Understanding The Security of Discrete GPUs
Zhiting Zhu Sangman Kim
The University of Texas at Austin The University of Texas at Austin
[email protected]
[email protected]
[email protected]
Yige Hu Emmett Witchel
The University of Texas at Austin The University of Texas at Austin
[email protected]
[email protected]
[email protected]
CCS Concepts •Security and privacy → Operating systems se-
curity;
ACM Reference format:
Zhiting Zhu, Sangman Kim, Yuri Rozhanski, Yige Hu, Emmett Witchel,
and Mark Silberstein. 2016. Understanding The Security of Discrete GPUs.
In Proceedings of GPGPU-10, Austin, TX, USA, February 04-05 2017, 11 pages.
DOI: http://dx.doi.org/10.1145/3038228.3038233
Abstract
GPUs have become an integral part of modern systems, but
their implications for system security are not yet clear. This pa-
per demonstrates both that discrete GPUs cannot be used as secure
co-processors and that GPUs provide a stealthy platform for mal-
ware. First, we examine a recent proposal to use discrete GPUs
as secure co-processors and show that the security guarantees of
the proposed system do not hold on the GPUs we investigate. Sec-
ond, we demonstrate that (under certain circumstances) it is possi-
ble to bypass IOMMU protections and create stealthy, long-lived
GPU-based malware. We demonstrate a novel attack that compro-
mises the in-kernel GPU driver and one that compromises GPU mi-
crocode to gain full access to CPU physical memory. In general, we
find that the highly sophisticated, but poorly documented GPU hard-
ware architecture, hidden behind obscure close-source device dri-
vers and vendor-specific APIs, not only make GPUs a poor choice
for applications requiring strong security, but also make GPUs into
a security threat.
1 Introduction
GPUs have enjoyed increasing popularity over the past decade,
both as hardware accelerators for graphics applications and as
highly parallel general-purpose processors. With general purpose
computing on GPUs (GPGPUs) diffusing into the mainstream, re-
searchers are looking at their security implications. In this paper we
analyze two related questions: can GPUs be used to enhance the se-
curity of a computing platform? and can GPUs be used to subvert
the security of a computing platform?
Understanding the security of GPUs requires understanding the
interplay among the GPU hardware, its software stack, and the
busses and chipsets that coordinate a platform’s transfer of data.
The interplay of these features is complicated by GPU hardware
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for components of this work owned by others than the
author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or
republish, to post on servers or to redistribute to lists, requires prior specific permission
and/or a fee. Request permissions from [email protected].
GPGPU-10, Austin, TX, USA
© 2017 Copyright held by the owner/author(s). Publication rights licensed to ACM.
978-1-4503-4915-4/17/02. . . $$15.00
DOI: http://dx.doi.org/10.1145/3038228.3038233
Yuri Rozhanski
Technion-Israel Institute of Technology
Mark Silberstein
Technion-Israel Institute of Technology
that contains quirky features absent from CPUs, such as auxiliary
embedded microprocessors, and by the GPU’s deep software stack
whose boundaries and interactions with GPU hardware are deliber-
ately blurred by the vendor. Unfortunately, the complexity of this
interplay can hide vulnerabilities that attackers can use to subvert a
GPU’s expected behavior and break critical security properties, as
we show in this paper.
For discrete GPUs, their independent memory system and com-
putational resources are physically partitioned from the main CPU
which makes it plausible that a GPU could function as a secure
processor; it might be possible to protect computation on a dis-
crete GPU from code executing on the CPU. While plausible in
theory, we systematically analyze the shortcomings of one specific
proposal to use GPU hardware registers as secure storage (called
PixelVault [44]). We show that PixelVault’s security depends on
assumptions about GPU hardware features that do not hold, and in
practice fully depend on the vulnerable GPU software interface that
GPU vendors expose.
The flaws we find in PixelVault’s GPU security model stem from
the lack of a clear software/hardware boundary and shifting respon-
sibilities of hardware and software across GPU generations. For ex-
ample a non-bypassable hardware feature in one version of a GPU
can migrate to a bypassable software feature in another version.
The problem with such a fluctuating software/hardware boundary
is that it becomes hard, if not impossible, to reason about the actual
security guarantees of a GPU system.
We also systematically analyze risks that originate with NVIDIA
GPUs, where the GPU serves as a host for stealthy, long-lived ma-
licious code. It is difficult to detect the execution of GPU-hosted
malware and in certain cases, it is even difficult to detect its pres-
ence. We demonstrate attack code running on the NVIDIA GPU
that reads secrets from CPU memory and corrupts the memory state
of CPU computations by leveraging GPU Direct Memory Access
(DMA) capabilities.
We demonstrate two novel attacks: one against the proprietary
in-kernel closed-source GPU driver, the other against the GPU mi-
crocode running on an auxiliary microprocessor resident on the
GPU card. For the driver attack, we binary patch the proprietary
NVIDIA GPU driver while it is loaded and being used by the OS
kernel, and force it to map sensitive CPU memory into the address
space of an unprivileged GPU program. Our second attack lever-
ages auxiliary microprocessors [27, 32] which GPUs use for various
functions like power management and video display management.
These microprocessors are not exposed as part of the standard GPU
programming model (e.g., CUDA or OpenCL). We implement the
attack microcode running on such an auxiliary microprocessor that
combines the functionality of the original microcode with malicious
GPGPU-10, February 04-05 2017, Austin, TX, USA
CPU GPU
Process Kernel
Chipset GPU
PCIe Bus
IOMMU Chipset
CPU RAM GPU RAM
Figure 1. CPU-GPU architecture overview. IOMMU use is op-
tional and its behavior is configured by the operating system.
code that can read and write arbitrary CPU memory. To the best of
our knowledge it is the first such attack on NVIDIA GPUs.
Our attacks rely on unlimited DMA access from GPU to CPU
physical memory. The common way to foil such DMA attacks has
been to restrict peripheral access to system memory by using the
IO memory management unit (IOMMU), intended to protect CPU
memory against malicious or malfunctioning peripherals. We, how-
ever, show novel techniques to subvert IOMMU security and bypass
its protection in the strict operation mode that has previously been
considered the most secure (§4).
Similar DMA attacks on other peripherals are known [10, 11,
34, 40] However, our GPU DMA attacks are particularly dangerous
because they are relatively easy to program: the ability of modern
GPUs to execute general purpose code lowers the bar for imple-
menting sophisticated malware on GPU.
Our attacks assume an adversary who transiently gains the ability
to load a kernel module. The primary danger of the GPU-based
attacks is their stealthiness. They would evade most known tools
and research proposals that provide software system integrity.
Our work focuses on discrete GPUs from NVIDIA which come
mounted on an expansion card which is plugged into a computer’s
IO bus. The only current proposal to use a GPU as a secure proces-
sor is for a discrete GPU. While integrated GPUs also use IOMMUs
for safety, we leave for future work the dangers and mitigations for
integrated GPU security.
We begin by summarizing the portions of the GPU architecture
that are most relevant for security (§2), and then describe how we
can defeat the security of PixelVault (§3). Then we discuss how
to bypass IOMMU protections (§4) and attack CPU memory using
a compromised GPU driver (§5) and compromised microcode run-
ning on an embedded GPU microprocessor (§6). We summarize
related work (§7) and conclude.
2 Architecture
This section summarizes relevant aspects of GPU architecture,
paying close attention to the memory subsystem and CPU-GPU
communications. We describe discrete GPUs that connect to the
host via a peripheral component interconnect express (PCIe) bus,
because this paper focuses on discrete GPUs, and in particular on
NVIDIA GPUs. A high-level view of a CPU-GPU system model
used throughout this paper is shown in Figure 1. Process and kernel
are shaded, because they are software abstractions.
Zhu et. al.
2.1 GPU execution model
GPUs are slave processors controlled entirely by a CPU execut-
ing a GPU driver running in privileged mode. Any CPU process can
initiate the execution of a GPU program by making API calls to the
kernel-resident GPU driver. The initiating CPU process is called the
GPU-controlling process. The unprivileged CPU process invokes a
GPU kernel, which is specially written and compiled for execution
on a GPU.
