Vulkan Runtime and Loader Security on Windows OS

The LunarG Vulkan software development kit (SDK) provides the development and runtime components required to build, run, and debug Vulkan applications. Developers can download the LunarG Vulkan SDK from the LunarXchange website.  This blog post will discuss security as it relates to the Vulkan Runtime and Loader on Windows OS.

VulkanRT and the Vulkan Run Time Libraries on Your System

Some users have been concerned when seeing VulkanRT files on their systems, especially when they’ve not downloaded the SDK themselves.  Please note that VulkanRT is not a virus.  If you have not downloaded the SDK and you see that “Vulkan Run Time Libraries” has suddenly shown up in Programs and Features, do not be concerned as there are other ways the files can end up on your system.

Graphics drivers from your GPU hardware vendor will often install the Vulkan runtime as part of their normal install process to ensure that users have the latest version to run new or updated applications.  An update to your graphics drivers may also result in the Vulkan runtime on your system being updated.  Here’s a diagram showing how the Vulkan loader gets to user systems.

Vulkan Loader

Virus Scanning and False Positives

When LunarG releases a new SDK version, we are careful to avoid releasing any viruses with the SDK. Part of our release process is to test all the installer and uninstaller files on VirusTotal.com and other virus scanning software to make sure our software isn't flagged by normal antivirus programs.

Sometimes virus scanning software will flag a false positive. We have seen false positives with obscure virus scanning software and also from others like Microsoft and Norton.  Eventually false positives disappear once those virus scanning programs are updated with latest false positive signatures.  Virus scanner definitions can change after an SDK or loader is released.  Virus scanning software can see false positives even after LunarG completes our due diligence prior to release.   

Security of the Vulkan Runtime and Loader

Here is some additional information about the security of the Vulkan runtime installer and loader.

  • Despite the use of the word “runtime” in its name, the Vulkan runtime installer does not install any user or kernel services.
  • The installer does drop a dynamic-link library (.dll) file into the Windows system32 directory called vulkan-1.dll that we also refer to as the Vulkan loader. The Vulkan loader is used only by applications using the Vulkan API. Applications that do not use the Vulkan API would not load the Vulkan loader. Similarly, the installer writes a few registry key values, but these are used only by the Vulkan loader. None of these files or registry keys were in use by other software prior to the existence of the Vulkan loader.
  • The Vulkan runtime installer is an installer that is granted by the user access to parts of the file system and registry that normally are protected behind user account control (UAC) elevation. The installer was audited for potential security vulnerabilities and potential vectors of exploit found during the audit were addressed.
  • Anyone can conduct their own security audit of the installer and of the Vulkan loader.  The source for the loader and installer is published on GitHub. In addition, LunarG has been supportive of discussion about their process for building and publishing the Vulkan runtime, and has even provided program database (pdb) files to facilitate the use of certain kinds of security audit tools such as BinScope, a binary analyzer from Microsoft. 

Interaction with Installable Client Drivers

Read the following to learn more about Vulkan runtime installer and loader interaction with independent hardware vendor (IHV) installable client drivers (ICDs).

  • If a malicious application does load the Vulkan loader into an application process, vulkan-1.dll itself does nothing that on its own can result in a privilege escalation. It reads some registry keys, does LoadLibrary of IHV ICD .dll files, and acts as an intermediary for GetProcAddress into the IHV ICD .dll files. The Vulkan loader itself does not talk directly to any privileged services in user or kernel space.
  • The Vulkan loader does load an IHV Vulkan ICD .dll if any are present. IHV ICD .dll files are installed as a byproduct of installing an IHV display driver. If there is a security flaw in an IHV ICD then going through the Vulkan loader is one vector for accessing the IHV ICD .dll. However, that wouldn’t mean that the Vulkan loader is itself vulnerable. A vulnerability in an IHV ICD .dll is the responsibility of the IHV, and it should be taken up with the IHV. It is not even necessary to use the Vulkan loader in order to access an IHV ICD .dll.
  • The Vulkan loader and the registry keys that it reads (in order to find the IHV ICD .dll files) reside in protected locations such that modification of the files or registry keys requires UAC elevation. Likewise, IHV ICD .dll files are supposed to reside in a location with no less protection.  The Vulkan loader does not run with elevated privileges.

Summary

VulkanRT is not a virus.  Sometimes the Vulkan runtime libraries may appear on a user’s system even if the LunarG SDK has not been loaded because graphics drivers may also download the Vulkan runtime files when a new graphics driver from an IHV is loaded or updated.  The Vulkan runtime and loader files are carefully scanned for viruses before distribution.

For additional information about LunarG’s Vulkan SDK and its components, please refer to the docs section on the LunarXchange website:  https://vulkan.lunarg.com/


Next entry: Webinar Recap: WebGL 2.0, What You Need to Know

Previous entry: IWOCL – where you learn the latest on OpenCL


safety