Re: malware in gpu adress space

From: Neel Chauhan <nc_at_FreeBSD.org>
Date: Fri, 03 Sep 2021 19:06:26 -0700
Hi,

Disclaimer: I work at Microsoft, but not on Windows. In fact, I am 
pretty much clueless on how NT works on the inside.

On 2021-09-02 13:11, Tomasz CEDRO wrote:
> I have found that article on hiding malware/rootkit in GPU address
> space using OpenCL 2.0+ and launching it from there as evasion on
> antivirus software.
> 
> https://www.bleepingcomputer.com/news/security/cybercriminal-sells-tool-to-hide-malware-in-amd-nvidia-gpus/
> 
> Is it bug/feature of Windows GPU drivers? Is it bug/feature of OpenCL?
> Is it possible on FreeBSD? :-)

If you read this quote in the article:

> According to the advertiser, the project works only on Windows systems 
> that support versions 2.0 and above of the OpenCL framework for 
> executing code on various processors, GPUs included.

The app by itself can't run on FreeBSD as it exists today. It would 
depend on whether mesa has the same vulnerability as the Windows OpenGL 
implementation, or if it's a hardware vulnerability (in which case it 
can affect all OSes).

I'm no expert on OpenCL. Yes, I've helped with drm-kmod 5.6-wip, but 
that's about it with GPU drivers.

-Neel (nc_at_)
Received on Sat Sep 04 2021 - 02:06:26 UTC

Original text of this message