There are public APIs to allow the CPU-controlling process to
manipulate the address space of any GPU kernel that it launches.
Both NVIDIA CUDA and OpenCL contain APIs that allow man-
agement of the GPU kernel’s memory, including transfer of data
from/to the CPU, and mapping CPU memory into a kernel’s ad-
dress space, as we discuss next. Once the GPU-controlling process
terminates, all the GPU resources associated with it are released.
In particular, the driver reclaims the GPU memory and terminates
active GPU kernels associated with the process.
2.2 Memory Hierarchy
NVIDIA GPUs contain several streaming multiprocessors
(SMs), which concurrently run thousands of sequential threads.
Each thread may access its private registers, local on-die scratchpad
memory, and global GPU memory shared among all SMs. Global
memory is cached with two levels of hardware cache. The L1 data
cache is local for each SM, while the L2 is shared across all SMs.
Instruction cache. NVIDIA GPUs have multiple levels of instruc-
tion cache, though the exact architecture has not been officially dis-
closed. Wong et al. [48] suggest that there are three levels. The in-
struction caches in GPUs are used exclusively for instructions. Fur-
ther, the instruction cache is not kept coherent with the GPU global
memory where the instructions are stored. The GPU driver flushes
the instruction cache when a new GPU program starts. However, if
the CPU writes to GPU instructions in memory while the GPU is
running, the (stale) instructions are not invalidated from the cache.
NVIDIA does not provide any public API for flushing the instruc-
tion cache. Therefore, overwriting a GPU kernel’s program code in
GPU memory while a GPU is running may not change the actual
running program.
2.3 Accessing CPU memory from the GPU
Modern GPUs provide limited access to CPU memory
from programs running on a GPU. In particular, a stan-
dard API (cudaHostRegister for CUDA [33] and
clEnqueueMapBuffer for OpenCL [23]) allows the CPU
to map a CPU memory region into a GPU kernel’s address space.
Once mapped, the GPU may directly access the mapped CPU
memory without CPU involvement via direct memory access
(DMA). Similarly, GPUs may be configured to access memory-
mapped input/output (MMIO) regions of other peer peripheral
devices connected to the PCIe bus. For example, the NVIDIA
GPUDirectRDMA API enables peer-to-peer access to Infiniband
network cards, allowing GPU programs to communicate over the
network without CPU mediation [31]. The GPU internal page table
is generally accessible only through the GPU driver and is not
visible to the CPU OS.
In contrast to CPU programs, in which memory protection is en-
forced for every load, store and instruction execution at runtime by
hardware, GPU accesses to CPU memory do not pass through the
CPU’s memory management unit (MMU) and therefore the CPU
Understanding The Security of Discrete GPUs
performs no runtime checks. Rather, the GPU driver validates ac-
cess rights at the time of mapping in software. Additional hardware
protection can be provided by the IOMMU which we describe next.
2.4 IOMMU
When a device performs direct memory access (DMA) to read
or write CPU physical memory, it uses device addresses. When the
IOMMU is working, it maps device addresses to CPU physical ad-
dresses (just as the CPU’s MMU maps virtual to physical address).
The IOTLB caches entries from the IO page table, just as the CPU’s
TLB caches entries from the process’ page table. IO page table en-
tries contain protection information, and the IOMMU will check
each access to system memory from a peripheral device, to make
sure it has sufficient permissions.
The IOTLB is not kept coherent with the IO page table by hard-
ware, similarly to TLBs in most common CPUs. Software must
explicitly manage the IOTLB, flushing the cached mappings when
they are removed from the IO page table. We exploit this software-
managed IOTLB coherence mechanism to circumvent IOMMU pro-
tection and enable unauthorized access to system memory from the
GPU, as we discuss in Section 4.
2.5 Microprocessors and MMIO registers in GPUs
GPUs expose a set of memory mapped input output (MMIO)
registers used by the driver for GPU management [2, 27]. In addi-
tion, they contain several special-purpose microprocessors used to
manage internal hardware resources. A GPU driver updates GPU
microprocessor code every time a GPU is initialized. The docu-
mentation about the actual purpose of microprocessors and MMIO
registers used in NVIDIA GPUs is fairly scarce; it usually comes
from unofficial sources, such as open-source driver developers who
partially reverse-engineered the official driver.
We found that the GPU MMIO registers can invalidate the GPU
instruction caches. Flushing the instruction caches is key to dynam-
ically updating the code of a running kernel, which breaks the se-
curity guarantees of PixelVault (§ 3.2). Our microcode attack (§ 6)
leverages an important capability of NVIDIA microprocessors that
allows unrestricted access to GPU and CPU memory [17].
3 Attacking PixelVault
In this section we analyze the GPU model and security guaran-
tees PixelVault uses to claim a GPU as a secure co-processor. We
then present several attacks that clearly violate PixelVault’s assump-
tions, and therefore its security properties. We conclude that sys-
tems developed using PixelVault’s approach are insecure.
Experimental platform. The attacks described in Section 3.4
and Section 3.3 are performed on NVIDIA Tesla C2050/C2075
GPU (Fermi) and an NVIDIA GK110GL Tesla K20c (Kepler), us-
ing NVIDIA driver versions 319.37 and 331.38 respectively, and
CUDA version 5.5. The attack in Section 3.2 is performed on an
NVIDIA Tesla C2050/C2075 (Fermi) with the open source nou-
veau [29] and gdev [21] [22]) drivers.
3.1 PixelVault summary and guarantees
PixelVault proposes a GPU-based design of a security co-
processor for RSA and AES encryption which is resilient to even
a strong adversary with full control of CPU and/or GPU software.
PixelVault stores the secret keys encrypted in GPU memory, and the
master key in GPU registers. It implements a software infrastruc-
ture that strives to prevent any adversarial access to these registers
from CPU or GPU.
GPGPU-10, February 04-05 2017, Austin, TX, USA
PixelVault threat model. PixelVault assumes that the system boots
from a trusted configuration, and it can set up its execution environ-
ment on the GPU. Once PixelVault is established, the attacker may
have full control over the platform. Specifically, the attacker can
execute code at any privilege level and it has access to all platform
hardware.
To achieve this goal PixelVault leverages several characteristics
of the NVIDIA GPU architecture and execution model. While some
of these characteristics are well known and have been officially con-
firmed, some were only assumed to be correct and others were par-
tially validated experimentally.
Below we list only those assumptions that we later experimen-
tally refute. Even if only one of these assumptions is not satisfied,
PixelVault is no longer able to guarantee the secrecy of the master
encryption key under its threat model.
1. It is impossible to replace the code of a running GPU kernel
if the code is fully resident in the instruction cache. This
feature is critical to ensuring that an adversary cannot re-
place the PixelVault GPU code without stopping the kernel,
and therefore without losing the master key stored in GPU
registers. We show that NVIDIA GPUs have unpublished
MMIO registers that flush the instruction cache, allowing
replacement of code from running kernels that are as small
as 32B (4 instructions).
2. The contents of GPU registers cannot be retrieved after ker-
nel termination. This feature is essential to PixelVault’s
ability to prevent a strong adversary from retrieving a mas-
ter key by stopping a running PixelVault kernel. We show
that under certain conditions it is possible to retrieve the
contents of registers after kernel termination, and the Pixel-
Vault design satisfies these conditions.
3. A running GPU kernel cannot be stopped and debugged if
it is not compiled with explicit debug support. This fea-
ture is necessary to ensure that an adversary cannot retrieve
register contents by attaching a GPU debugger to the run-
ning PixelVault kernel. We show that newer versions of
the NVIDIA CUDA runtime provide support for attaching
a debugger to any running kernel and it is unclear how to
disable this capability. This attack requires root privileges
to attach to any running process, yet this is permitted under
PixelVault threat model.
In the remainder of this section, we explain in more details how
we have invalidated the listed assumptions, thereby debunking Pix-
elVault’s security.
