Slashdot Mirror
How To Guarantee Malware Detection
itwbennett writes "Dr. Markus Jakobsson, Principal Scientist at PARC, explains how it is possible to guarantee the detection of malware, including zero-day attacks and rootkits and even malware that infected a device before the detection program was installed. The solution comes down to this, says Jakobsson: 'Any program — good or bad — that wants to be active in RAM has no choice but to take up some space in RAM. At least one byte.'"
While it might be true that any application will take up at least a byte of memory, there is no reason malware couldn't masquerade as another binary down to the exact number of bytes.
Hell, Windows is a whole slew of malware that masquerades as the whole OS.
In theory, theory and reality are equivalent. In reality, they are quite different...
Seriously, how could this possibly work for ALL (including undocumented, and hereto unknown) threats? And if it does it by reading straight from RAM (through the kernel), wouldn't a rootkit be able to trivially defeat that?
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
The hard part is actually finding it.
"I'd just like to emphasise that taking a million years isn't a metaphor here..." -Rich Bradshaw
He is indeed selling something...
<sarcasm>Punting the problem to an "external verifier" is pretty neat. I wish I could do that with my next hard problem.</sarcasm>
That whole bit about swapping, though.... If I write malware and hide it somewhere in execution space, do I really care if it gets swapped out? So the code that steals keystrokes or sniffs for credit card numbers doesn't get executed for short while. Big deal. At some point it will get loaded again (if written properly, that is).
Or am I missing something obvious?
A needle in a haystack wants roughly the same amount of space as a straw - doesn't make it any easier to find (indeed, that's part of the reason it's so hard to find).
Even if this technique has merits, it does nothing to correct the primary reason for computer infection - stupid users.
How about a malware that masquerades as this detector and reports the RAM checksum is OK?
You can't guarantee anything in security. Especially when a human is involved.
And what if the malware lets itself be swapped out of RAM the same as all of the other apps?
I'd love to have an approach to malware that could always detect unwanted processes, I'm just trying to find holes here.
which is totally what she said
Even if this did work in theory, someone would think of a way around it. We'll never be completely safe from malware, no matter what security mechanisms are in place. It's like in physical security, security system companies come up with new locks, and thieves come up with new lock breakers. Unless we brainwash the entire population of the world to be nice and not try to break systems, there will never be a conclusive way to detect malware. Oh, and wouldn't his method for detecting malware be horribly intrusive?
It could be in ROM.
It could be in processor cache.
It could be in the video card's memory.
Could it be in pipelined instructions waiting to be executed?
Go green: turn off your refrigerator.
Yeah you can detect that SOMETHING is there, but how do you determine whether that something is supposed to be there or not?
If you assume all "somethings" are not supposed to be there, you'll have a worse situation than UAC with users being prompted all the time and getting conditioned to click "yes".
After reading the article, it seems no different from doing an offline scan using ClamAV from a LiveCD except maybe slightly more convenient. You boot a "secure" detection mechanism in place of whatever is normally operating on the machine.
The hooks needed to do it as described (which implies a hypervisor-esque antivirus/antimalware solution) would provide malware authors new vectors with which to attack systems, potentially vectors that would allow malware to escape from the likes of an "antivirus on LiveCD" solution.
retrorocket.o not found, launch anyway?
I note that he seems to have missed a rather obvious possibility: there's malware in RAM, but it allows itself to be swapped out with all the other processes. Why wouldn't it? If it got loaded into RAM once, it'll get loaded again by the same vector. In fact, it has to rely on that happening, since at some point the RAM is going to be physically powered down. There's no point in trying to dig in like a tick.
So as far as I can see, his magic technique will only catch malware that attempts to protect itself. I'm not clear on why he thinks this will catch all malware, but I'm sure he'll explain further if I pay him some $$$.
If you were blocking sigs, you wouldn't have to read this.
is that he's saying, in a round-about way, that if we know what everything on the computer is that isn't Malware, then if it's not what we know, then it must be Malware.
That and some test for checking behavior.
The problem which he doesn't seem to resolve is, "How do we know everything that isn't malware?". I mean, I see that he goes on about running this using only in kernel mode, so there should only be kernel memory in RAM, but what if the malware exists hooked in (as many seem to be that I've found) in other programs or window'ing components that don't start up in kernel mode?
Maybe I'm missing something, but it seems that he can only "guarantee" detection of malware when it's already really obvious.
while(1) attack(People.Sandy);
Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM. Everything except itself. Well, malware may interfere, of course, as it often does, and remain in RAM. But if we know how big RAM is, we know how much space should be free. Assume we write pseudo-random bits over all this supposedly free space. Again, a malware agent could refuse to be overwritten. It could store those random bits somewhere else instead... like in secondary storage.
Then, let us compute a keyed hash of the entire memory contents -- both our detection program and all the random bits. Here is what could happen: If there is no malware in RAM, the results will be the expected result. An external verifier checks this, and tells us that the scanned device is clean. Or there could be malware in RAM, and the checksum will be wrong.
Ah ha! All you need is a kernel-mode algorithm that knows exactly what should be in RAM, at all times! In other words, it has to emulate all of the legitimate software you’ll use, because otherwise how would it tell the difference between legitimate software’s use of RAM and malicious software’s use of RAM?
What an idiot.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
either
* the malware is in the kernel, in which case it can provide a false checksum of the memory to the external verifier
or
* the malware is in userspace in which case it gets swapped out, the verifier determines there is no malware in the system, then it gets swapped back in and carries on performing its malicious activities with its user privileges
SURELY NOT!!!!!
Swapping out all RAM then overwriting and hashing?
Sounds crazy? Yes? It's coming to you in OpenBSD 4.7! or not
Trolling is a art,
If the malware is /sbin/halt, you've still got a problem.
Go green: turn off your refrigerator.
