From: Tomasz CEDRO
Date: Sat, 4 Sep 2021 04:44:08 +0200
Subject: Re: malware in GPU address space
To: Neel Chauhan
Cc: freebsd-desktop@freebsd.org, FreeBSD Questions Mailing List
List-Id: User questions (freebsd-questions@freebsd.org)

On Sat, Sep 4, 2021 at 4:06 AM Neel Chauhan wrote:
> Disclaimer: I work at Microsoft, but not on Windows. In fact, I am
> pretty much clueless on how NT works on the inside.
>
> On 2021-09-02 13:11, Tomasz CEDRO wrote:
> > I have found that article on hiding malware/rootkit in GPU address
> > space using OpenCL 2.0+ and launching it from there as evasion against
> > antivirus software.
> >
> > https://www.bleepingcomputer.com/news/security/cybercriminal-sells-tool-to-hide-malware-in-amd-nvidia-gpus/
> >
> > Is it a bug/feature of Windows GPU drivers? Is it a bug/feature of OpenCL?
> > Is it possible on FreeBSD? :-)
>
> If you read this quote in the article:
>
> > According to the advertiser, the project works only on Windows systems
> > that support versions 2.0 and above of the OpenCL framework for
> > executing code on various processors, GPUs included.
>
> The app by itself can't run on FreeBSD as it exists today. It would
> depend on whether mesa has the same vulnerability as the Windows OpenGL
> implementation, or if it's a hardware vulnerability (in which case it
> can affect all OSes).
>
> I'm no expert on OpenCL. Yes, I've helped with drm-kmod 5.6-wip, but
> that's about it with GPU drivers.
>
> -Neel (nc@)

Just a curiosity and maybe a hint to someone who knows the internals and might check whether we have a similar problem in the GPU layer :-)

Looks like a design flaw / exploited feature of OpenCL 2.0+?

This is not part of base, but I was wondering if the problem is / may be multiplatform :-)

Thanks for your time and reply, Neel :-)

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info