Malware Running On Graphics Cards 103
An anonymous reader writes "Given the great potential of general-purpose computing on graphics processors, it is only natural to expect that malware authors will attempt to tap the powerful features of modern GPUs to their benefit. In this paper, the authors demonstrate the feasibility of implementing a malware that can utilize the GPU (PDF) to evade virus scanning applications. Moreover, the authors discuss the potential of more sophisticated attacks, like accessing the screen pixels periodically to harvest private data displayed on the user screen, or to trick the the user by displaying false, benign-looking information when visiting rogue web sites (e.g., overwriting suspicious URLs with benign-looking ones in the browser's address bar)."
I guess it already happened to me (Score:5, Funny)
It says slashdot.org in my URL bar but since the last few months the comments of users appear to be from digg.
I am pleased (Score:5, Funny)
With this technology, new, more sophisticated Rickrolling is now possible.
Re:I am pleased (Score:4, Funny)
cudaMemcpy(d_rickAstley,h_rickAstley, AMOUNT_OF_TIME*TO_GIVE_U_UP * sizeof(float) ,cudaMemcpyHostToDevice);
d_RickRolled >> (d_rickAstley);
Re: (Score:2)
Rewriting arbitrary stuff on your screen is possible for any virus without "infesting" the GPU. You own the OS, so you can force the GPU to paint anything you want without running specialized code on it. Actually, simply changing the contents of your screen was all what most old DOS-virii did. The interesting part is the "hiding from detection" part, not the "yet another way to write stuff on the screen" part.
Re: (Score:1)
Maybe I should actually read what this story is about, seems interesting.
Re: (Score:2)
That so? I thought owning a modern OS wouldn't give you the hardware access you had in the ol' days of DOS, not by a long shot. Just freely drawing around the screen doesn't work.
Yeah I hate these modern OSes where all the apps, games, screensavers, desktop buddies etc can't just freely output to the screen.. it makes Photoshop and CAD really difficult to use :s
Re: (Score:2, Flamebait)
Re: (Score:2)
Re: (Score:2)
I am not a CUDA developer, but I'm pretty sure that yes it only works on nVidia GPUs, but no you don't need to install the CUDA SDK to be able to run CUDA apps, all you need is the hardware. So it would be a pretty big target really.
I know that malware authors would think of doing this eventually, but I still think that giving them ideas like this is Bad. Just look at what happened with Twitter this week - someone releases a harmless proof of concept type attack, and now already the script kiddies are comin
Re: (Score:2)
Nope, it wouldn't suffice for SSL sites.
Re: (Score:3, Interesting)
Sure it would. It changes pixels directly onscreen, the browser/app/whatever will never know.
Re: (Score:2)
Re:KISS (Score:4, Insightful)
All the malware has to do is add a CA it already owns.
Re:KISS (Score:4, Insightful)
It would be pretty difficult to determine which pixels are the URL bar on the GPU though. Unless of course all this GPU acceleration they're putting in browsers now allows you to somehow read the coordinates directly.
Re: (Score:2)
If you know the coordinates of the window, then you can make a pretty good guess as to the location of the URL bar.
Re:KISS (Score:4, Insightful)
Re:KISS (Score:4, Interesting)
Fortunately, it's running on the GPU, which we all know from the marketing hype is an amazing infinitely powerful CPU. It will have no problem running a recognition program to find the URL bar.
Re: (Score:3, Interesting)
If you know the coordinates of the window, then you can make a pretty good guess as to the location of the URL bar.
Not in my browser. When you add extensions, the URL field moves to accomodate them. I would guess similar behavior is common elsewhere. I think this attack is going to be hard to do in practice.
Re: (Score:3, Interesting)
Unless you run IE/Win Vista/7, where the address bar cannot be moved or removed (I've tried) and is a calculable distance from the top and left.
Although it's not the original reason I wish I could move the elements of that top bar, I just might have to add it to my list.
(XP lets you move the address bar practically anywhere, so it would be harder to "guess" unless you were to read API messages concerning the stored location of said bar.)
Re: (Score:2)
Re: (Score:2)
Sorry, but if you think adding a few GPUs into the mix is going to make a difference, you don't have much idea about cracking encryption.