Everyone who claims to solve a long-standing problem "guaranteed", does not know all the possibilities that could thwart their solution. Guaranteed.
If $OS=="Windows" Then print "Malware Detected";
When our name is on the back of your car, we're behind you all the way!
Is why didn't Microsoft make the OS files read only way back when?
Make the user give explicit permission to over right system files?
It wouldn't make it impossible to get malware but it sure a shooting could make getting ride of it easier.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
I would love to meet the genius who discovered that any program that wants to be active in RAM uses some RAM...even if it is only 1 byte.
How about we change things in Windows so it actually prevents infection in the first place?
1. Educate users. Microsoft does a piss-poor job of this.
2. STOP DEPENDING ON 3 MAGIC LETTERS TO DETERMINE IF SOMETHING IS CODE OR DATA. COME ON, SERIOUSLY. THIS SHOULD HAVE DIED WITH CP/M.
3. Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.
4. If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE. MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION.
Really. Seriously.
No, the above won't cover every situation, but it's a pretty good start.
--
BMO
Some processors may have big enough register sets that malware could reside entirely within the CPU.
Nullius in verba
Sure, malware has to occupy memory. That doesn't mean it has to be its own memory. Buffer overflows are all about corrupting another application's memory space.
His basic argument is that if you want to scan RAM, the kernel can halt all processing except its RAM scanner, and have a go at the RAM safely. If it's particularly insidious malware, it'll try to hide itself in various ways, one of which would be to masquerade the portion of RAM it was using with something legitimate looking (maybe erase that portion of memory). But you know it did this because you can see that memory which was supposed to be free is no longer free. Except the hardware has no concept of free or occupied memory. It just has memory, and the OS keeps track of what's free and not. The OS - the same space where malware is running.
OR, the malware could simply not do this, then its behavior is no different from any legitimate program. So how do you detect it now? You still need definitions that say, "When running in memory, this virus looks like X," then look through memory for that pattern.
Besides, who's to say that the kernel space is guaranteed free of malware itself? Even if you would have successfully identified the threat in RAM, you have no guarantee that the malware hasn't corrupted the identification routine.
It's like someone came along and said, "Hey, you guys are looking for malware wrong. You have to look for it! And I mean really look for it!"
Slay a dragon... over lunch!
Still haven't read the article, eh? The technique is to swap everything out except the scanner, then write random bits to the entire memory space, then hash the memory. I could explain it all in greater detail, but, you know, there's this article, already there. Please do try to constrain your criticisms to things that actually apply to the article that was written, you know, the one we can all read. Refuting the imaginary article in your head does nothing for the rest of us.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
All you need is to have the checksum calculated by the verifier for the process you contaminated. Then catch the reading part. A checksum can be small enough that you do not need to swap it out and you can include in the malware. therefore, "Or malware could divert the read requests directed at the place it is stored to the place in secondary storage where it stored the random bits meant for the space it occupies." is IMHO incorrect. You don't need to save much info, maybe 32 bytes+the code to redirect the read. Why swap that out ?
Someone has discovered the white-list.
Please take a number and stand behind the perpetual motion people. When I'm done with them, I will explain the few finite set of cases where this method DOES work, and you can assume that in the infinite number of OTHER cases, this method does NOT work.
Seven puppies were harmed during the making of this post.
Wouldn't it be posisble for malware to intententionally slow down many random bits of ram so that the detector would think that this is just latency?
I mean, malware could divert the checksum of his own memory bytes to the hard-drive and then divert many other bytes there too just to confuse the detector.
1) install malware
2) report that there is malware installed
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
How COULD this work? There is an answer. You can find this answer in a foreign place, known by the mysterious and terrifying name of The Article. Here's what you do: you read it. When you read it, your questions will be answered.
Basically, I can tell from the fact that you are asking irrelevant questions that you have not read the article. And you know what? I'm not going to explain it to you. To be clear, I am not saying, "This technique will work." I am saying "You are not criticizing this technique."
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
A valid criticism. And if the malware is actively resisting the scan, by moving the random bits back in from secondary storage before the hash, the external verifier knows about it because it takes even longer. By design. So, unless you are running a load balanced cluster and can afford to take a server offline for a few minutes when you want to scan, yes, this is a problem with this approach.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Actually, I did read the article, and I still feel my original objection is valid. They admit in the Article that the program would read Ram through the kernel. So if a rootkit was installed, wouldn't it be able to defeat that (Which was the essence of my OP)? Not to mention that swapping ALL Ram to disk and filling it with "random" information would take a non-trivial amount of time (at least seconds, possibly tens of seconds depending on size of ram and speed of hardware). And is it possible that a legitimate program would want to access said memory in that time span? So I must know (at the risk of baiting), how was I not criticizing the article/technique?
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
Not only that, but his initial premise is already wrong! Most people conceptualize a program like an application - it's launched, loads into memory, and then does stuff. And while that's typical, it's a grave mistake to think that's the ONLY way to go!
Off the top of my head, I can think of registering malware as a callack handler for a system event. In this case, you have an infected computer without any code running at all, in a context and namespace different than running applications!
Winows just wasn't designed with a multi-user security model. Adding this after the fact is showing itself to be exponentially more difficult!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
This looks a lot like Pioneer:
Seshadri, Arvind, Mark Luk, Elaine Shi, Adrian Perrig, Leendert van Doorn, and Pradeep Khosla.
"Pioneer: Verifying Integrity and Guaranteeing Execution of Code on Legacy Platforms."
In Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), Brighton, United Kingdom, October 2005.
http://sparrow.ece.cmu.edu/~adrian/projects/pioneer.pdf
NOP
http://en.wikipedia.org/wiki/NOP
It is impossible to guarantee the detection of malware by definition. New techniques for malware to hide itself will be developed when new detection techniques are created. This is the way of security.
