EVERY TIME a new device reaches a certain level of computing power someone predicts that it will become a vector for malware. The most obvious candidate currently is mobile phones. But Sotiris Ioannidis, a principal researcher at the Foundation for Research and Technology at Hellas in Herakleon, Crete, looked at today's computing systems and saw another possibility.
"I was working with a student on using GPUs for intrusion detection," he says, "and wondering…" GPUs are, he says, quite energy-efficient compared to other types of processors and – as any gamer knows – have lots of computing power. Those characteristics were the reason to consider them for use in intrusion detection systems, since those are processor-intensive.
GPUs have a different instruction set from CPUs, Ioannidis says, but, "The companies that promote them are trying to get more and more of a piece of the action from Intel, so they're cramming more and more instructions and operations into them. In some respects they're already a generic processor." GPUs already handle some computations that were traditionally the province of CPUs. So, he wondered, was it possible that someone could exploit the GPU's power in the interests of malware?
The result was a proof-of-concept paper, published late last year, that concluded that yes, malware could run unpacking and run-time polymorphism routines on the GPU to evade detection more effectively. Today's security researchers, the paper argues, are generally unfamiliar with the inner workings of GPUs, giving malware writers additional scope.
Ioannidis stresses that the paper was merely a demonstration intended to raise awareness. "I don't expect to see a widespread use of such viruses any time soon," he says, though he agrees it's not unlikely that some group of malware writers will try to take advantage of his work. "The more generic and independent GPUs become, the more likely it becomes that we will see viruses like these."
He has, he says, had inquiries from a couple of anti-virus companies asking for code or more details.
Ioannidis's early training was in systems – networks and operating systems – but by the time he began work on his PhD at the University of Pennsylvania his interests had shifted to security. "I wanted to do more hands-on things that matter in the real world," he says. He returned to Crete in 2005 after completing his dissertation on security policy.
"Greece can't compete against China or Germany in manufacturing, but it can in hi-tech. We prove that every day around the world," he says. FORTH is a group of research institutes most of whose funding comes from competitive projects in the EU. Ioannidis works for the Institute of Computer Science. Among other recent projects, FORTH-ICS was one of six research groups across the EU to participate in the FORWARD series of workshops examining emerging cybersecurity threats.
The resulting white book incorporates a number of scenarios for future attacks, a few of which happened within months. Some of the areas of concern have been frequently discussed: electronic voting, for example, and the vulnerability introduced by keeping a life's worth of personal and business data in a single smart phone – or worse, having it turned into a spy device surveilling the owner remotely. Others are new, such as the smart grid, which takes a legacy system built with no need for more than physical security and adds a new range of vulnerability by adding wireless smart meters.
Of the threats in that paper, the two that Ioannidis mentions as his biggest concerns are back doors in hardware, as manufacturing moves to ever-cheaper locations, and social networks. "The next thing I'm expecting to see is exploitation of the social networks to get a lot of personal information and use it for blackmail," he says. "It would be a fairly simple attack to carry out on a large scale."
A lot depends on how society's standards move. It's possible that people could become more tolerant of each other's foibles, but it's not what Ioannidis expects. "I do think that people who are posting things now will find they come back and bite them in 20-plus years. Right now, they don't care." But fast-forward 20 years: "There are so many people, and some are going to have positions in key places. You don't need to attack everyone. If you can get some of them, then you're good to go."
Ioannidis has done several projects investigating just how much information you can find about people. A little over a year ago, for example, the Greek government put up a Web site intended to make it easy for people to find out whether they had the Greek equivalent of a social security number assigned to them and what it was. The data required was the person's name, parents' first names and date of birth. It turned out to be quite easy to find this amount of information online for all sorts of people. Similarly, requirements to put public authorities' decisions online may include posting the details of everyone who's been hired: what they're paid, home address, taxpayer ID and so on.
"So the next thing will be data mining," he says. Security experts have been warning about this kind of thing for years, but it continues to happen. "If politicians want to get something done, they will do it, no matter what others say."