Now Cui and his colleagues have developed anti-malware systems they say can work on swathes of embedded computers regardless of what systems they run.
"Ang has identified a serious problem that hasn't been thought about seriously and has provided concrete solutions to try to solve this problem," says security researcher Charlie Miller at Twitter, a former analyst for the National Security Agency well known for publicly revealing vulnerabilities in Apple products such as the iPhone and MacBook Air.
Instead of running within an embedded computer's firmware image, these defenses run outside it, directly on the computer's central processing unit (CPU). A symbiote—continuing the biological analogy suggested by computer viruses—continuously scans a large number of random chunks of the firmware image's code to check for anomalies that might suggest an intrusion has occurred. "It took a lot of engineering to make sure the symbiote doesn't crash the CPU by taking too much of its processing power," Cui says.
The fact that a symbiote runs independently of the programs it protects means a symbiote designed for one type of CPU—say, ARM, found in many smart phones, or MIPS, found in many routers—can work on any operating system that might run on those CPUs. "It doesn't need to know how the programs it monitors work, only whether they have been modified," Cui says. They plan to deliver a prototype for U.S. government testing by the end of 2012 and to commercialize their work with a company they founded, Red Balloon Security.
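The random-sampling integrity check described above, as an added illustration in Python (not Red Balloon Security's or the paper's code): chunk digests of a known-good image are taken once, then each scheduling tick re-hashes only a small random subset of chunks, which bounds the CPU cost the text mentions; `expected_ticks` shows how that per-tick budget trades against time to detection. The 64-byte chunk size, the budget and the constructed 4 KiB sample image are assumptions.

```python
import hashlib
import math
import random

CHUNK = 64  # bytes per monitored chunk (assumption; the real granularity is a design choice)


def baseline(image: bytes, chunk: int = CHUNK) -> list:
    """Digest every chunk of a known-good image once, when the monitor is provisioned."""
    return [hashlib.sha256(image[i:i + chunk]).digest()
            for i in range(0, len(image), chunk)]


def scan_tick(image: bytes, digests: list, budget: int, rng=None, chunk: int = CHUNK) -> list:
    """One scheduling slot: re-hash only `budget` randomly chosen chunks (the bound that
    keeps the monitor from starving the host CPU) and return indices that no longer match."""
    rng = rng or random.Random()
    n = len(digests)
    sample = rng.sample(range(n), min(budget, n))
    return sorted(i for i in sample
                  if hashlib.sha256(image[i * chunk:(i + 1) * chunk]).digest() != digests[i])


def ticks_until_detection(image: bytes, digests: list, budget: int, rng=None,
                          max_ticks: int = 100_000):
    """Run ticks until a mismatch is observed; return (tick, indices) or (None, [])."""
    for t in range(1, max_ticks + 1):
        hits = scan_tick(image, digests, budget, rng)
        if hits:
            return t, hits
    return None, []


def expected_ticks(n_chunks: int, modified: int, budget: int) -> float:
    """Mean ticks to first detection when `modified` chunks differ and each tick samples
    `budget` distinct chunks: P(miss per tick) = C(n-m, b) / C(n, b), geometric waiting time."""
    if modified == 0:
        return math.inf
    p_miss = math.comb(n_chunks - modified, budget) / math.comb(n_chunks, budget)
    return 1.0 / (1.0 - p_miss)


# Constructed sample data: a 4 KiB "firmware image" (64 chunks) and a copy with four
# bytes patched inside chunk 10 (offsets 643..646).
GOOD_IMAGE = bytes(range(256)) * 16
TAMPERED_IMAGE = GOOD_IMAGE[:643] + b"\xde\xad\xbe\xef" + GOOD_IMAGE[647:]

if __name__ == "__main__":
    ref = baseline(GOOD_IMAGE)
    tick, hits = ticks_until_detection(TAMPERED_IMAGE, ref, budget=8, rng=random.Random(2012))
    print(f"chunks {hits} modified, seen after {tick} ticks; expected {expected_ticks(64, 1, 8):.1f}")
```

With a budget of 8 chunks out of 64 per tick, a single modified chunk is caught after 8 ticks on average; lowering the budget lowers CPU load and lengthens that delay proportionally.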
Although Stolfo and Cui's approach is "very promising," says Scott Borg, director of the nonprofit U.S. Cyber Consequences Unit, he cautions that it remains difficult to tell how readily intruders might circumvent these defenses. For instance, there might be ways to prevent the symbiotes from recognizing destructive programs as malware. "Too many destructive acts can be made to look like normal acts from the vantage point of a computer," Borg says. "A cyber-security measure needs to be kicked around for a while, conceptually and physically, before it is possible to say with any confidence how effective it will be."
Marc Dacier, a senior director at Symantec Research Labs, calls the symbiote "a very beautiful piece of work," but notes that a major obstacle it faces is getting companies to actually upgrade all their devices with it. The Pentagon is now pushing for legislation that would require baseline cyber-security standards for critical private-sector infrastructure, such as power plants, water treatment centers and gas pipelines. Without such legislation, said Panetta in his October speech, "we are and we will be vulnerable."
These symbiotes may not only serve as immune systems for their devices, but also help reveal the potentially huge ecosystem of malware in embedded computers that no one had any way of noticing until now. "We'd be surprised if these vulnerabilities weren't already exploited in the wild for years and years," Cui says. "We could shed light on an untold chapter of the history of Internet warfare."
6 Comments
This is part of the arms race between attackers and defenders, and similar to something we in enterprise security have been doing for years on the network. There, we use some passive techniques to detect malicious attacks by silently sending copies of packets off to another device to check against signatures, heuristics, etc. Those systems can then raise an alert when potentially malicious traffic is found and/or save the network stream for later analysis or evidence.
The idea presented here is similar: provide an out-of-band (OOB) monitor to check for malicious activity. There is, however, the problem that even the OOB monitor must be updated periodically to update the capabilities or at least let it know when the firmware or microcode has been updated. This presents a potential attack vector on its own, and another point of focus for attacker and defender alike.
The Defender's Dilemma still holds true: The defender must be right every time. The attacker need be right only once.
This may not be printed, but there are a number of points to be made.
First and foremost, to think that it is impossible to design computers so they can't be protected is patently ridiculous. If nothing else, which I have suggested, but which has never been acknowledged I said, is to equip a computer with a duplicate but smaller fully functional system which will harbor and run the questionable software first. Then the contents of the system will be checked and, if found to be damaged or compromised, the software item removed. Or, a program could be devised that will take the code of a piece of software and "run" it by assessing the results of each line of code. Then, if questionable actions are requested or dangerous results like an explosion of hard drive space acquisitions is detected, it could be rejected. This is the same as saying the infrastructure of Iraq showed no signs of the presence of banned weapons systems. It's absolutely true, it's valid, the conclusion is correct and no one but me is recognizing it.
In fact, the evidence is that they deliberately leave back doors in software and systems for "official" acts of mayhem, from bugging someone to even ruining their system to try to stop them. Hackers don't find weaknesses in the system, they know they're there. And, more than that, they probably put them there.
Too many people fail to realize the cozy little monopoly they've tried to turn the computer industry into. Many if not most know less than 1% of the workings of their computer. How many didn't know, for example, that files are not destroyed when erased, the space containing the information is flagged to re-use, but the contents remain and can be accessed? They've completely done away with the DOS layer of potential control, making everything run solely by software derived solely from the literally pathological C language. They've done everything to divorce the computer from the auspices of its owner! And that is the entire community, the actual programmers, the "hackers", who apparently, if they aren't also working for the software firms, fraternize with software firms' programmers, and likely get "consultant" fees, for putting the back doors in and producing compromising code! They design software and systems to leave computers open to attack, then charge extra to produce software to combat the weaknesses they built in! An ugly secret of the computer industry! They see themselves as getting even for being called "nerds" by trying to thieve from consumers wholesale.
@julianpenrod, "This may not be printed", why do you insist on putting that on everything you post? If it doesn't get posted, that statement means nothing; if it does get posted, it still means nothing. You appear to be suffering from paranoid schizophrenia. Have you gone off your meds?
This sounds unnervingly like the intelligent little bots that tied together all of the world's networked computers and put SkyNet in control in Terminator 3.
A little dramatic I suppose, but code intended to move from computer to computer searching for malware could just as easily be used to plant such malware.
In all seriousness, we cannot stop malware. We can only slow it down. Any hardware or software design makes assumptions regarding how that design is to be used.
Humans can and do envision ways that these designs can be misused, and they can provide protections against that type of misuse, but these protections still involve assumptions about the misuse.
Any protection against malware can be defeated. If a human can figure out how to build such protection into a system, then some other human can figure out how to defeat that protection.
All you can really do is invest enough time and money into developing protection strategies that the cost of defeating those strategies exceeds the value to the would-be thief.
For instance, in the old days of video tape, companies spent millions of dollars and months or years of development time trying to create workable copy protection only to have it defeated in a matter of minutes by bright young people who had the time and the motivation to do so.
With all the multi-core processors made by Intel and AMD, it should be possible to add on a security core running its own microcode and its own isolated cache of RAM. A "deluxe" version might be having a security CPU core for each of the higher power x86/64 cores.
Since all of the x86/64 cores running need to be on the same clock, it could be that the security core could modify the clock pulse to "stretch a clock cycle" on a random sequence and use the "hidden stretches" to examine transactions going on with the main cores.
Another area of concern would be memory management. A lot of that task is now done on an internal subsystem running at CPU speeds to be able to keep up. The security cores ought to keep an eye on RAM registers to be sure malware isn't running in its own mapped RAM zones or running routines looking for targeted applications running in their own RAM mapped zones.