From the actual paper: "In order to remain on the device, a malware agent either has to be active in RAM or modify legitimate programs in RAM, flash or other storage. Doing the former, we show, introduces significant delays to generate the output expected from our algorithm, and doing the latter causes immediate detection when the memory contents are inspected."
Specifically: "doing the latter causes immediate detection when the memory contents are inspected"
Who are they kidding. No algorithm exists today for immediately detecting the presence of malware in an arbitrary memory dump or even disk image. If it did, A/V would be 100% effective.
As has been repeated stated, if the malware simply allows itself to be swapped out and waits to resume it will, in all likelihood be fine. After all, all the other applications from which it wants to steal keystrokes have also been swapped out and so are making no progress either.
One big mistake from the article is:
2) Any program -- good or bad -- that wants to be active in RAM has no choice but to take up some space in RAM. At least one byte, right?
Wrong. Do the steganography thing to a live programs data. Find a .jpeg in outlook and insert the encrypted executable code into the pix. There are other interesting alternatives involving modification of the stack and stack pointers. Even things like the map for virtual memory can be messed with to store a wee little bit of data.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
I read practically every response here on Slashdot as well as the ones posted by everyone on the article itself. Everyone knows the article is crap, and shoots so many holes in that its not even worthy to be listed here on Slashdot. I'm not one to make direct personal attacks and like to give people the benefit of the doubt but whoever posted this article should have known this article is without technical merit, or they were just asleep at the helm. Either way they should apologize and remove the article from rotation.
In response to your post below, acknowledged that the time concern is valid, but that is not what you presented in the post above, is it? You obviously read the article in between the post above and the one below.
However, the article DOES address your other concern, which is why I questioned whether you read it. We know how much RAM we have, right? Assume we have a rootkit. We ask the OS to overwrite ALL RAM execpt the scanner. The rootkit can either let itself be overwritten, or it can write those random bits to secondary storage, and read them back in when computing the checksum. But that would take quite a bit more time, which is what the external verifier is looking for.
Get overwritten. Store the random bits to secondary storage and read them back in, which takes time. Those are the only two options for computing a valid checksum here, right?
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Spherical Cow
As far as I can tell, the technique requires that you postulate the existence of some element of the system which operates completely outside of system memory and OS image space, with complete incorruptibility and inviolability, and with complete authority to examine the entire contents of the system at any time necessary.
Terrific. The closest we have ever come to that is native-processor hypervisors, and they can be escaped using current malware techniques; or external security chips.
The former is already busted. And the latter? If industry trends can be trusted, such technology will not be primarily used to protect users against malware, but to protect content providers from users.
Welcome to the Panopticon. Used to be a prison, now it's your home.
From the article:
Reading through the kernel and reading in kernel mode aren't the same thing.
Unfortunately this system relies on an 'external verifier' to verify the amount of RAM and processor speed. What this probably really means is that the person running the detection utility must double check that the values provided by the utility match the numbers in BIOS. This method of an 'external verifier' is extremely prone to being faulty. Beyond that, god forbid the malware got into the BIOS, what do you do then? Maybe we have read the article but we don't take on faith that it is the word of a 'god'.
a dummy with slashdot id of oxygen_deprived claims that he can guarantee breaking 256 bit AES in 3 seconds given the following
a. A piece of known plaintext
b. A piece of cipher text corresponding to the known plaintext
c. An external encryptocomparer (yeah , I made that up, also, patent pending in some country ) that can generate , compute and compare 2^256 keys per second
I tried reading TFA a few times. First time, utter confusion. Second, third times, no better. I can't make any sense out of these points:
>1) There are absolutely only three things malware can do when you scan for it. One: be active in RAM, maybe trying to interfere with the detection algorithm. Two: not be active in RAM, but store itself in secondary storage. It cannot interfere with the detection algorithm then, quite obviously. And option number three: erase itself.
Absolutely, not. There are many other things malware could be doing. Inactive in RAM, compressed and inactive in RAM, encoded as plausible-looking entries in the File Name Table or the Virtual Memory map.
>2) Any program -- good or bad -- that wants to be active in RAM has no choice but to take up some space in RAM. At least one byte, right?
No, it could be sleeping, existing only as an entry in the swapped-out process table. Or in unused space below a thread stack.
>Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM. Everything except itself.
Whoah there fella. Everything? Are you going to turn off all timers and interrupt enables so their service routines don't get called?
Hard to do without mucking up all the device drivers. Are you going to swap out the kernel too, as malware is quite capable of infesting kernel space. And what about device drivers? They're constantly mucking with their internal tables and I/O buffers.
And if you turn off all device drivers, you lose, as there's nothing stopping malware from masquerading as a device driver. Many do.
>>But if we know how big RAM is, we know how much space should be free.
Whoa there again, big guy. There are plenty of machines with RAM at places not generally known to the OS, such as video RAM, graphics polygon RAM, network card RAM buffers, and kernel stacks.
>> Assume we write pseudo-random bits over all this supposedly free space. Again, a malware agent could refuse to be overwritten.
You don't need a checksum test to do this-- each page of virtual memory has R/W control bits.
And you're foiled here again, as there are plenty of system areas that are write-protected, such as pre code areas and the VM tables themselves.
>>Then, let us compute a keyed hash of the entire memory contents -- both our detection program and all the random bits. Here is what could happen: If there is no malware in RAM, the results will be the expected result. An external verifier checks this, and tells us that the scanned device is clean.
Nooo, that just tells you that either you overwrote the malware, so you'll never find it, or the malware during your two sweeps did not change any RAM contents. Quite possible as most malware just sits around most of the time.
>> Or there could be malware in RAM, and the checksum will be wrong.
Well, no, unless you disabled all interrupts and stopped all kernel tasks, there will still be system timers and interrupts and device drivers changing their state in RAM.
>> The external verifier would notice and conclude that the device must be infected.
Or some part of the system or some device driver is still running. Huge chance of false positives.
