Fwd: [Cryptography] Did Intel just execute its warrant canary ?

grarpamp grarpamp@gmail.com
Mon Jun 8 22:01:44 PDT 2015

---------- Forwarded message ----------
From: Henry Baker <hbaker1@pipeline.com>
Date: Mon, Jun 8, 2015 at 6:24 PM
Subject: [Cryptography] Did Intel just execute its warrant canary ?
To: cryptography@metzdowd.com

FYI -- I conjecture that the second GPU story following less than one
month after the first GPU story is not just coincidence, but one of
the requirements of a secret National Security Letter to Intel.

The first story shows how GPU's can house malware, while the second
story explains that Intel won't be sharing its GPU code where such
malware will be housed.

"no reverse engineering, decompilation, or disassembly of this
software is permitted"

As feared, the DMCA will be used against those who attempt to look for
this malware in Intel GPU's.


GPU-based rootkit and keylogger offer superior stealth and computing power

Proof-of-concept malware may pave the way for future in-the-wild attacks.

by Dan Goodin - May 7, 2015 3:43 pm UTC

Developers have published two pieces of malware that take the highly
unusual step of completely running on an infected computer's graphics
card, rather than its CPU, to enhance their stealthiness and give them
increased computational abilities.

Both the Jellyfish rootkit and the Demon keylogger are described as
proofs-of-concept by their pseudo-anonymous developers, whom Ars was
unable to contact.  Tapping an infected computer's GPU allows malware
to run without the usual software hooks or modifications malware makes
in the operating system kernel.  Those modifications can be dead
giveaways that a system is infected.



Here's how the developers describe their rootkit:

Jellyfish is a Linux based userland gpu rootkit proof of concept
project utilizing the LD_PRELOAD technique from Jynx (CPU), as well as
the OpenCL API developed by Khronos group (GPU).  Code currently
supports AMD and NVIDIA graphics cards.  However, the AMDAPPSDK does
support Intel as well.

Advantages of gpu stored memory:

* No gpu malware analysis tools available on web
* Can snoop on cpu host memory via DMA
* Gpu can be used for fast/swift mathematical calculations like
xor'ing or parsing
* Stubs
* Malicious memory is still inside gpu after shutdown

Requirements for use:

* Have OpenCL drivers/icds installed
* Nvidia or AMD graphics card (intel supports amd's sdk)
* Change line 103 in rootkit/kit.c to server ip you want to monitor
gpu client from

Stay tuned for more features:

* client listener; let buffers stay stored in gpu until you send magic
packet from server


Educational purposes only; authors of this project/demonstration are
in no way, shape or form responsible for what you may use this for
whether illegal or not.

They provide no technical details about Demon keylogger other than to
say it's a proof-of-concept that implements the malware described in
this 2013 academic research paper titled You Can Type, but You Can’t
Hide: A Stealthy GPU-based Keylogger.  The Demon creators stress that
they aren't associated with the researchers.


"The key idea behind our approach is to monitor the system’s keyboard
buffer directly from the GPU via DMA [direct memory access], without
any hooks or modifications in the kernel's code and data structures
besides the page table," the researchers behind the 2013 paper wrote.
"The evaluation of our prototype implementation shows that a GPU-based
keylogger can effectively record all user keystrokes, store them in
the memory space of the GPU, and even analyze the recorded data
in-place, with negligible runtime overhead."

Aside from malware that taps GPUs to mint Bitcoin and other crypto
currencies, Ars isn't aware of malicious software actively circulating
in the wild that makes use of infected computers' graphics processors.
And even then, most or all of those titles run mainly on the CPU and
offload only the computationally intensive workloads to the GPU.  In
March, researchers from Kaspersky Lab documented highly sophisticated
malware in the wild that infected firmware that runs 12 different
models of hard drives.  The group that created the malware had flown
under the radar for 14 years.

In its current form Jellyfish is likely to remain a highly niche
undertaking, since it requires a dedicated GPU.  Since many computers
don't contain stand-alone graphics cards, such malware might greatly
limit the machines that could be infected.  Still, the approach may
make sense in certain situations, say for attackers targeting gamers
or video enthusiasts, or espionage campaigns where stealth is crucial.
And as readers have pointed out in comments below, it's feasible
malware could be developed that runs on graphics processors integrated
into CPUs.

Post updated to recast the last paragraph to account for integrated
graphics processors, and to add details in the second-to-last
paragraph about malware infecting hard-drive firmware.

Intel Skylake & Broxton To Require Graphics Firmware Blobs

Published on 05 June 2015 06:20 PM EDT

Written by Michael Larabel in Intel

Intel's upcoming Skylake and Broxton hardware will require some
binary-only firmware blobs by the i915 DRM kernel graphics driver.

Rodrigo Vivi of Intel's Open-Source Technology Center sent in the pull
request for landing these binary files into the linux-firmware
repository.  Up to now there's been no i915 blobs within the
linux-firmware tree.

These first i915 DRM firmware blobs are for Skylake and Broxton for
the GuC and DMC.  DMC in this context is the Display Microcontroller,
which is present in Skylake (Gen9) and newer and used within the
display engine to save and restore its state when entering into
low-power states and then resuming.  The DMC is basically
saving/restoring display registers across low-power states separate of
the kernel.

The GuC engine on Skylake is responsible for workload scheduling on
the parallel graphics engines.  Intel explained on 01.org, "GuC is
designed to perform graphics workload scheduling on the various
graphics parallel engines.  In this scheduling model, host software
submits work through one of the 256 graphics doorbells and this
invokes the scheduling operation on the appropriate graphics engine.
Scheduling operations include determining which workload to run next,
submitting a workload to a command streamer, pre-empting existing
workloads running on an engine, monitoring progress and notifying host
SW when work is done."  This page also seems to indicate that these
firmware blobs are required by the DRM driver rather than being an
optional add-on.

The license of these firmware blobs also indicate that redistribution
is only allowed in binary form without modification.  Beyond that, "no
reverse engineering, decompilation, or disassembly of this software is

These new firmware blobs will certainly have some open-source
enthusiasts less excited now about Skylake, Broadwell's successor
beginning to ship later this year, and Broxton meanwhile is the new
Atom SoC built using the Goldmont architecture and will feature
Skylake graphics.  If there's any good news out of the situation, at
least Intel is shipping these firmware files early rather than NVIDIA
that with their months-old hardware still hasn't released their GTX
900 Maxwell firmware files needed by the Nouveau driver to provide
open-source hardware acceleration.  AMD also tends to be timely with
the releasing of their necessary binary-only GPU firmware files for
the open-source Linux driver.

The cryptography mailing list

More information about the cypherpunks mailing list