2025-02-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)11/24 Report--
Thanks to CTOnews.com reader Alejandro86 for the tip! It turns out that these days even a GPU can leak your password.
GPUs from six mainstream vendors, Nvidia, Intel, AMD, Qualcomm, Apple and ARM, are all affected.
And the leak happens not while handling AI or big-data tasks, but while handling graphics tasks when rendering web pages.
The new attack method, called pixel stealing, was proposed by a team of researchers from institutions including the University of Texas at Austin.
The research will be presented at the 45th IEEE Symposium on Security and Privacy in 2024, but the paper and code are already open source.
The proof-of-concept attack the researchers developed, which exploits data compression, is called GPU.zip.
The method is to embed an iframe in a malicious website to obtain the content of the embedded site, such as user names, images of passwords and other sensitive data.
Normally, the browser's same-origin policy prevents this.
However, a data compression method used in almost all modern GPUs is not subject to this restriction.
The main purpose of this compression is to save video memory bandwidth and improve performance. It happens without the application's involvement, so it is not bound by the application's rules.
After the research team reverse-engineered the compression algorithms of different GPUs, they could "decompress" the data again.
The attack idea is clever: measure the rendering time, or the cache state changes, of an applied filter.
If the target pixel is white, the filter result is incompressible and the rendering time is long; if it is black, it is compressible and the rendering time is short.
The color of the target pixel is inferred from the time difference, which completes the cross-origin pixel read. Eventually, all the pixels can be obtained one by one to reconstruct the complete content of the victim page.
In the experiment, the target pixels could be recovered with 97% accuracy in 30 minutes on the AMD Ryzen 7 4800U.
The Intel i7-8700 takes 215 minutes with an accuracy of 98.3%.
The attack is very accurate and is not thrown off by system noise, but fortunately it takes a long time.
Nvidia, Qualcomm: not under our control
To carry out this attack, the browser still needs to meet three conditions:
Allow cross-origin iframes to be loaded with cookies
Allow SVG filters to be rendered on iframes
Hand the rendering task over to the GPU
Among mainstream browsers, the ones that meet all the conditions and are more at risk are Chrome and Edge; Safari and Firefox are immune to this attack.
Based on this, both Nvidia and Qualcomm said they had no plans to make any repairs.
A spokesman for Nvidia said, "We have evaluated the findings provided by the researchers and determined that the root cause is not in our GPU, but in third-party software."
"This issue is not in our threat model because it affects browsers more directly and can be resolved by browser applications if necessary, so there are no plans to make any changes at this time," a Qualcomm spokesman said.
As of press time, Nvidia, Apple, AMD and ARM had yet to provide official comment.
Google Chrome has not decided whether to fix it, saying only that it is communicating with the research team and actively participating.
For website developers, avoiding this attack means preventing sensitive pages from being embedded by cross-origin sites.
You can do this by setting X-Frame-Options or Content-Security-Policy in the HTTP response headers.
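As an added example (not from the article or the GPU.zip paper), the following Node.js sketch classifies whether a response can be embedded by another origin and shows headers that refuse it. The function names and sample inputs are constructed for illustration, and it assumes a single Content-Security-Policy header with lower-case header keys.

```javascript
// Added example: audit a response's anti-framing headers.
// Header names come from the article; everything else is illustrative.

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  for (const directive of String(csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

// headers: object with lower-case header names (as Node's http module gives).
// Returns 'none', 'same-origin', 'allowlist' or 'embeddable'.
function framingPolicy(headers) {
  const ancestors = frameAncestors(headers['content-security-policy']);
  if (ancestors !== null) {
    // When frame-ancestors is present, browsers that support it
    // ignore X-Frame-Options, so it alone decides the outcome.
    const onlyNone = ancestors.length === 1 && ancestors[0] === "'none'";
    if (ancestors.length === 0 || onlyNone) return 'none';
    if (ancestors.every((s) => s === "'self'")) return 'same-origin';
    const wide = ['*', 'http:', 'https:'];
    if (ancestors.some((s) => wide.includes(s))) return 'embeddable';
    return 'allowlist';
  }
  const xfo = String(headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'none';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // Header missing, or a value such as ALLOW-FROM that current
  // browsers do not enforce: any site can frame the page.
  return 'embeddable';
}

// Headers a sensitive page (login, account settings) can send so that
// only same-origin pages may embed it.
function antiFramingHeaders() {
  return {
    'content-security-policy': "frame-ancestors 'self'",
    'x-frame-options': 'SAMEORIGIN',
  };
}
```

A result of 'embeddable' on a page that shows account data means a cross-origin site can place it in an iframe, which is the precondition the attack described above relies on.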
So should users be worried about this kind of attack?
The researchers found that most sensitive sites already refuse to be embedded by cross-origin sites; among large sites, Wikipedia was found to be vulnerable.
Some netizens have also proposed a more thorough solution: iframes are being used less and less anyway, so why not get rid of them?
Paper address:
https://www.hertzbleed.com/gpu.zip/
Reference link:
[1] https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/
[2] https://news.ycombinator.com/item?id=37663159