3.2 Replacing PixelVault as it runs
To run a kernel, a GPU needs the binary code to be resident in
GPU memory. The binary is transferred from CPU memory to GPU
memory by the driver prior to kernel invocation. GPUs do not sup-
port code modification while the kernel is executing. Therefore,
PixelVault assumes that GPU hardware makes it impossible for an
attacker to alter the execution of a running PixelVault kernel by re-
placing the original PixelVault binary in GPU memory, as long as
the binary is entirely resident in the instruction cache. PixelVault
explicitly validates that its kernel is small enough to fit in the in-
struction cache. Assuming the kernel is simple, PixelVault also ex-
plores all possible execution paths to make the kernel fully resident
in the cache soon after starting execution.
GPGPU-10, February 04-05 2017, Austin, TX, USA
We find that the lack of software interfaces for dynamic code
update does not imply the lack of hardware support. Using the open
source Envytools [13] reverse engineering toolkit, we can invalidate
the instruction caches and replace the instructions of the running
kernel with the attacker’s modified instructions from GPU memory.
Technical details. We perform an experiment to show that we can
dynamically update GPU kernel code using a matrix addition ker-
nel and an updater process. The updater process locates the GPU
kernel code in GPU physical memory by searching for the kernel’s
instructions. In the case of PixelVault, the binary is not secret, so
it can be detected by an attacker. Once invoked, PixelVault kernel
runs indefinitely, giving the updater enough time to identify and up-
date its code. If the code is erased from memory, the attacker can
speculate on its location, methodically working through the address
space.
The updater replaces the addition instructions in our test kernel
with subtraction instructions. When the effective size of the code
in the GPU kernel loop is larger than 32 KB, overwriting the in-
structions in memory causes the behavior of the kernel to change.
Such a large kernel (presumably larger than the size of the last level
instruction cache) experiences instruction cache misses at runtime,
yielding a result that is not a simple matrix addition.
However overwriting the kernel’s program has no effect if the
size of the kernel’s main loop is smaller than 32KB. In these cases,
only if we flush the instruction cache via GPU MMIO registers do
we see the expected change in the kernel output.
Our prototype requires 3.1 seconds to scan and identify kernel
code in GPU memory. Therefore, we can only effectively flush the
cache for long running kernels. The PixelVault kernel is intended to
run continuously as it provides a runtime encryption service, there-
fore it is vulnerable to this cache flush attack.
MMIO registers for instruction cache flush. To invalidate the
L1 instruction cache with the updated code memory, it is nec-
essary to flush all the cache levels. The addresses in paren-
theses are the offsets within the MMIO region, which is re-
ferred by the first set of the PCI base address registers (BAR0)
of NVIDIA GPUs. The register that flushes the per-GPC
caches is PGRAPH.GPC BROADCAST.CCACHE.CACHE CTRL
(0x419000), especially the first bit of the 32-bit register.
For the per-SM flush, we used the first and ninth bits
of PGRAPH.GPC BROADCAST.TPC ALL.MP.CCACHE CTRL
(0x419ea4). To the best of our knowledge, the use of the ninth
bit of CCACHE CTRL for flushing per-SM cache is not reported or
documented.
3.3 Capturing PixelVault secrets after termination
PixelVault relies on GPU registers being initialized to zero when
a new kernel is loaded onto a GPU and begins execution. Initial zero
values for registers is necessary to prevent an adversary from termi-
nating the PixelVault kernel and running a new kernel that looks
for PixelVault secrets in its initial register values. Because initial
zero values is not a feature officially documented by NVIDIA, 1
the PixelVault developers experimentally validate that the register
contents cannot be retrieved by another kernel invoked after Pix-
elVault terminates. Yet, there is no guarantee that GPU hardware
clears registers after termination of a GPU kernel.
1 http://docs.nvidia.com/cuda/parallel-thread-execution/index.html#state-
spaces-types-and-variables
Zhu et. al.
We find that a cuda-gdb debugger can retrieve register values
even after kernel termination. However it requires that other GPU
tasks are concurrently active with the execution of the victim ker-
nel. Specifically, NVIDIA CUDA enables multiple GPU operations
such as CPU-GPU memory transfers or GPU invocations to be in-
voked concurrently by the same CPU process. Each operation is in-
voked in its own CUDA stream, and a GPU handles the operations
in different streams concurrently. We found that if GPU kernel B is
invoked in parallel with running kernel A, A’s register state can be
retrieved using the debugger API even after A terminates, as long
as B is still running.
The PixelVault implementation employs two CUDA streams,
one for kernel execution and another for data transfers between a
CPU and a GPU. An attacker may take advantage of the data trans-
fer stream to invoke a long-running kernel, terminate PixelVault,
and retrieve its secrets.
Technical details. We modified the cuda-gdb source code to
read the registers of a terminated kernel. The modifications were
necessary because by default cuda-gdb will refuse to read the
registers of a terminated kernel. If we launch two kernels on differ-
ent CUDA streams, cuda-gdb can read the register values from
the terminated kernel so long as the other kernel is running. As soon
as both kernels terminate, we cannot access either of their registers.
3.4 Stopping PixelVault with a debugger
The PixelVault version discussed in their paper runs NVIDIA
CUDA version 4.2. This version of CUDA provided no support for
attaching and setting a breakpoint in a running GPU kernel, unless
that kernel was explicitly compiled with debug information. This
property of the runtime environment disguised itself as a hardware
feature. Therefore, PixelVault relied on it to ensure that an adver-
sary cannot attach a debugger to retrieve the values of GPU registers
which store the secret keys, without stopping the running PixelVault
GPU kernel and consequently without erasing the contents of those
registers.
However, with the GPU system software evolving so rapidly,
many desirable features like attaching a debugger to a running ker-
nel are added in every new release. In particular, this feature was
added in the cuda-gdb GPU debugger starting from CUDA ver-
sion 5.0 [18]. By using the CUDA debug API it is possible to stop
a kernel, and inspect all GPU registers of the executing kernel from
the CPU. This ability invalidates the privacy guarantees for Pixel-
Vault’s master encryption key.
We found no simple way of preventing software from being able
to attach to a running kernel. When attaching, cuda-gdb needs
access to certain predefined memory locations stored as symbols
in libcuda.so [30], which is the main library providing CUDA
driver API support to GPU applications. In an older version of the
CUDA driver (we tested version 319.37), the attach information re-
sides in the symtab section and it can be safely stripped. However,
more recent versions of the library (we tested version 331.38), no
longer place the attach information in symtab, they place it in the
dynsym section. The dynsym section cannot be stripped from
the binary because it holds important data necessary for dynamic
linking. If we remove the dynsym section from the binary, the
dynamic linker can no longer load libcuda.so.
It is possible to zero out the entries in the dynsym section used
by cuda-gdb, which causes cuda-gdb to crash the controlling
CPU process when attaching to the running GPU kernel. PixelVault
could make its own copy of libcuda.so (so that other users can
Understanding The Security of Discrete GPUs
continue to debug their kernels) and just zero out or corrupt the
attach information in dynsym. Ultimately however, the ability to
stop the running kernel is a hardware feature that PixelVault cannot
disable. Because the PixelVault threat model assumes the attacker
controls the host, the attacker can still attach to a running kernel
and examine its register state even if the default support for how
cuda-gdb attaches is removed from a version of libcuda.so.
Technical details. We use cuda-gdb to attach to a running GPU
kernel, and retrieve all GPU registers via the CUDA debugger call
CUDBGResult (*CUDBGAPI st::readRegister) even if
the CUDA application is compiled without debug information (i.e.,
without the -G flag for the NVCC compiler).
A simple experiment verifies this attack. A CUDA application
launches a kernel with one thread that spins in an infinite loop
and continuously changes a value stored in a register. We attach
cuda-gdb to the GPU-controlling CPU process and then attach
to the GPU kernel that the process spawned. All register values
from the running kernel can be extracted whether or not the GPU
kernel was built with debug information.
Using this technique, we can also attack a more realistic kernel.
We implement the AES encryption algorithm in a GPU program,
emulating part of PixelVault’s operation. The AES key is stored in
GPU registers. While the kernel is running, we attach to it using
cuda-gdb, read the GPU registers, and expose the secret key.
