Now Cui and his colleagues have developed anti-malware systems they say can work on swathes of embedded computers regardless of what systems they run.
"Ang has identified a serious problem that hasn't been thought about seriously and has provided concrete solutions to try to solve this problem," says security researcher Charlie Miller at Twitter, a former analyst for the National Security Agency well known for publicly revealing vulnerabilities in Apple products such as the iPhone and MacBook Air.
Instead of running within an embedded computer's firmware image, these defenses run outside it, directly on the computer's central processing unit (CPU). A symbiote—continuing the biological analogy suggested by computer viruses—continuously scans a large number of random chunks of the firmware image's code to check for anomalies that might suggest an intrusion has occurred. "It took a lot of engineering to make sure the symbiote doesn't crash the CPU by taking too much of its processing power," Cui says.
The fact that a symbiote runs independently of the programs it protects means a symbiote designed for one type of CPU—say, ARM, found in many smart phones, or MIPS, found in many routers—can work on any operating system that might run on those CPUs. "It doesn't need to know how the programs it monitors work, only whether they have been modified," Cui says. They plan to deliver a prototype for U.S. government testing by the end of 2012 and to commercialize their work with a company they founded, Red Balloon Security.
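The random-chunk integrity check described above, as an added illustration that is not Red Balloon Security's code: a constructed 1 KB stand-in firmware image is fingerprinted chunk by chunk at deployment, then each scan round re-hashes only a bounded number of randomly chosen chunks, so the monitor knows nothing about the program's semantics, only whether bytes changed. Chunk size, chunk count, the per-round budget, FNV-1a as the fingerprint and xorshift32 as the PRNG are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in firmware image: 16 chunks of 64 bytes (a real symbiote reads live code memory). */
#define CHUNK   64
#define NCHUNKS 16
#define IMG_LEN (CHUNK * NCHUNKS)

/* FNV-1a over one chunk: a cheap per-chunk fingerprint for the baseline table. */
static uint32_t chunk_hash(const uint8_t *p) {
    uint32_t h = 2166136261u;
    for (int i = 0; i < CHUNK; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Record the known-good fingerprint of every chunk at deployment time. */
void build_baseline(const uint8_t *img, uint32_t *base) {
    for (int c = 0; c < NCHUNKS; c++) base[c] = chunk_hash(img + c * CHUNK);
}

/* xorshift32: small PRNG so the scan order is not predictable from inside the image. */
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x;
}

/* One scan round: re-hash `budget` randomly chosen chunks and compare with the baseline.
 * `budget` caps CPU spent per round. Returns the first modified chunk index, or -1 if none seen. */
int symbiote_round(const uint8_t *img, const uint32_t *base, int budget, uint32_t *seed) {
    for (int i = 0; i < budget; i++) {
        uint32_t c = xorshift32(seed) % NCHUNKS;
        if (chunk_hash(img + c * CHUNK) != base[c]) return (int)c;
    }
    return -1;
}

/* Run up to `rounds` rounds; return the round of first detection, or -1 if the image stayed intact. */
int symbiote_run(const uint8_t *img, const uint32_t *base, int rounds, int budget, uint32_t seed) {
    for (int r = 0; r < rounds; r++)
        if (symbiote_round(img, base, budget, &seed) >= 0) return r;
    return -1;
}

/* Demo: baseline a clean image, optionally flip one bit in chunk 5 (constructed tampering),
 * then scan 256 rounds of 4 chunks each. A clean image returns -1. */
int demo(int tamper) {
    uint8_t img[IMG_LEN]; uint32_t base[NCHUNKS];
    for (int i = 0; i < IMG_LEN; i++) img[i] = (uint8_t)(i * 7 + 3);
    build_baseline(img, base);
    if (tamper) img[5 * CHUNK + 9] ^= 0x80;
    return symbiote_run(img, base, 256, 4, 1u);
}

int main(void) { printf("clean: %d  tampered: detected at round %d\n", demo(0), demo(1)); return 0; }
```

Lowering `budget` or raising `rounds` trades detection latency against the CPU share the monitor takes, which is the tuning problem Cui describes.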
Whereas Stolfo and Cui's approach is "very promising," says Scott Borg, director of the nonprofit U.S. Cyber Consequences Unit, he cautions it remains difficult to tell how readily intruders might circumvent these defenses. For instance, there might be ways to prevent the symbiotes from recognizing destructive programs as malware. "Too many destructive acts can be made to look like normal acts from the vantage point of a computer," Borg says. "A cyber-security measure needs to be kicked around for a while, conceptually and physically, before it is possible to say with any confidence how effective it will be."
Marc Dacier, a senior director at Symantec Research Labs, called the symbiote "a very beautiful piece of work," but notes a major obstacle it faces is getting companies to actually upgrade all their devices with it. The Pentagon is now pushing for legislation that would require baseline cyber-security standards for critical private sector infrastructure, such as power plants, water treatment centers and gas pipelines. Without such legislation, said Panetta in his October speech, "we are and we will be vulnerable."
These symbiotes may not only serve as immune systems for their devices, but also help reveal the potentially huge ecosystem of malware in embedded computers that no one had any way of noticing until now. "We'd be surprised if these vulnerabilities weren't already exploited in the wild for years and years," Cui says. "We could shed light on an untold chapter of the history of Internet warfare."