Vulnerability in Thunderbolt allows unlimited memory access

Discussion in 'Frontpage news' started by Hilbert Hagedoorn, Mar 4, 2019.

  1. Hilbert Hagedoorn

    Hilbert Hagedoorn Don Vito Corleone Staff Member

    Messages:
    38,251
    Likes Received:
    6,887
    GPU:
    AMD | NVIDIA
  2. longest

    longest Member

    Messages:
    26
    Likes Received:
    3
    GPU:
    1080 Ti Aorus
    hot take: nobody uses thunderbolt devices. less than 0.01% of pc users and less than 0.5% of mac users. thunderbolt is pcie, what did they expect? this has also been discovered years ago, why is it a thing again?
     
  3. DeskStar

    DeskStar Master Guru

    Messages:
    897
    Likes Received:
    125
    GPU:
    EVGA 2080Ti FTW3 HC
    I personally never heard of it, so I'm glad it was spoken up about again.

    Hardware vulnerabilities are a big thing these days and I truly never thought it would be this bad. Software is what I always thought was the mess-up, but I guess even after the BIOSes being corrupted/attacked years ago it was only a matter of time.
     
  4. longest

    longest Member

    Messages:
    26
    Likes Received:
    3
    GPU:
    1080 Ti Aorus

  5. reix2x

    reix2x Master Guru

    Messages:
    355
    Likes Received:
    53
    GPU:
    HIS 4870 1GB
    If I have to choose a diabolic device, that red diabolic card looks the best!
     
  6. schmidtbag

    schmidtbag Ancient Guru

    Messages:
    5,034
    Likes Received:
    1,698
    GPU:
    HIS R9 290
    With USB C becoming more common, TB is kinda obsolete these days anyway. I'm sure TB has better latency but not enough to be worth the vulnerabilities.
     
    airbud7 likes this.
  7. longest

    longest Member

    Messages:
    26
    Likes Received:
    3
    GPU:
    1080 Ti Aorus
    might as well throw your video card away since it has direct memory access and a supposed MALICIOUS driver could steal all your info. you have to plug in an extremely shady device to have anything like that happen.
     
  8. schmidtbag

    schmidtbag Ancient Guru

    Messages:
    5,034
    Likes Received:
    1,698
    GPU:
    HIS R9 290
    Not really a good comparison. GPUs are output devices only. TB is an I/O interface.
     
    airbud7 likes this.
  9. Picolete

    Picolete Master Guru

    Messages:
    294
    Likes Received:
    76
    GPU:
    R9 290 Sapphire Tri-x
    Didn't FireWire have the same problem?
     
  10. K.S.

    K.S. Ancient Guru

    Messages:
    2,280
    Likes Received:
    614
    GPU:
    EVGA RTX 2080 Ti XC
    "thunderclap" ? hahahahaha
     
    airbud7, RavenMaster and user1 like this.

  11. tsunami231

    tsunami231 Ancient Guru

    Messages:
    10,416
    Likes Received:
    559
    GPU:
    EVGA 1070Ti Black
    Breaking news: there are flaws in human brains' "hw" that allow others to control our minds and what we remember and what we don't.

    Where is the outlash from this and fix for it??!!

    :D

    Old news recycled as new news
     
  12. user1

    user1 Ancient Guru

    Messages:
    1,550
    Likes Received:
    522
    GPU:
    hd 6870
    Wat

    (Thunderbolt is PCIe; GPUs do writes and reads of system memory via PCIe. They are not output only, they are accelerator boards; they can process data given to them and give back results.)
     
  13. schmidtbag

    schmidtbag Ancient Guru

    Messages:
    5,034
    Likes Received:
    1,698
    GPU:
    HIS R9 290
    I understand all of that, but my point is GPUs don't acquire data from external sources; they depend on the CPU to feed them data. In other words, if someone is going to hack your system memory, they need CPU access first, in which case you don't need the GPU at all. In other words, that's kind of like trying to breach the security of a house when you're already inside it.
     
  14. user1

    user1 Ancient Guru

    Messages:
    1,550
    Likes Received:
    522
    GPU:
    hd 6870
    You do realize that if you were able to put a malicious payload into a GPU and execute it (you load data into the GPU every time you do anything with hw acceleration, whether that's a game or a web browser), the GPU would be able to read all of the system memory; it breaks the sandbox. You don't need explicit CPU access for this type of thing to be exploited.

    Easy to break into the house if you let people inside first lol.

    edit: point is the gpu is a perfectly fine example to use, if not the most likely pcie device to be exploited
     
    Last edited: Mar 6, 2019
  15. schmidtbag

    schmidtbag Ancient Guru

    Messages:
    5,034
    Likes Received:
    1,698
    GPU:
    HIS R9 290
    Supposing the GPU can actually access all system memory (or, to give you the benefit of the doubt, manage to modify the system RAM without the CPU knowing), how exactly is the hacker supposed to get that information without the CPU? As far as I'm concerned, the GPU has no ability to directly talk to any other peripheral, most importantly, a NIC. Therefore, the CPU still must be involved for the hacker to succeed, at which point their efforts can still be detected. It doesn't matter how much the GPU can do on its own, it can't be 100% independent.
    Sure, using a GPU in this very difficult manner would dramatically decrease your chances of detection vs accomplishing your goal strictly through CPU, but...:
    Doesn't really change my point: if you already have enough system access to break into the GPU in the first place, you might as well use your time wisely and skip it altogether. Compiling your program and sending data over the PCIe bus wastes too much time.
    A GPU is a stretch of a worst-case scenario.
     
    Last edited: Mar 6, 2019

  16. user1

    user1 Ancient Guru

    Messages:
    1,550
    Likes Received:
    522
    GPU:
    hd 6870
    There are reasons why Chrome blacklists certain GPU drivers from hw acceleration; privilege escalation is one of them (there are many documented CVEs on this matter). This DMA exploit is an attack vector for gaining access to system memory.

    It is not a stretch.

    The scenario is: you load a webpage, it uses hw acceleration for something (say WebGL, for instance), it loads a malicious program into your GPU. Now this alone doesn't mean your data is at risk, since the GPU is supposed to be a box on its own, but with the DMA exploit it can now read and write system memory, which has the potential to allow you to escalate your attack. That is far more likely to take place than malicious Thunderbolt dongles IMO; that type of thing is for targeted attacks (like stealing company data). The risk to the average user is minimal compared to a GPU-based attack.


    If your computer loads a webpage, it is executing code from outside of your computer. That is why it is pointless to say that "you need to have system access": you expose your computer to JavaScript and other modes of execution from external sources every day. What makes your computer "safe" is execution privileges; userland code is not supposed to be able to access all of your memory, and this DMA exploit breaks part of the trust, which is why it creates risk.
     
  17. schmidtbag

    schmidtbag Ancient Guru

    Messages:
    5,034
    Likes Received:
    1,698
    GPU:
    HIS R9 290
    I must be too used to being a Linux user because I otherwise don't know where the DMA exploit would come from. That being said, I'm guessing this is mostly a Windows issue? I have a hard time believing Chrome devs could let something like that slip by so easily and for so long where their solution is to just blacklist something, because as you said, userland code shouldn't have full DMA.

    That being said, if a DMA exploit is involved, really anything can go. Like why stop with the GPU? Might as well go full spectre and meltdown.

    As a side note, to my understanding, Linux GPU drivers are blacklisted in Chrome due to apparent functionality issues, rather than security, but I digress.
     
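    The check below is an added example, not code from any poster in this thread. On Linux the fence between a PCIe/Thunderbolt device's DMA and system memory is the IOMMU, and the kernel reports whether it is enforcing that fence for hot-plugged Thunderbolt devices through sysfs. It assumes a kernel with the Thunderbolt driver's `security` and `iommu_dma_protection` attributes; the sysfs root is a parameter so the logic can be exercised on a constructed tree.

```shell
#!/bin/sh
# Report whether this host fences DMA from hot-plugged Thunderbolt/PCIe
# devices. Reads /sys/kernel/iommu_groups (non-empty when an IOMMU is
# active) and, per Thunderbolt domain, the security level plus the
# iommu_dma_protection flag (1 when the kernel relies on the IOMMU to
# isolate device DMA). The sysfs root is an argument for testing.

# Prints "protected", "partial" or "unprotected" for the given sysfs root.
dma_protection_status() {
    root="${1:-/sys}"
    iommu_on=0
    tb_ok=1

    # An active IOMMU exposes at least one group directory.
    if [ -d "$root/kernel/iommu_groups" ] && \
       [ -n "$(ls -A "$root/kernel/iommu_groups" 2>/dev/null)" ]; then
        iommu_on=1
    fi

    # Each Thunderbolt controller appears as domainN.
    for dom in "$root"/bus/thunderbolt/devices/domain*; do
        [ -d "$dom" ] || continue
        level=$(cat "$dom/security" 2>/dev/null || echo unknown)
        prot=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo 0)
        # Level "none" tunnels PCIe to any plugged device without
        # authorization; that is only acceptable when the IOMMU fences it.
        if [ "$level" = "none" ] && [ "$prot" != "1" ]; then
            tb_ok=0
        fi
    done

    if [ "$iommu_on" = 1 ] && [ "$tb_ok" = 1 ]; then
        echo protected
    elif [ "$iommu_on" = 1 ] || [ "$tb_ok" = 1 ]; then
        echo partial
    else
        echo unprotected
    fi
}

# Stand-alone use: report on the running host.
echo "DMA protection: $(dma_protection_status /sys)"
```

    A "partial" result means either the IOMMU is off while Thunderbolt still requires device authorization, or the IOMMU is on but a controller is set to level "none" without kernel DMA protection.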
  18. user1

    user1 Ancient Guru

    Messages:
    1,550
    Likes Received:
    522
    GPU:
    hd 6870
    Chrome blacklists drivers until the drivers are fixed, usually. On Nvidia's side there have been many CVEs to do with hardware acceleration; I would assume since Nvidia uses a proprietary binary on Linux, that it would also apply there.

    Here you can take a look at CVEs for WebGL, https://nvd.nist.gov/vuln/search/re...lts_type=overview&query=webgl&search_type=all, and CVEs for Nvidia's driver https://nvd.nist.gov/vuln/search/re...ts_type=overview&query=nvidia&search_type=all

    GPUs have a large attack surface.

    Also I will include this: https://www.cs.utexas.edu/users/witchel/pubs/zhu17gpgpu-security.pdf
    This is also a good source for a more technical understanding as to what is going on internally in the context of security in regards to GPUs.
     
    Last edited: Mar 6, 2019
