Hidden password-stealing malware lurking in your GPU card? Intel Security thinks not

Fears that malware is hiding in people's graphics chipsets may be overclocked, according to Intel Security. Earlier this year, researchers from the self-styled “Team JellyFish” released a proof-of-concept software nasty capable of exploiting GPUs to swipe passwords and other information typed in by a PC's user. The same …

  1. pewpie

    GPU.

    Grab da Passwrdz Unit.

  2. Charles Manning

    The CPU isn't the only bus master

    Anti-virus software, and OS protection, all works on the assumption that the CPU controls everything that goes on in the machine's address space.

    That is clearly not the case. Everything plugged into the bus can read/write memory via DMA: graphics cards, ethernet controllers, USB controllers, heck, even UARTs! If any of these have any nefarious software + CPU (or teeny tiny state machines) in them then they can read/write what they want and then do whatever they want.

    So it is very much possible to get some modded GPU firmware that does naughty things.

    These guys even attacked Macs just by plugging in an attacker device, no software, no user intervention required:

    http://www.slideshare.net/blowmenowpls/thunderbolts-and-lightning-very-very-frightening

    Since Thunderbolt is just wrapped PCI/E, the attacker device could do DMA via Thunderbolt and search system RAM for anything they want. Heck, with a bit more effort they could have also read the disk!

    There are things you can do about this, but the security has to be moved further towards hardware level locking and must be less dependent on software.

    1. Anonymous Coward

      Re: The CPU isn't the only bus master

      > There are things you can do about this, but the security has to be moved further towards hardware level locking and must be less dependent on software.

      Those of us who work on the low-level x86 hardware are aware of these attack vectors. Microsoft even requires BIOS vendors to disable PCI bus mastering by default to limit the ease with which a rogue hardware controller can access system memory.

      Long term, I believe technologies like Intel SGX, which I believe is what Intel was referring to as "enclaves" at the latest IDF, will help protect data for each process from being snooped from other processes or even other hardware controllers.

      1. Charles Manning

        Re: The CPU isn't the only bus master

        "Microsoft even requires BIOS vendors to disable PCI bus mastering"

        But at some time you have to re-enable the bus mastering, otherwise your GPU, ethernet controller, USB, etc. won't work.

        Any nefarious device just has to wait until it is granted access to slip in a few extra naughty samples.

        Yes, there are things that can be done to help, but just trying to fix it in the BIOS is not enough.

      2. Spoonsinger

        Re: Microsoft even requires BIOS vendors to disable PCI...

        BIOS? It's all UEFI nowadays, and you get stuff like http://www.theregister.co.uk/2015/08/12/lenovo_firmware_nasty/ happening. You don't need sexy hardware-based attack vectors when easier software ones are available.

        1. Anonymous Coward

          Re: BIOS? It's all UEFI nowadays

          At the time Microsoft made the requirement, most systems were still using a traditional BIOS rather than UEFI.

          Disabling PCI Bus Master by default offers little protection, but it is better than unfettered access. In theory, the OS can authenticate a driver before it is loaded and before PCI Bus Master access is granted to the driver.

          Again, the industry is working towards hardware solutions to these problems, but it takes a long time to spin updated processors to implement new technologies.

          1. Charles Manning

            Re: BIOS? It's all UEFI nowadays

            "it takes a long time to spin updated processors"

            If the security hole is not in the CPU, then it is hard to see how the CPU can fix it.

            Sure MS can be sure the driver is OK, but what if the hardware itself is doing the accesses without even the driver's say so?

            For a crust I occasionally do work with Altera SOCFPGAs. These are an FPGA and dual-core SOC that sit as bus masters on the same RAM. Since they share RAM, the FPGA can read/write wherever it wants without the CPU being able to stop it.

            The FPGA can also access the SOC peripherals (hard ethernet controllers, GPIOs, MMC etc etc) as part of the memory map, but the CPU can limit access onto those buses.

            Just like the NSA probably got Intel to backdoor their CPUs, it would also be easy for them to backdoor something like an ethernet controller. Most ethernet controller designs only come from a few vendors such as Designware. If Designware was sufficiently motivated by threats, dollars or patriotism they could easily plant a small state machine in an ethernet controller that acts on malformed naughty packets and goes and reads/writes RAM and sends the data out again as an ethernet frame.

