Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Malware Now Hiding In Graphics Cards

timothy posted 1 year,27 days | from the batteries-graphics-cards-and-lcd-screens dept.

Security 125

mask.of.sanity writes "Researchers are closing in on a means to detect previously undetectable stealthy malware that resides in peripherals like graphics and network cards. The malware was developed by the same researchers and targeted host runtime memory using direct memory access provided to hardware devices. They said the malware was a 'highly critical threat to system security and integrity' and could not be detected by any operating system."

Sorry! There are no comments related to the filter you selected.

Well... (4, Insightful)

Statharas (2901227) | 1 year,27 days | (#44965163)

3 years ago I thought of this possibility, but everyone laughed and pointed at me in my local community. Guess who's laughing now.

Re:Well... (0)

Anonymous Coward | 1 year,27 days | (#44965317)

I can't believe this is a new public notion. Haven't they been warning about hardware bugs in network equipment for years? Why would a computer be any different?

Re:Well... (1)

Nadaka (224565) | 1 year,27 days | (#44965369)

This is NOT a new thing. Malware has been reprogramming video cards since the 80's

Re:Well... (5, Funny)

slashmydots (2189826) | 1 year,27 days | (#44965383)

You're right. Some of the crappier manufacturer's card firmware flashes basically are malicious attacks on the card that shuts them down instantly, lol.

Re:Well... (0)

Anonymous Coward | 1 year,27 days | (#44967135)

Undoing moderation...

Re:Well... (0)

Anonymous Coward | 1 year,27 days | (#44967207)

As AC...seems legit.

Re:Well... (0)

Anonymous Coward | 1 year,27 days | (#44965583)

Back in the day, I heard of malware that would cause your video card to send a signal that would cause your CRT to fail.

Re:Well... (2)

icebike (68054) | 1 year,27 days | (#44966669)

Back in the day, I heard of malware that would cause your video card to send a signal that would cause your CRT to fail.

Back int the days of CRTs that didn't take malware. You could kill them easy enough just by setting the video cards to improper refresh rates.
There were a whole series of Tatung monitors that were particularly prone to this.

Re:Well... (0)

Anonymous Coward | 1 year,27 days | (#44967107)

Forget not, Lucky Goldstar.

Killing a CRT (1)

ArchieBunker (132337) | 1 year,27 days | (#44967139)

I suspect a wrong refresh rate killing a CRT is an urban myth. Even the cheapest monitors that supported power saving simply shut off if they encountered something they couldn't handle. *Maybe* it would have been possible in the early days of fixed refresh rates and resolutions but I'm still skeptical. Who would even sell something so easily damaged?

Re:Killing a CRT (3, Insightful)

icebike (68054) | 1 year,27 days | (#44967201)

Simply shutting of was a step up from the early technology. I don't remember the details but I think it had something to do with burning out some capacitor used in conjunction with the fly back transformer. A three cent part that took 100 bucks to get to and repair.

Not an urban legend I assure you. And the guys getting bit most often were Linux guys trying to figure out X config setting.

Back in the day I was selling a lot of hardware and had to process many warranty returns through our shop.

Re:Killing a CRT (2)

jones_supa (887896) | 1 year,27 days | (#44967337)

AFAIK it's not a myth at all. We're just talking about really old, crusty monitors. They didn't have enough smarts to do some sanity checking for the signal.

Re:Killing a CRT (2)

symbolset (646467) | 1 year,27 days | (#44967403)

I assure you it is completely legitimate.

Re:Killing a CRT (0)

Anonymous Coward | 1 year,27 days | (#44967969)

The Commodore 1960 monitor had no protection from oversync. There were public domain utilities for the Amiga that would allow you to change the refresh to whatever you want. I ran one of these utils, my monitor made a quick squeal and all the magic smoke came out the back.

Re:Killing a CRT (1)

xenobyte (446878) | 1 year,27 days | (#44967995)

I suspect a wrong refresh rate killing a CRT is an urban myth. Even the cheapest monitors that supported power saving simply shut off if they encountered something they couldn't handle. *Maybe* it would have been possible in the early days of fixed refresh rates and resolutions but I'm still skeptical. Who would even sell something so easily damaged?

NEC? - Back when I when to school in the early 1980's we had a bunch of Rc702 Piccolo microcomputers (Z80-based, ran CP/M) and the attached CRT monitor was capable of 80x25 text and was basically a rebranded standard NEC extremely common at the time (http://en.wikipedia.org/wiki/File:Hillebrandt_regnecentralen_rc700-piccolo.jpg). A friend and I was playing around with the CP/M provided and actually hacked it (disassembled, modified and recompiled) to be able to run two programs at once, plus we added a status line (line 26) showing some information (program in front, misc. lock status etc.) and a clock. Now the extra line was about all that could be added without damaging the monitor. Adding line 27 would make it sing and if you add more... Well... A technician from Regnecentralen was so convinced that their hardware could not easily be damaged by software that he entered into a bet about it, and a 7-byte program later he had a smoking and very dead monitor on his hands. There was NO safety limits to what it would accept. So yes, someone was selling something easily damaged.

