A team of coders have published a new “educational” rootkit,
dubbed Jellyfish, that’s virtually undetectable by current software
practices. Their work is designed to demonstrate that GPUs, which have
become considerably more powerful and flexible over the past decade, are
now capable of running keyloggers and rootkits.
Jellyfish is capable of running on Nvidia, AMD, and Intel
hardware (this last thanks to support from AMD’s APP SDK). The advantage
of using a GPU to perform system snooping and keylogging is
substantial. If you stop and think about it, there are a variety of
methods to determine exactly what is running on your CPU. From the
Windows Task Manager to applications like Process Explorer, there are
built-in or free tools that will help you isolate exactly which
processes are being called and what those processes are doing. Malware
detection software is more complex, but it offers an even deeper window
into process analysis.
Contrast that with GPUs. In terms of freeware utilities,
you’ve got GPU-Z and a handful of other applications that provide a
similar “GPU Load” monitoring function. Nvidia, AMD, and Intel all
provide some basic profiling tools that can be used to analyze a GPU’s
performance in a specific application, but these toolkits plug into
existing software packages, like Visual Studio. They don’t take a
snapshot of what’s running on the GPU in general — they allow you to
monitor code that you’ve explicitly told to run on the GPU.
Hackers and researchers
have been exploring
more of what a GPU can be used for and come away with some interesting
results, including a project last year that turned a graphics card into a
keylogger. As they noted at the time, “By instructing the GPU to
carefully monitor via DMA the physical page where the keyboard buffer
resides, a GPU-based keylogger can record all user keystrokes and store
them in the memory space of the GPU.”
For those of you wondering about using a simple GPU load
monitor to catch this work, it’s not really feasible — the estimated CPU
and GPU utilization was ~0.1%. The Jellyfish rootkit discussed above
doesn’t just have the ability to transmit information back across a
network — it can theoretically remain resident in between warm reboots
of the target system.
How do we fix this?
It seems likely that malware detection methods will have to
evolve to scan the GPU as well as the CPU, but it’s not clear how easy
that’s going to be. The keylogger research team noted that Nvidia’s CUDA
environment did offer the ability to attach to a running process and
monitor its actions, but states that this is currently Nvidia-specific
and of only limited (though important) use.
Software detection methods are going to need to
fundamentally step up their game. Malware researchers tend to use
virtual machines (for all the reasons you’d imagine), but these
applications are not designed to support GPU API virtualization. That’s
going to need to change if we’re going to protect systems from code
running on GPUs.
Given the fact that code running on the GPU is almost
untraceable today, it wouldn’t surprise me in the slightest to discover
that state governments had already exploited these detection weaknesses.
White hats, start your engines. Jellyfish is a Linux utility
for now, but nothing in the literature suggests that this issue is unique to that operating system.
Comments
Post a Comment