New Whitepaper Claims GPUs Threaten Malware Security
For the past 3.5 years or so, NVIDIA has ardently advocated the GPU as a computational platform capable of solving almost any problem. One topic the company hasn't targeted, however, is the tremendous performance advantage the GPU could offer malware authors. The idea that a graphics card could double as a security hole isn't something we've heard before, but according to a paper by Giorgos Vasiliadis, Michalis Polychronakis and Sotiris Ionnidis, it's an attack vector whose popularity could boom in coming years.
The trio argues that all the computational hardware that makes the GPU such an ideal fit for certain types of scientific or graphical workloads could (and will) deliver equal benefits to workloads with considerably darker aspirations. The group wrote two CUDA applications demonstrating the proficiency of GPU-based runtime polymorphism or code unpacking. These two techniques are designed to prevent security white hats from detecting or analyzing maleficent code. As you might imagine, the GPU performed both tasks with considerable aplomb. Although the researchers chose to write their proof-of-concept applications using CUDA, it's not because of any security risk particular to that language (or NVIDIA). At the moment, CUDA is the most widely used language for GPGPU applications; the team notes that including an OpenCL version of the malware package would be trivial.
GPUs, the paper argues, threaten on two fronts. First, there's simple performance—GPU malware could perform far more work than traditional CPU-based schemes. Second is the issue of detection. The traditional means by which malware is typically detected are largely inapplicable when it comes to the GPU. Once code is transferred to the GPU, it's essentially cloaked—there's no mechanism by which a CPU-based program can monitor a GPU program to the degree that's theoretically required. With its plentiful supply of local RAM, malicious code can hide in the shadows, conversing with the CPU only on occasion, and only to transfer apparently innocuous bits of data.
More Watch Than Warning
The paper highlights an interesting and new attack vector but we wouldn't raise a full alarm just yet. Before threats leveraging GPU assets can become widespread programmable GPUs must achieve near-total market penetration. Malware, by its very nature, is built to run on as many systems as is (cheaply) possible. Esoteric or high-profile exploits tend to get the most press, but badware creators don't generally try to create highly-targeted software packages aimed at stealing Cyberdyne's plans for a liquid-metal terminator. It's much simpler to
exploit human stupidity, trick people into installing/downloading software that'll run on any system back to the introduction of IA-32, and then commence hijinks.
Yummy Facebook hijinks. Nomnomnom
You might think that every gamer would have upgraded to at least a DX10-capable video card by now (even if running XP)—but you'd be wrong. According to the latest batch of Steam survey results, 18 percent of its users game on GPUs that support DirectX9 with PS2.0b or PS3.0 shaders. That's enough to severely retard criminal interest right there; we'd presumably see an even higher number of older parts if we conducted the same survey across corporate America.
Even once every GPU supports CUDA (or OpenCL, DirectCompute, etc), there will always be a question as to whether or not the 'right' version is supported. A G80 can run CUDA programs—provided they're written to conform to CUDA 1.0 requirements. Again, there are issues of compatibility to consider, which potentially forces the black hats in question to write code that can run on <i>any</i> GPU and sacrifices performance in the process.
The threat is credible enough that we suspect to see additional safeguards and detection systems developed as time goes by. For now, GPU-assisted malware is a theoretical problem of potentially enormous proportions, but theory is all it is. That said, we can almost see the glee with which McAfee and Norton would view this new development—what better way to combat GPU malware than with GPU antiviral products?
The trio argues that all the computational hardware that makes the GPU such an ideal fit for certain types of scientific or graphical workloads could (and will) deliver equal benefits to workloads with considerably darker aspirations. The group wrote two CUDA applications demonstrating the proficiency of GPU-based runtime polymorphism or code unpacking. These two techniques are designed to prevent security white hats from detecting or analyzing maleficent code. As you might imagine, the GPU performed both tasks with considerable aplomb. Although the researchers chose to write their proof-of-concept applications using CUDA, it's not because of any security risk particular to that language (or NVIDIA). At the moment, CUDA is the most widely used language for GPGPU applications; the team notes that including an OpenCL version of the malware package would be trivial.
GPUs, the paper argues, threaten on two fronts. First, there's simple performance—GPU malware could perform far more work than traditional CPU-based schemes. Second is the issue of detection. The traditional means by which malware is typically detected are largely inapplicable when it comes to the GPU. Once code is transferred to the GPU, it's essentially cloaked—there's no mechanism by which a CPU-based program can monitor a GPU program to the degree that's theoretically required. With its plentiful supply of local RAM, malicious code can hide in the shadows, conversing with the CPU only on occasion, and only to transfer apparently innocuous bits of data.
More Watch Than Warning
The paper highlights an interesting and new attack vector but we wouldn't raise a full alarm just yet. Before threats leveraging GPU assets can become widespread programmable GPUs must achieve near-total market penetration. Malware, by its very nature, is built to run on as many systems as is (cheaply) possible. Esoteric or high-profile exploits tend to get the most press, but badware creators don't generally try to create highly-targeted software packages aimed at stealing Cyberdyne's plans for a liquid-metal terminator. It's much simpler to
exploit human stupidity, trick people into installing/downloading software that'll run on any system back to the introduction of IA-32, and then commence hijinks.
Yummy Facebook hijinks. Nomnomnom
You might think that every gamer would have upgraded to at least a DX10-capable video card by now (even if running XP)—but you'd be wrong. According to the latest batch of Steam survey results, 18 percent of its users game on GPUs that support DirectX9 with PS2.0b or PS3.0 shaders. That's enough to severely retard criminal interest right there; we'd presumably see an even higher number of older parts if we conducted the same survey across corporate America.
Even once every GPU supports CUDA (or OpenCL, DirectCompute, etc), there will always be a question as to whether or not the 'right' version is supported. A G80 can run CUDA programs—provided they're written to conform to CUDA 1.0 requirements. Again, there are issues of compatibility to consider, which potentially forces the black hats in question to write code that can run on <i>any</i> GPU and sacrifices performance in the process.
The threat is credible enough that we suspect to see additional safeguards and detection systems developed as time goes by. For now, GPU-assisted malware is a theoretical problem of potentially enormous proportions, but theory is all it is. That said, we can almost see the glee with which McAfee and Norton would view this new development—what better way to combat GPU malware than with GPU antiviral products?