Unless you figure out a weakness in the algorithm, you are not brute forcing a 128 bit key without either a lot of luck, centuries of time, or a quantum computer.
Here's a quote from an article about encryption [zdnet.com].
Ah, but what about the dreaded massively distributed cracking brute force method for attacking something like 128 bit RC5 encryption? There are massive zombie farms of infected computers throughout the world and some may have gotten as big as 1 million infected computers. What if that entire army was unleashed upon the commonly used 128 bit RC5 encryption? Surprisingly, the answer is not much. For the sake of argument, let’s say we unleash 4.3 billion computers for the purpose of distributed cracking. This means that it would be 4.3 billion or 2 to the 32 times faster than a single computer. This means we could simply take 2 to the 128 combinations for 128-bit encryption and divide it by 2 to the 32 which means that 2 to the 96 bits are left. With 96 bits left, it’s still 4.3 billion times stronger than 64 bit encryption. 64 bit encryption happens to be the world record for the biggest RC5 bit key cracked in 2002 which took nearly 5 years to achieve for a massive distributed attack.
Now that we know that the distributed attacks will only shave off a few bits, what about Moore’s law which historically meant that computers roughly doubled in speed every 18 months? That means in 48 years we can shave another 32 bits off the encryption armor which means 5 trillion future computers might get lucky in 5 years to find the key for RC5 128-bit encryption. But with 256-bit AES encryption, that moves the date out another 192 years before computers are predicted to be fast enough to even attempt a massively distributed attack. To give you an idea how big 256 bits is, it’s roughly equal to the number of atoms in the universe!
Re:KISS (Score:4, Interesting)
It would be pretty difficult to determine which pixels are the URL bar on the GPU though.
No, not really. The browser window's address bar is a pretty easy shape for simple computer vision algorithms to spot, and you've go access to a nice parallel processor to run them on...
Re:KISS (Score:4, Interesting)
Re: (Score:1)
I had an idea like this. (Score:3, Interesting)
except instead of doing that, it looked for textures that were generated anyway by games ads and swapped in other textures.
My friends looked at me like I was evil and crazy.
I will show them... (Score:5, Interesting)
"Moreover, the authors discuss the potential of more sophisticated attacks, like accessing the screen pixels periodically and harvest private data displayed on the user screen"
I guess we just change all fields to mask the entries with **** or if we want to really fool them use dots.
Re: (Score:1)
Re: (Score:2)
Of course, I could never find a use for it besides installing it on friends' computers when they weren't looking...
Re: (Score:2)
I'm trying to create a similar plugin, only converting a specific type of text to garbage; the problem is that I don't have time to start from scratch and I can't find anything similar to start with as a base.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
You're really uncreative. What about those on-screen keyboards banking sites use? Just access the display data, combine with a click logger and presto! You now have access to a person's banking.
Wrong summary (Score:3, Funny)
imagine (Score:3, Insightful)
Re: (Score:3, Funny)
Gotta log off now and start working on an algorithm to detect the presence of areola color and texture.
Hehe, what goes around comes around (Score:5, Interesting)
I used to run a small computer repair and write-to-order software shop for a living while in the Uni with two more people. One of them had that idea around 1994. In those days it was just to store the code in the video RAM pages which are not directly accessible to a scanner and keep a small polymorphic backstrap routine in main memory.
What goes around comes around. Looks like this is using a similar approach. Even if you compute some stuff on the card you still need a bootstrap within the main system to use it and talk back to the "mothership".
Re:Hehe, what goes around comes around (Score:4, Funny)
Now that I think of it, my electric razor with new programming, was trying to attack me this morning, or so it seemed...
Re: (Score:3, Interesting)
I agree that somehow the code has to get into the GPU, which means a bootstrap of some kind from the main CPU. I'm not sure it has to remain in the main memory for any period of time, however, as long as the graphics card has DMA access back into main memory.
I'm not sure how memory protection works on the most modern systems, but at least in the past DMA had wide-open access to everything. So, if the graphics card needed to get back into the CPU for a short time, it could just modify the interrupt descrip
Re:Hehe, what goes around comes around (Score:4, Informative)
Re: (Score:2)
I used to run a small computer repair and write-to-order software shop for a living while in the Uni with two more people. One of them had that idea around 1994. In those days it was just to store the code in the video RAM pages which are not directly accessible to a scanner and keep a small polymorphic backstrap routine in main memory.