3.5 Discussion
Discrete GPUs appear to have potential as secure coproces-
sors because they have physically distinct and complete process-
ing resources: processor, caches, RAM, and access to I/O. They
also have micro-architectural (though seemingly robust) guarantees
about non-preemption and an incoherent instruction cache. The Pix-
elVault system is an intelligent attempt at trying to build a secure
system from these components.
However, our investigation yields the clear conclusion that GPUs
are not appropriate as secure coprocessors and cannot contribute to
the trusted computing base (TCB) of the system. GPUs are complex
devices that rely on sophisticated proprietary hardware and soft-
ware which is poorly (often purposefully so) publicly documented
– the opposite of a firm basis for security. GPU manufacturers are
not interested in exposing their architecture internals, and they can
easily change the architecture in ways that invalidate the security of
systems based on a GPU, e.g., by adding preemption.
We have found a variety of documented and undocumented ways
of violating the security of PixelVault. We learned of the existence
of many MMIO registers from the Envytools GPU reverse engineer-
ing project [13]. However, some registers that allowed us to invali-
date the GPU instruction cache are not documented as flushing the
cache—yet another example of an obscure GPU architectural sub-
tlety which undermines its use as a secure coprocessor.
4 Threat model and IOMMU
We explore how GPUs might host stealthy malware. Our mal-
ware attacks compromise the privacy and integrity of system mem-
ory by reading and writing it from the GPU. First we specify our
threat model.
4.1 Threat model
An attacker may load and unload kernel modules. In Linux, this
can be done by briefly gaining the CAP SYS MODULE capability
(which is a user credential stored in the process control block) using
kernel exploits (e.g., [4, 6, 7]), by bypassing capability checks (e.g.,
GPGPU-10, February 04-05 2017, Austin, TX, USA
[5, 8, 9]), or by exploiting kernel module loader weaknesses [12].
After loading a module, the attacker also has access to the GPU con-
trol interface i.e., MMIO register regions, and as we explain in our
microcode attack (§6), it can use these registers to load malicious
microcode onto an embedded auxiliary GPU processor. Loading
the microcode is done by reloading the GPU driver module into the
OS kernel. After the malware is installed, the attacker loses the
module loading capability and is allowed only unprivileged access.
If an attacker can load a module, why should he or she bother
with the attacks we describe? The primary reason is stealthiness:
all of our attacks originate with the GPU reading and writing CPU
memory (e.g., sensitive operating system data structures), making
them hard to detect. Detecting root-level compromise is the subject
of much published work (e.g., [20], [36], [35], [3]), open source
tools (e.g., chkrootkit) and commercial tools (e.g., Malwarebytes
AntiRootkit, McAfee Rootkit Remover). To our knowledge, there
are no tools and precious few research studies to detect GPU-based
malware. Our attacks require no changes to the page table of any
unprivileged process, and they bypass the CPU’s MMU and mem-
ory protection settings. The GPU page table that stores the map-
pings into system memory are not visible from the CPU (at least
not via the public API). Therefore, once mapped into the GPU, a
malicious unprivileged GPU kernel may keep accessing any CPU
memory without raising suspicion.
Modern systems, however, usually contain an input/output mem-
ory management unit (IOMMU) which monitors devices’ Direct
Memory Accesses (DMAs) to system memory in order to protect it
from unauthorized accesses. The IOMMU restricts the devices to
access only the CPU memory pages specified in its I/O page table.
Unlike the hidden GPU page tables, the I/O page table can be mon-
itored by security tools (though we are not aware of any that do),
undermining the stealthiness of the attack.
The malware, therefore, must circumvent IOMMU protection to
evade detection, and the next section details the techniques to ac-
complish that.
4.2 IOMMU
We exploit the subtleties of IOTLB management in the Linux
kernel and our prototype is based on the Intel IOMMU. We first
provide a brief overview of the IOMMU management policies.
IO device drivers strive to make all memory mappings as short-
lived as possible to increase security at the expense of higher man-
agement overheads [26]. The OS, therefore, offers several IOMMU
configurations that influence the IOTLB management policy and
enable different tradeoffs between management cost and security.
The configurations and their respective management policies are
summarized in Table 1.
IOMMU disabled. Though it is detrimental to security, many
systems, especially those that include discrete GPUs, disable their
IOMMU by default. IOMMU support for Intel chipsets must be
configured through the BIOS as part of setup for device virtualiza-
tion technology (VT-d), and it also must be enabled in the Linux
kernel. Some server manufacturers ship their products with VT-d
disabled in the BIOS by default [14].
Several major Linux distributions (e.g., Ubuntu 15.04, CentOS
7, RHEL 7, OpenSUSE 13.2) ship with Intel’s IOMMU disabled
in the kernel. The primary reasons for disabling the IOMMU is re-
duced I/O performance [49] and the IOMMU’s incompatibility with
certain devices and features. For example, the peer-to-peer DMA
GPGPU-10, February 04-05 2017, Austin, TX, USA Zhu et. al.

Mode IOTLB Flush Workload Bit rate Stale period

Strategy Timing Idle ssh connection 10 bps 1 day
Disabled None NA Web radio 130 Kbps 1 hour
Pass Web video: Auto (480p) 2 Mbps 1 minute
None NA
through Table 2. Workload, average measured bit rate, and the time a stale
When deferred list is IOTLB entry stays resident.
Flush entire
full or t ms after the
Deferred
IOTLB. first entry 2 , whichever
comes first. Strict mode also respects IO protection domains. Each device,
Flush individual Immediately after e.g., NIC, GPU, is placed in its own protection domain and en-
Strict entry in given unmapping entry from tries in the IOTLB are tagged with the domain identifier. When
domain. IO page table. the IOMMU driver flushes an entry from one domain, it does not
Table 1. Different IOMMU modes, their properties and security affect other domains.
characteristics. This mode is considered safer than the deferred mode, because
it flushes the IOTLB immediately after the entry gets unmapped.
4.3 IOMMU attacks
capability of NVIDIA GPUs, essential for high I/O performance in
Our driver and microcode attacks work when the IOMMU is dis-
multi-GPU systems, requires the IOMMU to be disabled [31].
abled or in pass through mode. Therefore, we now describe how we
While we state the obvious, when the IOMMU is disabled, it
attack strict mode and how we can surreptitiously transition from
does not protect CPU memory from malicious accesses performed
deferred mode to strict mode.
from the GPU.
We describe how to keep a stale malicious mapping in the IOTLB
IOMMU pass through mode. In pass through mode, device ad-
without having it installed in the I/O page table. Keeping the entry
dresses are used directly as CPU physical addresses. In this mode
out of the I/O page table makes an attack more difficult to detect
the hardware IOMMU is turned off, so there is no permissions
(though we know of no security tool that even validates I/O page
checking for DMA requests. Devices enter pass through mode if
tables).
it is enabled by a kernel parameter, and if during device discovery,
Stale IOMMU entries in strict mode. Our attack writes a mali-
the kernel determines that a device can address all of physical mem-
cious IO page table entry (e.g., one that maps an unrelated process’
ory. Some devices can be in pass through mode without all devices
credential structure), launches a GPU kernel which accesses the de-
being in this mode.
vice address of the mapping, causing the entry to be cached in the
Because there is no permissions checking, our driver and mi-
IOTLB. Then the attack code overwrites the IO page table entry and
crocode attacks work in pass through mode. Pass through mode is
the GPU kernel terminates. The malicious entry remains cached in
intended to use a software TLB [50], but we verified that on our sys-
the IOTLB, with no way for software to detect its presence, and no
tem, the software TLB does not check permissions. In our system,
evidence of it in the backing IO page table.
even though GPU device addresses are 40 bits, it identifies as a 32-
The question remains, how long can a stale entry last in the
bit device during its initialization. Therefore, the kernel must boot
IOTLB? We do experiments on a machine running Ubuntu 14.04
with less than or equal to 4 GB of memory to enable pass through
with X and Xfce desktop, the Linux 3.16 kernel with an Intel
mode. We verified that regardless of how much physical memory
82579LM Gigabit Network Card. We run several experiments each
is in the machine, if the kernel boots with a mem=4G option, the
with progressively more network traffic to create different levels of
kernel defaults to pass through mode where our attacks work.