This essay seems to have been written by someone with only a glancing familiarity with hardware and system software.
Your questions indicate that, although you may have read the article, you didn't understand it. I'm not saying this technique will work. I'm just looking for some decent criticism of the actual technique, but no one seems to have taken the time to understand it.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Personally I think prevention is the best solution. You'll never get Malware, if you never connect to the internet and never install anything.
As good as this technique may or may not be, it's not security. It's damage control
If damage control occurs in real time with 100% accuracy, do you care about prevention?
HA! I just wasted some of your bandwidth with a frivolous sig!
Four major problems:
One: The malware can simply let itself be swapped out like a good little program, and be swapped back in when the detector is done. Now the only way you'll find it is look for a malware pattern again, with all the limitations that implies.
Two: The malware can infect the system routines so that the system *lies* to the detector about what's in RAM.
Three: The system has to be brought to a complete halt to do this, with obvious repercussions to performance.
Four: Most operating systems have parts of the kernel that CANNOT be swapped out. So you can't swap out everything but the detector anyways.
We know how much RAM we have, right? Assume we have a rootkit.
Read those two statements again. If the second is true, the first may not be.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
You have already lost. Maybe you'll be able to detect it, assuming the malware chooses to allow you to look for things before it does bad stuff. Maybe. But the point of the malware is do to bad stuff when it runs. Detecting running malware is like Missile Command telling you "Game Over" after your cities are destroyed by nukes. Writing programs to detect that you have lost, is a solution to the wrong problem. The only problem that really matters, is "how do you prevent malware from being run?" How do you not lose?
Since you understand it so well, and I obviously do not, then it would be a simple matter to explain it to me. How is the 'external verifier' not the magic black box that is supposed to make this thing really work? How would this utility detect BIOS malware? How could this utility verify other system devices like the GPU and network peripherals aren't hiding malware? Me thinks you are a shill and too self absorbed to directly address the questions.
Read the article. If we have a rootkit, it has two choices. Let itself get swapped out, in which case it can not cover its tracks. Or write the pattern that is to be checksummed to secondary storage, in which case the verifier will notice the time lag. The rootkit could be lying about the total amount of RAM, sure, but that won't help if we have started from a known clean machine.
The author claims this technique will work on already infected machines, but I don't see how that is possible. If starting from a known clean machine, though, this technique seems pretty foolproof.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
One of the problems of computer security is that it's hard to be sure the level at which you're operating is secure. Your app may think it's secure, but the OS can view its memory. The OS may think it's secure, but it might be virtualized or running on a rootkit or boot sector virus. You might have a malicious BIOS update. It's almost impossible to verify from any level if the level below you is infected or not.
This is a neat, though probably impractical, way of trying to understand what the lower levels of the system are doing and judge the trustworthiness of those levels.
//TODO: signature
The external verifier just looks at time. If it takes too long, then there must be malware swapping out the random bits. Basically, either malware let's itself get swapped out, in which case it can not hide its memory footprint, or it can try to hide, in which case the time lag will give it away.
I'm not a shill, I've acknowledged valid criticisms in other places, the time it all takes, for instance. I just hate it when idiots refuse to read or understand the article and criticize their own imaginary straw men. It adds nothing of value to the discussion and wastes everyone's time.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
I read the article. I understand what he's proposing. However, the method is simply a way of finding things that are hiding in memory. By swapping out the hider-app, you disable its ability to hide. Your RAM + random bits hash will then expose things that were messing with RAM.
This doesn't detect malware itself, it simply allows you to determine if something is altering RAM to hide itself, which most likely would turn out to be malware. If you're simply taking a hash of the whole RAM space, I'm not even sure you'd be able to find out where the problematic bits were located (which would point to the swapped-out culprit).
While it would be nice to know if something is covertly tinkering with your memory, this test alone won't find the actual malware. It also relies on a lot of things, like the external verifier and that the scanner itself is not compromised. It's a nice theory, but I'm not sure how much practical value it has.
It's really very simple. A machine with no writable storage and no network connection.
The problem, that also exists for the proposed detection solution, is that the result isn't necessarily very useful in a real world scenario. So, he detects malware swapping itself out by noticing a delay? What about false positives? Heavy system load -> your machine must be infected. Real time software (scada, dcs etc) -> your machine must be infected. And then what? You've been told that your machine is infected, and that somewhere in the 4GB of RAM is a piece of malware. What do you do? Waste a day hunting for the non-existent Wolf? And then what, after you've found nothing? Put the machine back online with a Hope and a Prayer? Leave it offline and useless? People will simply learn to ignore these alerts, and the whole solution becomes useless.
At least with the cat and mouse game that we have now (AV and anti-spyware software) when they flag something it becomes actionable. Even false positives are actionable because you're looking for the specific piece of malware that flagged. People get to tell their boss either "Yes, I found and disinfected Foo..." or "It was a false positive that appeared to be Foo but wasn't", either of which generally reassures their bosses that their employees know what they are doing. The answer "I don't know what it was, it might or might not be an infection, I'll never know for sure... and btw, do you want to turn that control system back on?" tends to lead to unhappy bosses.
Besides which, I'm not sure it's even technically possible. How long would it take to hash the entire memory? Can it even be done without writing to memory?
How do you guarantee that the OS that you THINK you are running on is not just a virtual machine running in hardware supported virtual space? Any attempt to scribble or read bits over/across either of these is only doomed to failure because you can never be absolutely sure what exactly you are writing too. Is it physical memory or is it actually being written to cache in a VM disk somewhere? Even using the on-board 'hardware' clock could be hacked/virtualized so your hope of using latency issues as mentioned don't work either. Go Google for 'blue pill rootkit' if you think its that easy.
In short, there are some forms of malware that can control the very infrastructure that you depend on to judge whether you are infected, so they therefore by extension control your own perception of the results of those tests. Writing to 'all' the memory that you think you see doesn't accomplish much if you are not seeing all of it in the first place.
