
Attacking the Qualcomm Adreno GPU - archimag0
https://googleprojectzero.blogspot.com/2020/09/attacking-qualcomm-adreno-gpu.html
======
baybal2
Guang Gong keeps disclosing many remote Chromium/Android zero click vulns,
every year, which could've earned him millions on zerodium, and even more if
put to real use.

Deserves respect at least.

~~~
person_of_color
He will be getting the same at GPZ, trust me.

------
guerby
"We can offer a few additional recommendations: Transparency and openness:
(...) More generally, the competitive benefits of a closed platform approach
to hardware internals should be reassessed in 2020. This balance may have been
historically appropriate when the GPU was not in the critical path for
security, but today billions of users are relying on the GPU to uphold the
operating system security model. "

This.

------
panpanna
At least the GPU stuff is getting some scrutiny.

Their modem code is a security nightmare and outside Qualcomm's modem teams
nobody is allowed to see it.

~~~
octoberfranklin
Yeah I think it is pretty nuts that people are willing to use CPUs that have
those modems on the same die.

~~~
londons_explore
The simple solution is memory isolation - let the modem be as insecure as you
like, but anyone who breaks into the modem can only see your network traffic
(hopefully all encrypted anyway) and nothing else.

Sadly today's Qualcomm hardware has no real memory isolation at all - any bit
of on-chip hardware can see all memory.

It isn't perfect, but it's far easier to do that than properly secure a
multi-million-line codebase with a substantial amount of unpatchable
hardware...

~~~
baybal2
There is an IOMMU on snapdragons, as the article says, but it is the IOMMU
mapping itself which they attack.

It is kind of mind-boggling how they let the device overwrite its own
IOMMU configuration, effectively nullifying the IOMMU's purpose and the
safeties it provides.

It's like fencing your house with 10 meter high walls, but leaving the key
lying in front of the gate.

~~~
octoberfranklin
So, like you say: they don't have an IOMMU, although they have some dingus
which is called an "IOMMU".

------
nl
Next time Project Zero finds an iOS bug and people suggest it is a commercial
hitjob, point them at this.

Qualcomm (and all Android vendors) look like they have been screwed by this.
(To be clear - they are screwed because their processes are too slow to get
security updates out).

~~~
panpanna
Maybe you have not used Android lately?

I have two phones and a tablet, all mid-range devices from 3 different vendors
and all are on Android 10 with at least August patches.

Edit: both phones are also more than 2 years old.

~~~
nl
I have a Pixel.

My comment referred to the timeline outlined in the post, in particular this
part:

 _Qualcomm gives an update on the progress of a microcode based fix. The plan
is that the fix will be available for OEMs by September 7, but Qualcomm will
request an extension to allow more time for patch integration and testing by
OEMs._

and for their multiple subsequent requests for an extension and/or grace
period.

Your August patches don't fix this - Qualcomm only notified OEMs on 4 August
and their plan was to get fixes to OEMs by 7 Sep.

~~~
panpanna
I am fine with this schedule.

Unless someone is actively exploiting devices I would prefer a well tested
patch to a rushed patch.

Note that this whole issue is due to a previously rushed patch.

~~~
nl
It wasn't due to a rushed patch - the patch just gave the Project Zero
researcher an idea for where he should look.

There's no real way of being sure if it is being exploited. I guess no
exploits had _been detected_ a couple of days ago, but it's not uncommon for
the way it gets detected to be someone finding the exploit software
somewhere. That's how Project Zero found these iOS issues for example[1].

[1] https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html