IOTLB contention, because the network card competes for IOTLB
IOMMU deferred mode. If the IOMMU is enabled, Linux config-
entries with the GPU. We also tried to create IOTLB pressure from
ures it to work in deferred mode by default. When system memory
the GPU by running glxgears, a web browser, and displaying
is unmapped from IO devices, the OS clears the IO page table entry
video, but none of these activities generated significant competition
and adds it to a flush list. The IOMMU driver flushes the entire
for IOTLB entries, and none of them caused the GPU or driver to
IOTLB when the list contains a certain number of entries (250 for
flush the IOTLB.
the kernel version 4.1) or at most 10ms after an entry is added to
Table 2 summarizes our experiments where we run workloads
the list, whichever comes first.
with increasing network load and measure the stale period—the pe-
Deferred mode is considered less secure for memory integrity
riod of time a stale entry stays in the IOTLB.
because the memory unmapped from the device by the device driver
The first workload keeps an open ssh connection (using the
remains accessible from the device for up to 10ms [26]. However,
TCPKeepAlive option) to an idle machine. We measure a stale
we show below that this mode foils the GPU malware attack.
period of more than 24 hours (after one day we discontinued the ex-
IOMMU strict mode. Strict mode does not defer flushing the
periment). Next we continuously stream a web radio station which
IOTLB when unmapping IO memory; each page is flushed by the
generates on average 130 Kbps of incoming network traffic. With-
driver immediately after its entry is unmapped from the IO page ta-
out refreshing the stale entry, the stale mapping can be read after
ble. The driver flushes only the region covered by the entry (which
T = 1 hour. By periodically running an unprivileged GPU kernel to
can be a single page, or a power-of-two contiguous and aligned se-
read the memory mapped by the stale IOTLB entry every hour, we
quence of pages) and it never flushes the entire IOTLB, as it does
can keep the stale IOTLB entry resident for 10 hours.
in deferred mode.
Finally, we increase the network load by streaming a video from
youtube using the Firefox web browser. The video is played at the
2 In Linux t = 10 for Intel IOMMUs “Auto (480p)” setting, generating an average of 2 Mbps as measured
Understanding The Security of Discrete GPUs
by a network monitor. This workload uses the NIC and the graph-
ics rendering capability of the GPU. The mapping can be reliably
read 1 minute after it was erased from the IO page table. Running
a GPU kernel every 1 minute is sufficient to keep the stale IOTLB
entry resident for one hour, after which we discontinued the exper-
iment. Streaming higher bandwidth videos, like the “Auto (720p)”
setting, cause the attack to fail, even when we refresh the stale en-
try every minute. We use round numbers like 1 minute for a stale
period to validate that our attacks are practical. Future work might
determine more clever ways to keep an IOTLB entry resident, but
our experiments establish a large enough window of vulnerability
to be a security concern.
Stealthy transition from deferred to strict. Keeping a stale entry
in the IOTLB is possible only if the IOMMU is configured in strict
mode, because it is the only mode that invalidates each IOTLB en-
try separately. However, if the IOMMU is enabled, Linux uses de-
ferred mode by default, which flushes the IOTLB as a whole. These
IOTLB flushes frustrate our attacks (and form a practical counter-
measure to both of our attacks).
We find that the kernel transitions between deferred
and strict mode based on the state of a single variable
(intel iommu strict). By setting this variable to 1, the
kernel will put all devices into strict mode. Because this is a small,
legal change to kernel state, it is quite stealthy. We experimentally
verify that it is effective at engaging strict mode, where we can
cache a stale IOTLB entry and launch one of the attacks we now
describe.
We leave for future work developing a Linux IOMMU manage-
ment policy that combines the best parts of strict and deferred mode.
Strict mode minimizes the chances of memory corruption by a de-
vice by quickly unmapping DMA memory. Deferred mode frus-
trates our attacks by periodically flushing the entire IOTLB.
5 GPU driver attack
In this section we show an attack on the stock NVIDIA closed-
source GPU driver. The attack enables arbitrary CPU memory map-
ping into an unprivileged GPU program, concealing malware code
which monitors or changes CPU memory from a GPU kernel.
The attack scenario. An attacker loads a malicious kernel mod-
ule which installs a backdoor by patching a GPU driver in CPU
memory (Step 1 in Figure 2). The driver continues to operate nor-
mally. To trigger the backdoor, an unprivileged GPU-controlling
process performs a sequence of standard GPU API calls (a trigger
sequence) 3 , and maps the requested CPU memory into the GPU
4 . The driver patch bypasses the standard access control checks
in the driver, and allows the attacker to map any user or kernel mem-
ory page. The CPU process invokes a malicious, unprivileged GPU
kernel 5 which accesses the mapped page 6 . The attack module
may unload itself, leaving the modified driver in kernel memory to
subsequently repeat the attack from another unprivileged process.
If no more attacks are planned, a stealthier alternative is to recon-
struct the original driver code to evade detection by kernel code
integrity scanners [35]. We implement two proof-of-concept GPU
malware kernels – one that escalates the privileges of a given pro-
cess by manipulating its cred structure, and another that diverts
the execution flow of a given process by updating its code, which
resides in read-only memory.
Our attack is similar to the previously reported GPU keylog-
ger [24] attack. Both attacks exploit GPU DMA capabilities; in
GPGPU-10, February 04-05 2017, Austin, TX, USA
CPU GPU
User Process 3
User Space
Kernel 5
1 2
Attack Patch
2 6
Module GPU driver
Kernel Space
PCIe Bus
Chipset GPU Chipset
4 DMA
CPU RAM GPU RAM
Figure 2. The driver attack, where a patched GPU driver has its
memory mapping access control bypassed to allow a GPU kernel to
access all of the CPU’s memory.
the keylogger case access is to the keyboard buffer in OS kernel
memory. The primary difference is that our attack requires no long-
running CPU process to proceed, while the keylogger does. That
is because for the keylogger, the malicious memory mapping to the
keyboard buffer must be installed into an unprivileged process that
is running while the root-level compromise is active. The attack is
lost if that unprivileged process subsequently terminates. Attack-
ing the driver directly allows us to map any page to any process as
many times as necessary, and without modifying sensitive kernel
data structures.
Driver patch. Identifying the specific locations in the NVIDIA
driver that control access to memory would seem difficult because
most of the driver is proprietary and undisclosed. However, the par-
ticular functions that control memory mapping reside in the wrap-
per of the driver that is shipped open source and compiled at the
time of driver installation, making it easier to determine the exact
location that needs patching.
We choose to patch the NVIDIA driver in memory rather than
modify its source code. Patching the driver enables the attack on a
system where the GPU driver module has been already loaded and
is in use by the kernel, allowing the attack to avoid unloading it first,
which can be easily noticed. The patch is installed by a malicious
module which finds the driver module in memory, overwrites some
of its code, and then unloads itself.
The patch diverts the original control flow of the driver to bypass
the memory permission checks when handling the cudaHost-
Register() API call, which is normally used to lock CPU mem-
ory pages (os_lock_user_pages()) and map them into the
GPU address space (nv_dma_map_pages()).
The driver acts normally as long as the trigger sequence has not
been detected. The trigger sequence is a series of legal but erro-
neous calls to cudaHostRegister(), e.g., passing pointers to
unallocated memory. Once triggered, the modified driver expects
another call to cudaHostRegister() with the hidden buffer as
a parameter. The hidden buffer contains the actual parameters of
the malicious mapping request. For instance, the driver may map
the virtual address of a certain process, or some known kernel data
structure like the task control block (task_struct in Linux).
The patch resolves the physical address of the requested memory
region, injects this address into the original control structures of the
driver, and resumes the original driver which updates the internal
GPGPU-10, February 04-05 2017, Austin, TX, USA
GPU page table with the new mapping. The GPU-controlling pro-
cess then may launch the malicious GPU kernel that accesses the
mapped region.
6 GPU microcode attack
We demonstrate a novel attack that modifies GPU microcode to
spy on or corrupt CPU and GPU state. The attack uses an embed-
ded microprocessor in NVIDIA GPUs and can evade any detection
mechanism that relies on evidence from CPU or GPU memory.