I'm finding more and more that whenever I hear things like 'Any program — good or bad — that wants to be active in RAM has no choice but to take up some space in RAM. At least one byte.' I immediately think "yeah, until they change/patch/fix/rewrite/figure a way around that."
I suggest you re-read the article. The 'external verifier' needs to verify that the reported amount of RAM is the actual amount of RAM available on the system, and that the reported clock speed is the actual clock speed of the system. This either requires human intervention or some very specialized hardware. As for my other questions, you left them unanswered. People are rightfully very skeptical of this article because it makes a ridiculous absolute statement.
This looks like snake oil. On desktop machines, it's quite impractical to swap everything out and then do a scan. And how do you distinguish between malware and non-malware? All programs take up space, whether they're malware or not.
This may work for completely-constrained embedded devices that have rigid controls over what gets installed. But then again, how likely are such devices to be malware vectors?
Let itself get swapped out, in which case it can not cover its tracks.
If it isn’t in your virus signature database yet, it doesn’t need to cover its tracks. You won’t detect it even if you scan it.
Or write the pattern that is to be checksummed to secondary storage, in which case the verifier will notice the time lag.
A rootkit could just as easily detect you and take action to thwart your scan, such as:
* overwrite your checksums right before you compare them, making it seem that the scan was clean;
* give false timings when your scanner checks, hiding the amount of extra time it took to access the secondary storage;
* insert strategic delays when accessing the normal memory, to hide the extra time it will take to access the secondary storage when the virus gets scanned;
* last but not least, it could simply kill your scanner altogether and replace it with a dummy function that does nothing but report that the scan succeeded.
The rootkit could be lying about the total amount of RAM, sure, but that won't help if we have started from a known clean machine.
You don’t need to scan the RAM of a known clean machine.
The author claims this technique will work on already infected machines, but I don't see how that is possible.
It isn’t.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
One of the things that occurred to me is, if you are 'swapping out everything but the scanner and the kernel', unless the malware for some reason prevents you from swapping it out, too, (I guess the theory is that if the malware is running in kernel space, it won't get swapped out, while everything else will), then you won't detect it, because it'll just 'unload' when you swap everything out, then when you swap everything else back into RAM, it'll get swapped right back in, right?
Now, in the case of a kernel-module type of malware, what's to keep it from 'looking' like a legitimate kernel module/driver? In most modern OSes, code is loaded into the kernel at runtime for all sorts of device drivers, operating system extensions (like virus scanners), etc. How does this 'universal malware detector' know that one kernel module is 'legiimate', while another is not, when it doesn't have a 'rule' to identify that module as a 'known bad' module?
Well, that's not necessarily true. The root kit could copy the ram to CPU cache eliminating the need to "swap" itself or the newly written data to disk. Or it could do the converse (When the kernel tries to write to the malware's ram segment, write that part to cache instead). That would eliminate the big time delay needed to swap. Besides, a modern drive with write through cache should be trivially slower than Ram for that part of swapped data anyway (assuming that nothing significant was written to disk after that swap). So even if it did swap that random memory segment (which it could do asynchronously on write, so you couldn't detect the write), when it went to read it the disk would find that most recent piece of data in the drives cache, and return it. Sure, there would be a delay to that (it's much slower than ram)... But you're forgetting two things. Since this whole process takes a non-trivial amount of time (Even just reading from memory would take between 1/3 of a second and 3/4 of a second (depending on the ram type used) at full bandwidth, without doing anything with the data), the extra 1 or 2 ms needed for the drive to return the value from cache would be barely noticeable (The
And that's based on the assumption that this "black box" external monitor is not influencable by the kernel (meaning it's a dedicated piece of hardware, or on an external machine). If the external process is running on the computer being scanned, it becomes even easier to fool the system...
My whole point with my OP, is that claiming a "Guarantee" is foolish at best. It's only a marketing claim. Any engineer worth their pay wouldn't dare make such a claim, because ANYTHING can be worked around. It only matters how important it is to the bad guys. The only truly secure computer, is one that was never built in the first place. You can make a computer more secure, but someone with enough resources and determination will do what they want with it. All "security" does, is try to make it hard enough to deter all but the most motivated... And if you think ANY security measure is 100% fool proof, you should find another line of work...
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
1. Install Windows. 2. Connect to the Internet. 3. Blink. 4. Malware detected!
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
The guy is wrong becuase his principal assumption is wrong.
Principal assumption: Malware must take up at least one byte of RAM.
Refutation: Malware hidden in the firmware (ROM) does not need any dedicated bytes of RAM.
I know. I've done it...
If I don't even know I'm infected, how can I remove the malware? If I know that I've been rooted, worst case scenario, I format my hard drive and do a clean install of the OS, apps, and data. Yes, it's better to prevent the infection in the first place, but knowing you *are* infected at least can help you to take actions to do something about the situation. In truth, if an infection can be detected, it can *usually* be removed without requiring a format, so detection is the first step in cleaning up a problem.
"Unless... you were scanning from a boot CD."
If you were scanning from a boot CD, the malware would have never loaded into RAM in the first place (unless the boot cd is itself infected, at which point the GP's points apply again), so why would you try to scan ram for malware if you loaded from a boot CD? That really makes no sense.
It *would* make sense to use a boot CD to then scan your hard drive for malware which are installed on disk but which are dormant because you didn't boot from the HD, but that is NOT what the original article is talking about.
This writer is yet another brillant idiot who has found a great way of generating ad revenue. Spewing crap out of his head and putting it on the internet claiming he has the knowledge to solve problems he clearly knows nothing about. These people make me sick. We need a web site about morons like these guys. He must have worked at best buy before becoming a journalist.
Here's the real paper. This gives a better idea of what they have in mind.
