
RUXCON

GPU Powered Malware – Daniel Reynaud

There is an increasing interest in Graphics Processing Units for general-purpose programming, due to their processing power and massively parallel design. Therefore, most consumer graphics hardware is now fully programmable using either Nvidia’s CUDA toolkit or the AMD/ATI Stream SDK.

This presentation will give an analysis of how the GPU can be used by malware as an anti-reverse engineering platform, with examples using the CUDA technology. With CUDA, the GPU is fully programmable in C, but the resulting device program can’t be debugged because Nvidia’s GPUs do not support this feature natively. As a result, a malware analyst has to use static analysis against the device code in order to understand the malware. But this task is harder with GPU code than with traditional binaries since the source of a CUDA program is compiled to undocumented microcode (and therefore unsupported by standard disassemblers such as IDA Pro). Finally, this presentation will also assess the technical feasibility of an unpacker written fully in device code.

Bio: After four years of military training in Signals and Electronic Warfare, Daniel Reynaud is now a PhD student in Nancy (France), focusing on the analysis of malware and deobfuscation techniques. He has a background in reverse engineering and finding vulnerabilities in unconventional platforms, such as Java, mobile phones and Firefox extensions. Always looking for new challenges, he is now training to become a cage fighter.
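The abstract's point is that the analyst is pushed to static analysis of device code that normal disassemblers do not understand; the first practical step is then to find where that device code sits inside the host binary so it can be carved out. The script below is an added example (not from the talk or this blog) that scans a file image for the CUDA fat-binary container header and for embedded ELF images whose e_machine is EM_CUDA; it assumes the layout of NVIDIA's public fatBinaryHeader (u32 magic 0xBA55ED50, u16 version, u16 headerSize, u64 fatSize) and the sample image it checks is constructed inline.

```python
import struct

# Constants from NVIDIA's public fatbinary header and the ELF spec (assumed here,
# not from the talk): fatbin magic 0xBA55ED50 (little-endian) and EM_CUDA == 190.
FATBIN_MAGIC = struct.pack("<I", 0xBA55ED50)
EM_CUDA = 190
ELF_MAGIC = b"\x7fELF"
# Section names nvcc gives the embedded device code in a host ELF binary.
HOST_SECTION_NAMES = (b".nv_fatbin", b".nvFatBinSegment")


def find_cuda_device_code(blob: bytes) -> dict:
    """Static triage of a host executable image: report where CUDA fat
    binaries and CUDA ELF (cubin) images are embedded, so the analyst can
    carve them out for static analysis of the device code."""
    hits = {"fatbin": [], "cubin": [], "section_names": []}
    pos = blob.find(FATBIN_MAGIC)
    while pos != -1:
        # fatBinaryHeader: u32 magic, u16 version, u16 headerSize, u64 fatSize
        if pos + 16 <= len(blob):
            version, hdr_size, fat_size = struct.unpack_from("<HHQ", blob, pos + 4)
            hits["fatbin"].append({"offset": pos, "version": version,
                                   "header_size": hdr_size, "payload_size": fat_size})
        pos = blob.find(FATBIN_MAGIC, pos + 1)
    pos = blob.find(ELF_MAGIC)
    while pos != -1:
        # e_ident: EI_CLASS at +4, EI_DATA at +5; e_machine is a u16 at +18
        # for both ELF32 and ELF64, so the class does not change the offset.
        if pos + 20 <= len(blob):
            fmt = "<H" if blob[pos + 5] == 1 else ">H"
            if struct.unpack_from(fmt, blob, pos + 18)[0] == EM_CUDA:
                hits["cubin"].append({"offset": pos,
                                      "class": 64 if blob[pos + 4] == 2 else 32})
        pos = blob.find(ELF_MAGIC, pos + 1)
    hits["section_names"] = [n.decode() for n in HOST_SECTION_NAMES if n in blob]
    return hits


def build_sample() -> bytes:
    """Constructed image for demonstration (not a real binary): host bytes
    and a section name, then a fatbin header, then a minimal ELF64 header
    whose e_machine claims CUDA device code."""
    host = b"MZ" + b"\x00" * 30 + b"host code\x00" + b".nv_fatbin\x00"   # 53 bytes
    fatbin = FATBIN_MAGIC + struct.pack("<HHQ", 1, 16, 4096)          # offset 53
    cubin = (ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8               # offset 77
             + struct.pack("<HH", 2, EM_CUDA) + b"\x00" * 44)
    return host + fatbin + b"\x00" * 8 + cubin
```

Run `find_cuda_device_code(open(path, "rb").read())` on a suspect binary; an x86 ELF header inside the same file is not reported because its e_machine is not EM_CUDA.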


Very interesting article. It wasn’t clear if the problem is simply that there are no disassemblers available or that the hardware cannot support it. Also, it’s certainly possible to use the GPU on purpose, but it’s again not clear what sort of avenue malware might use to run code on infected machines using their GPUs… it seems harder for the malware programmer, at least currently, to know what possible hardware would be available to use when it infects a machine, since right now GPUs that can run these codes aren’t ubiquitous or available (unless it’s being used like the example shown by the presentation as a DoS attack). The presenter of course didn’t imply a worm/virus of any sort, simply that it could be used for bad things.

This post was written by admin, who has written 20 posts on HPC Programmer.