How secure is the host operating system from the guest virtual machine's OS when using GPU passthrough (using the methods described here)?

If the guest is compromised, can it permanently infect the GPU and its firmware? If it's possible, what could this compromised GPU do?

  • Even though VT-d/IOMMU is designed to securely contain devices to the virtual machine, could the guest use the GPU to compromise the host (OS or any other devices)?
  • If the GPU is suspected compromised, what should be the ideal course of action? If the computer's host OS is reinstalled, would the GPU be able to attack and infect it?
    (Moved to separate question)

I'm looking for a general answer, but if it's relevant, assume Linux host with KVM and Windows guest.

user220850
    There is a proof-of-concept [GPU rootkit jellyfish](https://github.com/x0r1/jellyfish) on GitHub. It survives reboot, but not a shutdown. – mviereck Jun 24 '17 at 00:18

1 Answer

  • If the guest is compromised, can it permanently infect the GPU and its firmware?

According to OpenStack documentation, yes.

Many hypervisors offer a functionality known as PCI passthrough. This allows an instance to have direct access to a piece of hardware on the node. For example, this could be used to allow instances to access video cards or GPUs offering the compute unified device architecture (CUDA) for high performance computation.

This feature carries two types of security risks: direct memory access and hardware infection.

Direct memory access is only relevant to device passthrough not using IOMMU.

  • Even though VT-d/IOMMU is designed to securely contain devices to the virtual machine, could the guest use the GPU to compromise the host (OS or any other devices)?

Possibly, if the device is used by the host.

A hardware infection occurs when an instance makes a malicious modification to the firmware or some other part of a device. As this device is used by other instances or the host OS, the malicious code can spread into those systems. The end result is that one instance can run code outside of its security domain. This is a significant breach as it is harder to reset the state of physical hardware than virtual hardware, and can lead to additional exposure such as access to the management network.

user220850
  • Is the device "used" by the host after VM shutdown? Or at any other time? – user220850 Jun 17 '17 at 19:18
  • At the very least the device is "used" by the BIOS when the host machine is next rebooted and it tries to figure out what devices are in the system. – Peter Green Jun 17 '17 at 21:00
  • I think hardware infection requires access to PCI configuration space (to write option ROMs). I don't think CUDA is sufficient to actually "infect" a GPU with persistent code. – forest Jul 21 '18 at 02:28
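
A host-side check for the IOMMU containment discussed in the question and answer above, as an added example that is not part of the original posts or of the OpenStack documentation. It classifies a PCI device from the Linux sysfs layout; the function names, the device addresses and the sample tree are constructed for illustration, and treating bridges and unbound or `pci-stub` peers as acceptable is an assumption of this example.

```bash
#!/usr/bin/env bash
# Classify how well a PCI device is contained before it is passed to a guest.
# Prints one of: no-iommu | shared | isolated
# usage: passthrough_isolation <BDF> [sysfs_root]   (sysfs_root defaults to /sys)
passthrough_isolation() {
  local bdf="$1" sys="${2:-/sys}" dev peer drv
  dev="$sys/bus/pci/devices/$bdf"
  # No iommu_group link: the device's DMA is not remapped by the IOMMU.
  if [ ! -e "$dev/iommu_group" ]; then echo no-iommu; return 0; fi
  for peer in "$dev/iommu_group/devices"/*; do
    [ "$(basename "$peer")" = "$bdf" ] && continue
    # Assumption: PCI bridges (class 0x0604xx) in the group stay with the host.
    case "$(cat "$peer/class" 2>/dev/null)" in 0x0604*) continue ;; esac
    drv=$(basename "$(readlink "$peer/driver" 2>/dev/null)")
    # A peer bound to a normal host driver sits inside the same isolation
    # boundary as the passed-through device, so the group is not contained.
    case "$drv" in
      vfio-pci|pci-stub|"") ;;
      *) echo shared; return 0 ;;
    esac
  done
  echo isolated
}

# Constructed sample tree (not real hardware): GPU 0000:01:00.0 and its audio
# function 0000:01:00.1 share IOMMU group 1; NIC 0000:02:00.0 has no group.
# usage: make_sample_sysfs <absolute_root> <driver bound to the audio function>
make_sample_sysfs() {
  local root="$1" audio_drv="$2" d
  for d in 0000:01:00.0 0000:01:00.1 0000:02:00.0; do
    mkdir -p "$root/bus/pci/devices/$d"
  done
  mkdir -p "$root/kernel/iommu_groups/1/devices" "$root/bus/pci/drivers/$audio_drv"
  echo 0x030000 > "$root/bus/pci/devices/0000:01:00.0/class"   # VGA controller
  echo 0x040300 > "$root/bus/pci/devices/0000:01:00.1/class"   # audio device
  for d in 0000:01:00.0 0000:01:00.1; do
    ln -s "$root/bus/pci/devices/$d" "$root/kernel/iommu_groups/1/devices/$d"
    ln -s "$root/kernel/iommu_groups/1" "$root/bus/pci/devices/$d/iommu_group"
  done
  ln -s "$root/bus/pci/drivers/$audio_drv" "$root/bus/pci/devices/0000:01:00.1/driver"
}
```

On a real host, call `passthrough_isolation` with the GPU's address as shown by `lspci -D`. This check covers only the DMA boundary, not the firmware persistence risk raised in the answer.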