They're proposing this for mobile phones, not general-purpose computers. Specifically, they're thinking of phones where the software is entirely determined by the mobile carrier. So the carrier's server knows exactly what's supposed to be in the phone's memory. The problem is then to determine if, in fact, the contents of memory in the phone match the image back at the server, even if the phone has been corrupted.
That's a solveable problem, and their rather complex solution might actually work for that. The "reliable external checking agent" is at the carrier's server farm, not within the phone. The key idea is that while malware might try to fake the appropriate responses to the checking agent, it can't do so within time limits imposed by the checking agent. This is because some cryptographic tricks make the faking job computationally expensive.
In the phone environment, if the carrier detects that the phone has been compromised, they can limit what the phone can talk to, since they control the channel. Worst case, they could just de-authorize the phone, which limits it to 911 calls and customer service calls. This is the default state of an unregistered phone.
It's not clear how useful this would be for phones which can download applications. The paper punts on this issue. On page 5, item 5, they write "[The verification policy] is beyond the scope of this paper."
I could see this as being very useful in military communication systems and in embedded systems, where you know what's supposed to be in the device and want to make sure the device at the other end of a link hasn't been compromised. It's a way to check whether a locked-down environment is still locked down.
In other words, it's not going to help in the Windows world.
Even if this scheme worked as described, it useless. In the case of malware resident in RAM, it would do absolutely nothing to identify what malware is present or how got loaded into RAM.
In the case of malware resident on disk, it presents no solution at all for detection. The author evidently believes that 100% effective malware scanners exist, and that if malware is stored on disk it is "gauranteed" to be detected.
An effective anti-malware detection scheme is going to have to do a hell of a lot more than produce a one-byte boolean report.
Crap... /. cut out part of my post. After "(The" should have been:
(The less than %1 percent difference from swapping a few KB of RAM would likely not be outside of the statistical error range for reading from RAM). Heck, I'd be surprised if it could reliably detect the 10ms it would take for a drive to seek and read a few KB off disk. It'd probably take several megabytes of continuously swapped data (Depending on quality of the system) or multiple segments of swapped data to detect swapping when reading multiple gigs of data from RAM. I'm not saying it's not possible to think that it swapped. I'm saying that it's MUCH harder to tell with any kind of accuracy.
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
From the Our Solutions page:
A technique known as software-based attestation can provide an alternative defense against malware by performing infection scans periodically and detect the presence of any program that refuses to be inactivated – as well as any inactivated program that is known to be malicious.
So, it can detect malware that refuses to be inactivated which is a tiny (vanishingly-tiny?) percentage of malware, as well as inactivated software that is known to be malicious (eg, because of a known virus signature.)
So what's the advantage over signature-based virus-scanners? Well, you get to detect completely hypothetical software that (somehow) refuses to allow the kernel to swap it out (and how that is possible is never explained) at the cost of hugely-expensive computations.
Great.
Here's a simple example to show why the author of the paper is a fraud or a fool (or both):
the malware - presumably sitting in ram with admin privileges, will simply detect the scanner being loaded,
overwrite it's "is infected? Y/N" code with "is infected? N/N" code, and be done with it.
This is even glossing over all the different kinds of magic you can do with page table manipulation and exploiting the fact that a scanner cannot check all bytes in RAM at the same time. No flaky "timer delay detection" is going to fix that either, since presumably other processes will be allowed to run during the scan.
Once a machine has been compromised, you're out of luck when it comes to guarantees. Anyone who claims otherwise is either an idiot, a liar, or both.
where you know what's supposed to be in the device and want to make sure the device at the other end of a link hasn't been compromised. How do you know that whatever software you are using to verify the memory contents of the remote device hasn't also been compromised?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
This idea has already been invented... by Shampoo
Wanted: witty unique signature. Must be willing to relocate.
OK, so we have this verifier. It swaps everything out but itself. It verifies the system, and it all comes up good.
Now what? It has to swap everything back IN. Including potential malware which made no attempt to evade the verifier. Sure, it prevented the malware from running for a time. But only at the cost of preventing anything else from running either. That's less than useful.
in which case it can not hide its memory footprint
Suppose it does allow itself to be swapped out, and yes, it cannot hide its memory footprint.
How do you detect it, then?
Answer: conventional scanning, with a virus signature database, which is not 100% reliable and in no way “guarantees” malware detection.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
The idea here is of course not able to detect all malware, even though the article claims that it is. It is designed to counter a specific technique malware can use to avoid detection: to interfere with the normal processing of a malware detector. E.g. it can intercept kernel calls and lie to the malware detector (or any other software) about what the content of memory is. This is something the malware has to be actually running at the time of the scan to do, and to be able to run it has to be in memory. So if you swap out all code except the malware scanner (including drivers and so on), and you nuke all memory except the scanner's own code, then either the malware has to allow itself to be overwritten, or it has to remain in memory by intercepting the calls that would overwrite it. The idea in the article is to use a hardware check-sum function that cannot be intercepted. At that point the malware scanner will be able to tell that the real, hardware checksum of the memory does not match the check-sum it computed on its own, so there must be a piece of software still running and lying about the content of memory. Only malware would do that, so this technique defeats the malware technique of lying to a malware scanner about what is in memory.
Unfortunately the malware can of course still intercept the entire running of the malware scanner by not actually doing any scan at all and just displaying a message to the user that the malware scanner would normally display if there is no malware. That is still a half victory, though, as then the malware has to know about all the malware detectors that are out there and will be out there, which is a huge amount of work that the malware authors may not be able to keep up with. It could also just always display a message box saying "everything was fine" or it could crash the scanner, but then the user would possibly be able to tell that the something is wrong. A more sophisticated tactic would be to scan the scanner executable (before it runs) for the instructions that trigger the hardware mechanism, and replace those by different instructions that simply report the hash as it would be if there was no malware. Maybe you could obfuscate that somehow, perhaps by having the scanner generate the instructions it runs in memory instead of having them all in the executable directly, and at that points it becomes yet another arms race where now it is the malware authors trying to detect something and it is the anti-malware people trying to hide.