6.1 Background: NVIDIA GPU microprocessors
NVIDIA GPUs contain several on-board microprocessors for
power management, video display, decoding, decryption, and other
purposes. The existence of multiple Falcon microprocessors in
NVIDIA GPUs has been officially disclosed by NVIDIA [32], but
no official public API has been released. The reverse-engineering
community discovered that Falcon microprocessors are capable
of issuing data transfers from CPU or GPU physical memory to
microprocessor memory using dedicated memory transfer instruc-
tions [13, 17].
Falcon microprocessors expose a common set of MMIO regis-
ters that both a CPU and the microprocessor can access or update
(GPU kernels normally cannot access them). These registers enable
communication between privileged CPU code and the microcode.
Certain MMIO registers update the code and data memory of the
microprocessor and restart its execution. Linux kernel source code
contains the assembly code for certain Falcon processors3 .
The platform’s GPU driver loads control code onto the Falcon
microprocessors as part of its initialization sequence. The code is
invoked in response to certain events, for example when serving re-
quests to switch GPU control to another CPU process (called GPU
context switch [15]). It is this control code that we attack. We call
this a GPU microcode attack because the microprocessor code is
one of several non-user visible code modules loaded into the GPU
at its initialization, and because it is terminology accepted by GPU
driver developers [16].
6.2 The attack
The attack consists of three phases: launch, monitor, and execute,
as illustrated in Figure 3. In the launch phase, the attacker with
privileged access installs the attack microcode on one of the Fal-
con microprocessors, and executes the code. Now the attack enters
the monitor phase, in which the microprocessor monitors regions
of GPU memory to identify commands from the attacker. The com-
mands can be located in GPU memory or MMIO registers, though
our prototype monitors only specific GPU memory locations. Fi-
nally, once the commands are identified, they are executed by the
microprocessor as part of the execution phase.
In our proof-of-concept attack, we use a seemingly random bi-
nary string as the trigger for the attack. An unprivileged attacker
executes a CUDA program that has a large data structure contain-
ing repeated copies of the trigger string. Our modified microcode
detects the trigger (probably) in one of its monitoring locations and
transitions into the attack execution phase. In our prototype, the
attacking microcode escalates the privilege of a predefined running
shell process, by writing into the process’ credential structure in
CPU memory.
Stealth and unobtrusiveness. The key benefit of this attack is
stealth. We observe no evidence that the attack is occurring in
3 Located in drivers/gpu/drm/nouveau/core/engine/graph/fuc.
Zhu et. al.
CPU GPU
Process Kernel
GPU Chipset
GPU
Microprocessor
3
Microcode
1
Chipset
PCIe Bus
RAM
2
CPU RAM GPU RAM
Figure 3. The GPU microcode attack. ( 1 Launch) The attacker
loads the attack code into microprocessor storage. ( 2 Monitor)
The microcode transfers data from GPU memory to its own memory
in order to identify triggers or commands from the attacker. ( 3
Execute) Once it detects the commands, it launches the attack by
writing to critical data structures in CPU memory.
CPU memory or in GPU memory. We check all of the GPU base
address register (BAR) regions mapped by the CPUs (BAR0 for
MMIO, BAR1 for VRAM aperture, BAR3 for kernel-accessible
control memory) and none contain any sign of the microcode data
or code, both in big- and little- endian representations. The only
forensic tool we could find for dumping GPU memory [37] did not
reveal the microcode. The microcode resides only in the GPU mi-
croprocessor memory. The Falcon processor has MMIO registers
for uploading the microcode from CPU memory to microprocessor
memory. It also has an MMIO register for transferring microproces-
sor memory back to CPU memory, but we know of no tool that uses
this interface, let alone one that tries to determine if the microcode
is malicious.
Once established, the microcode attack does not require support
from a kernel module or a CPU user process, unlike previously
known GPU malware attacks [24]. The attack does not affect the
integrity of kernel-level data structures.
6.3 Technical details
The attack code is written in C, based on the microcode assem-
bly code in the Linux kernel. It is then compiled by the publicly
available LLVM backend and envytools [17]. The Falcon’s xfer
instruction can initiate DMA, and it can transfer data from both
GPU and CPU memory to its own memory, or vice versa.
Out of many Falcon microprocessors, we use a microproces-
sor that manages context switching between multiple command
streams, e.g., between the X server and a 3D application. There are
several microprocessors involved in this process; microprocessors
manage the context switch of a group of SMs (graphics process-
ing clusters, or GPCs), and a HUB microprocessor that manages
these GPC microprocessors. We update the microcode of HUB mi-
croprocessor because it has larger code and data memory, and the
open-source version of the microcode is available in the Linux ker-
nel. An official version of the microcode can be also extracted [16],
and used to build modified microcode.
Understanding The Security of Discrete GPUs
The compiled binary is loaded into the microprocessor of the
NVIDIA C2075 GPU using a set of MMIO registers. The envy-
tools [13] project contains a set of tools the open-source commu-
nity has developed and used to build the open-source nouveau
Linux driver for NVIDIA GPUs. RNN is the community-built
knowledge base for MMIO registers in NVIDIA GPUs. The ad-
dresses in parentheses are the offsets within the MMIO region,
which is referred by the first set of the PCI base address registers
(BAR0) of NVIDIA GPUs.
Microcode is uploaded to Falcon using CODE VIRT ADDR
(0x188) and CODE (0x180) registers. The user can issue 32 bit
stores to the CODE VIRT ADDR register for the index of the 256B
chunk of code to be written, and CODE for the content of the code
at the address pointed by CODE VIRT ADDR. DATA (0x1c4) allows
upload of microcode data.
Most of the attack microcode is loaded into regions that do not
overlap with the existing code or data, to have minimal effect on the
normal system operation. Only small patches to the code region are
needed to redirect the control flow to the injected attack code.
To remain unobtrusive, we split the work done by the attack mi-
crocode into small units and execute only for a limited time, chain-
ing together subsequent executions using continuations. The mi-
crocode is originally designed to be interrupt-driven: most of the
functions are interrupt handlers for different types of interrupts,
such as periodic timers or commands waiting to be handled. The
microprocessor assumes that interrupt handlers will be brief.
We test the unobtrusiveness of our attack code by running glx-
gears from the Mesa GL utility library. This application reports
the frame rate of 3D graphics rendering, and we could observe
lower frame rates or even GPU lockup if the execution time of
our inserted operations took too long. By fine-tuning the amount
of work done at each interrupt, our attack microcode supports the
same glxgears framerate as the unmodified microcode. We also
could not subjectively observe an effect on typical desktop opera-
tions.
We implement our proof-of-concept microcode attack on top of
the open source nouveau driver. The attack code for the nouveau dri-
ver includes all of the attack steps we describe in the attack scenario.
We verify that we can unobtrusively inject simple code sequences
into the NVIDIA microcode, but do not implement the entire attack
for the NVIDIA microcode.
The embedded NVIDIA microprocessor has a periodic timer in-
terrupt and a one-shot watchdog timer, but in our experience, the
use of the periodic timer affects the graphics output. Therefore, to
remain undetectable, we use the watchdog timer and have the watch-
dog event handler reschedule another watchdog event. Our attack
code is 4KB, which we add to the 3KB of Nouveau microcode fit-
ting comfortably in the device’s 16KB capacity.
6.4 Discussion
Falcon microprocessors are relatively slow, the one we used runs
at 270MHz. We only read a small number of GPU memory loca-
tions to keep execution time short. Therefore, our trigger consists
of a GPU program that fills much of its memory with the target
string which gives a high probability of it being read by the attack
microcode. Our proof-of-concept trigger fills 3GB of data and the
microcode reads five memory locations at 1GB offsets. This com-
bination makes the microcode recognize the trigger for each of 10
trials.
GPGPU-10, February 04-05 2017, Austin, TX, USA
Small code size. Different types of Falcon processors have differ-
ent limits on code and data memory. For example, the maximum
code size and data size for a microprocessor are 16 KB and 4 KB,
respectively, whereas the limits for closely related microprocessors
is only 8 KB and 2KB. If multiple microprocessors communicate
and launch a more complex attack than one microprocessor can han-
dle, the attacker can distribute the work according to the memory
limit of each processor.