You were not alone (0)

Anonymous Coward | 1 year,27 days | (#44965365)

This has been a fear of security people for years now (I think we discussed the possibility of this type of attack in a Foundstone class I took 2005.)

Re:You were not alone (5, Informative)

Smallpond (221300) | 1 year,27 days | (#44966147)

The problem is that every card on a PCIe bus can be a master, has access to all of memory, has a processor of some kind, and has insecure firmware. Pick any popular card - network, storage or graphics - and you have a potential attack. Find a bug people are having and post a fix or a tool to fix it [softpedia.com] . There will always be some sucker who will download it and run it.

Re:You were not alone (3, Informative)

Anonymous Coward | 1 year,26 days | (#44968187)

The problem is that every card on a PCIe bus can be a master, has access to all of memory, has a processor of some kind, and has insecure firmware.

AMD was ahead of the curve on this, their CPUs have have a low-level IO manager since around the K8 microarchitecture.

The IO logic block sits between the CPUs interface bus and the memory controller (which is on the CPU, remember) and basically functions like a page-table for direct hardware access so you can actually remap the physical RAM at the hardware level from the perspective of the other devices. [i.e. set it up so that only the parts of the RAM which is being intentionally shared for DMA can be accessed by non-CPU hardware and everything else is unaddressible.

Intel has added their own manager to their newer CPUs as well so this hole is finally being closed up once the Intel feature becomes common enough for Windows to include drivers and low-level logic to use it.

Re:Well... (2)

BLKMGK (34057) | 1 year,27 days | (#44965459)

Yeah, their software finds the malware they wrote to hide in graphics cards - bravo....

Re:Well... (5, Informative)

Anonymous Coward | 1 year,27 days | (#44965543)

3 years ago I thought of this possibility, but everyone laughed and pointed at me in my local community. Guess who's laughing now.

Everything old is new again;

    The Virus Writer's Handbook: The Complete Guide
    (c) 1992 Terminator Z (AKA Harry McBungus)
    http://vxheaven.org/lib/static/vdat/tumisc09.htm

    [...]

      6.4 Himem: above TOM

        (TOM stands for Top Of Memory if you didn't know)

        There are plenty of places in the high memory region for viruses to find
        a cosy hidey-hole, but most are not very safe. They exist in video
        memory, shadow RAM areas and so forth. Programs such as QEMM utilize
        such holes to load drivers and shit, but what's the point of devoting 1k
        of code to find a failsafe hole when you can hide somewhere else for
        less?

        Hiding in video ram is utterly stupid, but nevertheless some programmers
        insist on loading them there. Hmm, maybe they could hook int 10h (video)
        to intercept any calls to change modes and move themselves
        accordingly............... hmm that's actually not a bad idea. But
        where to move to? Why not stay somewhere else and save the bother?

        Also, remember that the majority of PCs in the world are (still) shitbox
        XT's -- they don't have RAM in areas which aren't used, unlike 286/386
        machines and above. You might as well try scratching your name into a
        diamond with a steel file.

        Don't bother with this method unless you're adventurous or stupid.

        Viruses which use this technique:
                        MG-3

    [...]

Re:Well... (0)

Anonymous Coward | 1 year,27 days | (#44966009)

That's just pushing some of the malware's memory off to VRAM. That's not the same as putting a graphics card in a computer and having it haxor you: the computer has to be haxored to begin with. It's still neat, don't get me wrong.

Re:Well... (0)

Anonymous Coward | 1 year,27 days | (#44965669)

Video cards are basically mini computers in themselves, or as I like to jokingly refer to them "NVidia/AMD Consoles".

Re:Well... (1)

niftymitch (1625721) | 1 year,27 days | (#44966289)

Video cards are basically mini computers in themselves, or as I like to jokingly refer to them "NVidia/AMD Consoles".

Not mini... the processing power in modern graphic cards and subsystems is serious stuff.

Rumors are that newer designs are more symmetric and while most are to be dedicated to
driving displayed content that dedication can be toggled or the balance shifted
to give the OS more cores to do work.

The value of this is a don't care to Microsoft. They seem to be well
trained by the GigHz banter of one CPU designer and maker. Power
management is another omission in the OS design matrix. Perhaps
with better instrumentation on chips & motherboards things will improve.

None of this is the full answer. Decades ago I played with X windows
with the server and client separated via a serial line IP link. The slow
link made it obvious that the layers and layers of libraries were not well
designed. With the most trivial event I would see the screen redraw itself
many many times. No wonder perf sucked and the good news is that
we were able to sell hardware upgrades as fast as we could design them.

I wonder if the dot in /. is a reminder to contemplate your navel
and look inward at things?

Re:Well... (1)

Anonymous Coward | 1 year,27 days | (#44966879)

I wonder if the dot in /. is a reminder to contemplate your navel and look inward at things?

No, that's a guy standing next to the Leaning Tower of Pisa.