Unfortunately the type of scan proposed requires a hardware check-sum mechanism, it requires the OS to be able to swap every single part of itself to disk for an extended period of time (it then won't be able to respond to interrupts) and it still is not flawless. Still, it does make life more difficult for malware authors.
Did you miss the part about the external verifier? It sounds like a lot of handwaving, but done right it could detect any of the avenues of attack you've mentioned here.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
"Protection from malware should function like the immune system, with many lines of defense and many avenues of detection and counter attack. Prevention will never be perfect by itself.' - by spun (1352) on Monday March 15, @11:58AM (#31483716)
Which is EXACTLY why I wrote up this guide (mostly for end-users that aren't aware of the concept you're putting out, & yes: Even the more "techie ones")!
----
HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA/Windows 7 (+ make it "fun-to-do" via CIS Tool Guidance & beyond):
http://www.tcmagazine.com/forums/index.php?s=568d95985ad83ef4add94de09f6026d3&showtopic=2662
----
It works, & is based on the concept you lay out via your quoted words above - what computer security folks the past few years have been calling "LAYERED SECURITY"...
Proofs to its efficacy?
Ok, some quoted testimonials:
----
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2
"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral
AND
"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral
AND
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3
"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA, user of my guide @ XTremePcCentral
AND
"the use of the hosts file has worked for me in many ways. for one it stops ad banners, it helps speed up your computer as well. if you need more proof i am writing to you on a 400 hertz computer and i run with ease. i do not get 200++ viruses and spy ware a month as i use to. now i am lucky if i get 1 or 2 viruses a month. if you want my opinion if you stick to what APK says in his article about securing your computer then you will be safe and should not get any viruses or spy ware, but if you do get hit with viruses and spy ware then it will your own fault.
keep up the good fight APK." - Kings Joker, user of my guide @ THE PLANET
----
(Those results are only a SMALL SAMPLING TOO, mind you - I can produce more such results, upon request, from other users & sites online)
HOWEVER - There's ONLY 1 WEAKNESS TO IT: Human beings, & they not being 'disciplined' about th
Yes, an extra “black box” hardware device could theoretically solve all of the problems I mentioned. If you invented one, that is, and bothered to install it.
At that point, though, it’s easier to just boot from a live CD with an antivirus suite.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
"Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM. Everything except itself. Well, malware may interfere, of course, as it often does, and remain in RAM. But if we know how big RAM is, we know how much space should be free."
The author seems to assume malware only lives in areas which are not reserved. But there's different kinds of malware: some which actually run rather like normal applications, reserve memory just like any other application, and then there's the malware that lives inside memory reserved by other applications. In both cases the memory is actually allocated and will not be considered "free" by the OS. Thus, the malware would just get swapped out, ignored by the detection routine, and swapped back in.
No, this method was dead already before its arrival.
Wake those workstations nightly with WOL, PXE boot to linux, run checksum tests against hard disk. If infected do second PXE boot which reloads clean image from server. By morning all computers are clean.
After reading the article a couple of times, it seems that this is a tool that needs to be coupled with a scanner. This is a method that determines malware is trying to disguise itself or intefere with a scanner. Therefore a simple attack method would be to be a normal program and not try to disguise itself. The only way it could be detected would be for a scanner to already have a signature for that malware program. Hence this is a tool that should be incorporated in already existing anti-malware programs and not a standalone detector. Do I understand this correctly? And if so I am underwhelmed. I need a tool that can detect zero day attacks and this does not seem to be that. Julian
I go out of my way to complicate the simple things, so that I can simplify the complicated things.
The people critical of this process are missing some of the point. The claim of catching everything including 0 day exploits is a bit grandiose, but that doesn't mean it isn't a good idea. An approach like this will pick up malware infections because they cloak their processes. If this forces them to stop cloaking, it makes it much easier for standard malware scanning to be effective.
The author claims his system can detect 0-days, on a pre-infected system. Can't do that with signature scanning. I think he's full of it.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
I don't think it is feasible to swap out everything from memory. If an interrupt occurs and the handler is not in memory, Windows will blue-screen. The scanner would need certain O/S functions to perform the scan, not to mention to write/read the swapped RAM to/from disk.
The author claims this technique will work on already infected machines, but I don't see how that is possible. If starting from a known clean machine, though, this technique seems pretty foolproof.
The author assumes that you can detect malware if it is not in memory corrupting your scan. The author then presents a way to prove that your memory is not corrupted by a virus.
The rootkit could be lying about the total amount of RAM, sure, but that won't help if we have started from a known clean machine.
The external verifier (which verifies the hash) takes care of that. If the rootkit lies about the amount of RAM to the process which writes pseudo-random data, then the checksum will fail when the external verifier computes it.
The only way you can't lose, is by not playing.
If you are going to respond, respond to what I wrote, not what you imagined I wrote. You just explained to me what I've been explaining to other people for HOURS now. See, I already GET all that.
However...
The author claims his techniques will detect 0-day exploits that were on the machine before the scanner was installed. Go ahead and explain how that would work with conventional malware detection.
THAT was the point I was just making.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
I did respond to what you wrote. You seem to have forgotten what you wrote. Nowhere in that post did you mention 0-days. If that was your point, you failed miserably in making it.
Or the CPU cache, actually.
Also, instead of "hiding", they could know about your program and simply alter the results after the fact. If you can modify memory, so can they. You'll detect them just fine. But then they'll change that "infection found!" to "no infection found!"
Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM. Everything except itself.
Further assume that this detection algorithm, running in kernel mode, must be loaded into memory itself.
Then further assume that the compromised kernel on which it is running has not modified the detection algorithm. (Because noone writes kernel malware)
Then further further assume that no one will spot this really obvious flaw before publishing it.
