
Seven puppies were harmed during the making of this post.
That is why I mine crypto currencies with my graphics card 24/7 and liquid cool them.
The overclocking burns the malware out, then the distilled water flushes it out. My 99.8% pure silver kill coil takes care of any remaining parasites - just in case the UV lighting didn't burn them to death already....
Or Intel's version - VT-d.
Look into the Qubes OS [ http://qubes-os.org/ ] for a very good implementation of this for general desktop computing.
You are correct, he was talking out of his ass. These programs don't run "on the GPU" but rather utilize the GPU resources to do highly parallel processing that it's suited well for. That has exactly zippy to do with is being reported here.
And I'd ask - what firmware exactly? NVIDIA? AMD? Intel? Hell, on the new CPUs with video onboard where is the firmware even located? BIOS now there's some fun - even the same manufacturer has different code for different boards for different chipsets. I don't see anyone making anything that's not one off for that anytime soon even with UEFI supposedly making things more uniform. Safeboot and other things already check much of that anyway when enabled properly.
Build it, Drive it, Improve it! Hybridz.org
I remember a "dinosaur" telling me about an S/390 "virus" in my youth. It was written to infect the disk, drum, and tape controllers, and to replicate itself to any uninfected devices in the system.
It was relatively harmless. It would periodically pop up a console message like "I want a cookie.", and lock up the system until the operator typed in "cookie".
However, apparently the only way to purge the thing was to replace all the hardware controllers at the same time.
Whether true or not, I do not know. But it's the oldest "virus" story I've ever heard -- it was told to me way back in the 80s.
I do not fail; I succeed at finding out what does not work.
Oooh! Good, make sure you say NSA in every post!
Then you're a thief...
Yes, when I saw this I thought that this was a reason to make motherboard IOMMUs a security feature. Also, the DMA destination memory pages should not have the executable bit turned on. Recent generations of Intel/AMD CPUs have provided the ability to turn that bit off.
Bruce Perens.
A) The cross-platform advantage, as you present it, is tremendously smaller than the disadvantage of having to create specific-per-GPU implementations (Although I'm not that knowledgable in the GPU market, perhaps there's some Nvidia chipset that takes 80% of the market. I'm assuming that's not the case)
B) The cross-platform is not that important even by itself. This stuff matters more since those (viruses) are harder to detect by the OS / AV running on the OS.
IMHO it's not cost-effective. Creating generic viruses for Windows is still the best cost-effective. And since Mac and Linux users typically don't run any defense and are much more vulnerable than PCs running Win7/8, it's more of a matter of will.
Well, in fact you can't run such a code without quite high privileges for a reason. Simple shader won;t be able to read arbitrary memory. And it's easier to use graphics card's DMA to patch kernel with some evil code in keyboard procedure than monitor buffer all the time.
If this things gets for real we will have a Crysis.
Think about it: The second EEPROM's came around/flashable BIOS' in equipment? The "doors opened" for this type of thing to occur folks...
* Everything has 2 sides, & it ALL depends on what set of 'rosie colored glasses' & perspective you maintain...
APK
P.S.=> In other words - as nice as flashable proms are, it was only a matter of time before malware makers took advantage it as well. Technically though? A 'reflash' would/should, take care of it (no, I didn't read the article, but I imagine this is just a variation of the theme I just expounded upon here, based on technical fact)...
... apk
Welcome to the real world!
If you open your eyes wide enough,you'll notice that pretty much everything is half-assed in one manner or another. This isn't necessarily a bad thing because doing the job "properly" is either impractical, too expensive, or takes too long. In reality, we don't even know what "properly" is most of the time.
I'd go as far as to say that humanity's real achievement is the ability to say "fuck it" and go forward with a pragmatic solution that's useful enough to come out ahead and not dangerous enough to kill us all.
They said the malware was a 'highly critical threat to system security and integrity' and could not be detected by any operating system."
Can someone 'splain that, or is it just nonsense? The malware was put into the GPU or whatever by a program running on the OS, why can't another program on the OS detect it? Write Only Memory?
Measures could have been taken... but then again, what better way for the NSA and other government spies to infiltrate a computer independent of an operating system than this? Seriously.