Microcode validation. Starting from Maxwell GPUs, NVIDIA
significantly strengthened the security of Falcon microprocessors
by requiring their code to be signed and preventing code modifica-
tions after code is initially loaded [32]. Unsigned microprocessor
code may run in unsecure mode, but it cannot use certain hardware
features (the precise set of constraints depends on the processor).
These new security mechanisms, therefore, are likely to complicate
or even entirely prevent our microcode attack, because most (but
not all) Falcons on NVIDIA Pascal GPUs do not allow unsigned
code access to physical memory. We leave the vulnerability analy-
sis of Pascal GPUs for future work.
7 Related work
GPU malware. Vasiliadis et al. [45] present two GPU malware
techniques, code unpacking and runtime polymorphism, used to
evade malware detection. These techniques make use of the GPU
computing capacity to build more complex packing algorithms and
leverage GPU direct memory access (DMA) to modify host mem-
ory.
Ladakis et. al. implement a keylogger on the GPU [24], leverag-
ing the DMA capability of GPUs to monitor the operating system
keyboard buffer from a GPU kernel. The GPU-based keylogger re-
quires an unprivileged helper process to set up the attack. It relies
on a kernel module to update a page table entry of the helper, so
that the process’ address space contains a window on the kernel-
level keyboard buffer. The keyboard buffer address is then moved
to the GPU page table, and erased from the page table in the CPU,
keeping the kernel memory mapping for a short time.
Both of these attacks require helper processes on the CPU, and
these processes violate certain address space integrity properties
(though in most systems, these integrity properties are implicit).
Hiding malware with unpacking and polymorphism on the GPU re-
quires mapping a CPU memory region that is executable, writable,
and IO-mapped. The GPU-based keylogger has a user-level page
that maps kernel memory which no user process should ever map.
These distinctive memory regions that clearly violate certain safety
properties make the malware easy to detect by some rootkit detec-
tors [19, 36].
The GPU-based microcode attack described in this paper does
not require any running process once it is installed in the micropro-
cessor. It leaves no trace in CPU or GPU memory and therefore
does not violate any memory integrity property. The GPU driver
attack does not need a CPU helper until the malicious behavior is
triggered. The attack is entirely encapsulated in the driver and does
not change any kernel data structure, however the patched driver
module might still be detected by kernel integrity checkers.
Villani et. al. analyze four GPU-assisted malware anti-memory-
forensics techniques without modification of GPU microcode: un-
limited code execution, process-less code execution, context-less
code execution and inconsistent memory mapping and apply them
to integrated Intel GPU cards [46].
GPGPU-10, February 04-05 2017, Austin, TX, USA
GPU as secure co-processor. PixelVault [44] proposes to use
GPUs as secure co-processors for cryptographic operations. We
have shown in this paper how features from the official NVIDIA
debugger to unofficial hardware interfaces violate the security as-
sumptions of PixelVault.
Firmware attacks. There are several firmware-based attacks that
target diverse devices [1, 3, 10, 41, 47, 51]. Similar to the mi-
crocode attack in this paper, these attacks embed malicious code
into the firmware to circumvent the platform’s security while evad-
ing detection. Triulzi [42] presents a sniffer that uses a combination
of NIC and GPU to access main memory. The GPU runs an ssh dae-
mon that accepts packets from the NIC through PCI-to-PCI transfer.
The firmware modification on the GPU is mainly due to lack of PCI-
to-PCI transfer support. With GPUDirectRDMA [31], this attack
can be implemented without GPU firmware modification. To the
best of our knowledge, our attack is the first GPU microcode-based
attack that leverages GPU embedded microprocessors.
Newer NVIDIA GPUs are expected to disallow the use of un-
signed microcode, preventing the microcode attack.
Information leaks through GPU. Recent works notice that the
GPU driver does not erase the device memory after kernel termi-
nation, leaking private information [25, 28]. This paper describes a
different type of attacks that leverage the GPU to stealthily perform
unauthorized accesses to CPU memory.
Attacks using graphics software stack. The security aspects of
using GPUs in graphics applications have been the subject of much
work [38, 39, 43]. Our work is complementary in that we focus on
the GPU microcode and the driver, and investigate the weaknesses
of using GPUs as secure co-processors.
Reverse-engineering GPU hardware. Detailed information about
GPU hardware architecture is usually never disclosed by the ven-
dors. Wong et al. [48] reverse engineer GPU internals via carefully
crafted microbenchmarks. We use similar techniques in this paper
to discover the size of the instruction cache. Fujii et al. [17] explain
the internal organization of GPU microprocessors which we use to
implement the microcode attack.
8 Conclusion
GPUs are not an appropriate choice for a secure coprocessor, and
they pose a security threat to computing platforms, even those with
an IOMMU. The problem with making hardware, especially hard-
ware as complex as a GPU, into something that enhances security is
that the security guarantees rely on a large set of assumptions about
architectural, micro-architectural, and software features. These as-
sumptions are difficult to verify and they can change for different
versions of the product because the underlying motivation of the
manufacturer is not security.
As an attack platform, they combine powerful access to plat-
form hardware with an opacity encouraged by its proprietary nature.
While forensic tools for GPUs will improve, they represent another
nettlesome resource for determined attackers.
9 Acknowledgements
Mark Silberstein was supported by the Israel Science Foundation
(grant No. 1138/14) and the Israeli Ministry of Science. We also
gratefully acknowledge funding from NSF grants CNS-1017785
and CCF-1333594.
References
[1] B ROCKER , M., AND C HECKOWAY, S. iSeeYou: disabling the MacBook web-
cam indicator LED. In Proceedings of the USENIX Security Symposium (2014),
Zhu et. al.
USENIX Association, pp. 337–352.
[2] C ORP., I. Intel 965 Express Chipset Family and Intel G35 Express Chipset
Graphics Controller Programmers Reference Manual. Volume 1: Graphics
Core, 2008. https://01.org/sites/default/files/documentation/965 g35 vol 1
graphics core 0.pdf.
[3] C UI, A., C OSTELLO , M., AND STOLFO , S. J. When firmware modifications
attack: A case study of embedded exploitation. In Proceedings of the Network
and Distributed System Security Symposium (NDSS) (2013).
[4] CVE. CVE-2007-1019. https://www.cvedetails.com/cve/CVE-2007-1881/.
Accessed: May 2016.
[5] CVE. CVE-2011-1019. https://www.cvedetails.com/cve/CVE-2011-1019/.
Accessed: May 2016.
[6] CVE. CVE-2014-5207. https://web.nvd.nist.gov/view/vuln/detail?
vulnId=CVE-2014-5207. Accessed: May 2016.
[7] CVE. CVE request: ro bind mount bypass using user namespaces. http://www.
openwall.com/lists/oss-security/2014/08/13/9. Accessed: May 2016.
[8] CVE. How to exploit the x32 recvmmsg() kernel vulnerability CVE 2014-
0038. http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-
x32-recvmmsg-kernel-vulnerablity.html. Accessed: May 2016.
[9] CVE. Local root exploit for CVE-2014. https://github.com/saelo/cve-2014-
0038. Accessed: May 2016.
[10] D UFLOT, L., PEREZ, Y.-A., AND M ORIN , B. What if you can’t trust your
network card? In Proceedings of the International Symposium on Recent
Advances in Intrusion Detection (RAID) (Berlin, Heidelberg, 2011), Springer-
Verlag, pp. 378–397.
[11] D UFLOT, L., PEREZ, Y.-A., VALADON , G., AND L EVILLAIN , O. Can you still
trust your network card. CanSecWest/core10 (2010).
[12] E DGE, J. A crypto module loading vulnerability. https://lwn.net/Articles/
630762/. Accessed: May 2016.
[13] ENVYTOOLS. envytools - tools for people envious of nvidia’s blob driver. https://
github.com/envytools/envytools. Accessed: May 2016.
[14] FISCHER , W. Activating the Intel VT-d virtualization feature. https://
www.thomas-krenn.com/en/wiki/Activating the Intel VT-d Virtualization
Feature. Accessed: May 2016.
