Abstract
Dark silicon is pushing processor vendors to add more specialized units such as accelerators to commodity processor chips. Unfortunately this is done without enough care to security. In this paper we look at the security implications of integrated Graphical Processor Units (GPUs) found in almost all mobile processors. We demonstrate that GPUs, already widely employed to accelerate a variety of benign applications such as image rendering, can also be used to 'accelerate' microarchitectural attacks (i.e., making them more effective) on commodity platforms. In particular, we show that an attacker can build all the necessary primitives for performing effective GPU-based microarchitectural attacks and that these primitives are all exposed to the web through standardized browser extensions, allowing side-channel and Rowhammer attacks from JavaScript. These attacks bypass state-of-the-art mitigations and advance existing CPU-based attacks: we show the first end-to-end microarchitectural compromise of a browser running on a mobile phone in under two minutes by orchestrating our GPU primitives. While powerful, these GPU primitives are not easy to implement due to undocumented hardware features. We describe novel reverse engineering techniques for peeking into the previously unknown cache architecture and replacement policy of the Adreno 330, an integrated GPU found in many common mobile platforms. This information is necessary when building shader programs implementing our GPU primitives. We conclude by discussing mitigations against GPU-enabled attackers.
Original language | English |
---|---|
Title of host publication | Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018 |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 195-210 |
Number of pages | 16 |
ISBN (Electronic) | 9781538643525 |
DOIs | |
Publication status | Published - 2018 |
Event | 39th IEEE Symposium on Security and Privacy, SP 2018 - San Francisco, United States Duration: 21 May 2018 → 23 May 2018 |
Conference
Conference | 39th IEEE Symposium on Security and Privacy, SP 2018 |
---|---|
Country/Territory | United States |
City | San Francisco |
Period | 21/05/18 → 23/05/18 |
Funding
We would like to thank our shepherd Simha Sethumadhavan and our anonymous reviewers for their valuable feedbacks. Furthermore, we want to thank Rob Clark for his precious insights throughout the research. This work was supported by the European Commission through project H2020 ICT-32-2014 SHARCS under Grant Agreement No. 644571 and by the Netherlands Organisation for Scientific Research through grant NWO 639.023.309 VICI Dowsing.
Funders | Funder number |
---|---|
European Commission | 644571, H2020 ICT-32-2014 |
Nederlandse Organisatie voor Wetenschappelijk Onderzoek | 639.023.309 |
Keywords
- ARM
- Browser security
- Integrated GPUs
- Microarchitectural attacks
- Mobile security
- Rowhammer
- Side channels