Re:Well... (0)

Anonymous Coward | 1 year,27 days | (#44967497)

You realize i'll see THAT image every time i see /. Now?!? Hmmm... Could be worse...

Re:Well... (1)

jones_supa (887896) | 1 year,27 days | (#44967359)

Rumors are that newer designs are more symmetric and while most are to be dedicated to driving displayed content that dedication can be toggled or the balance shifted to give the OS more cores to do work.

I'm not sure what that would mean. The current GPUs are able to give you pretty much all the cores (shader units) to do general purpose work if you want to.

Re:Well... (1)

dave562 (969951) | 1 year,27 days | (#44966239)

I agree. What do they mean "now" hiding in graphics cards? My dad, who was programming back in the 60s, suggested this to me when I started getting interested in assembly coding and viruses in the mid-1990s.

Seriously? Did no one see this coming? (5, Insightful)

erroneus (253617) | 1 year,27 days | (#44965167)

This ridiculous push to offload every type of programming into GPUs including bitcoin mining and no one saw this possibility? (Sarcasm, I know people saw the possibility.)

Measures could have been taken... but then again, what better way for the NSA and other government spies to infiltrate a computer independent of an operating system than this? Seriously. It'll work on Mac, Windows and Linux with or without proprietary drivers.

Re:Seriously? Did no one see this coming? (-1, Troll)

Anonymous Coward | 1 year,27 days | (#44965253)

That's because Israel is working with the NSA to oppress the American people, which is actually pretty easy because America loves to die for God's chosen people.

Re:Seriously? Did no one see this coming? (2)

Jah-Wren Ryel (80510) | 1 year,27 days | (#44965291)

Measures could have been taken...

Any system with an IOMMU [wikipedia.org] can be made immune to this sort of attack.

Re:Seriously? Did no one see this coming? (0)

Anonymous Coward | 1 year,27 days | (#44965349)

If and only if there is sufficient IOMMU resources... and are not disabled by the drivers...

WRONG (0)

Anonymous Coward | 1 year,27 days | (#44965441)

packet payloads can be manipulated on the card long before the data even gets to the dma buffers

Re:Seriously? Did no one see this coming? (0)

Anonymous Coward | 1 year,27 days | (#44965585)

Or Intel's version - VT-d.

Look into the Qubes OS [ http://qubes-os.org/ ] for a very good implementation of this for general desktop computing.

IOMMU (4, Informative)

Bruce Perens (3872) | 1 year,27 days | (#44965899)

Yes, when I saw this I thought that this was a reason to make motherboard IOMMUs a security feature. Also, the DMA destination memory pages should not have the executable bit turned on. Recent generations of Intel/AMD CPUs have provided the ability to turn that bit off.

Re:IOMMU (2)

Burz (138833) | 1 year,26 days | (#44968203)

Yes, when I saw this I thought that this was a reason to make motherboard IOMMUs a security feature. Also, the DMA destination memory pages should not have the executable bit turned on. Recent generations of Intel/AMD CPUs have provided the ability to turn that bit off.

Qubes implements [qubes-os.org] this security feature. Pretty much every peripheral is isolated from the core system / hypervisor via the IOMMU, and it even runs X11 and the network stack in separate VMs. It is probably the only Linux (or Linux-ish) system to secure these known vulnerabilities.

You can also do the same for other hardware devices (assign hardware to certain VMs) using the GUI, along with a lot of other really nice point-and-click features. Security context is reflected in the GUI using window colors.

A final note: Multi-user is actually deprecated and security is all based on domains. The system is designed to function strictly as a single-user PC (in fact, the focus is more toward laptops), which I find refreshing. If you need multiuser you can always create an HVM to run non-native OSes.

Re:Seriously? Did no one see this coming? (0)

Anonymous Coward | 1 year,27 days | (#44967175)

Hopefully some other folks will now join me in my being pissed at lack of IOMMU support in random subsets of Intel's product line. Its a critical feature. Without it, all PCIe based stuff (graphics cards, FireWire, thunderbolt etc) all have full read/write memory access. Thats horrible.

Re:Seriously? Did no one see this coming? (0)

Anonymous Coward | 1 year,27 days | (#44965293)

This ridiculous push to offload every type of programming into GPUs including bitcoin mining

Or, you know, programs that benefit from running on a specialized highly-concurrent processor cluster (aka GPU). Graphics and hashing are just two examples.

Re:Seriously? Did no one see this coming? (2)

DeadCatX2 (950953) | 1 year,27 days | (#44965307)

The payload might be agnostic to the OS, but what about the dropper? I would imagine that would have to be custom-tailored to each OS. Unless the manufacturers are letting NSA drop the payload in before it gets to the consumer.

create your own payloads (5, Interesting)

Anonymous Coward | 1 year,27 days | (#44965465)

network cards can create magical endpoints from thin air without having to send or receive any packets

or they can look for a specific pattern in a packet and ship its contents to a preordained destination

don't try to think about what they cannot do, think about what they can do, it's frightening

Re:Seriously? Did no one see this coming? (2)

slashmydots (2189826) | 1 year,27 days | (#44965399)

I actually still don't see the possibility. Bitcoin mining uses the GPU cores and a tiny amount of graphics memory. You turn off the computer and all the GPU caches and GDDR5 is wiped. Hiding malware in the video BIOS is unrelated to hashing and bitcoin operations. The BIOS certainly has enough system permission and is big enough though!

