Slashdot Mirror
Malware Now Hiding In Graphics Cards
mask.of.sanity writes "Researchers are closing in on a means to detect previously undetectable stealthy malware that resides in peripherals like graphics and network cards. The malware was developed by the same researchers and targeted host runtime memory using direct memory access provided to hardware devices. They said the malware was a 'highly critical threat to system security and integrity' and could not be detected by any operating system."
3 years ago I thought of this possibility, but everyone laughed and pointed at me in my local community. Guess who's laughing now.
This ridiculous push to offload every type of programming into GPUs including bitcoin mining and no one saw this possibility? (Sarcasm, I know people saw the possibility.)
Measures could have been taken... but then again, what better way for the NSA and other government spies to infiltrate a computer independent of an operating system than this? Seriously. It'll work on Mac, Windows and Linux with or without proprietary drivers.
So yeah, not too worried about the malware. Fever immunity FTW
network cards can create magical endpoints from thin air without having to send or receive any packets
or they can look for a specific pattern in a packet and ship its contents to a preordained destination
don't try to think about what they cannot do, think about what they can do, it's frightening
It's just another half-assed job. Computer tech is full of half-ass ideas that sounded pretty good but were never completed. The 640k limit and protected mode. Expanded/Extended memory through A20. Half assed effort by Lotus, IBM and Microsoft. Operating systems - sold as secure, almost as insecure as ever. About the only good thing is they don't usually automatically install malware from the internet without asking you first. Half assed. Trusted Computing - half assed. UEFI, half assed.
I don't know if it's a lack of budget, or if computer techies (not your regular coders but the guys that come up with this stuff and implement it) really have such short attention spans. Or maybe it's just a marketing thing - give us a new tech word we can market for this generation, it doesn't have to work, we'll just pretend it's something good and make people want it.
Seven puppies were harmed during the making of this post.
Yes, when I saw this I thought that this was a reason to make motherboard IOMMUs a security feature. Also, the DMA destination memory pages should not have the executable bit turned on. Recent generations of Intel/AMD CPUs have provided the ability to turn that bit off.
Bruce Perens.
Welcome to the real world!
If you open your eyes wide enough,you'll notice that pretty much everything is half-assed in one manner or another. This isn't necessarily a bad thing because doing the job "properly" is either impractical, too expensive, or takes too long. In reality, we don't even know what "properly" is most of the time.
I'd go as far as to say that humanity's real achievement is the ability to say "fuck it" and go forward with a pragmatic solution that's useful enough to come out ahead and not dangerous enough to kill us all.
The problem is that every card on a PCIe bus can be a master, has access to all of memory, has a processor of some kind, and has insecure firmware. Pick any popular card - network, storage or graphics - and you have a potential attack. Find a bug people are having and post a fix or a tool to fix it. There will always be some sucker who will download it and run it.
Basically this theorized malware would use the GPU (or other DMA capable device in the system) to bypass page permissions. Since most operating systems depend on virtual addressing and CPU page permissions to protect things, having a DMA capabile device that didn't respect page permission could easily bypass the assumptions made by most OS's and malware detection programs.
The problem is of course with the limitations of current malware detection programs. They could of course theoretically detect GPU viruses as they need to exist somwhere (even GPUs execute instructions and have page tables for their memory). The problem is that there are so many different types of GPUs and each has a different proprietary driver architecture, current malware detection companies don't have enough information or experience to even attempt to try this even if they had the desire and the resources. Then again maybe the GPU vendors have built in malware in their drivers (kinda like some of the phone-home free-pdf/fax printer drivers). If so, you are just screwed.
FWIW, there was an attempt a few years ago to impose an IOMMU into the PC architecture that could filter DMA requests from devices. The idea was that if the OS was in control of the IOMMU, like the page tables, it could disallow a DMA request from a rogue device request similar to how it could trap a CPU access. I lost track of this, but I doubt it will go anywhere...
However, this isn't usually the weak point in the chain, this is merely a theoretical threat kind of like warning people about how installing random program on their PC is a "highly critical threat to system security and integrity" when most folks have a browser setting that allows running just about any browser plugin suggested by a random web-page by merely clicking "OK" when the warning dialog box comes up. It's just scary because you've never heard of it before and it's yet another thing to worry about.
Simply shutting of was a step up from the early technology. I don't remember the details but I think it had something to do with burning out some capacitor used in conjunction with the fly back transformer. A three cent part that took 100 bucks to get to and repair.
Not an urban legend I assure you. And the guys getting bit most often were Linux guys trying to figure out X config setting.
Back in the day I was selling a lot of hardware and had to process many warranty returns through our shop.
Sig Battery depleted. Reverting to safe mode.
The article actually refers to being able to detect the malware; the key here is DMA, or "Direct Memory Access." DMA is in use by a great many things, including FireWire (IEEE 1394), USB 3.0, and Thunderbolt as well as many internal peripherals like graphics cards.
Why, you ask? Simple...for performance. If you think of memory as being like a big warehouse, other methods are like having a guy at the front of it on the other side of that counter...you know, the one with the fencing and a little slot for you to pass him your invoice so he can go get what you came to pick up? You show up, give him the invoice, he looks at it, goes to get exactly the thing you're allowed to take, and brings it to you. This is secure, but also a bottleneck. DMA, on the other hand, is more like having that guy standing at the front door to the warehouse, just making sure you have an invoice at all...then he waves you on through to go get it yourself. Obviously, that has security ramifications.
And that's the real key to this threat...if they've come up with a way to detect attacks like that, they've come up with a way to defend against them coming from more than just malware in a graphics or network card. They've come up with a way to help protect against password-reading via USB 3.0 ports and the like as well. It would also, however, provide more methods for counter-forensics...so its a double-edged sword.
For your security, this post has been encrypted with ROT-13, twice.
The problem is that every card on a PCIe bus can be a master, has access to all of memory, has a processor of some kind, and has insecure firmware.
AMD was ahead of the curve on this, their CPUs have have a low-level IO manager since around the K8 microarchitecture.
The IO logic block sits between the CPUs interface bus and the memory controller (which is on the CPU, remember) and basically functions like a page-table for direct hardware access so you can actually remap the physical RAM at the hardware level from the perspective of the other devices. [i.e. set it up so that only the parts of the RAM which is being intentionally shared for DMA can be accessed by non-CPU hardware and everything else is unaddressible.
Intel has added their own manager to their newer CPUs as well so this hole is finally being closed up once the Intel feature becomes common enough for Windows to include drivers and low-level logic to use it.