| 1. |
Solve : New proof-of-concept: malware hiding in graphics cards? |
|
Answer» Full title is: Peripheral-based malware is particularly difficult to detect, because it doesn’t have to rely on a weakness in your computer’s operating system, according to Stewin. Instead, it takes advantage of the processing power already present in peripherals like graphics cards that may not be expecting an attack.

In order to get into the peripheral, the malware would have to exploit a weakness somewhere. Firmware updates to a graphics adapter typically require pure DOS operation, and flashing tools will require certain security keys within that firmware package to check out or they will refuse to flash the hardware with that firmware. Therefore the only alternative would be for a malicious user to create a new firmware package installer. The technical details of flashing the Video BIOS are not exactly well documented, however, and often have minor nuances between versions. A 9800GT may require one thing, and even a 9800GTX+ will require some other thing. NVidia and the various manufacturers know how their hardware works and can make generalized solutions since they have all the important information. But outside of that information bubble all there is is guesswork.

Quote: Graphics cards, sound cards, and other PC components can process data using direct memory access (DMA). Instead of waiting to receive data processing via a PC’s CPU, a graphics card can bypass the CPU to access and process graphical data directly from memory.

What it fails to mention is that the Video BIOS, which is the only flashable component (even with the above limitations), is actually replaced quite early in the boot process by the 32-bit drivers, which typically even take over the VESA 3.0 capabilities, making the Video BIOS no longer actually execute for anything (the BIOS itself is masked into system RAM for system initialization but is otherwise dormant).

Quote: Once infected, DMA attacks can do all sorts of damage, such as copying encryption keys or installing other types of malware for identity theft

DMA access of a peripheral means it accesses memory directly. This means that the device doesn't have the advantage of understanding the virtual memory address layout of the system. This paired with ASLR makes it impossible to fathom how such a device would be able to use DMA to access system data, particularly since DMA access is restricted to certain memory locations. In fact, the CPU is the one that invokes a DMA transfer, and effectively locks the portions of memory that can be accessed. An in-memory texture can be transferred to the video card VRAM, but this transfer is invoked by the CPU and the application, which will essentially restrict the memory access possible in that transfer to that section of memory. Therefore, even ignoring the fact that such a piece of hardware-based malware wouldn't know where to look in the entire physical memory for such data (and certainly couldn't scan all of it without causing a DMA timeout), it cannot access beyond what the DMA controller gives it access to. It's called "Direct Memory Access" but it still has to go through the memory controller.

The paper has no citations and has been cited zero times. It reads more like an advertisement of BARM than any serious research paper, and the parts that might count as experiment read more like a narrative.

BC, thanks for reading the article. The PCworld article is none of the worst I have ever used. The point being made is the firmware infection is known to exist. There are many documented cases of firmware infection. I posted this as a news item due to its timely relevance to the 2013 security congress. That detail makes it newsworthy, even though it was badly written for technical detail. Yet another link: HP fix for network card weakness.

Quote: Conference Proceeding

BC, do you understand run-time polymorphism?

When the malware gets into your firmware, it does not wave a red flag and say 'here I am'. It uses resources to hide its presence. Source code that does this has already been published some time ago. Here are names of people. No, not mentioned in the article, but deeply involved in research about malware threats to PCs and other devices.

Giorgos Vasiliadis, FORTH-ICS, Greece [emailprotected]
Michalis Polychronakis, Columbia University, USA [emailprotected]
Sotiris Ioannidis, FORTH-ICS, Greece [emailprotected]

Moderator: These people published emails in an article about how a GPU can help a malware do its thing. Take out the e-mail if you want, but it can be found here. http://dcs.ics.forth.gr/Activities/papers/gpumalware.malware10.pdf

For the average user, knowing how it does its evil work is not the issue. People need to know the researchers are finding the malware is worse than what some might think. Really, Intel and AMD 386 code does NOT have some magical barrier that keeps out evil intent.

Another detail. This is about a book.

Quote: Rent 1st edition today, or search our site for Salvatore textbooks. Every textbook comes with a 21-day "Any Reason" guarantee. Published by Springer.

Another link. http://www.raid-symposium.org/ I could go on and provide more links. Such links are not light reading. But it is a real topic. Dull reading for most of us. But the danger is real. For more, search http://www.raid-symposium.org/ Soon detection programs will be available.

Here is a good read from Gizmo's. But it was two years ago. Times have changed. http://www.techsupportalert.com/content/next-generation-malware-attacks-pcs-firmware-hardware-devices.htm If you are still skeptical, read the Gizmo page. Yes, my writing skills are weak. But the message is strong. |
|