Perhaps this?
http://www.theregister.co.uk/2013/09/23/intel_stuns_world_with_wakeon3g/
NSA already have a hidden 3G enabled backdoor straight in to your CPU and can even power up computers remotely and provide power to HDDs and access them remotely.
It even has it's own OS within the chip so your OS of choice doesn't matter
You say it as if fact, but you must have missed this line in the article: "No evidence is offered for the assertions detailed above."
Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
solar!
It certainly is not that out of the question: http://lists.freedesktop.org/archives/nouveau/2013-September/014497.html
You have to keep an open mind.
Basically this theorized malware would use the GPU (or other DMA capable device in the system) to bypass page permissions. Since most operating systems depend on virtual addressing and CPU page permissions to protect things, having a DMA capabile device that didn't respect page permission could easily bypass the assumptions made by most OS's and malware detection programs.
The problem is of course with the limitations of current malware detection programs. They could of course theoretically detect GPU viruses as they need to exist somwhere (even GPUs execute instructions and have page tables for their memory). The problem is that there are so many different types of GPUs and each has a different proprietary driver architecture, current malware detection companies don't have enough information or experience to even attempt to try this even if they had the desire and the resources. Then again maybe the GPU vendors have built in malware in their drivers (kinda like some of the phone-home free-pdf/fax printer drivers). If so, you are just screwed.
FWIW, there was an attempt a few years ago to impose an IOMMU into the PC architecture that could filter DMA requests from devices. The idea was that if the OS was in control of the IOMMU, like the page tables, it could disallow a DMA request from a rogue device request similar to how it could trap a CPU access. I lost track of this, but I doubt it will go anywhere...
However, this isn't usually the weak point in the chain, this is merely a theoretical threat kind of like warning people about how installing random program on their PC is a "highly critical threat to system security and integrity" when most folks have a browser setting that allows running just about any browser plugin suggested by a random web-page by merely clicking "OK" when the warning dialog box comes up. It's just scary because you've never heard of it before and it's yet another thing to worry about.
Slashdot's title is deceptive: that is not a real malware but a PoC created by the researchers. They just fight their own creation.
I've worked in GPU software since before they were GPUs, and in my youth I "researched" malware and viruses.
I wrote a proof of concept for a GPU virus in 1998 (no suspicious code executing on the CPU). I'm quite surprised that it took this long for someone to actually make it into actual malware.
Posting as AC for obvious reasons.
still a $25 dollar ASIC now has the hash rate of a high end video card that costs over $200. the ASIC uses 2.5 watts, plugs into a usb port, is silent, and requires little physical space, and can be run from a raspi.
GPU mining, fuck off
How does this malware get onto the targeted system, without user action or root access?
Bitcoin was never relevant apart from those poor sods that got tricked into the stupid virtual ponzi scheme. Even minecraft mining has more of a real effect on the world.
I suspect a wrong refresh rate killing a CRT is an urban myth. Even the cheapest monitors that supported power saving simply shut off if they encountered something they couldn't handle. *Maybe* it would have been possible in the early days of fixed refresh rates and resolutions but I'm still skeptical. Who would even sell something so easily damaged?
Only the State obtains its revenue by coercion. - Murray Rothbard
I pretty universally blame management for not listening to their techies-with-brains for the loads of half-assed jobs of all kinds out there. I say "shit rolls downhill".
I only post comments when someone on the internet is wrong.
Hopefully some other folks will now join me in my being pissed at lack of IOMMU support in random subsets of Intel's product line. Its a critical feature. Without it, all PCIe based stuff (graphics cards, FireWire, thunderbolt etc) all have full read/write memory access. Thats horrible.
The article actually refers to being able to detect the malware; the key here is DMA, or "Direct Memory Access." DMA is in use by a great many things, including FireWire (IEEE 1394), USB 3.0, and Thunderbolt as well as many internal peripherals like graphics cards.
