Since general-purpose GPU computing models such as CUDA and OpenCL were introduced in 2008, using graphics processing units (GPUs) for general data processing has become an increasing trend. Meanwhile, research has begun to assess the threats that GPUs could introduce, including how a GPU could be used to assist malicious software. With plenty of memory, high-performance cores, and a location independent of the CPU, the GPU offers an ideal environment for malicious software for which stealth is the first consideration. One such study proposed a threat model in which the GPU is used to quickly decrypt ciphertext malicious code embedded in the main program, hiding it from common malware detection.

Building on that research, we identify three media through which an attacker could implant GPU-decrypted code into an infected system for execution: memory, the filesystem, and the network. Based on these types, we propose a system that dynamically monitors a process's memory and filesystem behavior according to its use of peripheral devices. It can warn about and deny access at the moment a segment of "data" is, accidentally or maliciously, misused as executable code. The system also performs well, incurring little overhead on the monitored processes.

As peripheral devices become more powerful than ever, these new kinds of attack and defense will inevitably become a new topic in information security. The goal of our research is to put forth a mechanism that applies access control based on the use of peripheral devices in order to maintain the integrity of the system.