So which one of you guys is the guilty party?
Re: (Score:3, Informative)
Popups 2.0 (Score:5, Interesting)
This should make for some wonderful new kinds of pop up ads that can't be dismissed or in any way taken out of focus.
Re: (Score:2)
Re: (Score:2)
Well thats already an issue - I've seen Malware that makes fake "Blue Screen of Death" with the warning about viruses. You can't Alt+tab or Alt+f4 out of it, CTRL+ALT+Delete does nothing, it acts just like a Blue Screen of Death except for 2 things: Your mouse is still visible and moves, and it'll actually go away if you leave it for 5 minutes - instead of everyones initial reaction to reboot the machine.
I always wondered how it was they managed to bypass all the other functions that I should have had avail
Re: (Score:2)
By using rootkits and system level injections. That's the only way to do it, and Vundo(and varients) is probably the most famous offender of it.
Process Authentication and Authorization (Score:4, Interesting)
User and role based authentication/authorization is essential to security, but not sufficient. A machine that brings authentication/authorization down to the process level would be more secure.
I'd like a PC that enforced access control on each process running. Every call to any HW, whether CPU, MMU, GPU, or any bus, to require authentication. A crypto ASIC with scores of simultaneous auth units pointing at each process space and the ACL table for auth in just a few extra clock ticks on operations per process, at startup and randomly every dozen or so calls. More frequently when there's a "heightened alert" either by network notification or during and after other security events like DoS attacks and malware discovery.
Re: (Score:2, Funny)
I, too, want my system to crawl to a halt due to a bunch of authentication overhead.
Re: (Score:2)
Then don't get the auth ASIC I helpfully described, or use it infrequently the way I helpfully described.
Re: (Score:2)
This is more or less how the new game consoles (X360 and PS3) work.
Re: (Score:1)
So I'm guessing you've never used any modern security focused operating system.
We've had everything you've mentioned for years ... probably 30 years or more.
The problem is, if you want to get anything done in a reasonable amount of time, you're going to turn all that stuff off. When you hook EVERY syscall things tend to get mighty slow. Go run some software in a profiler and you'll get a rough idea of just how shitty it performs in the real world.
Theres a reason general purpose operating systems don't do
Re: (Score:2)
I have. All of which is why I want the machine to have an ASIC that effectively adds an AUTH instruction that takes only a few clock cycles, rather than do this essential operation in software every time, also caching credentials and grants in ASIC RAM or LUT.
Re: (Score:2)
I think it would work very well to support rules like "no browser process can access my disk" plus "email processes can access my disk", even if email is running as my user and so are other processes. Think of host firewalls like ZoneAlarm that assign permissions for network access per process per user, but applied to the entire range of HW.
Re: (Score:1)
You want no caching at all?
You want 'save page source' to not be possible?
You want it impossible to download anything off the web?
You want it to be impossible for external document viewers to view temporary files?
You want there to be no persistent cookie storage?
You want there to be no persistent storage of any settings that could be changed from within the program?
You want there to be no possibility for plugins?
Your hypothesised browser would apparently have a user-ba
Re: (Score:2)
Sometimes, yeah.
Really, though, you're too dense to understand that such a use case is an arbitrary one that isn't the entire feature. Which is why I mentioned ZoneAlarm for an example. How about "no processes but the ones I've allowed today (before I connected the network) can access my disk or my network, until a dialog box adding them to the ACL is approved"?
Re: (Score:1)
And I'd rather stay that way, thanks.
Re: (Score:2)
Too dense to understand that a rough example that might not be popular but does explain how the feature works doesn't mean the feature is limited to that example. Even though the ZoneAlarm example should satisfy.
Clearly you're committed to staying that dense.
Snow Crash anyone?! (Score:1)
So when can we expect the GPU port of the nam-shub to protect us from the Cult of A5h3rah?
Re: (Score:1)
The moment another shitty story writer pops up.
Malware everywhere (Score:1, Interesting)
I have seen somewhere botnets on routers here in slashdot.
What's the next device to be infected? Network printers? SSDs with that little ARM to perform GC? NICs?
