Your VRAM might be leaking confidential data

[SIGSEGV]

Source: https://hsmr.cc/palinopsia/

tl;dr: VRAM is often not cleared and because of this running the proof of concept code can let the attacker see what you were doing.

3 out of 4 tested laptops did not erase or overwrite their VRAM upon reboot! This offers a potential attack surface for an attacker trying to read confidential information from a locked computer he has physical access to. A possible attack on a Windows-machine might look like this:

The user works on a confidential document and locks their screen

The attacker gains physical access and reboots the system (from the lockscreen) into a live system of their choice

The attacker reads out the VRAM and recovers screenshots of the document

This scenario was tested on a Lenovo Thinkpad W500 with a ATI Radeon HD3750 graphics card. Below is a screenshot from within the Windows system, with a mock-up confidential document:

"screenshot" of the same document after rebooting into a Xubuntu live system and running the proof of concept code:

While the document is not entirely readable due to fragmentation and interlacing, the color coding shows us that the entirety of the screen might still be recoverable from VRAM. There are also clearly readable fragments.

Most alarmingly perhaps is the fact that this can be executed from a guest OS to grab information from the host:

If the "3D-Acceleration" feature of VirtualBox is activated, running the proof-of-concept code from inside the VM provides the ability to read framebuffers from the host system.

The following experiment was conducted to demonstrate this behaviour:

The host system (arch linux on a laptop running a ATI HD4350/4550 card) is booted

Wikipedia and Youtube are opened in Chromium

A VirtualBox VM running Ubuntu 14.04 is booted

The proof of concept code is executed. The recovered frames belong to the host system and clearly show the visited websites

[Firearm2112]

inb4 nvidia's ram gate 0.5 of slower ram is used to send your data to the NSA

[werto165]

"On a laptop with an Intel HD4000 and a dedicated nVidia card where the OS can switch between cards, one has to force the usage of the dedicated card to read from VRAM. The internal graphics card seems to be unaffected at the moment. Tests showed that in this setup only programs forced to run on the dedicated card will leak data to VRAM." that's a little promising. But still scary. Also is this a just a laptop specific thing? 

[Jobbe03]

Right but you basically need physical acces to the PC itself tho... 

[Notional]

Just get a 970, then you will secure 1/8th of the Vram.

[werto165]

Right but you basically need physical acces to the PC itself tho... 

"It might be possible to leak the content of the VRAM of hardware-accelerated server systems that run thin client 

infrastructures. In the scariest possible way this means that an attacker could read the memory of any machine running in a company. This could also affect big players providing virtual desktops in the cloud." 

[qwertywarrior]

jokes on them

i do all my hackzoring on integrated gpu using system memory

[Jobbe03]

 

"It might be possible to leak the content of the VRAM of hardware-accelerated server systems that run thin client 

infrastructures. In the scariest possible way this means that an attacker could read the memory of any machine running in a company. This could also affect big players providing virtual desktops in the cloud." 

 

[werto165]

@Jobbe03 I'm sorry please dont kill me. 

[Miguel Sensacion]

I'm lovin' the 970 jokes...  :angry:  :angry:  :angry:  :angry:  :angry:

[SIGSEGV]

"It might be possible to leak the content of the VRAM of hardware-accelerated server systems that run thin client 

infrastructures. In the scariest possible way this means that an attacker could read the memory of any machine running in a company. This could also affect big players providing virtual desktops in the cloud."

It will be very likely possible for things like nVidia GRID though

[Opcode]

So that's why the GTX 970 has a separate portion of VRAM.

[deviant88]

Its your fault for using linux in the first place.

[LOLPhilips]

Anybody actually able to read whatever was on that test document deserves a prize.

[LePawel]

Considering how damaged these "screenshots" are, chances of capturing useful information is tiny. You may be lucky to get random ID number to something. But if those are fragments from multiple frames the whole post should be just "VRAM has leftover frame pieces".

[DildorTheDecent]

HUR HUR HUR COMMENT ABOUT THE 970. 

 

Nice work kids. Get ready for the next round. 

[SIGSEGV]

Anybody actually able to read whatever was on that test document deserves a prize.

Enlarge it (click on it), a large portion of it is readable. And anyways, it wouldn't be too hard to piece it together to reconstruct some of it.

[SIGSEGV]

Its your fault for using linux in the first place.

They're only using Linux to exploit the VRAM, not as the test OS, the test OS is windows 7

[Godlygamer23]

I'm lovin' the 970 jokes...  :angry:  :angry:  :angry:  :angry:  :angry:

The jokes are getting so old - people find something funny and then overdo it. It's not funny anymore people. Shut up about it.

[Kamina]

No hacker has access to my PC.

[Lewellyn]

Enhance! ENHANCE!

[Sanctuary2808]

 

Below is a screenshot from within the Windows system

 

Looks more like Xubuntu 14.04 =/

 

Oh, it's in a VM.

[ComradeHX]

Better run boku no pico a few times before turning off PC, then.

[Doobeedoo]

So new GPUs with more VRAM, they can see so much haha.

[imthewalrus]

Won't be seeing much, after all the only reason why my computer restarts is because my r9 290x overheats and crashes.