Why, you ask? Simple...for performance. If you think of memory as being like a big warehouse, other methods are like having a guy at the front of it on the other side of that counter...you know, the one with the fencing and a little slot for you to pass him your invoice so he can go get what you came to pick up? You show up, give him the invoice, he looks at it, goes to get exactly the thing you're allowed to take, and brings it to you. This is secure, but also a bottleneck. DMA, on the other hand, is more like having that guy standing at the front door to the warehouse, just making sure you have an invoice at all...then he waves you on through to go get it yourself. Obviously, that has security ramifications.
And that's the real key to this threat...if they've come up with a way to detect attacks like that, they've come up with a way to defend against them coming from more than just malware in a graphics or network card. They've come up with a way to help protect against password-reading via USB 3.0 ports and the like as well. It would also, however, provide more methods for counter-forensics...so its a double-edged sword.
For your security, this post has been encrypted with ROT-13, twice.
No one remembers the altered printers the Iraqis got?
Given the recent revelations including NIST weaknesses, does OpenBSD withstand the likely attacks?
I thought Geforce was doing this to my motherboard 5+ years ago. When I reproduced the same type of problems with newer ATI and Gigabyte motherboards, I became a beleiver. The Gigabyte motherboards, with its dual bioses , somehow became corrupted. It Sucks.
Is flashing the graphics card enough to remove? Yes, No, Maybe?
Windows NT4.1 explicitly disallowed DMA to video memory. Want to venture a guess as to why?
But of course, now you get DMA to the video card in later versions of Windows. Devs hated not having DMA.
Reap what you sow, instead of trying to follow good security practice.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
https://www.blackhat.com/html/bh-us-12/bh-us-12-archives.html#Brossard
No time to research this now, I'm supposed to be working, but my colleagues and I had a quick 5-minute brainstorm on this and came up with a few points.
1) If the malware is initialised by the OS and loaded into the GPU that way, you've got a tiny window of opportunity to detect it then or you can use deep-scan techniques to pluck it off the hard drive. However, this is unlikely to work in practise because...
2) If a virus developer is smart enough to load malware into your GPU, they're smart enough to embed it into your firmware and add some rootkit protection against reflashing - time to buy a new GPU because you ain't ever getting that sucker out of there now.
3) That means, as always, the only practical time to deal with this is before the infection take enough of a hold to defend itself against anti-malware software. It needs a standard infection vector, so the usual anti-virus packages could be updated to spot this type of infection just like anything else that comes in off the wire.
4) IOMMU and VT-D could be used (extended?) to implement a per-device GPU DMA memory zone whitelisting scheme, something along the lines of the no-execute bit used with CPUs today. This would blunt the snooping capabilities of GPU malware. Further extensions to allow review of GPU communication may be able to detect or prevent initial infection of the GPU or the initialization of unwanted processes (depending on the malware type as above), but that would imply a huge increase in latency that would not be suitable for all applications.
Not all malware communicates with the outside.
I wonder if my gfx-card virus that adds a new fake dead pixel every month is still floating around. It would be interesting to see if monitor sales have gone up since it started jumping around.
See subject-line: Hosts work on that principle vs. it or other threats online in malware or malicious script served from a site (provided it has it in its blocklist) - so yes, it would on that basis vs. this even since it is a malware payload deliverable that does it typically in cases like this
* Thanks for bringing it up!
APK
P.S.=> Hosts are incredibly versaitile, & what makes creating one easy? This (by "yours truly"):
---
APK Hosts File Engine 9.0++ 32/64-bit:
http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74
(Benefits hosts files provide on numerous levels for speed, security, reliability, & anonymity = in link above)
---
Custom hosts files give users of custom hosts files added speed, security, reliability, & even anonymity + are far, Far, FAR superior to AdBlock/Ghostery/RequestPolicy (hosts do far more, on far more levels).
---
"The premise is, quite simple: Take something designed by nature & reprogram it to make it work FOR the body, rather than against it..." - Dr. Alice Krippen "I AM LEGEND"
...apk
Stealthy GPU-based Keylogger
http://cryptome.org/2013/09/gpu-keylogger.pdf
++
In Response To Slashdot Article: Former Pentagon Analyst: China Has Backdoors To 80% of Telecoms
How many rootkits does the US[2] use officially or unofficially?
How much of the free but proprietary software in the US spies on you?