Re:Seriously? Did no one see this coming? (1)

MickyTheIdiot (1032226) | 1 year,27 days | (#44965431)

Bitcoin mining with the GPU is almost over. The way it is done these days is through specialized ASIC circuits. So really it's not all that relevant anymore.

Re:Seriously? Did no one see this coming? (2)

Molochi (555357) | 1 year,27 days | (#44965561)

Bitcoin mining with your own GPU is almost over.

What if you aren't paying for the hardware or the electricity bill on a thousand machines?.

Re:Seriously? Did no one see this coming? (1)

Anonymous Coward | 1 year,27 days | (#44965793)

Then you're a thief...

Re:Seriously? Did no one see this coming? (0)

Anonymous Coward | 1 year,27 days | (#44966297)

solar!

Re:Seriously? Did no one see this coming? (1)

davydagger (2566757) | 1 year,27 days | (#44966769)

still a $25 dollar ASIC now has the hash rate of a high end video card that costs over $200. the ASIC uses 2.5 watts, plugs into a usb port, is silent, and requires little physical space, and can be run from a raspi.

GPU mining, fuck off

Re:Seriously? Did no one see this coming? (1)

dbIII (701233) | 1 year,27 days | (#44967043)

Bitcoin was never relevant apart from those poor sods that got tricked into the stupid virtual ponzi scheme. Even minecraft mining has more of a real effect on the world.

Re:Seriously? Did no one see this coming? (2)

BLKMGK (34057) | 1 year,27 days | (#44965587)

You are correct, he was talking out of his ass. These programs don't run "on the GPU" but rather utilize the GPU resources to do highly parallel processing that it's suited well for. That has exactly zippy to do with is being reported here.

And I'd ask - what firmware exactly? NVIDIA? AMD? Intel? Hell, on the new CPUs with video onboard where is the firmware even located? BIOS now there's some fun - even the same manufacturer has different code for different boards for different chipsets. I don't see anyone making anything that's not one off for that anytime soon even with UEFI supposedly making things more uniform. Safeboot and other things already check much of that anyway when enabled properly.

Re:Seriously? Did no one see this coming? (1)

Deus.1.01 (946808) | 1 year,27 days | (#44965425)

Not to mention how accecible it is to flash the shit from the OS...secure computing is fucking trash.

Re:Seriously? Did no one see this coming? (4, Insightful)

Dunbal (464142) | 1 year,27 days | (#44965563)

It's just another half-assed job. Computer tech is full of half-ass ideas that sounded pretty good but were never completed. The 640k limit and protected mode. Expanded/Extended memory through A20. Half assed effort by Lotus, IBM and Microsoft. Operating systems - sold as secure, almost as insecure as ever. About the only good thing is they don't usually automatically install malware from the internet without asking you first. Half assed. Trusted Computing - half assed. UEFI, half assed.

I don't know if it's a lack of budget, or if computer techies (not your regular coders but the guys that come up with this stuff and implement it) really have such short attention spans. Or maybe it's just a marketing thing - give us a new tech word we can market for this generation, it doesn't have to work, we'll just pretend it's something good and make people want it.

Re:Seriously? Did no one see this coming? (4, Insightful)

Anonymous Coward | 1 year,27 days | (#44966055)

Welcome to the real world!

If you open your eyes wide enough,you'll notice that pretty much everything is half-assed in one manner or another. This isn't necessarily a bad thing because doing the job "properly" is either impractical, too expensive, or takes too long. In reality, we don't even know what "properly" is most of the time.

I'd go as far as to say that humanity's real achievement is the ability to say "fuck it" and go forward with a pragmatic solution that's useful enough to come out ahead and not dangerous enough to kill us all.

Re:Seriously? Did no one see this coming? (1)

Kozz (7764) | 1 year,27 days | (#44967151)

I pretty universally blame management for not listening to their techies-with-brains for the loads of half-assed jobs of all kinds out there. I say "shit rolls downhill".

Re:Seriously? Did no one see this coming? (0)

Anonymous Coward | 1 year,27 days | (#44965477)

The thing is if the malware communicates with the outside world all you have to do is get a trustworthy router that allows you to view the traffic between a computer and the outside world from another computer. At worst the traffic is encrypted but at least you can see that there is unusual traffic and you can see the destination of the traffic. You can get packet inspection software to do it (Ethereal comes to mind but I'm sure there are others). If done right with the right equipment the hardware couldn't hide the existence of traffic and the source/destination (even if the traffic is encrypted). From there you can dig more into the hardware to discover the origin and intent of the traffic. So something like this would be hard to hide from someone looking for it.

