DOI: 10.1145/3503222.3507757 · ACM Conferences · ASPLOS Conference Proceedings

Eavesdropping user credentials via GPU side channels on smartphones

Published: 22 February 2022

ABSTRACT

The Graphics Processing Unit (GPU) on smartphones is an effective target for hardware attacks. In this paper, we present a new side channel attack on mobile GPUs of Android smartphones, allowing an unprivileged attacker to eavesdrop on the user's credentials, such as login usernames and passwords, from their inputs through the on-screen keyboard. Our attack targets Qualcomm Adreno GPUs and investigates the amount of GPU overdraw when rendering the popups of the user's key presses. The GPU overdraw caused by each key press corresponds to unique variations of selected GPU performance counters, from which these key presses can be accurately inferred. Experimental results from practical use on multiple models of Android smartphones show that our attack can correctly infer more than 80% of the user's credential inputs, while incurring negligible amounts of computing overhead and network traffic on the victim device. To counter this attack, this paper suggests two mitigations: access control on GPU performance counters, or obfuscation of the values of GPU performance counters.
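
The two mitigations named in the abstract, sketched as an added example (not code from the paper or from any GPU driver). The policy names, the bucket size and the counter values are assumptions constructed for illustration; the code models a counter read path, not the real Adreno interface.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All names and values here are hypothetical; this is a model of a counter
 * read path, not the real Adreno/KGSL driver interface. */
enum policy { POLICY_OPEN, POLICY_DENY, POLICY_COARSEN };

#define BUCKET 4096u /* assumed granularity, far above per-popup variation */

/* Gate a single counter read. `privileged` stands for a caller the platform
 * has authorised for profiling (how that is decided is out of scope). */
int guarded_read(enum policy p, bool privileged, uint64_t raw, uint64_t *out)
{
    if (privileged || p == POLICY_OPEN) {
        *out = raw;                  /* full-resolution value */
        return 0;
    }
    if (p == POLICY_DENY)
        return -EACCES;              /* access-control mitigation */
    *out = raw - (raw % BUCKET);     /* obfuscation: round down to bucket */
    return 0;
}

/* Delta an unprivileged reader observes across one rendering event.
 * Returns -1 if either read is refused. */
int64_t observed_delta(enum policy p, uint64_t before, uint64_t after)
{
    uint64_t a, b;
    if (guarded_read(p, false, before, &a) || guarded_read(p, false, after, &b))
        return -1;
    return (int64_t)(b - a);
}

int main(void)
{
    /* Constructed sample: two popups adding different overdraw to a counter. */
    const uint64_t base = 81920, popup_a = 310, popup_b = 475;
    printf("open:    %lld vs %lld\n",
           (long long)observed_delta(POLICY_OPEN, base, base + popup_a),
           (long long)observed_delta(POLICY_OPEN, base, base + popup_b));
    printf("coarsen: %lld vs %lld\n",
           (long long)observed_delta(POLICY_COARSEN, base, base + popup_a),
           (long long)observed_delta(POLICY_COARSEN, base, base + popup_b));
    printf("deny:    %lld\n",
           (long long)observed_delta(POLICY_DENY, base, base + popup_a));
    return 0;
}
```

Rounding alone still leaks one bit whenever an event pushes the raw value across a bucket boundary, so a deployment would pair it with added noise or prefer the access-control policy.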