[15] FREEDESKTOP. ORG. nouveau context switching. http://nouveau.freedesktop.
org/wiki/ContextSwitching/. Accessed: May 2016.
[16] FREEDESKTOP. ORG. nouveau context switching firmware. http://nouveau.
freedesktop.org/wiki/NVC0 Firmware/. Accessed: May 2016.
[17] FUJII, Y., A ZUMI, T., N ISHIO , N., K ATO , S., AND E DAHIRO , M. Data transfer
matters for GPU computing. In Proceedings of the International Conference
on Parallel and Distributed Systems (ICPADS) (Washington, DC, USA, 2013),
IEEE Computer Society, pp. 275–282.
[18] G ERFIN , G., AND V ENKATARAMAN , V. Debugging experience with CUDA-
GDB and CUDA-MEMCHECK. In GPU Technology Conference (2012).
[19] H OFMANN , O. S., D UNN , A., K IM, S., ROY, I., AND W ITCHEL , E. Ensuring
operating system kernel integrity with OSck. In Proceedings of the ACM Inter-
national Conference on Architectural Support for Programming Languages and
Operating Systems (ASPLOS) (March 2011).
[20] H OFMANN , O. S., PORTER , D. E., ROSSBACH , C. J., R AMADAN , H. E., AND
W ITCHEL , E. Solving difficult HTM problems without difficult hardware. In
Proceedings of the 2nd Workshop on Transactional Computing (TRANSACT)
(Portland, OR, August 2007).
[21] K ATO , S. Gdev: Open-source GPGPU runtime and driver software. https://
github.com/shinpei0208/gdev.
[22] K ATO , S., M C T HROW, M., AND M ALTZAHN , C ARLOSAND B RANDT, S.
Gdev: First-class GPU resource management in the operating system. In Pro-
ceedings of the USENIX Annual Technical Conference (June 2012).
[23] K HRONOS G ROUP. The OpenCL Specification, Version 2.0, 2014.
[24] KOROMILAS , L., VASILIADIS , G., IOANNIDIS , S., L ADAKIS , E., AND POLY-
CHRONAKIS , M. You can type, but you can’t hide: A stealthy GPU-based key-
logger. In Proceedings of the Sixth European Workshop on System Security (EU-
ROSEC) (2013), ACM.
[25] L EE, S., K IM, Y., K IM, J., AND K IM, J. Stealing webpages rendered on your
browser by exploiting GPU vulnerabilities. In Proceedings of the IEEE Sympo-
sium on Security and Privacy (Oakland) (Washington, DC, USA, 2014), IEEE
Computer Society, pp. 19–33.
[26] M ALKA , M., A MIT, N., B EN -Y EHUDA , M., AND T SAFRIR , D. rIOMMU: Ef-
ficient IOMMU for I/O Devices That Employ Ring Buffers. In Proceedings of
the Twentieth International Conference on Architectural Support for Program-
ming Languages and Operating Systems (New York, NY, USA, 2015), ASPLOS
’15, ACM.
[27] M ARECK , R. AMD x86 Firmware Analysis. Accessed: May 2016.
[28] M AURICE , C., N EUMANN , C., H EEN , O., AND FRANCILLON , A. Confiden-
tiality issues on a GPU in a virtualized environment. In Financial Cryptography
and Data Security. Springer, 2014, pp. 119–135.
[29] NOUVEAU. Nouveau: Accelerated open source driver for nvidia cards. http://
nouveau.freedesktop.org/wiki/. Accessed: May 2016.
[30] NVIDIA. Debugger API. http://docs.nvidia.com/cuda/debugger- api/index.
html.
[31] NVIDIA. GPUDirectRDMA technology. http://docs.nvidia.com/cuda/
gpudirect-rdma/index.html.
Understanding The Security of Discrete GPUs GPGPU-10, February 04-05 2017, Austin, TX, USA

[32] NVIDIA. NVIDIA Falcon security. ftp://download.nvidia.com/open-gpu-

doc/Falcon-Security/1/Falcon-Security.html.
[33] NVIDIA. CUDA Runtime API, 2014.
[34] O LEKSIUK , D. Breaking uefi security with software dma attacks. http://blog.
cr4.sh/2015/09/breaking-uefi-security-with-software.html. Accessed: May
2016.
[35] PENDERGRASS , J. A., AND N. M C G ILL, K. LKIM: The linux kernel integrity
measurer. In Johns Hopkins APL Technical Digest. September 2013.
[36] PETRONI , J R ., N. L., AND H ICKS , M. Automated detection of persistent kernel
control-flow attacks. In Proceedings of the 14th ACM Conference on Computer
and Communications Security (New York, NY, USA, 2007), CCS ’07, ACM,
pp. 103–115.
[37] R ICHARD III, G. GPU memory dump tool. 2015 DFRWS Forensics Challenge,
2015. http://cs.uno.edu/∼golden/Materials/gpumalware/nvidia-dump-fb-1.
0.tar.gz.
[38] SECURITY, C. I. WebGL-a new dimension for browser exploita-
tion. http://www.contextis.com/resources/blog/webgl-new-dimension-
browser- exploitation/. Accessed: 2015-02-15.
[39] SECURITY, C. I. WebGL-more WebGL security flaws. http://www.contextis.
com/resources/blog/webgl-more-webgl-security-flaws/. Accessed: May
2016.
[40] SEVINSKY, R. Funderbolt: Adventures in thunderbolt dma attacks. https://
media.blackhat.com/us-13/US-13-Sevinsky-Funderbolt-Adventures-in-
Thunderbolt-DMA-Attacks-Slides.pdf. Accessed: May 2016.
[41] STEWIN , P. Detecting peripheral-based attacks on the host memory. PhD thesis,
Technische Universität Berlin, 2015.
[42] T RIULZI , A. Project maux mk.ii. http://www.alchemistowl.org/arrigo/
Papers/Arrigo-Triulzi-PACSEC08-Project-Maux-II.pdf. Accessed: May
2016.
[43] US-CERT. Vulnerability summary for CVE-2014-8298. National Vulnerability
Database, Dec 2014. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-
2014-8298.
[44] VASILIADIS , G., ATHANASOPOULOS , E., POLYCHRONAKIS , M., AND IOAN -
NIDIS , S. PixelVault: Using GPUs for securing cryptographic operations. In
Proceedings of the ACM Conference on Computer and Communications Secu-
rity (CCS) (2014), ACM.
[45] VASILIADIS , G., POLYCHRONAKIS , M., AND IOANNIDIS , S. GPU-assisted
malware. International Journal of Information Security (2010), 1–9.
[46] V ILLANI , A., B ALZAROTTI , D., AND DI PIETRO , R. The impact of GPU-
assisted malware on memory forensics: A case study. In DFRWS 2015, Annual
Digital Forensics Research Conference, Philadelphia, USA (2015).
[47] WOJTCZUK , R., AND RUTKOWSKA , J. Attacking Intel trusted execution tech-
nology. Black Hat DC (2009).
[48] WONG , H., PAPADOPOULOU , M.-M., SADOOGHI-A LVANDI , M., AND
M OSHOVOS , A. Demystifying GPU microarchitecture through microbench-
marking. In Performance Analysis of Systems Software (ISPASS), 2010 IEEE
International Symposium on (March 2010), pp. 235–246.
[49] YASSOUR , B.-A., B EN -Y EHUDA , M., AND WASSERMAN , O. On the DMA
mapping problem in direct device assignment. In Proceedings of the 3rd Annual
Haifa Experimental Systems Conference (New York, NY, USA, 2010), SYSTOR,
ACM, pp. 18:1–18:12.
[50] Y U , F. Intel IOMMU Pass Through Support. https://lwn.net/Articles/329174/.
Accessed: May 2016.
[51] Z ADDACH , J., K URMUS , A., BALZAROTTI , D., B LASS , E.-O., FRANCILLON ,
A., G OODSPEED , T., G UPTA , M., AND KOLTSIDAS , I. Implementation and
implications of a stealth hard-drive backdoor. In Proceedings of the Annual Com-
puter Security Applications Conference (ACSAC) (2013), ACM, pp. 279–288.