Which software would that be?
Visit any of the top freeware sites in the US, count the number of thousands or millions of downloads of free but proprietary software, much of it works, again on a proprietary Operating System, with files stored or in transit.
How many free but proprietary programs have you downloaded and scanned entire hard drives, flash drives, and other media? Do you realize you are giving these types of proprietary programs complete access to all of your computerâ(TM)s files on the basis of faith alone?
If you are an atheist, the comparison is that you believe in code you cannot see to detect and contain malware on the basis of faith! So you do believe in something invisible to you, donâ(TM)t you?
Iâ(TM)m now going to touch on a subject most anti-malware, commercial or free, developers will DELETE on most of their forums or mailing lists:
APT malware infecting and remaining in BIOS, on PCI and AGP devices, in firmware, your router (many routers are forced to place backdoors in their firmware for their government) your NIC, and many other devices.
Where are the commercial or free anti-malware organizations and individualâ(TM)s products which hash and compare in the cloud and scan for malware for these vectors? If you post on mailing lists or forums of most anti-malware organizations about this threat, one of the following actions will apply: your post will be deleted and/or moved to a hard to find or âdeleted/junk postsâ(TM) forum section, someone or a team of individuals will mock you in various forms âtin foil hatâ(TM), âconspiracy nutâ(TM), and my favorite, âwhere is the proof of these infections?â(TM) One only needs to search Google for these threats and they will open your malware world view to a much larger arena of malware on devices not scanned/supported by the scanners from these freeware sites. This point assumed youâ(TM)re using the proprietary Microsoft Windows OS. Now, letâ(TM)s move on to Linux.
The rootkit scanners for Linux are few and poor. If youâ(TM)re lucky, youâ(TM)ll know how to use chkrootkit (but you can use strings and other tools for analysis) and show the strings of binaries on your installation, but the results are dependent on your capability of deciphering the output and performing further analysis with various tools or in an environment such as Remnux Linux. None of these free scanners scan the earlier mentioned areas of your PC, either! Nor do they detect many of the hundreds of trojans and rootkits easily available on popular websites and the dark/deep web.
Compromised defenders of Linux will look down their nose at you (unless they are into reverse engineering malware/bad binaries, Google for this and Linux and begin a valuable education!) and respond with a similar tone, if they donâ(TM)t call you a noob or point to verifying/downloading packages in a signed repo/original/secure source or checking hashes, they will jump to conspiracy type labels, ignore you, lock and/or shuffle the thread, or otherwise lead you astray from learning how to examine bad binaries. The world of Linux is funny in this way, and Iâ(TM)ve been a part of it for many years. The majority of Linux users, like the Windows users, will go out of their way to lead you and say anything other than pointing you to information readily available on detailed binary file analysis.
Donâ(TM)t let them get you down, the information is plenty and out there, some from some well known publishers of Linux/Unix books. Search, learn, and share the informatio
Will security firms detect police spyware?
By Declan McCullagh, News.com
Published on ZDNet News: Jul 17, 2007 11:00:00 AM
--
* This article is being archived on pastebins because it is not available at the original location where it was published. This copy/paste does not include the links (urls) within the article.
original story url: http://news.zdnet.com/2100-1009_22-6197020.html
* Attention ZDNet News: Please do not move or expire articles as they age.
"The New Zealand Copyright Act 1994 specifies certain circumstances where all or a substantial part of a copyright work may be used without the copyright owner's permission. A "fair dealing" with copyright material does not infringe copyright if it is for the following purposes: research or private study; criticism or review; or reporting current events."
---
"A recent federal court decision raises the question of whether antivirus companies may intentionally overlook spyware that is secretly placed on computers by police.
In the case decided earlier this month by the 9th U.S. Circuit Court of Appeals, federal agents used spyware with a keystroke loggerâ"call it fedwareâ"to record the typing of a suspected Ecstasy manufacturer who used encryption to thwart the police.
A CNET News.com survey of 13 leading antispyware vendors found that not one company acknowledged cooperating unofficially with government agencies. Some, however, indicated that they would not alert customers to the presence of fedware if they were ordered by a court to remain quiet.