I don't see how this would work. Even if Windows would allow itself to be swapped out (which it won't) for the test, the virus would simply allow itself to be swapped out as well, and then re-load itself through whatever infected .DLL or media player codex that it was initially loaded from in the first place.
You buy a toaster, it toasts. If it doesn't work, you throw it away and get a new one. You buy a TV, maybe it works maybe it stops working, maybe lightning strikes it, but if you push the channel button and it doesn't work, you get it fixed or replace it. Dishwasher stops working, you call someone and have it fixed.
Computer... I can't just click something I want to click, I have to unpack it and set it to be executable. I have to think? I don't want to think, I just want Farmville to work. If I can't match these 3 jewels together, someone is going to have to fix this for me what's this box? OK. OK, goddammit just go away! You're blocking my jewels! Fucking, OK, okay? O MUTHER FUCKING KAY, I get it. UNUUNUNNNGNGNGHGHGHGNFNG!
Customer calls tech support.
Tech: What were you doing when this happened?
Customer: I don't know, I was playing my game and some strange things just started happening.
Tech: Such as?
Customer: I was trying to play a game and these boxes came up that had nothing to do with the game. It was broken.
Tech: You broke it by installing a virus, that's what you did when you clicked OK.
Customer: You don't know anything about computers. Were you even listening? It was doing stupid shit BEFORE I CLICKED OK!
Tech: No, those windows were trying to alert you to a security problem
Customer: Why would there be a security problem if it wasn't already broken dipshit?
Tech: That was Windows, asking if you wanted to allow something
Customer: I wanted to allow it to play MY FUCKING GAME that it wouldn't let me play.
Tech: You installed a virus.
Customer: I'm going to bash you head in with a box of Cheerios.
Customer's mom: So what was all that about?
Customer: That guy was pretending to be a computer nerd so he could ask me out or something, and he had herpes or something, I don't know. He didn't know anything about computers and wasn't listening to me and didn't believe me.
Customer's mom: Hello, Police? I'd like to report a crime...
It can perfectly well live in the cache, busmaster devices, buffers, etc.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
There are a dozen different ways that the rootkit could hijack the process if it intimately knew how the scanner worked.
For example.
Pseudo-random data is reproduceable. Rather than caching the large amount of data to the disk, it could simply sniff out the randomizer’s seed and return the appropriate data when it re-scans the memory to compute the checksum after writing to it. This would avoid a lengthy delay in writing and reading the hard disk.
The rootkit could also, even more easily, overwrite your entire scanner with NOPs and then set the detection to false. Nothing to see here, move along. This is so obvious it’s trivial.
Or it could overwrite your checksums with identical values right before you compare them. The comparison matches; nothing to see.
It could even adjust the system timers so that the scanner wouldn’t be able to detect the added delay of write/read operations to the hard disk when only memory operations should have been performed.
Really the only way you’re going to be able to ensure that your scan is reliable is by using an external (trusted) device, whether it be a black box that tells you the true amount of RAM, or that keeps an accurate time, or seeds your randomizer, or whatever, or a whole separate computer to which you attach your secondary storage devices and scan them. But at this point you really might as well just boot the infected system from a clean boot CD and scan it with RAM that is 100% certain to be clean.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
This thing is pretty dumb, a better way to do it is boot off a CD or something and scan the disc, which would mean that you don't have to swap out the memory because *it is already clean*
Our GPU are becoming more and more multi-purpose every day.
But that is not the real threat... Suppose I install my crap in your network interface's firmware and just drop packages I don't want you to see (think "rocket incoming" or "stock falling"). Yes, those are high-level examples and yes, this approach is more or less 'outside' the system.
But if I just feed crap into your system, are you _sure_ every device driver is hardened? And what context do device drivers run in? Kernel context? Oups...
The way windows can patch itself is malware in action. As soon as I have some 'legal' way to change the baseline, I also have a way of installing illegal software surreptitiously. It would only work on something that never needs updating.
Really the only way you’re going to be able to ensure that your scan is reliable is by using an external (trusted) device, whether it be a black box that tells you the true amount of RAM, or that keeps an accurate time, or seeds your randomizer, or whatever, or a whole separate computer to which you attach your secondary storage devices and scan them.
The article mentions using an external verifier.
Yes, which is usually going to involve more expense, hassle, and time than simply booting from a live CD.
Apparently TFA’s own source was actually talking about cell phones, in which case this possibly could be made to work. The cell phone provider would be the external verifier, and the software on the phone would be quite limited so that whitelisting would be more practical. However even then the scan could give a false negative if you broke the randomness of the pseudo-random data. A rootkit could also subvert the communications to the carrier to make the carrier/phone think the scan was clean (this would depend on the implementation, but I see a few ways that it could take place).
For a personal computer (as the author of TFA incorrectly seemed to think)? Not practical in the least.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
This is why the App Store is a good idea.
Some people don't deserve digital freedom.
--
BMO
Defending against adversarial strategy 4 – modify detection code. The security against adversarial strategy 4 follows directly from assumption 2 (code optimality), with the exception of a “kamikaze strategy” in which the adversary corrupts the execution of some of the steps (as described in section 3), and then willingly loads legitimate code and removes itself. Such an adversary could only corrupt step 1 of the process, as it will have to be overwritten during step 2 to avoid detection. Moreover, it needs to correctly perform the setup in step 1; this means that the only harm it can do is to cause an incorrect state to be swapped out in step 1. It can write anything it wants to to swap space. It can place a copy of itself in the swap space, or a copy of a legitimate but vulnerable application, with an input triggering an opportunity for malware to be loaded. However, the swap space will be scanned along with all other memory during step 5, and any known malicious configuration will be detected.
If an adversary corrupts stage 1, there is no stage 2, just a fake stage 2.
Holy shit. Seriously. Did this guy also certify the DRM for Ass Creed 2?