Re: (Score:3, Interesting)
Driver problem (Score:5, Interesting)
Modern GPUs include memory protection, so different processes can be prevented from reading each others' VRAM, just as they can be prevented from running each others' RAM. This is not always used by the drivers, which may just map the entire physical VRAM into the GPU's virtual address space. With properly written drivers, this is much harder.
The big malware potential comes from WebGL. This allows you to run arbitrary GLSL code in the browser's (GPU) address space. Although you probably can't take over the entire display, you can potentially take over the entire browser window without permission. Hopefully, the driver will give you entirely separate GPU address spaces per GL context, but given how incompetent AMD and nVidia's driver teams have demonstrated themselves to be, I doubt it.
Re: (Score:1)
hopes for Gallium3D (Score:2)
then this gives us hopes for the Gallium 3D driver stack to fix this and implement proper memory protection on hardware supporting it. Well, to bad for Windows users.
and nonetheless, AdBlock+ and NoScript will very probably block GLSL as they does with any other scripting language. So shoddy websites won't be able to assault you with unstopable full window ads. Well, to bad for IE users.
Is this possible in a correctly configured Linux? (Score:1, Offtopic)
I don't want to plow the horn or wave the flag unless I know it's true. But given the various access levels and things that Linux uses in X.org and all that, I wonder if those same issues are more or less likely in a Linux + X situation?
To my understanding, there is not direct reading or writing to the screen. There is screen capture functionality, but I don't know how it works or if it is simply a standard feature of the X window system (and either way, is THAT a vulnerability to be wary of?).
In Windows
Re: (Score:2)
Oh boy... After reading through the first four paragraphs, I was reminded of Direct/Active-X. Device drivers in userland? I kinda knew about this but I guess I wanted to push it from my mind.
Is it really possible to have an advanced graphics environment with all the performance we desire without the windowing system having direct access to hardware? I suppose it would only be possible with an extremely rich API and high-speed communications interface and a whole lot of other things which would otherwise
root-less X still problematic (Score:2)
With kernel modesetting, it is possible to run an accelerated X without root privileges (MeeGo does this) but currently there are safety caveats [lwn.net]. To support multiple simultaneous users there is a need for a revoke syscall otherwise other users could snoop your input devices by not dropping previous access to devices (you can watch some X devs discussing the issue on Phoronix [phoronix.com]).
Re: (Score:3, Informative)
No, you're thinking at the wrong level. The problem is that every application that gets an OpenGL context can upload programs to the GPU and run them. Fine in theory, and a modern GPU has the ability to isolate different context's memory from each other, but the drivers don't always use it (and don't always use it correctly when they do). If you're using an nVidia or ATi blob driver, then you have the same code controlling the GPU as a Windows user, so if the vulnerability is on Windows it will also be o
Sigh (Score:3, Insightful)
TFS/TFA: "Here's a paper showing that malware on graphics cards is theoretically possible and could possibly evade detection."
If you were trying to sensationalize the headline, you might as well have thrown "won't anyone think of the children!?!?" in there as well.
Re: (Score:2)
Headline: "Malware Running On Graphics Cards" TFS/TFA: "Here's a paper showing that malware on graphics cards is theoretically possible and could possibly evade detection." If you were trying to sensationalize the headline, you might as well have thrown "won't anyone think of the children!?!?" in there as well.
No kidding! This is just as bad as as that rail-gun rocket launcher headline from 2 weeks ago that had nothing to with crazy weapons.
I see what's going on (Score:2)
"I was really not watching porn, it was just the virus that infected my geforce!"
Government researchers? (Score:2, Interesting)
Does anyone find it disturbing that taxpayers' money is used to do the bad guys' work for them? I can understand researching anti-malware strategies, but why are these people given money to come up with bad things to do to my computer?
Re:Government researchers? (Score:5, Insightful)
Before you can build a wall, you have to imagine someone walking over the imaginary line at the edge of your yard.
Or you can figure out that a wall would have been useful after they come into your yard, but then it's too late.
See, most taxpayers understand that we pay taxes to prevent the crime, we don't wait until it happens and then rail that the government isn't doing anything about it.
Re: (Score:2)
For the most part if you wait until you're attacked to deal with it, you've already lost and you're pretty much stuck with damage mitigation at best.
Re: (Score:1)
Re: (Score:2)
Most people get the point after being arrested. Others after being jailed for a few days.
It's when when you're releasing violent, repeat, or crazy offenders for budgetary reasons you know your legislature is missing the point.
Re: (Score:2)
No, not in the least. You have to know where you are vulnerable to know what to protect. This is much like medical research, you have to know how to induce a disease in order to test new treatments.
Re: (Score:2)
Does have the gpu in the cpu make it easy to (Score:2)
Does have the gpu in the cpu make it easy to get on the system / make it harder to get rid of?
Imagine the rootkits... (Score:2)
1.It'd get to run with ring 0 access on each boot before the OS has a chance to do anything.
2. On EFI systems it'd have access to a TCP stack, full FAT and NTFS filesystem access, all included in the EDK [transact.net.au]. So it could update itself on the fly each boot.
The video card makes a great trojan horse to house your malware.
IE9 Question (Score:1)
yawn (Score:1)
I advise reading "My Other Computer is Your GPU" by myself and Jason Rodzik from earlier this year:
http://dank.qemfd.net/dankwiki/images/d/d2/Cubar2010.pdf [qemfd.net]
It covers these topics, and many more. :D
I fail to see how this is a big deal (Score:2)
Once a virus is running on a system, it can shut down virus scanners, and all that kind of stuff. That is always the case. Doesn't matter where it runs. The key is to keep it from running and that's what virus scanners do. They are the doormen, they stop people who are on the "Bad list" from coming in. Well even if your virus was GPU based, it'd still have to come in and execute on the CPU like normal. There is no way to directly load something in the GPU and run it there. As such the virus scanner would ge
Re: (Score:2)
Oh, executable packing/encryption. Ya viruses haven't done that since always. Sorry guys, but virus scanners are wise to that. They check for packed code.
So really, I don't see anything special here.
What is special: that you AV would run at CPU speed while the packers/unpackers will run at GPU speed. It would be like trying to catch a bank-robber who drives a Ferrari while riding your push-bike. Granted, you can still control the "roads", but control them too tight and I'll throw away your AV solution because it's making my computer run like on a 386/40 MHz on an everyday basis
Plus this kind of malware might be easier to deal with: Just shut down GPU processing. Unlike the CPU, that is a feasible thing to do. So if a system is infected, the GPU gets turned off, the malware cleaned, the GPU restarted. Graphics cards still work fine when addressed in old "Just a bunch of pixels," mode.
I imagine that a wise AV would use the GPU to actually run the unpacking and analysis/detection code faster.
Re: (Score:2)
You are confused in to thinking GPUs are magical "everything acceleration" devices. Please remember if that were the case, we'd just use them as CPUs instead. It isn't the case. GPUs are special kinds of processors, called stream processors. There are only some things they are good at. Other things, they are much slower than CPUs. You also miss that the virus has to execute on the CPU first. There is no way, none, in Windows to directly execute on a GPU. Just not how the system works. You have to have a CPU
Re: (Score:2)
You are confused in to thinking GPUs are magical "everything acceleration" devices.
Oh, am I now? That's incorrect, but I wonder what made you think so?
So the virus has to come in, and then launch on the CPU, then it can unpack code to the GPU and execute it. The CPU process will still have to keep running the whole time, because that is how the system schedules resource time.
With the minor correction that the CPU may be scheduled to other processes/threads (until the GPU finished and releases the lock on the memory), you are correct.
Again I fail to see what any of this gains. A virus scanner doesn't even need to look at the GPU to deal with this.
I never said the AV scanner would need to look at the GPU (only that would be advisable the AV scanner to use the GPU by itself).
I assert that the AV scanner cannot take any decision based solely on the behavior of "programs asks the GPU to do something then start executing from me
Threats are not serious (Score:3, Insightful)
So the only issue is polymorphic virus that may use GPGPU decryption. If this happens, scanners will start using CUDA, or GPU virtualization.
Tradition (Score:2)
Nowadays systems are so complex, and tools to study them / keep an eye on them are so relatively clueless, there could be^H^H^H^H^H^H^H^H are dozens of things going on in our PCs that we are blissfully unaware of. Very unfortunate
Harder (Score:1)
It's harder, therefore effort vs reward is not good enough unless they have some good malware. Just slap some code into a PDF and you're all set.