Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU

Pietro Frigo, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review

551 Downloads (Pure)

Abstract

Dark silicon is pushing processor vendors to add more specialized units such as accelerators to commodity processor chips. Unfortunately this is done without enough care to security. In this paper we look at the security implications of integrated Graphical Processor Units (GPUs) found in almost all mobile processors. We demonstrate that GPUs, already widely employed to accelerate a variety of benign applications such as image rendering, can also be used to 'accelerate' microarchitectural attacks (i.e., making them more effective) on commodity platforms. In particular, we show that an attacker can build all the necessary primitives for performing effective GPU-based microarchitectural attacks and that these primitives are all exposed to the web through standardized browser extensions, allowing side-channel and Rowhammer attacks from JavaScript. These attacks bypass state-of-the-art mitigations and advance existing CPU-based attacks: we show the first end-to-end microarchitectural compromise of a browser running on a mobile phone in under two minutes by orchestrating our GPU primitives. While powerful, these GPU primitives are not easy to implement due to undocumented hardware features. We describe novel reverse engineering techniques for peeking into the previously unknown cache architecture and replacement policy of the Adreno 330, an integrated GPU found in many common mobile platforms. This information is necessary when building shader programs implementing our GPU primitives. We conclude by discussing mitigations against GPU-enabled attackers.

Original languageEnglish
Title of host publicationProceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages195-210
Number of pages16
ISBN (Electronic)9781538643525
DOIs
Publication statusPublished - 2018
Event39th IEEE Symposium on Security and Privacy, SP 2018 - San Francisco, United States
Duration: 21 May 201823 May 2018

Conference

Conference39th IEEE Symposium on Security and Privacy, SP 2018
Country/TerritoryUnited States
CitySan Francisco
Period21/05/1823/05/18

Funding

We would like to thank our shepherd Simha Sethumadhavan and our anonymous reviewers for their valuable feedbacks. Furthermore, we want to thank Rob Clark for his precious insights throughout the research. This work was supported by the European Commission through project H2020 ICT-32-2014 SHARCS under Grant Agreement No. 644571 and by the Netherlands Organisation for Scientific Research through grant NWO 639.023.309 VICI Dowsing.

FundersFunder number
European Commission644571, H2020 ICT-32-2014
Nederlandse Organisatie voor Wetenschappelijk Onderzoek639.023.309

    Keywords

    • ARM
    • Browser security
    • Integrated GPUs
    • Microarchitectural attacks
    • Mobile security
    • Rowhammer
    • Side channels

    Fingerprint

    Dive into the research topics of 'Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU'. Together they form a unique fingerprint.

    Cite this