New Whitepaper Claims GPUs Threaten Malware Security

For the past 3.5 years or so, NVIDIA has ardently advocated the GPU as a computational platform capable of solving almost any problem. One topic the company hasn't targeted, however, is the tremendous performance advantage the GPU could offer malware authors. The idea that a graphics card could double as a security hole isn't something we've heard before, but according to a paper by Giorgos Vasiliadis, Michalis Polychronakis and Sotiris Ioannidis, it's an attack vector whose popularity could boom in coming years.

The trio argues that all the computational hardware that makes the GPU such an ideal fit for certain types of scientific or graphical workloads could (and will) deliver equal benefits to workloads with considerably darker aspirations. The group wrote two CUDA applications demonstrating the proficiency of GPU-based runtime polymorphism and code unpacking. These two techniques are designed to prevent security white hats from detecting or analyzing malicious code. As you might imagine, the GPU performed both tasks with considerable aplomb. Although the researchers chose to write their proof-of-concept applications using CUDA, it's not because of any security risk particular to that language (or NVIDIA). At the moment, CUDA is the most widely used language for GPGPU applications; the team notes that including an OpenCL version of the malware package would be trivial.

GPUs, the paper argues, threaten on two fronts. First, there's simple performance—GPU malware could perform far more work than traditional CPU-based schemes. Second is the issue of detection. The traditional means by which malware is typically detected are largely inapplicable when it comes to the GPU. Once code is transferred to the GPU, it's essentially cloaked—there's no mechanism by which a CPU-based program can monitor a GPU program to the degree that's theoretically required. With its plentiful supply of local RAM, malicious code can hide in the shadows, conversing with the CPU only on occasion, and only to transfer apparently innocuous bits of data.

More Watch Than Warning

The paper highlights an interesting and new attack vector, but we wouldn't raise a full alarm just yet. Before threats leveraging GPU assets can become widespread, programmable GPUs must achieve near-total market penetration. Malware, by its very nature, is built to run on as many systems as is (cheaply) possible. Esoteric or high-profile exploits tend to get the most press, but badware creators don't generally try to create highly-targeted software packages aimed at stealing Cyberdyne's plans for a liquid-metal terminator. It's much simpler to exploit human stupidity, trick people into installing/downloading software that'll run on any system back to the introduction of IA-32, and then commence hijinks.

Yummy Facebook hijinks. Nomnomnom

You might think that every gamer would have upgraded to at least a DX10-capable video card by now (even if running XP)—but you'd be wrong. According to the latest batch of Steam survey results, 18 percent of its users game on GPUs that support DirectX9 with PS2.0b or PS3.0 shaders. That's enough to severely retard criminal interest right there; we'd presumably see an even higher number of older parts if we conducted the same survey across corporate America.

Even once every GPU supports CUDA (or OpenCL, DirectCompute, etc.), there will always be a question as to whether or not the 'right' version is supported. A G80 can run CUDA programs—provided they're written to conform to CUDA 1.0 requirements. Again, there are issues of compatibility to consider, which potentially forces the black hats in question to write code that can run on any GPU and sacrifices performance in the process.

The threat is credible enough that we expect to see additional safeguards and detection systems developed as time goes by. For now, GPU-assisted malware is a theoretical problem of potentially enormous proportions, but theory is all it is. That said, we can almost see the glee with which McAfee and Norton would view this new development—what better way to combat GPU malware than with GPU antiviral products?
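One host-side check a defender can run today, added here as an illustration and not taken from the paper or this article: code only reaches the GPU through a CPU process that has mapped a GPU compute runtime, so auditing which processes map those libraries narrows where to look. The allowlist, paths, PIDs and maps lines below are constructed sample data, and the library name list is an assumption to extend for your own fleet.

```python
import re

# Host-side runtime libraries a process maps before it can launch GPU compute
# work (CUDA driver API, OpenCL ICD loader). Linux names; assumption: extend
# this list for the vendors and platforms you actually run.
GPU_RUNTIME = re.compile(r"/(libcuda|libOpenCL|libnvidia-opencl)\.so(\.[\w.]+)?$")
DELETED = " (deleted)"  # suffix the kernel appends to paths unlinked from disk

# Constructed allowlist of executables expected to use GPU compute.
EXPECTED = {"/usr/bin/blender", "/opt/render/worker"}

# Constructed sample: {pid: (target of /proc/<pid>/exe, text of /proc/<pid>/maps)}
SAMPLE = {
    101: ("/usr/bin/blender",
          "7f10a0000000-7f10a0200000 r-xp 00000000 08:01 1311 /usr/lib/libcuda.so.1\n"),
    202: ("/tmp/.cache/upd (deleted)",
          "7f22b0000000-7f22b0200000 r-xp 00000000 08:01 1412 /usr/lib/libOpenCL.so.1\n"
          "7f22b0400000-7f22b0500000 rw-p 00000000 00:00 0\n"),
    303: ("/usr/sbin/sshd",
          "55d0c0000000-55d0c0100000 r-xp 00000000 08:01 2001 /usr/sbin/sshd\n"),
}


def parse_maps(text):
    """Yield the path of every file-backed mapping in /proc/<pid>/maps text."""
    for line in text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(fields) == 6 and fields[5].startswith("/"):
            yield fields[5]


def audit(procs):
    """Return (pid, exe, reasons) for GPU-runtime users that look out of place."""
    findings = []
    for pid, (exe, maps_text) in sorted(procs.items()):
        paths = (p.replace(DELETED, "") for p in parse_maps(maps_text))
        if not any(GPU_RUNTIME.search(p) for p in paths):
            continue  # process has no GPU compute runtime mapped
        reasons = []
        if exe.replace(DELETED, "") not in EXPECTED:
            reasons.append("unexpected GPU compute user")
        if exe.endswith(DELETED):
            reasons.append("executable unlinked from disk")
        if reasons:
            findings.append((pid, exe, reasons))
    return findings
```

On a live Linux host the same dictionary can be built by reading `/proc/<pid>/maps` and resolving the `/proc/<pid>/exe` symlink for each PID.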
Via:  Whitepaper
lonewolf 4 years ago

Intel has a built in virus code or tool in their processors perhaps the GPU could do the same.

3vi1 4 years ago

Alarmist BS.

Code running on the GPU can't access the framebuffer, so their "show one url while at another" exploit is science fiction. It's not "unfortunate" that it doesn't work today - it's locked out for the very reason that it would add a security hole and is not "inevitable" as they claim.

The keyword here is gpu-*assisted* malware. Malware running on your GPU isn't going to be able to do diddly without a detectable CPU process to talk to and handle i/o. Also, the malware's going to disappear when you flip the power switch unless it writes itself to your disks (again, detectable viral behavior).

Dave_HH 4 years ago

I don't know 3vi1. Generally speaking, I would say, where there is a will, there is a way.

bob_on_the_cob 4 years ago

Idk I would have to agree with 3vi1 on this one. Sure any program can take advantage of the GPUs power, but it would still have to be running a detectable CPU process to do much of anything.

acarzt 4 years ago

[quote user="3vi1"] Also, the malware's going to disappear when you flip the power switch unless it writes itself to your disks (again, detectable viral behavior). [/quote]

That's immediately what I thought. Sure if it somehow loaded itself from a website it will run on your computer.... but unless it writes itself to the hard drive... it will be gone as soon as you flip the power switch.

The GPU has DMA (direct memory access) so the virus can bypass the CPU.... but something is going to have to tell it to do that... and that something will run on the CPU before anything reaches the GPU.

Also, don't most (if not all) HIDS' scan what's running in ram? No matter what, the virus will have to hit system memory, and AV programs should have no problem seeing it.

realneil 4 years ago

[quote user="3vi1"] Also, the malware's going to disappear when you flip the power switch unless it writes itself to your disks [/quote]

Of course it will store itself on your ready-boost thumb drive!

UnderBridge 4 years ago

Does anyone here know what DMA is? 3vi1?..........

acarzt 4 years ago

Uhhhh... if that's sarcasm... see my post above...

If that is a legitimate question.... See my post above...  or see the following link...

Dave_HH 4 years ago

DMA is Direct Memory Access and yeah... it could be a little scary in this case.

3vi1 4 years ago

Maybe I'm missing something, but I don't see the harm in DMA access - since it would only allow access to memory that the same process has allocated (just like every other program in the world).

realneil 4 years ago

[quote user="3vi1"]I don't see the harm in DMA access[/quote]

As long as it doesn't impregnate anything while it's there!

inspector 4 years ago

idk who is smarter here, Dave or 3vi1 but Dave sounds like he knows a way to do it but isn't telling us :P.

animatortom 4 years ago

There are many countries all across the globe where the people have nothing better to do than figure this stuff out!

My theory is that attacks either come from antivirus companies or other scammers with a political agenda. If you use a BB gun the wrong way then dad should take it and wrap it around a tree, that way you can never use it again.

Instead of giving them jobs for their creative Malware, take away their computers so they can even have porn anymore!

This is also why I don't keep my computers constantly hooked to the Internet. I connect to specific sites only for a short time, except for my HH addiction:P

digitaldd 4 years ago

GPU assisted. So they'll use your GPU's processing power to crack some bank's encryption scheme while you surf. And most won't even notice. COOL!

realneil 4 years ago

[quote user="digitaldd"] GPU assisted. So they'll use your GPU's processing power to crack some bank's encryption scheme while you surf. [/quote]

Yeah, and it will happen while you're logged into your account too. Then you get to take the federal rap for bank robbery!

JJr 4 years ago

Gpu antivirus? maybe they would just add it or improve GPU Drivers to at least BLOCK malwares?

Joel H 4 years ago


"My theory is that attacks either come from antivirus companies or other scammers with a political agenda."

The concept of attacks coming from kids in their basement is ten years out of date; the idea that Norton or McAfee bankrolls these attacks is ludicrous. Malware and spam is a very corporate business these days. If you want to send a few billion emails advertising your illegal spam products, you don't contact the nerd down the street, you get in touch with the right sort of Russian corporation.

I've written extensively on this topic elsewhere; I can produce links if you're curious.

bob_on_the_cob 4 years ago

You know what. I take it all back. I am scared. My mom just called me and told me that her PC was running slow and that a while back she had done a virus scan and it didn't find too many so it can't be that. Then I realize that is the average PC user Ick!

realneil 4 years ago

[quote user="bob_on_the_cob"]she had done a virus scan and it didn't find too many[/quote]

It didn't find too many? Ha-Ha! Lost Pepsi through the nose when I read that!

Ok, I'm back after changing my shirt. Have a long talk with Mom dude.

EDIT: I do free computer work for a lady across the street. She can't afford to pay for help, yet she needs help all of the time. Virus is her middle name. (I think that her grand-kids are doing it)

I finally cloned her drive when I went over there and showed her how to save important docs and files onto a 16GB flash drive. Already I have restored her system from my cloned source-drive once. It goes much faster now!

acarzt 4 years ago

That would drive me crazy neil lol

I've worked with people like that.... You want to help them... but at what point does it become them taking advantage of you? Gotta draw the line somewhere.


realneil 4 years ago

[quote user="acarzt"]Gotta draw the line somewhere.[/quote]

She brings over some of the best country cooking that you'll ever taste, and she does it a lot.

She's always been a good neighbor to us, so I can put up with the occasional repairs, since I now have a clone of her drive to use!

clamport 4 years ago

I want to alleviate the myth of GPU DMA. There is no DMA'ing currently available from the GPU. For data to be transferred back and forth, there has to be memory allocation done on the host which implicitly means that there is CPU involvement. There is something called Zero Copy in which the GPU reads from host memory, but this STILL requires obtaining a pointer to host memory, again requiring the CPU.

If you don't believe it go read the CUDA documentation.

Joel H 4 years ago


As I recall, DMA was added in the AGP days as a method for allowing the GPU to copy texture data from host memory without talking to the CPU. As far as I'm aware, this function was carried over to PCI-E. Are you stating that it wasn't, or referring to using DMA for other purposes?
