ABSTRACT
The Graphics Processing Unit (GPU) on smartphones is an effective target for hardware attacks. In this paper, we present a new side-channel attack on the mobile GPUs of Android smartphones that allows an unprivileged attacker to eavesdrop on the user's credentials, such as login usernames and passwords, from their inputs through the on-screen keyboard. Our attack targets Qualcomm Adreno GPUs and investigates the amount of GPU overdraw when rendering the popups of the user's key presses. The GPU overdraw caused by each key press corresponds to unique variations of selected GPU performance counters, from which these key presses can be accurately inferred. Experimental results from practical use on multiple models of Android smartphones show that our attack can correctly infer more than 80% of the user's credential inputs while incurring negligible amounts of computing overhead and network traffic on the victim device. To counter this attack, this paper suggests mitigations based on access control over GPU performance counters or on obfuscating the values of GPU performance counters.
Index Terms
- Eavesdropping user credentials via GPU side channels on smartphones