GPGPU and threat analysis

Takashi Katsuki Symantec

  download slides (PDF)

The CPU clock speed wars are now over, and multicore CPUs are now standard. For specialized processing, though, the most affordable and readily available devices are now Graphics Processing Units (GPUs). Devices including the Geforce from nVidia and Radeon from AMD have hundreds of cores in a single package, and following vendors' recent release of development kits under the umbrella term GPGPU (General-Purpose computing on Graphics Processing Units), the power of these resources is now ready to be harnessed.

The GPGPU approach has already been taken advantage of for some security-related fields such as password brute-forcing and hash collision attacks. In this abstract I would like to introduce the potential of GPGPU use in the reverse engineering of malware.

Finding hidden data is important during manual sample analysis and also for automation. Often malware or documents that attempt to exploit vulnerabilities contain encrypted data; this may be something as simple as a URL or an entire encapsulated executable. At this point the problem is how to decrypt the hidden data without manual analysis of the decryption routine(s). In many cases the encryption method used is a combination of bitwise and arithmetic operations ('add', 'sub', 'xor', and so on), and rotations of byte, word, and dword.

Given that the structure of both URLs and PEs is well understood, with enough computational force these kinds of obfuscation can be brute-forced. When this brute-forcing is broken down into smaller and parallelizable operations, GPGPU comes into its own.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.