Re:Seriously? Did no one see this coming? (0)

Anonymous Coward | 1 year,27 days | (#44965499)

(To continue off my last post).

Now the trick is, say the malware communicates with Microsoft during a windows update, the transition of which is encrypted. Perhaps the malware might be able to hide itself in that traffic and disguise itself as part of a Windows update. This could be more difficult to detect.

Or during your encrypted (https) connection with Bank of America or whatever website you are connecting to.

Re:Seriously? Did no one see this coming? (-1)

Anonymous Coward | 1 year,27 days | (#44965541)

Measures could have been taken... but then again, what better way for the NSA and other government spies to infiltrate a computer independent of an operating system than this? Seriously.

Perhaps this?

http://www.theregister.co.uk/2013/09/23/intel_stuns_world_with_wakeon3g/ [theregister.co.uk]

NSA already have a hidden 3G enabled backdoor straight in to your CPU and can even power up computers remotely and provide power to HDDs and access them remotely.

It even has it's own OS within the chip so your OS of choice doesn't matter

Re:Seriously? Did no one see this coming? (2)

drkstr1 (2072368) | 1 year,27 days | (#44966237)

Measures could have been taken... but then again, what better way for the NSA and other government spies to infiltrate a computer independent of an operating system than this? Seriously.

Perhaps this?

http://www.theregister.co.uk/2013/09/23/intel_stuns_world_with_wakeon3g/ [theregister.co.uk]

NSA already have a hidden 3G enabled backdoor straight in to your CPU and can even power up computers remotely and provide power to HDDs and access them remotely.

It even has it's own OS within the chip so your OS of choice doesn't matter

You say it as if fact, but you must have missed this line in the article: "No evidence is offered for the assertions detailed above."

Re:Seriously? Did no one see this coming? (0)

Anonymous Coward | 1 year,27 days | (#44966357)

You have to keep an open mind.

Re:Seriously? Did no one see this coming? (1)

Anonymous Coward | 1 year,27 days | (#44965715)

Oooh! Good, make sure you say NSA in every post!

Re:Seriously? Did no one see this coming? (1)

Anonymous Coward | 1 year,27 days | (#44965931)

A) The cross-platform advantage, as you present it, is tremendously smaller than the disadvantage of having to create specific-per-GPU implementations (Although I'm not that knowledgable in the GPU market, perhaps there's some Nvidia chipset that takes 80% of the market. I'm assuming that's not the case)

B) The cross-platform is not that important even by itself. This stuff matters more since those (viruses) are harder to detect by the OS / AV running on the OS.

IMHO it's not cost-effective. Creating generic viruses for Windows is still the best cost-effective. And since Mac and Linux users typically don't run any defense and are much more vulnerable than PCs running Win7/8, it's more of a matter of will.

Re:Seriously? Did no one see this coming? (0)

Anonymous Coward | 1 year,27 days | (#44965973)

Well, in fact you can't run such a code without quite high privileges for a reason. Simple shader won;t be able to read arbitrary memory. And it's easier to use graphics card's DMA to patch kernel with some evil code in keyboard procedure than monitor buffer all the time.

Old news and Prior Art. (2, Interesting)

Anonymous Coward | 1 year,27 days | (#44965351)

Interesting that security researchers are JUST NOW thinking about this. I was on an flight from San Diego to Japan back around 2005, seated next to a gentleman on his way to a computer conference - I believe it was HITB, and either Dubai or Malaysia - and we were chatting about the inevitability of computer virus exploits being used to co-opt hardware instead of operating systems. He had recently developed a way to suborn the Nvidia Geforce bios update process by presenting the card with a working update that contained arbitrary code. Once loaded into the BIOS, the update version number was far beyond any possible build number - so it could not be removed except by either replacing the card or by replacing the BIOS chip. If I remember correctly, the gentleman who I was talking to was rather interested in my mentioning that the most beneficial place to install similar software would be a networking card, as the network card could "listen" for command and control signals without the interference of the operating system or any security software - kind of an "outside the tripwire" situation.

Re:Old news and Prior Art. (1)

BLKMGK (34057) | 1 year,27 days | (#44965595)

and what did that checking of the version number? The flashing software? No problem, subvert that and you're back to a working card.

Re:Old news and Prior Art. (0)

Anonymous Coward | 1 year,27 days | (#44967919)

You may need working software to flash the bios and the new software may disable new bios flashes.

If designed and implemented correctly the way it should work is that it will

A: Keep a backup

B: Ensure a working interface is hard coded (ie: read only in a way that's physically impossible to remove) and always accessible (in case of a malicious update the someone can access the hard coded interface to change the bios).

C: Ensure that the update is digitally signed by NVidia.

Good security is possible but the problem is that manufacturers don't implement it because what good does it do them profit wise? Worst case scenario you get a virus that you can't undo from your chip and you have to go buy a new graphics card.

