Malware Running On Graphics Cards
An anonymous reader writes "Given the great potential of general-purpose computing on graphics processors, it is only natural to expect that malware authors will attempt to tap the powerful features of modern GPUs to their benefit. In this paper, the authors demonstrate the feasibility of implementing a malware that can utilize the GPU (PDF) to evade virus scanning applications. Moreover, the authors discuss the potential of more sophisticated attacks, like accessing the screen pixels periodically to harvest private data displayed on the user screen, or to trick the user by displaying false, benign-looking information when visiting rogue web sites (e.g., overwriting suspicious URLs with benign-looking ones in the browser's address bar)."
I had an idea like this. (Score:3, Interesting)
except instead of doing that, it looked for textures that were generated anyway by games ads and swapped in other textures.
My friends looked at me like I was evil and crazy.
I will show them... (Score:5, Interesting)
"Moreover, the authors discuss the potential of more sophisticated attacks, like accessing the screen pixels periodically and harvest private data displayed on the user screen"
I guess we just change all fields to mask the entries with **** or if we want to really fool them use dots.
Hehe, what goes around comes around (Score:5, Interesting)
I used to run a small computer repair and write-to-order software shop for a living while in the Uni with two more people. One of them had that idea around 1994. In those days it was just to store the code in the video RAM pages which are not directly accessible to a scanner and keep a small polymorphic backstrap routine in main memory.
What goes around comes around. Looks like this is using a similar approach. Even if you compute some stuff on the card you still need a bootstrap within the main system to use it and talk back to the "mothership".
Popups 2.0 (Score:5, Interesting)
This should make for some wonderful new kinds of pop up ads that can't be dismissed or in any way taken out of focus.
Process Authentication and Authorization (Score:4, Interesting)
User and role based authentication/authorization is essential to security, but not sufficient. A machine that brings authentication/authorization down to the process level would be more secure.
I'd like a PC that enforced access control on each process running. Every call to any HW, whether CPU, MMU, GPU, or any bus, to require authentication. A crypto ASIC with scores of simultaneous auth units pointing at each process space and the ACL table for auth in just a few extra clock ticks on operations per process, at startup and randomly every dozen or so calls. More frequently when there's a "heightened alert" either by network notification or during and after other security events like DoS attacks and malware discovery.
Malware everywhere (Score:1, Interesting)
I have seen somewhere botnets on routers here in slashdot.
What's the next device to be infected? Network printers? SSDs with that little ARM to perform GC? NICs?
Re:KISS (Score:3, Interesting)
Sure it would. It changes pixels directly onscreen, the browser/app/whatever will never know.
Driver problem (Score:5, Interesting)
Modern GPUs include memory protection, so different processes can be prevented from reading each other's VRAM, just as they can be prevented from running each other's RAM. This is not always used by the drivers, which may just map the entire physical VRAM into the GPU's virtual address space. With properly written drivers, this is much harder.
The big malware potential comes from WebGL. This allows you to run arbitrary GLSL code in the browser's (GPU) address space. Although you probably can't take over the entire display, you can potentially take over the entire browser window without permission. Hopefully, the driver will give you entirely separate GPU address spaces per GL context, but given how incompetent AMD and nVidia's driver teams have demonstrated themselves to be, I doubt it.
Government researchers? (Score:2, Interesting)
Does anyone find it disturbing that taxpayers' money is used to do the bad guys' work for them? I can understand researching anti-malware strategies, but why are these people given money to come up with bad things to do to my computer?
Re:KISS (Score:3, Interesting)
If you know the coordinates of the window, then you can make a pretty good guess as to the location of the URL bar.
Not in my browser. When you add extensions, the URL field moves to accommodate them. I would guess similar behavior is common elsewhere. I think this attack is going to be hard to do in practice.
Re:Hehe, what goes around comes around (Score:3, Interesting)
I agree that somehow the code has to get into the GPU, which means a bootstrap of some kind from the main CPU. I'm not sure it has to remain in the main memory for any period of time, however, as long as the graphics card has DMA access back into main memory.
I'm not sure how memory protection works on the most modern systems, but at least in the past DMA had wide-open access to everything. So, if the graphics card needed to get back into the CPU for a short time, it could just modify the interrupt descriptor table, trigger an IRQ, and so on. Or, it could patch any code in RAM to run, and then replace it back when it was done. Then again, I'm not sure if it is strictly necessary to ever get back into RAM - perhaps the virus could just directly talk to the NIC/HD/etc and get whatever it needs done. Who needs the main CPU?
Again, I'm not familiar enough with PCI/etc to know if this is practical. But I bet you could exploit a lot of code that is already in the system.
Re:KISS (Score:4, Interesting)
It would be pretty difficult to determine which pixels are the URL bar on the GPU though.
No, not really. The browser window's address bar is a pretty easy shape for simple computer vision algorithms to spot, and you've got access to a nice parallel processor to run them on...
Re:KISS (Score:3, Interesting)
Unless you run IE/Win Vista/7, where the address bar cannot be moved or removed (I've tried) and is a calculable distance from the top and left.
Although it's not the original reason I wish I could move the elements of that top bar, I just might have to add it to my list.
(XP lets you move the address bar practically anywhere, so it would be harder to "guess" unless you were to read API messages concerning the stored location of said bar.)
Re:KISS (Score:4, Interesting)
Fortunately, it's running on the GPU, which we all know from the marketing hype is an amazing infinitely powerful CPU. It will have no problem running a recognition program to find the URL bar.