            I'm not saying Designware are naughty, just using them as a for-example.

            The only way to solve these sorts of issues is to design the whole system security from the buses up. That's a challenging thing to do and it can't be retrofitted or fixed by changing from Windows to Linux.

            1. Anonymous Coward

              Re: BIOS? It's all UEFI nowadays

              "The only way to solve these sorts of issues is to design the whole system security from the buses up. That's a challenging thing to do and it can't be retrofitted or fixed by changing from Windows to Linux."

              The ONLY only way to solve this issue is to not trust anyone and build your own system from the ground up, seeing as how anyone else you add to the mix could really be a government mole...

    2. Voland's right hand

      Re: The CPU isn't the only bus master

      1. The Thunderbolt attack is as old as Firewire. Literally. You could swipe all of the memory on older Macs via a Firewire attack and analyze it at leisure. It is however a _DIFFERENT_ threat and attack.

      2. Putting malware components into video RAM is as old as SVGA. It was done multiple times going as far back as the 1990s. The moment you could map video memory properly (starting with VESA cards) was the moment that became possible, and it was used from time to time.

      The biggest problem for malware is to be undetected on disk and at load, not at runtime. Going into GPU memory does not help you with the first two; it helps only with runtime evasion. If you are going to go through the effort of non-x86 coding you might as well code some malware for MMU-less ARM Linux and load yourself into the hard drive firmware. No detection on disk, no detection on load, no removal. Check, Check, Mate.

      1. Anonymous Coward

        Re: The CPU isn't the only bus master

        "No detection on disk, no detection on load, no removal. Check, Check, Mate."

        But whatever channel you use to get onto the firmware should be the same channel to get it out again by a clean flash. Unless you're saying they can infiltrate the firmware AND block a "nuke from orbit". That's the #4 condition of a good malware: able to avoid being swept clean, because who cares if they detect you once you're there, if you've become too entrenched to remove AND too valuable to abandon.

    3. CheesyTheClown

      Re: The CPU isn't the only bus master

      Just to nitpick... the wording you're using isn't entirely reliable. In all modern architectures, the PCIe bus is directly connected to the CPU, which also hosts the MMU. The line between CPU and MMU has been blurred a great deal and as a result it would be highly inaccurate to suggest the CPU is not the bus master anymore. In a modern PC platform, I can't imagine any data which passes card to card or device to memory which isn't passed through the CPU.... chip.

      It's probably important that, for the purpose of wording in the future, we find a way to differentiate between the logical CPU and the physical package.

  3. Anonymous Coward

    WinX

    "Hidden password-stealing malware lurking in your" ...

    Installed Windows 10 have we, Sir?

  4. Wade Burchette

    Intel "security"

    Considering that McAfee antivirus couldn't find water standing neck-deep in the ocean, I don't trust this report. You would think that with all the cash Intel has, McAfee would turn into an efficient, fast, and effective antivirus product. Sadly, it has not. If you cannot do the basics correctly, can I expect you to get something more complicated correct?

  5. Spaceman Spiff

    Nah. They aren't in the GPU. They are in the BIOS firmware, and disc drive firmware. Caveat Emptor!

  6. CheesyTheClown

    Don't forget the capacitors.

    It has been proven beyond any plausible doubt that:

    a) All viruses are at least temporarily stored in capacitors

    b) No virus company has taken this threat seriously

    Both older electrolytic and more modern tantalum capacitors have been used for reliable short term storage of nearly every virus during their time in short term memory systems.

    In addition, since capacitors are highly sensitive to audible sounds (consider what happens when you hold a telephone close to an amplifier which also contains these capacitors), it is obvious that there is an endless number of methods which can be used to disrupt data flow or even act as triggers. Consider a device no more complicated than a Walkman radio from the 1980s feeding electromagnetic pulses into the air, with the right microphone being used to record back the signal to be deciphered later.

    I believe companies such as Symantec, McAfee, ... all the security experts should contact companies like Foxconn and Asus and make it clear that by including capacitors on motherboards, they are leaving nearly every computer on the planet wide open to any virus which could exploit such a method.

    As a consumer, you should NEVER purchase ANY device containing capacitors as they are such a high security risk and viruses stored in capacitors are 100% undetectable.