Part of the reason new computers do not come with a Windows 8 installation disks (and I even tried to contact the manufacturer to request one and they said they do not send them out for Windows 8. I even tried to tell them they are legally obligated to, not sure if that's true, and they kept giving me the run around and transferring me from person to person and refusing to send me a Windows 8 installation disk) is that if your operating system stops functioning after the warranty is up what do they care? You now need a new laptop and can't simply reinstall which is beneficial to their profit margins.

The problem here isn't one of manufacturers simply finding a pragmatic solution. It's one of them finding the most profitable course of action.

It took this long? (0)

Anonymous Coward | 1 year,27 days | (#44965377)

I've worked on GPU hardware since before we called them GPUs. I've also done malware investigation in my youth.

In 1998, I wrote a proof of concept for this very thing. I'm actually impressed it took 15 years for someone to go public with it.

Posting as AC for obvious reasons...

Cook out the bugs (5, Funny)

SpaceManFlip (2720507) | 1 year,27 days | (#44965379)

No worries, the malware will all get cooked out while I'm overclocking the GPU. Frequently I get driver crashes while it's OC'd, and sometimes the DX11 game will dump out completely, and other times it even causes artifacts in the game while I'm cooking it up over 85 C

So yeah, not too worried about the malware. Fever immunity FTW

Re:Cook out the bugs (4, Funny)

slashmydots (2189826) | 1 year,27 days | (#44965413)

Just make sure you're doing it correctly. The USDA recommends overclocking by at least 10% for 60 seconds or more to eliminate all strains of viruses.

Internal firewalls (0)

Anonymous Coward | 1 year,27 days | (#44965409)

It seems that internal (and that includes USB/Firewire etc) hardware and buses are now at a similar stage of development, security wise, to that of networking in the late 1980s: most hardware seems to be implicitly trusted, but its increasing intelligence means that formerly dumb peripherals now constitute a serious threat to the integrity of the system.

Removing DMA could wreck system performance, so, perhaps, the provision of an internal broker of some sort within systems is called for, similar in concept to a network firewall, and which would mediate peripheral access to memory, i/o, interrupts etc and, importantly, remove this task from the main CPU(s), which can increasingly be unstoppably bypassed by these threats.

Lovecraftian horror. (0, Troll)

Deus.1.01 (946808) | 1 year,27 days | (#44965415)

I spent almost two months trying to diagnose and fix this.

I reinstalled, tried to wipe the mbr and disk with zeroes, tried to reset CMOS on my stationary pc (try that on a fucking laptop)...

Since I depended on my laptop for my internship...missing work, using my limited resources(read medicine) trying to fix what i though to be fixable, to salvagable, to dear god give me another bottle of Grouse!

I installed both Avast and Malwarebyte(yes they worked together) some years ago...but somehow they didnt catch the wild changes in the registry, every location for programs was replaced with an CLSID exploiting that fucking virtualisation hack windows provided.
That and Alternative Data Streams....JESUS CHRIST!

I had internal winsock commands that came from absolute NOWHERE!

Im not an expert.....Im happy for people to call me mad and/or idiot.

But when a fresh install of Ubuntu decides to include every fucking packagea that includes virtualisation solutions....

"If I am mad, it is mercy! May the gods pity the man who in his callousness can remain sane to the hideous end!”

I have two laptops (one Ive sent to repair begging them to nuke every fucking ROM from space), the other overheats withing 30 minutes and my stationary...everything got certs I cant trust for shit.

Again, Am i dense? Have I panicked for nothing and led myself astray by red herrings? (This is not meant to be a tech support plea, just sort of...retorical)

Re:Lovecraftian horror. (0)

Anonymous Coward | 1 year,27 days | (#44965487)

You mad idiot.

Re:Lovecraftian horror. (0)

Anonymous Coward | 1 year,27 days | (#44965491)

yes you are dense

Re:Lovecraftian horror. (1)

Anonymous Coward | 1 year,27 days | (#44966353)

Someone needs to rewrite this in a more Lovecraftian style.

Re:Lovecraftian horror. (1)

Zontar The Mindless (9002) | 1 year,27 days | (#44967553)

^ Why we need a +1, Troll option for moderation. ^

alternative solutions (0)

Gravis Zero (934156) | 1 year,27 days | (#44965533)

- have your OS scan executables/libs before they are loaded
- disable GPGPU
- STAY OFF THE FUCKING INTERNET

Re:alternative solutions (0)

Anonymous Coward | 1 year,27 days | (#44965877)

None of which does a thing against the NSA bribing nvidia to install their malware in their cards for you. Or china bribing the people assembling the cards to do it themselves. Also, it's not gpgpu that's the problem, it's that the bus allows the game to tell the video card "ok read these textures from 0xdeadbeef to 0xfeedface" and everything just trusts the video card not to read from 0x0000... to 0xfffff... . See also how the firewire bus allows you to pwn a computer by plugging into it and taking over its RAM.

Staying off the internet might make it hard for the rootkit to phone home though, so I'll give you that.

Mine it (2)

dindi (78034) | 1 year,27 days | (#44965575)

That is why I mine crypto currencies with my graphics card 24/7 and liquid cool them.

