From nobody Sat Sep 04 02:06:26 2021
List-Id: Using and improving FreeBSD on the desktop
List-Archive: https://lists.freebsd.org/archives/freebsd-desktop
Date: Fri, 03 Sep 2021 19:06:26 -0700
From: Neel Chauhan
To: Tomasz CEDRO
Cc: freebsd-desktop@freebsd.org, FreeBSD Questions Mailing List
Subject: Re: malware in gpu adress space
Message-ID: <54142f61126127c158644229e32ba99f@FreeBSD.org>
User-Agent: Roundcube Webmail/1.4.11

Hi,

Disclaimer: I work at Microsoft, but not on Windows. In fact, I am pretty much clueless on how NT works on the inside.
On 2021-09-02 13:11, Tomasz CEDRO wrote:
> I have found this article on hiding malware/rootkits in GPU address
> space using OpenCL 2.0+ and launching it from there as evasion against
> antivirus software.
>
> https://www.bleepingcomputer.com/news/security/cybercriminal-sells-tool-to-hide-malware-in-amd-nvidia-gpus/
>
> Is it a bug/feature of Windows GPU drivers? Is it a bug/feature of OpenCL?
> Is it possible on FreeBSD? :-)

If you read this quote in the article:

> According to the advertiser, the project works only on Windows systems
> that support versions 2.0 and above of the OpenCL framework for
> executing code on various processors, GPUs included.

The app by itself can't run on FreeBSD as it exists today. It would depend on whether mesa has the same vulnerability as the Windows OpenGL implementation, or if it's a hardware vulnerability (in which case it can affect all OSes).

I'm no expert on OpenCL. Yes, I've helped with drm-kmod 5.6-wip, but that's about it with GPU drivers.

-Neel (nc@)