Spyware survey
Most of the companies surveyed, which covered the range from tiny firms to Symantec and IBM, said they never had received such a court order. The full list of companies surveyed: AVG/Grisoft, Computer Associates, Check Point, eEye, IBM, Kaspersky Lab, McAfee, Microsoft, Sana Security, Sophos, Symantec, Trend Micro and Websense. Only McAfee and Microsoft flatly declined to answer that question. (Click here for the verbatim responses to the survey.)
Because only two known criminal prosecutions in the United States involve police use of key loggers, important legal rules remain unsettled. But key logger makers say that police and investigative agencies are frequent customers, in part because recording keystrokes can bypass the increasingly common use of encryption to scramble communications and hard drives. Microsoft's Windows Vista and Apple's OS X include built-in encryption.
Some companies that responded to the survey were vehemently pro-privacy. "Our customers are paying us for a service, to protect them from all forms of malicious code," said Marc Maiffret, eEye Digital Security's co-founder and chief technology officer. "It is not up to us to do law enforcement's job for them so we do not, and will not, make any exceptions for law enforcement malware or other tools." eEye sells Blink Personal for $25, which includes antivirus and antispyware features.
Others were more conciliatory. Check Point, which makes the popular ZoneAlarm utility, said it would offer federal police the "same courtesy" that it extends to legitimate third-party vendors that request to be whitelisted. A Check Point representative said, though, that the company had "never been" in that situation.
This isn't exactly a new question. After the last high-profile case in which federal agents turned to a key logger, some security companies allegedly volunteered to ignore fedware. The Associated Press reported in 2001 that "McAfee Corp. contacted the FBI⦠to ensure its software wouldn't inadvertently detect the bureau's snooping software." McAfee subsequently said the report was inaccurate.
=
Later that year, the FBI confirmed that it was creating spy software called "Magic Lantern" that would allow agents to inject keystroke loggers remotely through a virus without having physical access to the computer. (In both the recent Ecstasy case and the earlier key lo
I know it's a kind of joke to say that, but that's not what an open mind. An open mind is one prepared to consider and process ideas rather than discard them based on the probability that they may clash with [one's] currently accepted ideas.
I don't know about GPUs in general, but in the Intel HD (GMA, etc) architecture, code (shaders) running on the GPU can only do DMA through page table windows in the GPU, which can only be setup by the CPU, unless perhaps you could map the GPU page table descriptor into a GPU page table entry, which would come undone as soon as the driver initialised the card and reset the descriptor.
This attack is not feasible, at least on Intel GPUs.
About the attacks:
Direct-Memory Access (DMA) has been an attack vector since ages
(Remember the attacks over FireWire 1394 ? Any RDMA-capable interface is at risk: high-speed modern netwrok, infiniband, firewire, etc.)
From that point of view, a Graphic Card is nothing new. But it has several advantages:
- A big hunking GPU which can locally do advanced attacks (some light bruteforcing if needed).
- A crapton of resources: GFX card firmwares are huge, available RAM on a GPU is bigger than HDD used to be when the first RDMA attacks where invented.
About the defense:
The defense too is known since age: IOMMU.
A IOMMU is to PCIe cards (and other peripherals) exactly what a MMU is to (virtual) memory - it enforces protection. It helps you control which bits of physical RAM should be seens by which user-space software/peripheral and a which arbitrary addresses.
As mentioned by others, IOMMUs have bin available as long as 64bits (because they are a requirement for 64bits systems: they can address way much more memory than what a 32bit or 16bit card can see. If you want a 32bits card on a 64bits system, either you do nothing special and are in a world of pain with buggy drivers that only randomly function (like the original Vista 64bits drivers for the 32bits SoundBlaster Audigy series of sound card. Depending on where the DMA buffer was allocated today, the sound card might completely refuse to play any coherent audio) or you use a IOMMU to map the actual RAM used into the 32bits address space of your peripheral.
Since the days of FireWire RDMA exploits, progress have been made to better use IOMMU to protect the system from malicious memory access. (At least on the Linux front for sure, but I suspect that Microsoft might have tried to secure Windows too)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]