The overclocking burns the malware out, then the distilled water flushes it out. My 99.8% pure silver kill coil takes care of any remaining parasites - just in case the UV lighting didn't burn them to death already....

Re:Mine it (2)

ortholattice (175065) | 1 year,27 days | (#44965937)

I flush mine out by giving it a Class-A compulsory directive to compute pi to the last digit. Since the value of pi is a transcendental figure without resolution, this is a task it can never complete.

Re:Mine it (1)

dindi (78034) | 1 year,27 days | (#44967037)

Almost as useless and annoying as mining primecoin then :)

Nothing new here (2, Interesting)

msobkow (48369) | 1 year,27 days | (#44965657)

I remember a "dinosaur" telling me about an S/390 "virus" in my youth. It was written to infect the disk, drum, and tape controllers, and to replicate itself to any uninfected devices in the system.

It was relatively harmless. It would periodically pop up a console message like "I want a cookie.", and lock up the system until the operator typed in "cookie".

However, apparently the only way to purge the thing was to replace all the hardware controllers at the same time.

Whether true or not, I do not know. But it's the oldest "virus" story I've ever heard -- it was told to me way back in the 80s.

Re:Nothing new here (2)

Jah-Wren Ryel (80510) | 1 year,27 days | (#44966153)

Sounds like the Multics Cookie Monster. [multicians.org]
The Wikipedia entry has a slightly different take on the story. [wikipedia.org]

Re:Nothing new here (1)

msobkow (48369) | 1 year,26 days | (#44968299)

Analogous programs were even coded for non-Multics systems...

A variant on it at least.

This can become serious (0)

Anonymous Coward | 1 year,27 days | (#44966011)

If this things gets for real we will have a Crysis.

Dichotomies, abound... apk (0)

Anonymous Coward | 1 year,27 days | (#44966043)

Think about it: The second EEPROM's came around/flashable BIOS' in equipment? The "doors opened" for this type of thing to occur folks...

* Everything has 2 sides, & it ALL depends on what set of 'rosie colored glasses' & perspective you maintain...

APK

P.S.=> In other words - as nice as flashable proms are, it was only a matter of time before malware makers took advantage it as well. Technically though? A 'reflash' would/should, take care of it (no, I didn't read the article, but I imagine this is just a variation of the theme I just expounded upon here, based on technical fact)...

... apk

Re:Dichotomies, abound... apk (0)

Anonymous Coward | 1 year,27 days | (#44968007)

What? No HOSTS file solution for this? I'm disappointed!

Huh? (1)

Obfuscant (592200) | 1 year,27 days | (#44966113)

They said the malware was a 'highly critical threat to system security and integrity' and could not be detected by any operating system."

Can someone 'splain that, or is it just nonsense? The malware was put into the GPU or whatever by a program running on the OS, why can't another program on the OS detect it? Write Only Memory?

Re:Huh? (1)

Anonymous Coward | 1 year,27 days | (#44966229)

Basically, they claim it's possible to send data... which I suppose could be an exploit... directly to the GPU's memory via DMA from a malicious piece of hardware. it would be undetectable, because graphics card memory is separate from system memory. Nothing checks graphics memory for malware, because generally: 1) a normal app has to be running (thus this app would be detectable) to run GPU code, and 2) code running on the GPU generally can't do all that much

The practicality of this "attack" is questionable to me.
Assuming they were able to even reflash the video card (to avoid the computer being disinfected by being reset), I'm not sure the malicious code could interact with the rest of the system (read main memory, disk, network) and hence send any kind of useful information to anyone. It could spy on your bitcoins as you find them, but it'd lack the ability to steal them.

Running code on the GPU is easy. Running GPU only code to do something useful... that is what I'm still not convinced is possible.
I'm puzzled by the utility of this...

Re:Huh? (0)

Anonymous Coward | 1 year,27 days | (#44966461)

That is a possibility. The GPU can map sections of it's memory as "write only". What that really means is that it's "write only" from the other side of the bus, the GPU itself has full permission to read, write, and execute that block of memory flagged as "write only". On top of that it's not too hard to overwrite, just force a Direct3D device or OpenGL context open into that section of memory and load a null array as "dynamic", overwrites the flags so that it's only "write only" to the program that allocated that block.

There is just so much nonsense in the GPU that makes it a prime target for a virus to set up shop, I'm surprised the majority of virus are still CPU side.

Bad summary... (4, Informative)

slew (2918) | 1 year,27 days | (#44966553)

Basically this theorized malware would use the GPU (or other DMA capable device in the system) to bypass page permissions. Since most operating systems depend on virtual addressing and CPU page permissions to protect things, having a DMA capabile device that didn't respect page permission could easily bypass the assumptions made by most OS's and malware detection programs.

