Slashdot Mirror


How To Guarantee Malware Detection

itwbennett writes "Dr. Markus Jakobsson, Principal Scientist at PARC, explains how it is possible to guarantee the detection of malware, including zero-day attacks and rootkits and even malware that infected a device before the detection program was installed. The solution comes down to this, says Jakobsson: 'Any program — good or bad — that wants to be active in RAM has no choice but to take up some space in RAM. At least one byte.'"

3 of 410 comments (clear)

  1. Theory and hand-waving by Lord+Grey · · Score: 3, Interesting

    Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM. Everything except itself. Well, malware may interfere, of course, as it often does, and remain in RAM. But if we know how big RAM is, we know how much space should be free. Assume we write pseudo-random bits over all this supposedly free space. Again, a malware agent could refuse to be overwritten. It could store those random bits somewhere else instead... like in secondary storage.

    Then, let us compute a keyed hash of the entire memory contents -- both our detection program and all the random bits. Here is what could happen: If there is no malware in RAM, the results will be the expected result. An external verifier checks this, and tells us that the scanned device is clean. Or there could be malware in RAM, and the checksum will be wrong. The external verifier would notice and conclude that the device must be infected. Or malware could divert the read requests directed at the place it is stored to the place in secondary storage where it stored the random bits meant for the space it occupies. That would result in the right checksum... but a delay. This delay would be detected by the external verifier, which would conclude that the device is infected.

    <sarcasm>Punting the problem to an "external verifier" is pretty neat. I wish I could do that with my next hard problem.</sarcasm>

    That whole bit about swapping, though.... If I write malware and hide it somewhere in execution space, do I really care if it gets swapped out? So the code that steals keystrokes or sniffs for credit card numbers doesn't get executed for short while. Big deal. At some point it will get loaded again (if written properly, that is).

    Or am I missing something obvious?

    --
    // Beyond Here Lie Dragons
  2. register by bugs2squash · · Score: 4, Interesting

    Some processors may have big enough register sets that malware could reside entirely within the CPU.

    --
    Nullius in verba
  3. Redeeculous idea. by Ancient_Hacker · · Score: 4, Interesting

    I tried reading TFA a few times. First time, utter confusion. Second, third times, no better. I can't make any sense out of these points:

    >1) There are absolutely only three things malware can do when you scan for it. One: be active in RAM, maybe trying to interfere with the detection algorithm. Two: not be active in RAM, but store itself in secondary storage. It cannot interfere with the detection algorithm then, quite obviously. And option number three: erase itself.

    Absolutely, not. There are many other things malware could be doing. Inactive in RAM, compressed and inactive in RAM, encoded as plausible-looking entries in the File Name Table or the Virtual Memory map.

    >2) Any program -- good or bad -- that wants to be active in RAM has no choice but to take up some space in RAM. At least one byte, right?

    No, it could be sleeping, existing only as an entry in the swapped-out process table. Or in unused space below a thread stack.

    >Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM. Everything except itself.

    Whoah there fella. Everything? Are you going to turn off all timers and interrupt enables so their service routines don't get called?
    Hard to do without mucking up all the device drivers. Are you going to swap out the kernel too, as malware is quite capable of infesting kernel space. And what about device drivers? They're constantly mucking with their internal tables and I/O buffers.
    And if you turn off all device drivers, you lose, as there's nothing stopping malware from masquerading as a device driver. Many do.

    >>But if we know how big RAM is, we know how much space should be free.

    Whoa there again, big guy. There are plenty of machines with RAM at places not generally known to the OS, such as video RAM, graphics polygon RAM, network card RAM buffers, and kernel stacks.

    >> Assume we write pseudo-random bits over all this supposedly free space. Again, a malware agent could refuse to be overwritten.

    You don't need a checksum test to do this-- each page of virtual memory has R/W control bits.
    And you're foiled here again, as there are plenty of system areas that are write-protected, such as pre code areas and the VM tables themselves.

    >>Then, let us compute a keyed hash of the entire memory contents -- both our detection program and all the random bits. Here is what could happen: If there is no malware in RAM, the results will be the expected result. An external verifier checks this, and tells us that the scanned device is clean.

    Nooo, that just tells you that either you overwrote the malware, so you'll never find it, or the malware during your two sweeps did not change any RAM contents. Quite possible as most malware just sits around most of the time.

    >> Or there could be malware in RAM, and the checksum will be wrong.

    Well, no, unless you disabled all interrupts and stopped all kernel tasks, there will still be system timers and interrupts and device drivers changing their state in RAM.

    >> The external verifier would notice and conclude that the device must be infected.

    Or some part of the system or some device driver is still running. Huge chance of false positives.

    This essay seems to have been written by someone with only a glancing familiarity with hardware and system software.