Slashdot Mirror
How To Guarantee Malware Detection
itwbennett writes "Dr. Markus Jakobsson, Principal Scientist at PARC, explains how it is possible to guarantee the detection of malware, including zero-day attacks and rootkits and even malware that infected a device before the detection program was installed. The solution comes down to this, says Jakobsson: 'Any program — good or bad — that wants to be active in RAM has no choice but to take up some space in RAM. At least one byte.'"
While it might be true that any application will take up at least a byte of memory, there is no reason malware couldn't masquerade as another binary down to the exact number of bytes.
Hell, Windows is a whole slew of malware that masquerades as the whole OS.
In theory, theory and reality are equivalent. In reality, they are quite different...
Seriously, how could this possibly work for ALL (including undocumented, and hereto unknown) threats? And if it does it by reading straight from RAM (through the kernel), wouldn't a rootkit be able to trivially defeat that?
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
A needle in a haystack wants roughly the same amount of space as a straw - doesn't make it any easier to find (indeed, that's part of the reason it's so hard to find).
Even if this technique has merits, it does nothing to correct the primary reason for computer infection - stupid users.
How about a malware that masquerades as this detector and reports the RAM checksum is OK?
You can't guarantee anything in security. Especially when a human is involved.
Sure, malware has to occupy memory. That doesn't mean it has to be its own memory. Buffer overflows are all about corrupting another application's memory space.
His basic argument is that if you want to scan RAM, the kernel can halt all processing except its RAM scanner, and have a go at the RAM safely. If it's particularly insidious malware, it'll try to hide itself in various ways, one of which would be to masquerade the portion of RAM it was using with something legitimate looking (maybe erase that portion of memory). But you know it did this because you can see that memory which was supposed to be free is no longer free. Except the hardware has no concept of free or occupied memory. It just has memory, and the OS keeps track of what's free and not. The OS - the same space where malware is running.
OR, the malware could simply not do this, then its behavior is no different from any legitimate program. So how do you detect it now? You still need definitions that say, "When running in memory, this virus looks like X," then look through memory for that pattern.
Besides, who's to say that the kernel space is guaranteed free of malware itself? Even if you would have successfully identified the threat in RAM, you have no guarantee that the malware hasn't corrupted the identification routine.
It's like someone came along and said, "Hey, you guys are looking for malware wrong. You have to look for it! And I mean really look for it!"
Slay a dragon... over lunch!
Protection from malware should function like the immune system, with many lines of defense and many avenues of detection and counter attack. Prevention will never be perfect by itself.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
I'm not an expert and not sure if I'm missing something obvious here but what is confusing me is the part about "swap everything out except the scanner". Wouldn't you then just be moving the malware too? Into a protected space that you then have to scan and know what to look for?
If it's a zero day infection then you don't know what to look for and you swapped it out of memory for nothing really. I do get that if it tries to protect itself it will look suspicious but what if it looks like a normal program? A service or scheduled task that could be normal. What if it takes on the guise of an adobe update program in size/hash and function until it is time do act? Say a slight change to your systems dns entries. Then goes dormant again.
This may not be possible but I haven't seen why not and it leaves a pretty big hole for zero day infections that this method claims to be able to catch 100%.
) Human Kind Vs Human Creation
) It'd be interesting to see how many humans would survive to serve us.
After reading TFA I'm still not seeing how this is supposed to detect unknown malware.
As far as I can see it would decide that a new install of any kind was a virus.
Sure if you know every program which is supposed to be installed and none of them do wierd things in memory(a big if) then you might be able to spot when some kind of change has been made but if you can do that then you have a situation where you might as well just re-image the machine from ROM every now and then.
I don't see any amazing new ideas in TFA
> have to scan and know what to look for?
;).
If Dr. Markus Jakobsson has solved that, it is strange he hasn't also announced that he has solved the halting problem
Figuring out whether a bunch of bits is or isn't malware is going to be as hard (or harder[1]) to figure out whether a program given a particular input will halt or not.
[1] Especially when that bunch of bits might later on download a new bunch of bits. Yes I know in theory it is impossible to solve the halting problem (no general solution), but in practice some special cases can be solved.