The problem is of course with the limitations of current malware detection programs. They could of course theoretically detect GPU viruses as they need to exist somwhere (even GPUs execute instructions and have page tables for their memory). The problem is that there are so many different types of GPUs and each has a different proprietary driver architecture, current malware detection companies don't have enough information or experience to even attempt to try this even if they had the desire and the resources. Then again maybe the GPU vendors have built in malware in their drivers (kinda like some of the phone-home free-pdf/fax printer drivers). If so, you are just screwed.

FWIW, there was an attempt a few years ago to impose an IOMMU into the PC architecture that could filter DMA requests from devices. The idea was that if the OS was in control of the IOMMU, like the page tables, it could disallow a DMA request from a rogue device request similar to how it could trap a CPU access. I lost track of this, but I doubt it will go anywhere...

However, this isn't usually the weak point in the chain, this is merely a theoretical threat kind of like warning people about how installing random program on their PC is a "highly critical threat to system security and integrity" when most folks have a browser setting that allows running just about any browser plugin suggested by a random web-page by merely clicking "OK" when the warning dialog box comes up. It's just scary because you've never heard of it before and it's yet another thing to worry about.

Re:Bad summary... (0)

Anonymous Coward | 1 year,26 days | (#44968171)

http://en.wikipedia.org/wiki/List_of_IOMMU-supporting_hardware

It is more for virtualisation then as a security feature like you mention though. I was looking into this last year because I like the idea of running just a bare-metal hyper-visor and being able to load a windows virtual machine if I want to play games or a linux vm for anything else. The IO-MMU allows you to have direct access to the video card from a virtual machine...

Deceptive title (0)

manu0601 (2221348) | 1 year,27 days | (#44966585)

Slashdot's title is deceptive: that is not a real malware but a PoC created by the researchers. They just fight their own creation.

Re:Deceptive title (0)

Anonymous Coward | 1 year,27 days | (#44966943)

When Tegra grabs a bit more share, this will be back in the news with a fresh coat of surprise.

This is old news indeed (0)

Anonymous Coward | 1 year,27 days | (#44966613)

I've worked in GPU software since before they were GPUs, and in my youth I "researched" malware and viruses.

I wrote a proof of concept for a GPU virus in 1998 (no suspicious code executing on the CPU). I'm quite surprised that it took this long for someone to actually make it into actual malware.

Posting as AC for obvious reasons.

Undetectable stealthy malware .. (1)

codeusirae (3036835) | 1 year,27 days | (#44966893)

How does this malware get onto the targeted system, without user action or root access?

Bigger scope to this solution... (4, Informative)

Shoten (260439) | 1 year,27 days | (#44967213)

The article actually refers to being able to detect the malware; the key here is DMA, or "Direct Memory Access." DMA is in use by a great many things, including FireWire (IEEE 1394), USB 3.0, and Thunderbolt as well as many internal peripherals like graphics cards.

Why, you ask? Simple...for performance. If you think of memory as being like a big warehouse, other methods are like having a guy at the front of it on the other side of that counter...you know, the one with the fencing and a little slot for you to pass him your invoice so he can go get what you came to pick up? You show up, give him the invoice, he looks at it, goes to get exactly the thing you're allowed to take, and brings it to you. This is secure, but also a bottleneck. DMA, on the other hand, is more like having that guy standing at the front door to the warehouse, just making sure you have an invoice at all...then he waves you on through to go get it yourself. Obviously, that has security ramifications. [crackpassword.com]

And that's the real key to this threat...if they've come up with a way to detect attacks like that, they've come up with a way to defend against them coming from more than just malware in a graphics or network card. They've come up with a way to help protect against password-reading via USB 3.0 ports and the like as well. It would also, however, provide more methods for counter-forensics...so its a double-edged sword.

Gulf war flashbacks (1)

Anonymous Coward | 1 year,27 days | (#44967265)

No one remembers the altered printers the Iraqis got?

OpenBSD impact (1)

cpm99352 (939350) | 1 year,27 days | (#44967747)

Given the recent revelations including NIST weaknesses, does OpenBSD withstand the likely attacks?

Its real: Gigabyte mb seem more vulnerable (0)

Anonymous Coward | 1 year,27 days | (#44967801)

I thought Geforce was doing this to my motherboard 5+ years ago. When I reproduced the same type of problems with newer ATI and Gigabyte motherboards, I became a beleiver. The Gigabyte motherboards, with its dual bioses , somehow became corrupted. It Sucks.

Re:Its real: Gigabyte mb seem more vulnerable (0)

Anonymous Coward | 1 year,27 days | (#44968031)

Yeah, I had one of those dual-bios gigabyte boards too. Damn backup bios got corrupted before it ever got used.

Is flashing the graphics card enough to remove (1)

MultiPak (2475794) | 1 year,27 days | (#44967939)

Is flashing the graphics card enough to remove? Yes, No, Maybe?

Useless in NT 4.1 (1)

Khyber (864651) | 1 year,27 days | (#44968049)

Windows NT4.1 explicitly disallowed DMA to video memory. Want to venture a guess as to why?

But of course, now you get DMA to the video card in later versions of Windows. Devs hated not having DMA.

Reap what you sow, instead of trying to follow good security practice.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?