
Attacking the Windows Nvidia Driver - spaceboy
https://googleprojectzero.blogspot.com/2017/02/attacking-windows-nvidia-driver.html
======
nailer
A lot of people hated the decision, but back when Microsoft refused to support
WebGL, one of the reasons were that the GPU drivers were awful and exposing
them to the internet was dangerous.

The proper solution, of course, is for GPU drivers not to suck, but it was still
a legitimate point and this article seems to validate that.

~~~
Eridrus
They were right that it was dangerous, but it became pretty clear that IE was
using them to provide cover for not implementing a feature when they changed
their mind later.

Whereas Chrome implemented a WebGL compiler that reduced the amount of attack
surface WebGL could reach and audited a bunch of popular drivers to fix the
exposed bits.

I think the fact that this blog shows that these vulnerabilities are not
reachable from WebGL is a validation of Chrome's approach there, though it
clearly shows the issues these drivers present for escaping Chrome's sandbox.

~~~
vvanders
I think there's probably still a fair bit of attack surface behind
glReadPixels() and the like. All it takes is a single
backbuffer/texture/surface/etc. to not be memzero'd properly and you can start
looking at parts of the system's memory.

GPUs are both really complex and highly secretive about their implementations.
The incentive for GPU vendors is to write fast drivers. Security is pretty far
down on the list, especially when it competes directly against performance.

~~~
edmccard
>fair bit of attack surface behind glReadPixels() and the like...

>...you can start looking at parts of the system's memory

I thought the whole point of using glReadPixels(), as opposed to just
dereferencing a pointer in the system's address space, was that the
framebuffer memory it accesses (whether backed by a texture or a surface or
whatever) is GPU memory, and _not_ system memory?

~~~
vvanders
That's true on split-memory architectures (desktop), but most mobile GPUs (and a
couple of consoles) use a unified memory model.

Also most browsers use the GPU to speed up rendering so you can pick out
things from there too potentially.

~~~
louithethrid
I wonder, do you really have to write zero to all the memory cells? Or can you
just stop the refresh cycle in hardware and let squares of memory drain and
die in one or two cycles?

~~~
MertsA
Even without refreshing the cells they actually last quite a lot longer than
you would expect. This is an old research paper on the topic but
unfortunately, it looks like all of the images and videos are broken which is
a shame because it gave you a great mental picture of the "half-life" so to
speak of RAM.

[https://citp.princeton.edu/research/memory/](https://citp.princeton.edu/research/memory/)

The bottom line is that you would need to stop refreshing it for minutes if
not longer to be sure that there wasn't an information leak and if the memory
is cooled down it'll last a great deal longer without being refreshed and even
still keep the majority of the contents after hours of being removed from a
running system if they are cooled using liquid nitrogen. Either way one or two
cycles isn't going to really matter at all.

------
Taylor_OD
I can't prove this, but my computer blue screened after an Nvidia driver update.
It took me several hours to get everything working again because it wouldn't
even launch in safe mode. Very frustrating. I wish they had a little more
quality control on their drivers.

~~~
hatsunearu
Oh trust me, they do tons of QA. If you can replicate what problem you have
demonstrably with steps that QA can follow and you submit to the Nvforums or
whatever, someone in the QA team will eventually try it out.

~~~
realharo
I dunno, I have had to live with this bug
([https://forums.geforce.com/default/topic/953432/geforce-mobile-gpus/dxgmms1-sys-bsod-crash-on-recent-windows-10-patches/](https://forums.geforce.com/default/topic/953432/geforce-mobile-gpus/dxgmms1-sys-bsod-crash-on-recent-windows-10-patches/),
[https://answers.microsoft.com/en-us/windows/forum/windows_10-update/kb3163018-causes-bluescreen-in-directx-dxgmms1sys/84db9eb6-0654-4716-809c-95fc66774985](https://answers.microsoft.com/en-us/windows/forum/windows_10-update/kb3163018-causes-bluescreen-in-directx-dxgmms1sys/84db9eb6-0654-4716-809c-95fc66774985))
for over half a year now.

~~~
__jal
Yeah, Nvidia rather sucks at cleaning up after themselves, for whatever
reason.

The main reason I'm not buying another card from them is their stance towards
Linux in general and their stance towards PCI virtualization in particular.

I'm currently not upgrading drivers due to the latter; they're trying to
disable the capabilities (dedicating a card to a VM) that are the reason I
bought a second card in the first place.

I can usually deal with either lazy or greedy, but both in conjunction is
infuriating. Screw those guys.

~~~
bonzini
If you're talking about GPU pass-through, they're just trying to make it hard,
but they're not making it impossible.

If you're talking about virtual GPUs, where one card is split across multiple
VMs, however, unfortunately that's Tesla only. That said, I worked (as the
maintainer of KVM) with the nVidia driver people working on vGPU, and I was
very impressed. They were very knowledgeable and professional, and they
managed to contribute a generic Linux framework for virtualizing PCI devices
rather than a one-off hack specific to nVidia. Intel is using the same
framework now, in fact.

~~~
yuhong
I think they want to limit it to Quadros to be more precise.

~~~
bonzini
Yes, exactly. But they don't try _that_ hard.

------
mschuster91
What I'd like to see is a "slimmed down" version of the graphics drivers.

Right now my graphics driver carries a boatload of "utilities" of questionable
utility - especially "hand written artisanal shaders" to improve quality in
AAA titles, where NV or ATI optimize the game's original shaders. NVIDIA ships
stuff for 3D glasses.

How about the driver packages only loading these when asked to, e.g.
when a game that can be optimized is installed / launched, or when 3D glasses
are added?

~~~
Asooka
Hear, hear. Can they also please be less than 100 MB in size? I think nVidia's
clock in at 300 right now. I just want the driver and recording/streaming
software. Maybe you could open up the required API to write a third-party
Shadow Play...

~~~
mschuster91
Yeah, the NV mobile driver clocks in at 292 MB (W7 x64) right now.

One thing that certainly blows up the size is that the NV driver installer
bundles support for everything from the old NV 8600M - which IIRC was released
in 2007.

If there's one thing I certainly can't whine about, in times where phones get
less than 2 years of updates, it is that NVidia still provides up-to-date
drivers for a GPU chipset nearing a decade of lifetime.

~~~
brokenmachine
I agree, but I recently bought a gtx1060, which meant I had to update to the
latest drivers, which unfortunately don't support the other card I have in
that machine (I forget what model, it's either a gt520 or a gt210). I only
wanted to use that other card to connect extra monitors.

You can't run two Nvidia cards off different driver versions.

Anyway, the gtx1060 supports four monitors by itself which is enough but I
needed to buy some cables.

Nvidia drivers are super bloated though.

------
baobrain
I wonder if AMD drivers have the same attack surfaces as the Nvidia drivers.

Edit: a quick Google search turns up CVEs for the old Catalyst driver, but
none for the newer Crimson drivers.

~~~
digi_owl
Too bad my laptop can't use those Crimson drivers, as AMD no longer supports
the APU part of the setup that makes things like external displays work (and
will you please stop trying to be helpful and silently "upgrading" my drivers,
Microsoft!).

~~~
pixelcloud
You can disable driver updates through group policy.

[https://technet.microsoft.com/en-us/library/cc730606(v=ws.10).aspx](https://technet.microsoft.com/en-us/library/cc730606\(v=ws.10\).aspx)

~~~
digi_owl
Could have sworn that MS had disabled GP access on "consumer" grade installs.

------
youdontknowtho
Project Zero is awesome. I'm not normally a fan of the GOOG, but these guys
are doing some seriously good work.

------
rebelwebmaster
Getting these issues fixed in the drivers is great, no doubt. But it's moot if
nobody actually updates to those fixed versions. How hard are nVidia/Microsoft
trying to actually push these out over Windows Update so that end users will
actually benefit from all of this work?

~~~
and0
Anyone who's into gaming probably has GeForce Experience installed, which
manages drivers and gives notifications.

I want to say Microsoft will push them out a little later, but I can't be
entirely sure since I've always used the nVidia path.

EDIT: Unfortunately the GeForce Experience is getting, as is typical, super
invasive. Access to even basic settings requires an account (nVidia or
Facebook account, etc).

~~~
abandonliberty
Recently removed GeForce Experience. Graphics drivers should not require an
account.

Considering that computer configuration is unique enough to enable
fingerprinting across different browsers, I can't even see why it's required.

At least Experience tells you it's being creepy so you can remove it.

------
rhcom2
Can someone give me a layman's definition of an "escape" and why they would be
legitimately needed? Are they needed so callbacks can "escape" and be exposed
to other classes? (does that make any sense?)

~~~
Nacraile
As the article indicates, they're similar to ioctl, which is a system call
that, roughly speaking, allows arbitrary opaque blobs of data to be passed
back and forth between a user-mode process and a kernel-mode driver. This is
intended as a generic mechanism allowing drivers to expose arbitrary
functionality to user space. This enables the implementation of functionality
that would not otherwise be possible because it was not foreseen and enabled
by the design of the operating system.

Bear in mind that the system call ABI changes slowly and with much difficulty:
once a version of a kernel is in production, it can stay in use for a long
time; it can take a long time for new functionality to be broadly available,
and breaking back-compat with applications compiled against older ABIs is Not
Done. Dynamically loadable kernel modules and ioctl-like system calls make it
much easier to bring new functionality to all the various kernels running
around in the real world.

Given the complexity and rate of change in graphics tech, it makes perfect
sense for there to be a general-purpose arbitrary functional-call mechanism
for interaction between user-mode and kernel-mode graphics driver components.
Microsoft (or the linux graphics subsystem maintainers, etc) just doesn't know
enough about Nvidia/AMD's current and future requirements to nail down a more
rigorously defined API.

~~~
rhcom2
Thanks, I know nothing about this level of programming but this gives me a lot
of good stuff to google.

------
graycat
Slightly off topic but with all the video expertise in this thread, I want to
ask anyway! :-)

I'm currently selecting parts for my next computer, to be used for continued
development of the Windows .NET software for the Web site for my startup and
also for my first Web server available to beta testers and then to the public
on the Internet.

So, sure, I need a video card. Of course, I will do some routine Web browsing,
maybe watch a movie at YouTube or Netflix. But I have never played a video
game and, trying to get my business going, have no intention of playing a
video game.

So, looking at information on video cards, it appears that maybe the card
should support hardware acceleration of Microsoft's DirectX version 12 and
also maybe some recent version of OpenGL.

Question 1: Why should I move from just VGA, that is, get just a VGA card and
not even get a _graphics_ card? What will I get from a graphics card I really
need and can't get from just VGA?

Question 2: If I get a graphics card, will DirectX 12 hardware acceleration on
a graphics card help for some of Web browsing or movie watching?

Question 3: Same as Question 2 but for OpenGL?

Some people on this thread may have some good answers. As far as I can tell,
good answers on the Internet are like hen's teeth -- it looks like everyone
wants to sell graphics cards for the latest _gaming experience_.

Thanks!

~~~
sherincall
Disclaimer: NVIDIA employee.

First of all, if your CPU has an integrated GPU, and you don't need more
monitors than it supports (usually it's 3x1080p), that will be more than
enough.

> Why should I move from just VGA, that is, get just a VGA card and not even
> get a graphics card?

I don't quite understand what you mean by VGA card. You mean something that
has a VGA adapter and framebuffer(s), but the rendering is done on the CPU?

I wasn't aware those still exist outside some niche markets. I'd guess it'd
cost about as much as an entry level GPU, which will take the load off your
CPU.

My advice, if you don't have any iGPU on your CPU, is to just get the lowest
tier graphics card. Those are <$100 new for the latest generation. You don't
need latest, and probably don't need new.

When it comes to web browsing and watching videos, any remotely recent card
will work fine. You may have issues with some fancy WebGL pages (i.e. browser
games) but that hardly counts as everyday browsing.

Be sure to read a review of the card before purchasing!

~~~
graycat
Thanks. I was slowly beginning to conclude much of that.

The CPU I plan is the AMD FX-8350 with 8 cores running at 4.0 GHz and 125
Watts. So, no, it has no _integrated graphics_ support.

For a "VGA card", I just meant a video card supporting all the old VGA
standards but without a _graphics processor_. So, there would be no "hardware
acceleration" of OpenGL 4.5 (or some such) or DirectX 12 (some version of).
Yes, there would be a standard VGA plug (socket, connector, etc.) for the
signal connection to the monitor, but many high end graphics cards also have
that.

Yes, looking, it's possible to find just a VGA card, that uses an old PCI
slot, for about $20. But, a low end _graphics_ card can go for about $30 or
$36 with 1 GB of memory of its own, a _graphics_ processor, and "support",
likely _hardware acceleration_ , of OpenGL and DirectX.

Apparently by Windows 10, DirectX 12 is regarded as a _standard_ part of
Windows.

In my old computer, I assembled in 2007, which apparently due to motherboard
hardware problems, does _blue screen of death_ (BSOD), really, the screen goes
black instead of blue, about five times a day, has an old nVIDIA GX 4000 with
64 MB of memory. As far as I know, the card has been fine. I never knew that
the card had any _graphics_ capabilities until two weeks ago when I ran the
standard Windows utility DXDIAG which showed that the card supports DirectX 9
and the card put up a nice rotating cube of the DirectX logo. Okay. So, maybe
the graphics processor in the card can accept a gazillion triangles in 3D from
the CPU, motherboard, and applications software, do rotations, hidden line
removal, shading, maybe texturing, etc. Okay, but since 2007 that is the first
time I ever saw such a thing!

I have been concerned about statements, e.g., that some graphics card needed
for the PC's power supply to have capacity 300 Watts or more. Gads! That's a
lot of power! Looking in more detail, apparently such graphics cards actually
draw a maximum of only 25-40 Watts at 12 Volts, that is, <= 3.3 Amperes, which
seems acceptable enough for the 650 Watt power supply I'm planning, the case
cooling I'm planning, etc. I will be sure to use some of the standard ASUS
software to monitor the 12 Volt lines from the power supply -- I doubt that
the voltage will ever fall significantly below 12 Volts. The 12 Volts lines
from the power supply are used for what, just the cooling fans, the hard disk
drives, maybe the power on the USB ports, and, apparently, power to the PCI-
Express slots? Gee, the pulse width modulation (PWM) of three of the cooling
fans will put some fluctuation on the 12 Volt lines that will mess up a
graphics card? I doubt that!

You are correct about WebGL -- I doubt I will be visiting Web sites that use
that. I'm less clear about _scalable vector graphics_ (SVG). I don't see even
from 50,000 feet up how ordinary Web browsing, say, displaying JPG or PNG
still images or playing MPG4, YouTube or Netflix, or DVD videos could be
helped by having a graphics processor -- tough to find such explanations. Do
graphics processors routinely help display fonts faster?

I will have a 2 TB hard drive for bootable partitions. I will install Windows
7 Professional 64 bit on two boot drive partitions, say, drive letters C and
D, and use one of those for my remaining software development for my Web site.
Using likely the standard Windows utility NTBACKUP, which I like (e.g., it
will backup a bootable partition while it is running, likely much like how
relational database does a backup of a database while it is executing
transactions and I can save it to any disk drive I want just by an ordinary
copy operation) I will save both bootable partitions to a second hard drive.
Then if, say, partition D gets _sick_ and the usual Windows _restore_ is not
good enough, I will boot partition C and restore the sick partition D from one
of my NTBACKUPs on the second drive.

Some years ago when I was trying to install an Express (free) version of
Microsoft's SQL Server, my boot partition contents were corrupted, really,
destroyed, and I had to reinstall everything starting with an empty partition.
Bummer. I want NEVER to have to do that again: Before I do any possibly
dangerous _maintenance_ , installations, or _upgrades_ to a bootable
partition, I will just save the whole partition with NTBACKUP. Then, if the
partition gets messed up, I will just boot another bootable partition and
restore the backup from NTBACKUP and try again.

Then I will install, again on two partitions, some version of Windows Server,
likely 2012, and SQL Server of about the same vintage, and that will be the
basis of my Web site as I go for beta testing and live on the Internet.

The Web site HTML sent to my users will be only just dirt simple HTML, say, up
to date as of about 10 years ago, with just a little, simple CSS and nearly no
JavaScript, no pop-ups, roll-overs, pull-downs, over-lays, or icons and no
HTML <div> _elements_ ( _tags_?) -- dirt simple. I will have a simple logo
graphics PNG I developed with just Microsoft's PhotoDraw, and that will be the
only use of graphics. Net, for the Web site, I see no need for any _graphics
hardware_ , for development, server, or clients.

I see from both nVIDIA and ATI graphics cards $30-$40 with 1 GB memory,
OpenGL, DirectX 12 that use a PCI-Express x16 version 2.1 slot. The Asus
motherboard I have in mind has a PCI Express x16 2.0 slot which I suspect one
way or another will work well enough with a card that wants version 2.1. I
suspect I will make a decision today.

I'm still not very clear on just why I need a _graphics_ card instead of just
an old VGA card, but for just another $16 I'm going to spend the money, accept
whatever system management mud wrestling I have to do to get an appropriate
device driver working, quit worrying about the card, and get on with the more
important work.

Thanks for the info.

------
ndesaulniers
> Most of the vulnerabilities found ... were very basic mistakes, such as
> writing to user provided pointers blindly, disclosing uninitialised kernel
> memory to user mode, and incorrect bounds checking.

It's not just Windows drivers with these problems...
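Added example, not code from the Project Zero post, the Windows kernel or any NVIDIA driver: a user-mode model of the escape/ioctl mechanism Nacraile describes above (an opaque header plus payload handed to the driver, with a caller-supplied "user pointer" for the reply), showing the three mistake classes the quote in this comment lists (blind writes to a user pointer, uninitialised kernel memory returned to user mode, and missing bounds checks) in one handler, next to the same handler with the checks in place. The escape codes, struct layouts, sizes, error codes and helper names are invented for the model; `user_range_ok()` and the `memset` stand in for the kernel's own user-pointer probing and zeroed allocations.

```c
/* Added example, not code from the Project Zero post or from any NVIDIA driver:
 * a user-mode model of an escape/ioctl dispatcher. The caller passes a header,
 * an opaque payload and a "user pointer" for the reply. Escape codes, struct
 * layouts, sizes and error codes are invented; user_range_ok() and memset stand
 * in for the kernel's own user-pointer probing and zeroed allocations. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USER_SIZE 256u
static uint8_t user_space[USER_SIZE];  /* simulated user address space */
static uint8_t kernel_pool[64];        /* simulated pool: returns stale bytes */
static void *pool_alloc(size_t n) { return n <= sizeof kernel_pool ? kernel_pool : NULL; }

enum { ESC_QUERY_INFO = 1, ESC_READ_TABLE = 2 };
enum { ESC_OK = 0, ESC_EINVAL = -1, ESC_EFAULT = -2, ESC_ENOTSUP = -3 };
/* Header as the caller lays it out: escape code, payload bytes that follow,
 * bytes wanted back, and the "user pointer" (an offset into user_space). */
struct escape_hdr { uint32_t code, in_size, out_size, out_ptr; };
struct info_out { uint32_t version, flags; uint8_t reserved[24]; }; /* reserved never written */
static const uint32_t table[8] = { 10, 11, 12, 13, 14, 15, 16, 17 };

/* The three mistake classes quoted above. Call it only with in-range arguments:
 * in a driver these are the bugs, in this model they are plain UB. */
int handle_escape_vuln(const struct escape_hdr *h, const uint8_t *payload)
{
    uint8_t *dst = user_space + h->out_ptr;            /* user pointer used blindly */
    switch (h->code) {
    case ESC_QUERY_INFO: {
        struct info_out *info = pool_alloc(sizeof *info);   /* never zeroed */
        info->version = 0x0102; info->flags = 1;
        memcpy(dst, info, h->out_size);   /* caller-chosen length; reserved[] leaks pool */
        return ESC_OK;
    }
    case ESC_READ_TABLE: {
        uint32_t idx;
        memcpy(&idx, payload, sizeof idx);                 /* in_size never checked */
        uint32_t v = table[idx];                           /* no bound on idx */
        memcpy(dst, &v, sizeof v);
        return ESC_OK;
    }
    }
    return ESC_ENOTSUP;
}

/* Written as off <= SIZE - len so the check itself cannot overflow. */
static bool user_range_ok(uint32_t off, uint32_t len) { return len <= USER_SIZE && off <= USER_SIZE - len; }

/* Same escapes with size, pointer and index validated before any access. */
int handle_escape_safe(const struct escape_hdr *h, const uint8_t *payload)
{
    switch (h->code) {
    case ESC_QUERY_INFO: {
        if (h->out_size != sizeof(struct info_out)) return ESC_EINVAL;
        if (!user_range_ok(h->out_ptr, h->out_size)) return ESC_EFAULT;
        struct info_out *info = pool_alloc(sizeof *info);
        if (!info) return ESC_EINVAL;
        memset(info, 0, sizeof *info);                     /* no stale bytes reach user mode */
        info->version = 0x0102; info->flags = 1;
        memcpy(user_space + h->out_ptr, info, sizeof *info);
        return ESC_OK;
    }
    case ESC_READ_TABLE: {
        uint32_t idx;
        if (h->in_size < sizeof idx || h->out_size != sizeof idx) return ESC_EINVAL;
        if (!user_range_ok(h->out_ptr, h->out_size)) return ESC_EFAULT;
        memcpy(&idx, payload, sizeof idx);
        if (idx >= sizeof table / sizeof table[0]) return ESC_EINVAL;
        memcpy(user_space + h->out_ptr, &table[idx], sizeof idx);
        return ESC_OK;
    }
    }
    return ESC_ENOTSUP;
}

/* Harness: reset both "address spaces", issue one escape, read results back. */
void model_reset(uint8_t stale_byte)
{
    memset(user_space, 0, sizeof user_space);
    memset(kernel_pool, stale_byte, sizeof kernel_pool);  /* the pool's previous tenant */
}
int escape_call(bool safe, uint32_t code, uint32_t in_size, uint32_t out_size,
                uint32_t out_ptr, uint32_t idx)
{
    struct escape_hdr h = { code, in_size, out_size, out_ptr };
    uint8_t payload[sizeof idx];
    memcpy(payload, &idx, sizeof idx);
    return safe ? handle_escape_safe(&h, payload) : handle_escape_vuln(&h, payload);
}
uint8_t  model_user_byte(uint32_t off) { return user_space[off]; }
uint32_t model_user_u32(uint32_t off) { uint32_t v; memcpy(&v, user_space + off, sizeof v); return v; }

int main(void)
{
    for (int safe = 0; safe < 2; safe++) {   /* 'A's left in the pool by an earlier request */
        model_reset(0x41);
        escape_call(safe, ESC_QUERY_INFO, 0, sizeof(struct info_out), 16, 0);
        printf("%s: reserved[0] seen by user = 0x%02x\n", safe ? "safe" : "vuln", model_user_byte(24));
    }
    return 0;
}
```

In the vulnerable path the only thing the caller controls that the handler does not check is everything: the destination, the length and the index. The hardened path does the cheap things a reviewer looks for first: compare `out_size` against the exact size of the structure being returned, probe the destination range with an overflow-proof comparison before touching it, zero the output buffer before filling it so `reserved[]` cannot carry a previous allocation's bytes, and bound the index against the table length. In a real Windows driver the same three checks map onto probing user buffers with ProbeForRead/ProbeForWrite inside a __try block, zeroing output structures before use, and validating every length and index taken from the escape payload.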

~~~
sherincall
Some specific numbers:

The patches from Tuesday fixed a total of 16 CVEs. 11 are Windows only, 4 are
Windows+Unix[1], 1 is Unix only. 3 of those (Windows) CVEs were reported
externally.

[http://nvidia.custhelp.com/app/answers/detail/a_id/4398](http://nvidia.custhelp.com/app/answers/detail/a_id/4398)

Older bulletins: [http://www.nvidia.com/object/product-security.html](http://www.nvidia.com/object/product-security.html)

[1]: Unix in NVIDIA-speak generally means Linux+Solaris+FreeBSD