In contrast it's harder to solve the malware problem when you assume they can fetch new instructions and data, and from an active hostile party.
Sandboxing is the way to go. Sandboxing is analogous to avoiding the halting problem by having a time limit on the program.
No need to figure out whether the program is malware or not. Just make sure it can't do what you don't want it to do. Let the OS sandbox it.
"detect unknown malware... a new install of any kind was a virus"
Yes, unless the new software is authorized, it should be considered malware.
"I don't see any amazing new ideas in TFA"
Also, yes. Shockingly, unauthorized software is unauthorized; and you can inspect a running system externally without being owned by that system.
There are 1.1... kinds of people.
From TFA:
His “solution”:
Create a sandbox consisting of all available RAM which definitely contains no “good” programs except for the scanner. Scan the sandbox to detect any “bad” programs that remained (by looking for the malicious action of attempting to mask its process RAM). Then scan the hard disk for sequences of bits that are found in programs that are known to be bad (but which are not commonly found in good programs).
Thus, it is subject to exactly the same limitations that he was trying to improve upon.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Unless, of course, the infected system is lying to you about the memory allocations.
"As good as this technique may or may not be, it's not security."
Ehhh, you could have been a sailor. Back in the day, we had "security alert" drills, to deal with "intruders" all the time. But, that's all we ever had, were drills. The REAL security was focused OUTSIDE! If some boat, ship, helicopter, or even a frogman came close to our ship, we just blew them out of the water or sky. There was never a need to look for an intruder INSIDE the ship!
The most likely time and place any intruder might get aboard, was when we were tied up to a pier. Social engineering MIGHT cause some young fool to bring a malevalent guest aboard. But, the OOD, the POOW, and the duty section were all there to screen for potential bad people.
Trying to find the bad guy AFTER he comes aboard would be utterly ridiculous. He only needs a minute or two to plant his bomb, his bug, or whatever the hell he was there to do.
Security means killing it before it gets here. So, yeah, I like the way you think. Now, the problem is, convincing others to think that way. Most especially, those others at Microsoft.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Suffice it to say, you haven't understood it yet.
I think these people have all understood the article quite well, and are pointing out real flaws with this scanning method.
The #1 flaw is the assumption that an exact byte count of what is running can be known if malware is also running on the system.
If malware is actively running, then if scanning code calls any outside functions, the results must be considered tainted. Since there is no way for code that does not query the OS to even guess about what else is loaded in RAM, sufficiently intelligent malware will be able to hide itself from any scan. Hell, you can't even determine how much RAM is in a computer running in x86 protected mode without calling some OS or BIOS function, either of which can be hooked by the malware.
One of the other assumptions is that the time it takes to compute a hash of RAM on a particular machine can be known with enough precision to detect that it is being "delayed" by malware.
Last, there is one piece of code that can never be swapped out to disk, and will likely show up as malware as it refuses to be overwritten: the code that swaps and restores pages to/from disk.
No, YOU are the one who doesn’t understand the concept of what is happening.
Looking for “space” that is occupied by malware in this manner will only detect malware that attempts to hide itself. There are multiple ways of defeating this scan, not the least of which is simply to not attempt to hide, allowing itself to be swapped out of memory like any other application.
In which case, you would not be “guaranteed” to detect all malware, because you’d be scanning it in the swap file like any other application and you’d be depending on your signature database to find the malicious code. It didn’t do the one malicious action that you were relying on to give away its presence.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
If we start from a known clean machine
By doing this, there's really no reason to run any high-tech malware detector, as this assumes you have two machines that are identical in every way except one might have malware while the other is known to be clean. If that's the case, just clone the one that is known to be clean and you now have two known clean machines.
In other words, there is no way to use an external machine to assist you in determining things like memory used by a process because you can't have both a clean machine and one infected by malware and have them identical enough to get a meaningful comparison.
There is no 'empty space' in a rpogram's code segment.
There very often is, as pages are 4096 bytes (at least, normal pages on x86 are this size), and it's rare to have code completely fill the page.
Since all the protections on x86 are at the page level, malware can hide in the bytes after the real executable. This type of technique has been used for years (malware used to hide in the file slack on floppy disks).
