Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU

Research output: Chapter in Book / Report / Conference proceeding, Conference contribution, Academic, peer-review

Abstract

Dark silicon is pushing processor vendors to add more specialized units such as accelerators to commodity processor chips. Unfortunately this is done without enough care to security. In this paper we look at the security implications of integrated Graphical Processor Units (GPUs) found in almost all mobile processors. We demonstrate that GPUs, already widely employed to accelerate a variety of benign applications such as image rendering, can also be used to 'accelerate' microarchitectural attacks (i.e., making them more effective) on commodity platforms. In particular, we show that an attacker can build all the necessary primitives for performing effective GPU-based microarchitectural attacks and that these primitives are all exposed to the web through standardized browser extensions, allowing side-channel and Rowhammer attacks from JavaScript. These attacks bypass state-of-the-art mitigations and advance existing CPU-based attacks: we show the first end-to-end microarchitectural compromise of a browser running on a mobile phone in under two minutes by orchestrating our GPU primitives. While powerful, these GPU primitives are not easy to implement due to undocumented hardware features. We describe novel reverse engineering techniques for peeking into the previously unknown cache architecture and replacement policy of the Adreno 330, an integrated GPU found in many common mobile platforms. This information is necessary when building shader programs implementing our GPU primitives. We conclude by discussing mitigations against GPU-enabled attackers.

Original language: English
Title of host publication: Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 195-210
Number of pages: 16
ISBN (Electronic): 9781538643525
DOI: https://doi.org/10.1109/SP.2018.00022
Publication status: Published - 2018
Event: 39th IEEE Symposium on Security and Privacy, SP 2018 - San Francisco, United States
Duration: 21 May 2018 to 23 May 2018

Conference

Conference: 39th IEEE Symposium on Security and Privacy, SP 2018
Country: United States
City: San Francisco
Period: 21/05/18 to 23/05/18

Fingerprint

Reverse engineering
Mobile phones
Particle accelerators
Program processors
Hardware
Silicon

Keywords

  • ARM
  • Browser security
  • Integrated GPUs
  • Microarchitectural attacks
  • Mobile security
  • Rowhammer
  • Side channels

Cite this

Frigo, P., Giuffrida, C., Bos, H., & Razavi, K. (2018). Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU. In Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018 (pp. 195-210). [8418604] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/SP.2018.00022
@inproceedings{7b0e577233364195b2b1c021d8b6b1da,
title = "Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU",
keywords = "ARM, Browser security, Integrated GPUs, Microarchitectural attacks, Mobile security, Rowhammer, Side channels",
author = "Pietro Frigo and Cristiano Giuffrida and Herbert Bos and Kaveh Razavi",
year = "2018",
doi = "10.1109/SP.2018.00022",
language = "English",
pages = "195--210",
booktitle = "Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
address = "United States",
}
