Re: malware in gpu address space

From: Tomasz CEDRO <tomek_at_cedro.info>
Date: Sat, 4 Sep 2021 04:44:08 +0200
On Sat, Sep 4, 2021 at 4:06 AM Neel Chauhan wrote:
> Disclaimer: I work at Microsoft, but not on Windows. In fact, I am
> pretty much clueless on how NT works on the inside.
>
> On 2021-09-02 13:11, Tomasz CEDRO wrote:
> > I have found that article on hiding malware/rootkit in GPU address
> > space using OpenCL 2.0+ and launching it from there as an evasion
> > against antivirus software.
> >
> > https://www.bleepingcomputer.com/news/security/cybercriminal-sells-tool-to-hide-malware-in-amd-nvidia-gpus/
> >
> > Is it a bug/feature of Windows GPU drivers? Is it a bug/feature of OpenCL?
> > Is it possible on FreeBSD? :-)
>
> If you read this quote in the article:
>
> > According to the advertiser, the project works only on Windows systems
> > that support versions 2.0 and above of the OpenCL framework for
> > executing code on various processors, GPUs included.
>
> The app by itself can't run on FreeBSD as it exists today. It would
> depend on whether mesa has the same vulnerability as the Windows OpenGL
> implementation, or if it's a hardware vulnerability (in which case it
> can affect all OSes).
>
> I'm no expert on OpenCL. Yes, I've helped with drm-kmod 5.6-wip, but
> that's about it with GPU drivers.
>
> -Neel (nc_at_)

Just a curiosity, and maybe a hint to someone who knows the internals
and might check whether we have a similar problem in the GPU layer :-)

Looks like a design flaw / exploited feature of OpenCL 2.0+? This is
not part of base, but I was wondering if the problem is / may be
multiplatform :-)

Thanks for your time and reply Neel :-)

-- 
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
Received on Sat Sep 04 2021 - 02:44:08 UTC