From the Our Solutions page:
A technique known as software-based attestation can provide an alternative defense against malware by performing infection scans periodically and detect the presence of any program that refuses to be inactivated – as well as any inactivated program that is known to be malicious.
So, it can detect malware that refuses to be inactivated which is a tiny (vanishingly-tiny?) percentage of malware, as well as inactivated software that is known to be malicious (eg, because of a known virus signature.)
So what's the advantage over signature-based virus-scanners? Well, you get to detect completely hypothetical software that (somehow) refuses to allow the kernel to swap it out (and how that is possible is never explained) at the cost of hugely-expensive computations.
Great.
I have a hard time believing a technique that starts with "swap out everything in RAM" could ever be used for real-time detection.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
No. Symantec is the scanner.
"Still haven't read the article, eh?"
I did. The relevant parts:
"Any program -- good or bad -- that wants to be active in RAM has no choice but to take up some space in RAM. At least one byte, right?"
More news from Captain Obvious Dept.: any program -- good or bad -- that wants to be resilient between cold bootups has not choice but to take up some space in persistent storage. At least one byte, right?
"All we need is the help of an external verifier that knows how much RAM a device we want to protect has, and how fast its processor is. And ways to avoid latency variance when we measure the time to compute the checksum.
This tells us a few interesting things. We can guarantee detection of malware. And that includes zero-day attacks and rootkits. We can even guarantee that we will detect malware that infected a device before we installed our detection program. Think about it. Or read more here and here."
What does it add to current solutions? My answer: almost nothing to absolutly nothing.
1) By trashing out everything from RAM you effectlively have disrupted the service so it's no advantage from other stablished disruptive means like... scanning the disk out of a cold boot.
2) By just cleanning RAM you will have only the ability, even if your system is 100% guaranteed, to detect *only* the malware that was in RAM by the time of the scan. A simple script running from cron will be absolutly undetectable unless it happens to be running by the time the scan was scheduled.
3) No, it won't work on already compromised systems: even if it's run from kernel mode the execution space will already be tainted: think about a virtual server and a virtualized box.
4) As I already said, for a system to survive cold boots it needs to go to persistent storage. If I can know what the RAM contents are expected to be I certainly can easilyl know what the HDD (or BIOS EEPROM, or any other persistent storage) should look like too, so I can compare checksums.
5) Oh! but the system used to get a clean checksum can be compromised! So does the system used to provide the RAM space.
So, in the end this system offers absolutly nothing from the "standard" off-line verification scenario: on a home system boot from CD and check the hard disk; on a corporate system boot from PXE and check the hard disk.
But it offers nothing either on the real time field: TPM can offer just the same only in real time so while it only inspects RAM it inspects RAM at every moment, so the moment the malware is trying to get into RAM it's the time it gets revealed.
Ok, so you want serious criticisms?
1. They assume that the read back from external storage doesn't overlap with computation. This is not true of any DMA-based transfer that is asynchronous. This breaks their argument as I can hide the time to do a memory / storage swap by using DMA during calculation of the hash of a different region.
2. It is brittle. It depends on a very narrow margin between computation time and retrieval time. There are many things that could cause this margin to change but their complete avoidance of cache variations would kill it (yes I've read it, no their "worst-case measurement" doesn't cut it).
3. As many other people have pointed out it requires a trusted third-party to do the verification. If we allow a trusted party then installing a TPM is much simpler way to do it.
4. If the malware allows itself to be swapped out (i.e it has infected a callback hook) then the system must drop back to standard scanning techniques. These are not guaranteed because of the halting problem - so the author's claim that this method gives guaranteed detect is a crock of shit.
5. Although they've cited Naccahe's paper they've not really done it justice. His approach was much more elegant as it did not require a trusted party, and it got bonus points for using Quines in a serious research setting.
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
See people? If you read the article, you can offer cogent criticisms. If you don't you can offer irrelevant criticisms you will then have to spend the next several hours massaging and defending.
I think number 4 is the most cogent. The author claims his system can detect 0-day malware that was on the system before the scanner was installed. Maybe, if the malware tries to interfere. But if it doesn't, you have no signatures or checksums to fall back on, how could this system work?
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton