New Whitepaper Claims GPUs Threaten Malware Security


Top 10 Contributor
Posts 26,095
Points 1,183,405
Joined: Sep 2007
ForumsAdministrator
News Posted: Wed, Sep 29 2010 11:10 AM
For the past 3.5 years or so, NVIDIA has ardently advocated the GPU as a computational platform capable of solving almost any problem. One topic the company hasn't targeted, however, is the tremendous performance advantage the GPU could offer malware authors. The idea that a graphics card could double as a security hole isn't something we've heard before, but according to a paper by Giorgos Vasiliadis, Michalis Polychronakis and Sotiris Ioannidis, it's an attack vector whose popularity could boom in coming years.

The trio argues that all the computational hardware that makes the GPU such an ideal fit for certain types of scientific or graphical workloads could (and will) deliver equal benefits to workloads with considerably darker aspirations. The group wrote two CUDA applications demonstrating the proficiency of GPU-based runtime polymorphism or code unpacking. These two techniques are designed to prevent security white hats from detecting or analyzing maleficent code. As you might imagine, the GPU performed both tasks with considerable aplomb. Although the researchers chose to write their proof-of-concept applications using CUDA, it's not because of any security risk particular to that language (or NVIDIA). At the moment, CUDA is the most widely used language for GPGPU applications; the team notes that including an OpenCL version of the malware package would be trivial.

GPUs, the paper argues, threaten on two fronts. First, there's simple performance—GPU malware could perform far more work than traditional CPU-based schemes. Second is the issue of detection. The traditional means by which malware is typically detected are largely inapplicable when it comes to the GPU. Once code is transferred to the GPU, it's essentially cloaked—there's no mechanism by which a CPU-based program can monitor a GPU program to the degree that's theoretically required. With its plentiful supply of local RAM, malicious code can hide in the shadows, conversing with the CPU only on occasion, and only to transfer apparently innocuous bits of data.

More Watch Than Warning

The paper highlights an interesting and new attack vector, but we wouldn't raise a full alarm just yet. Before threats leveraging GPU assets can become widespread, programmable GPUs must achieve near-total market penetration. Malware, by its very nature, is built to run on as many systems as is (cheaply) possible. Esoteric or high-profile exploits tend to get the most press, but badware creators don't generally try to create highly-targeted software packages aimed at stealing Cyberdyne's plans for a liquid-metal terminator. It's much simpler to exploit human stupidity, trick people into installing/downloading software that'll run on any system back to the introduction of IA-32, and then commence hijinks.


Yummy Facebook hijinks. Nomnomnom

You might think that every gamer would have upgraded to at least a DX10-capable video card by now (even if running XP)—but you'd be wrong. According to the latest batch of Steam survey results, 18 percent of its users game on GPUs that support DirectX9 with PS2.0b or PS3.0 shaders. That's enough to severely retard criminal interest right there; we'd presumably see an even higher number of older parts if we conducted the same survey across corporate America.

Even once every GPU supports CUDA (or OpenCL, DirectCompute, etc), there will always be a question as to whether or not the 'right' version is supported. A G80 can run CUDA programs—provided they're written to conform to CUDA 1.0 requirements. Again, there are issues of compatibility to consider, which potentially forces the black hats in question to write code that can run on any GPU and sacrifices performance in the process.

The threat is credible enough that we suspect we'll see additional safeguards and detection systems developed as time goes by. For now, GPU-assisted malware is a theoretical problem of potentially enormous proportions, but theory is all it is. That said, we can almost see the glee with which McAfee and Norton would view this new development—what better way to combat GPU malware than with GPU antiviral products?
  • | Post Points: 140
Top 500 Contributor
Posts 153
Points 1,705
Joined: Jul 2010
lonewolf replied on Wed, Sep 29 2010 11:27 AM

Intel has a built-in virus code or tool in their processors; perhaps the GPU could do the same.

  • | Post Points: 5
Top 10 Contributor
Posts 5,053
Points 60,715
Joined: May 2008
Location: U.S.
Moderator
3vi1 replied on Wed, Sep 29 2010 12:17 PM

Alarmist BS.

Code running on the GPU can't access the framebuffer, so their "show one url while at another" exploit is science fiction. It's not "unfortunate" that it doesn't work today - it's locked out for the very reason that it would add a security hole and is not "inevitable" as they claim.

The keyword here is gpu-*assisted* malware. Malware running on your GPU isn't going to be able to do diddly without a detectable CPU process to talk to and handle i/o. Also, the malware's going to disappear when you flip the power switch unless it writes itself to your disks (again, detectable viral behavior).

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

  • | Post Points: 50
Top 25 Contributor
Posts 3,563
Points 54,725
Joined: Jul 2004
Location: United States, Massachusetts
ForumsAdministrator
MembershipAdministrator
Dave_HH replied on Wed, Sep 29 2010 3:04 PM

I don't know 3vi1. Generally speaking, I would say, where there is a will, there is a way.

Editor In Chief
http://hothardware.com


  • | Post Points: 20
Top 10 Contributor
Posts 6,181
Points 90,135
Joined: Aug 2003
Location: United States, Virginia
Moderator

Idk, I would have to agree with 3vi1 on this one. Sure, any program can take advantage of the GPU's power, but it would still have to be running a detectable CPU process to do much of anything.

  • | Post Points: 5
Top 25 Contributor
Posts 3,795
Points 40,670
Joined: Jan 2010
Location: New York
Inspector replied on Wed, Sep 29 2010 5:21 PM

idk who is smarter here, Dave or 3vi1 but Dave sounds like he knows a way to do it but isn't telling us :P.

  • | Post Points: 5
Top 50 Contributor
Posts 3,102
Points 38,250
Joined: Aug 2003
Location: Texas
acarzt replied on Wed, Sep 29 2010 6:52 PM

3vi1:

Also, the malware's going to disappear when you flip the power switch unless it writes itself to your disks (again, detectable viral behavior).

That's immediately what I thought. Sure if it somehow loaded itself from a website it will run on your computer.... but unless it writes itself to the hard drive... it will be gone as soon as you flip the power switch.

The GPU has DMA (direct memory access) so the virus can bypass the CPU.... but something is going to have to tell it to do that... and that something will run on the CPU before anything reaches the GPU.

Also, don't most (if not all) HIDS' scan what's running in RAM? No matter what, the virus will have to hit system memory, and AV programs should have no problem seeing it.

  • | Post Points: 20
Top 10 Contributor
Posts 8,622
Points 103,890
Joined: Apr 2009
Location: Shenandoah Valley, Virginia
MembershipAdministrator
Moderator
realneil replied on Wed, Sep 29 2010 7:46 PM

3vi1:
Also, the malware's going to disappear when you flip the power switch unless it writes itself to your disks

Of course it will store itself on your ready-boost thumb drive!

Dogs are great judges of character, and if your dog doesn't like somebody being around, you shouldn't trust them.

  • | Post Points: 5
Top 75 Contributor
Posts 1,809
Points 18,105
Joined: May 2009
Location: Waikiki

There are many countries all across the globe where the people have nothing better to do than figure this stuff out!

My theory is that attacks either come from antivirus companies or other scammers with a political agenda. If you use a BB gun the wrong way then dad should take it and wrap it around a tree, that way you can never use it again.

Instead of giving them jobs for their creative Malware, take away their computers so they can even have porn anymore!

This is also why I don't keep my computers constantly hooked to the Internet. I connect to specific sites only for a short time, except for my HH addiction:P

Intel Core i7-875K Quad
Asetek 510LC 120MM
4GB Kingston Hyper-X DDR-3
ASUS P7P55D-E Pro
CyberPower 800 PSU
Kingston 64GB SSD 
2 Hitachi 1-TB HDD'S
FirePro V8800
8X Blu-Ray DVD±R/±RW
HPw2207 22" LCD
Cintiq 21UX
CoolerMaster 690II Advance
Win 7 Pro 64 bit
Special thanks to HotHardware.com!
Not Ranked
Posts 1
Points 35
Joined: Sep 2010

Does anyone here know what DMA is? 3vi1?..........

  • | Post Points: 35
Top 50 Contributor
Posts 3,102
Points 38,250
Joined: Aug 2003
Location: Texas
acarzt replied on Wed, Sep 29 2010 11:16 PM

Uhhhh... if that's sarcasm... see my post above...

If that is a legitimate question.... See my post above...  or see the following link...

http://en.wikipedia.org/wiki/Direct_memory_access

  • | Post Points: 5
Top 25 Contributor
Posts 3,563
Points 54,725
Joined: Jul 2004
Location: United States, Massachusetts
ForumsAdministrator
MembershipAdministrator
Dave_HH replied on Wed, Sep 29 2010 11:28 PM

DMA is Direct Memory Access and yeah... it could be a little scary in this case.

Editor In Chief
http://hothardware.com


  • | Post Points: 20
Top 50 Contributor
Posts 2,911
Points 24,625
Joined: Jul 2001
Location: United States, New York
digitaldd replied on Thu, Sep 30 2010 8:48 AM

GPU assisted. So they'll use your GPU's processing power to crack some bank's encryption scheme while you surf. And most won't even notice. COOL!

  • | Post Points: 20
Top 10 Contributor
Posts 8,622
Points 103,890
Joined: Apr 2009
Location: Shenandoah Valley, Virginia
MembershipAdministrator
Moderator
realneil replied on Thu, Sep 30 2010 9:23 AM

digitaldd:
GPU assisted. So they'll use your GPU's processing power to crack some bank's encryption scheme while you surf.

Yeah, and it will happen while you're logged into your account too. Then you get to take the federal rap for bank robbery!


Dogs are great judges of character, and if your dog doesn't like somebody being around, you shouldn't trust them.

  • | Post Points: 20
Not Ranked
Posts 16
Points 110
Joined: Sep 2010
Location: United States, NV
JJr replied on Thu, Sep 30 2010 11:03 AM

GPU antivirus? Maybe they would just add it or improve GPU drivers to at least BLOCK malware?

  • | Post Points: 5
Top 100 Contributor
Posts 1,072
Points 11,625
Joined: Jul 2009
Joel H replied on Thu, Sep 30 2010 11:52 AM

Anima,

"My theory is that attacks either come from antivirus companies or other scammers with a political agenda."

The concept of attacks coming from kids in their basement is ten years out of date; the idea that Norton or McAfee bankrolls these attacks is ludicrous. Malware and spam is a very corporate business these days. If you want to send a few billion emails advertising your illegal spam products, you don't contact the nerd down the street, you get in touch with the right sort of Russian corporation.

I've written extensively on this topic elsewhere; I can produce links if you're curious.

  • | Post Points: 5
Top 10 Contributor
Posts 6,181
Points 90,135
Joined: Aug 2003
Location: United States, Virginia
Moderator

You know what. I take it all back. I am scared. My mom just called me and told me that her PC was running slow and that a while back she had done a virus scan and it didn't find too many so it can't be that. Then I realize that is the average PC user. Ick!

  • | Post Points: 20
Top 10 Contributor
Posts 8,622
Points 103,890
Joined: Apr 2009
Location: Shenandoah Valley, Virginia
MembershipAdministrator
Moderator
realneil replied on Thu, Sep 30 2010 1:08 PM

bob_on_the_cob:
she had done a virus scan and it didn't find too many

It didn't find too many? Ha-Ha! Lost Pepsi through the nose when I read that!

Ok, I'm back after changing my shirt. Have a long talk with Mom dude.


EDIT: I do free computer work for a lady across the street. She can't afford to pay for help, yet she needs help all of the time. Virus is her middle name. (I think that her grand-kids are doing it)

I finally cloned her drive when I went over there and showed her how to save important docs and files onto a 16GB flash drive. Already I have restored her system from my cloned source-drive once. It goes much faster now!

Dogs are great judges of character, and if your dog doesn't like somebody being around, you shouldn't trust them.

  • | Post Points: 20
Not Ranked
Posts 1
Points 5
Joined: Sep 2010
clamport replied on Thu, Sep 30 2010 4:21 PM

I want to alleviate the myth of GPU DMA. There is no DMA'ing currently available from the GPU. For data to be transferred back and forth, there has to be memory allocation done on the host which implicitly means that there is CPU involvement. There is something called Zero Copy in which the GPU reads from host memory, but this STILL requires obtaining a pointer to host memory, again requiring the CPU.

If you don't believe it go read the CUDA documentation.

  • | Post Points: 5
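Added example, not part of any post in this thread: several replies above argue that GPU code always needs a host CPU process to allocate memory and launch it. On Linux that host process shows up in `/proc/<pid>/maps` with the GPU runtime library and device nodes mapped, which a defender can check against an allowlist. The sample process table, process names and allowlist below are constructed for illustration.

```python
import re

# Mappings a host process carries when it drives a GPU compute runtime on Linux.
GPU_MARKERS = {
    "cuda_driver": re.compile(r"/libcuda\.so(\.\d+)*$"),
    "opencl_loader": re.compile(r"/libOpenCL\.so(\.\d+)*$"),
    "nvidia_device": re.compile(r"^/dev/nvidia(ctl|-uvm|\d+)$"),
}

def gpu_markers_in_maps(maps_text):
    """Return the marker names found in one /proc/<pid>/maps dump."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(fields) < 6:
            continue                  # anonymous mapping, no backing file
        path = fields[5].strip()
        if path.endswith(" (deleted)"):
            # Library unlinked from disk after loading: still mapped, still counts.
            path = path[: -len(" (deleted)")]
        for name, rx in GPU_MARKERS.items():
            if rx.search(path):
                found.add(name)
    return found

def flag_unexpected(procs, allowlist):
    """procs maps pid -> (comm, maps_text); report GPU users not on the allowlist."""
    report = []
    for pid, (comm, maps_text) in sorted(procs.items()):
        hits = gpu_markers_in_maps(maps_text)
        if hits and comm not in allowlist:
            report.append((pid, comm, sorted(hits)))
    return report

# Constructed sample: three processes as (comm, contents of /proc/<pid>/maps).
SAMPLE = {
    1201: ("blender",
           "7f10a0000000-7f10a0200000 r-xp 00000000 08:01 131 /usr/lib/libcuda.so.1\n"
           "7f10b0000000-7f10b0001000 rw-s 00000000 00:06 512 /dev/nvidiactl\n"),
    3344: ("updater",
           "7f20a0000000-7f20a0100000 r-xp 00000000 08:01 99 /tmp/.cache/libOpenCL.so.1 (deleted)\n"
           "7f20b0000000-7f20b0001000 rw-s 00000000 00:06 513 /dev/nvidia-uvm\n"
           "7ffd10000000-7ffd10021000 rw-p 00000000 00:00 0 [stack]\n"),
    4100: ("sshd",
           "7f30a0000000-7f30a01c0000 r-xp 00000000 08:01 77 /usr/lib/libc.so.6\n"
           "7f30b0000000-7f30b0004000 rw-p 00000000 00:00 0\n"),
}

if __name__ == "__main__":
    for pid, comm, hits in flag_unexpected(SAMPLE, allowlist={"blender"}):
        print(f"pid {pid} ({comm}) uses GPU runtime: {', '.join(hits)}")
```

On a live host the same dictionary can be built by reading `/proc/<pid>/comm` and `/proc/<pid>/maps` for each numeric entry in `/proc`.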
Top 50 Contributor
Posts 3,102
Points 38,250
Joined: Aug 2003
Location: Texas
acarzt replied on Thu, Sep 30 2010 7:42 PM

That would drive me crazy neil lol

I've worked with people like that.... You want to help them... but at what point does it become them taking advantage of you? Gotta draw the line somewhere.

 

Top 10 Contributor
Posts 8,622
Points 103,890
Joined: Apr 2009
Location: Shenandoah Valley, Virginia
MembershipAdministrator
Moderator
realneil replied on Thu, Sep 30 2010 9:35 PM

acarzt:
Gotta draw the line somewhere.

She brings over some of the best country cooking that you'll ever taste, and she does it a lot.

She's always been a good neighbor to us, so I can put up with the occasional repairs, since I now have a clone of her drive to use!

Dogs are great judges of character, and if your dog doesn't like somebody being around, you shouldn't trust them.

  • | Post Points: 5
Top 10 Contributor
Posts 5,053
Points 60,715
Joined: May 2008
Location: U.S.
Moderator
3vi1 replied on Fri, Oct 1 2010 7:23 PM

Maybe I'm missing something, but I don't see the harm in DMA access - since it would only allow access to memory that the same process has allocated (just like every other program in the world).

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

  • | Post Points: 20
Top 10 Contributor
Posts 8,622
Points 103,890
Joined: Apr 2009
Location: Shenandoah Valley, Virginia
MembershipAdministrator
Moderator

3vi1:
I don't see the harm in DMA access

Big Smile As long as it doesn't impregnate anything while it's there!,.................Super Angry

Dogs are great judges of character, and if your dog doesn't like somebody being around, you shouldn't trust them.

  • | Post Points: 5
Top 100 Contributor
Posts 1,072
Points 11,625
Joined: Jul 2009
Joel H replied on Sun, Oct 3 2010 4:38 PM

Clamport,

As I recall, DMA was added in the AGP days as a method for allowing the GPU to copy texture data from host memory without talking to the CPU. As far as I'm aware, this function was carried over to PCI-E. Are you stating that it wasn't, or referring to using DMA for other purposes?

  • | Post Points: 5