Slashdot Mirror


Researchers Set To Work On Malware-Detecting CPUs (helpnetsecurity.com)

Orome1 quotes a report from Help Net Security: Adding hardware protections to software ones in order to block the ever increasing onslaught of computer malware seems like a solid idea, and a group of researchers have just been given a $275,000 grant from the National Science Foundation to help them work on a possible solution: malware-detecting CPUs. This project, titled "Practical Hardware-Assisted Always-On Malware Detection," will be trying out a new approach: they will modify a computer's CPU chip to feature logic checks for anomalies that can crop up while software is running. "The modified microprocessor will have the ability to detect malware as programs execute by analyzing the execution statistics over a window of execution," Ponomarev noted. "Since the hardware detector is not 100-percent accurate, the alarm will trigger the execution of a heavy-weight software detector to carefully inspect suspicious programs. The software detector will make the final decision. The hardware guides the operation of the software; without the hardware the software will be too slow to work on all programs all the time."
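The two-stage design the summary describes (a cheap always-on detector over a window of execution statistics that only escalates suspicious windows to a heavy-weight software detector) can be simulated in a few dozen lines. The block below is an added example and is not code from the researchers or from the story; the counter names, thresholds, relative costs and every sample window are constructed for illustration. It shows the property that matters when evaluating such a cascade: stage 2 can only judge what stage 1 escalates, so the cascade's overall miss rate is bounded below by stage 1's misses, while its cost is far below running the expensive check on every window.

```python
"""Two-stage (hardware-guided) malware detection cascade, simulated in software.

Added example, not the researchers' code.  Stage 1 stands in for the cheap,
always-on hardware detector that looks at execution statistics over a window;
stage 2 stands in for the heavy-weight software detector that runs only on
windows stage 1 flags and makes the final decision.  Feature names,
thresholds, costs and all sample windows are constructed.
"""
import math

# Assumed per-window execution statistics (a real detector would use hardware
# performance counters; these three names are illustrative only).
FEATURES = ("branch_miss_rate", "mem_ratio", "indirect_call_rate")

# Assumed relative costs: the hardware check is nearly free per window,
# the software inspection is expensive.
COST_STAGE1 = 1
COST_STAGE2 = 100


def build_baseline(good_windows):
    """Per-feature (mean, stddev) learned from windows of known-good execution."""
    baseline = {}
    for f in FEATURES:
        xs = [w[f] for w in good_windows]
        mean = sum(xs) / len(xs)
        var = sum((x - mean) ** 2 for x in xs) / len(xs)
        baseline[f] = (mean, math.sqrt(var) or 1e-9)
    return baseline


def z_scores(window, baseline):
    """How many standard deviations each counter sits from the benign profile."""
    return {f: (window[f] - baseline[f][0]) / baseline[f][1] for f in FEATURES}


def stage1_alarm(window, baseline, z_limit=3.0):
    """Cheap detector: alarm if any single counter drifts more than z_limit sigmas.
    Tuned for recall, so it also flags some benign windows (false alarms)."""
    return any(abs(z) > z_limit for z in z_scores(window, baseline).values())


def stage2_malicious(window, baseline, score_limit=14.0):
    """Heavy-weight detector stand-in: a joint score over all counters.
    (Constructed; a real software detector would inspect the program itself.)"""
    return sum(z * z for z in z_scores(window, baseline).values()) > score_limit


def run_cascade(windows, baseline):
    """Return (verdicts, cost).  Stage 2 runs only when stage 1 alarms; a window
    that never escalates is declared benign without further inspection."""
    verdicts, cost = [], 0
    for w in windows:
        cost += COST_STAGE1
        if stage1_alarm(w, baseline):
            cost += COST_STAGE2
            verdicts.append(stage2_malicious(w, baseline))
        else:
            verdicts.append(False)
    return verdicts, cost


def evaluate(windows, labels, baseline):
    """Detection/miss/false-positive counts plus cost versus inspecting everything."""
    verdicts, cost = run_cascade(windows, baseline)
    pairs = list(zip(verdicts, labels))
    return {
        "detected": sum(1 for v, l in pairs if v and l),
        "missed": sum(1 for v, l in pairs if not v and l),
        "false_positives": sum(1 for v, l in pairs if v and not l),
        "cost": cost,
        "cost_if_stage2_everywhere": COST_STAGE2 * len(windows),
    }


def _win(brm, mem, ind):
    return dict(zip(FEATURES, (brm, mem, ind)))


# Constructed training data: five windows of known-good execution.
GOOD_WINDOWS = [_win(0.05, 0.30, 0.010), _win(0.06, 0.32, 0.012),
                _win(0.04, 0.28, 0.008), _win(0.05, 0.31, 0.011),
                _win(0.05, 0.29, 0.009)]

# Constructed evaluation windows with ground-truth labels (True = malicious).
EVAL_WINDOWS = [
    _win(0.05, 0.30, 0.010),   # benign, textbook profile
    _win(0.07, 0.31, 0.011),   # benign, but one counter spikes: stage 1 alarms, stage 2 clears it
    _win(0.09, 0.45, 0.030),   # malicious, every counter off-profile: caught
    _win(0.06, 0.33, 0.014),   # malicious but stealthy: no counter exceeds 3 sigma, never escalated
]
EVAL_LABELS = [False, False, True, True]

if __name__ == "__main__":
    base = build_baseline(GOOD_WINDOWS)
    print(run_cascade(EVAL_WINDOWS, base))
    print(evaluate(EVAL_WINDOWS, EVAL_LABELS, base))
```

Running it shows the fourth window being missed even though stage 2 would have scored it above its limit: the expensive detector never saw it. That is the trade the quoted description makes explicit (the hardware "guides" the software), and it is why stage 1 has to be tuned for recall and accepted as noisy rather than for precision.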

40 comments

  1. Radical idea! by Anonymous Coward · · Score: 0

    How about making an OS that is secure vs viruses. Don't let programs change other programs' data. Don't allow installing of drivers unless booted in a special mode. Don't let programs automatically allow themselves to start up when the computer boots. Don't allow keyboard reading unless it is the active window. Etc... with the smallest amount of effort in design, you can make your OS highly virus resistant and almost immune, like the C64 was, which was clean on every reboot. The problem is that Windows was made in an era before the Internet, and they put no thought at all into being virus resistant when they designed it, and never did a ground-up remake.

    1. Re:Radical idea! by AmiMoJo · · Score: 1

      You can't make a useful OS completely secure. How would you defend against things like the RowHammer attack? Only run interpreted code in a VM maybe, but it would be slow. That's where this malware detecting CPU comes in.

      Anyway, since no one and no software is perfect, the best way to secure a system is in layers. Every extra one helps.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Radical idea! by Mikkeles · · Score: 2

      Not a panacea (hardware issues, e.g., row-hammer, can still cause problems), but proof carrying code would be a great step forward.

      --
      Great minds think alike; fools seldom differ.
    3. Re:Radical idea! by Anonymous Coward · · Score: 0

      'Ada' as a language was an answer, 'Ada' is crazy strict / restrictive. Nobody uses it. See the problem, now we need to find a solution, microcode has never solved the problem, nor will hardware. Although a signed encryption scheme where everything is vetted / written in secure shop A, then will run on machines that contain the proper signing microcode, then becomes a nightmare of security / software support. You know I'm not sure there is a flexible solution here.

    4. Re:Radical idea! by Yvan256 · · Score: 1

      Anyway, since no one and no software is perfect, the best way to secure a system is in layers.

      What do you mean? Cake layers or onion layers?

    5. Re: Radical idea! by Anonymous Coward · · Score: 0

      More like nacho layers.
      Get it? Cuz they aren't your layers.

    6. Re:Radical idea! by AHuxley · · Score: 1

      AC the security services would just go deeper. Alter the storage control chip or other hardware chips, well away from any deep software OS scan by AV.
      Every boot would load up gov malware that the OS and AV would give a free pass to. Recall the US keystroke logging software.
      https://en.wikipedia.org/wiki/... efforts.

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:Radical idea! by Anonymous Coward · · Score: 0

      Proof-carrying code must be way too expensive to implement or the idea would have caught on by now. Quite an interesting concept though.

    8. Re:Radical idea! by Anonymous Coward · · Score: 0

      Ogre layers, obviously

  2. made in China by turkeydance · · Score: 1

    outstanding product safety record

    1. Re:made in China by ELCouz · · Score: 1

      outstanding product security record... FTFY

  3. Neat, oh wait what by Anonymous Coward · · Score: 1

    The software will make the final decision... oh so you mean just like it already does, got it.

  4. No Way by spaceman375 · · Score: 1

    In no way is this a good idea. No software is perfect, doubly so for security software. That includes the microcode this hardware is based on. Go ahead, implement it in hardware, which by definition cannot be upgraded or patched. Soon enough someone will find a vulnerability, and then an exploit, and there's nothing you can do to mitigate it beyond just buying newer hardware.

    --
    On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
    1. Re:No Way by Chrontius · · Score: 1

      In that case, you could just put the software on a socketed card like a TPM module.

    2. Re:No Way by Anonymous Coward · · Score: 0

      Hardware could in theory be running an upgradeable microcode. But the bigger problem is that in reality the good application's behavior is unique just as is malware's. If one wants to avoid false alarms, the detection algorithm must be taught by running the good application with all possible states and inputs. And that is not practical. And if there is an interpreter or compiler involved, the problem is even larger. After the funding is spent, this research project will be buried just as were all the similar silver bullet security solutions before it.

  5. Not the first by campuscodi · · Score: 3, Interesting

    Since 2014 I've been reading about hardware-based detection. I'm starting to think this is just a panacea... like those cloud-based antivirus engines that never picked up anything. Here's a bunch of research on the topic: http://www.ieee-security.org/T... http://caslab.eng.yale.edu/wor... http://www.cs.binghamton.edu/~... http://www.cs.binghamton.edu/~...

    1. Re:Not the first by ausekilis · · Score: 1

      Intel tried to do something like this with their acquisition of McAfee... only to spin off (sell) the company a few years later.

      Anybody know enough to explain how this is different?

  6. I WANT EVEN IF IT TURNS AN INTEL INTO AN AMD! by Anonymous Coward · · Score: 0

    I will gladly, and I speak for most, accept AMD-level CPU performance for safety, because when one is unsafe at any speed, it is better to be safe and slow, than to be unsafe and fast. This has been proven throughout history.

  7. Noooooooooo by Anonymous Coward · · Score: 0

    It will be cracked and own your everything!

  8. fool's errand by Gravis+Zero · · Score: 4, Insightful

    The second you make hardware look for a pattern, they will design malware to violate that pattern and go undetected. This is a fool's errand.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:fool's errand by Some+nick+or+other · · Score: 1

      1. Make a program that asks the CPU if it's malware.
      2. Have the program do malwary stuff if the CPU says it's not malware, and do benign stuff otherwise.
      3. Profit! (Or laugh.)

    2. Re:fool's errand by Anonymous Coward · · Score: 0

      The second you make hardware look for a pattern, they will design malware to violate that pattern and go undetected. This is a fool's errand.

      As you say, pattern matching is almost useless. However, that's not the only way to stop malicious instructions. Most modern operating systems already enforce some type of protected memory, but these types of systems are often complicated to implement completely in software and thus prone to bugs or configuration errors. I'm no hardware expert, but if there's anything that chip makers can do to help operating systems better manage common security concerns, like enforcing protected memory, process or thread isolation and the like then it's probably worth doing if it's not already being done. The computing world today is much different now than it was 10 or 20 years ago in terms of security. Things have gotten nastier and more hostile as individuals, governments and corporations are all looking to exploits, hacks and other underhanded tactics to gain the upper hand in business, warfare or relationships. It's time for hardware makers to provide more and better services to software running on top that implements security measures.

  9. obligatory IT crowd reference by Anonymous Coward · · Score: 0

    http://stream1.gifsoup.com/view7/4053429/the-it-crowd-o.gif

  10. Re:Will it detect SECURE BOOT and DRM as malware? by Anonymous Coward · · Score: 0

    you're an asshole. You and bill gates.

  11. Hope it's not going to be like SElinux by Anonymous Coward · · Score: 0

    That breaks so many normal things I just ended up turning it off. Hard enough to debug things without yet one other variable thrown in. Prime Example: getting nginx configured

    1. Re:Hope it's not going to be like SElinux by _merlin · · Score: 1

      In the early days of SELinux on Fedora I got alerts all the time, but it's never been a problem on RHEL7. They seem to have fixed the misbehaving tools and problematic policies some time in between. (I still think SELinux is a horrible hack - adding a layer to fake role-based privileges with massive black/whitelists. It all comes back to POSIX permissions being far too coarse-grained for what they're forced to protect.)

  12. Now this is good by sonamchauhan · · Score: 1

    This is the sort of stuff Intel should have developed with their McAfee acquisition.

    Companies seem to think innovation starts and ends with 'identifying potential synergies', 'acquisition', then "....profit!!!".

    For instance, eBay + Skype. They could have done something snazzy -- say, eBay seller webinars combining web video+VoIP (downstream) and landline/mobile audio (conversation/questions sent upstream asynchronously, so the landline carries part of the audio spectrum). Instead, they just went 'BAU'.

    The Microsoft + Skype business fit isn't that bad - but not that good either -- versions everywhere, with MS office plugins that offer nothing different from the market.

  13. Back to a cartridge system by AHuxley · · Score: 1

    Some form of cartridge system with a flap on the top. Externally flash chip and the user has a read only chip with new definitions and behavioural analysis.
    Fast, protected and total over view of all the hardware and software of the computer, network and OS.
    Display checksums of every upgradable part of the hardware and software.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Back to a cartridge system by Gavagai80 · · Score: 1

      I presume websites will be replaced with mail order catalogs from which appropriate site cartridges will arrive in 4-6 weeks?

      --
      This space intentionally left blank
  14. Kill it with fire by Anonymous Coward · · Score: 1

    This idea has everything to do with vendor lock-in & DRM; don't let it get outta the gate.

  15. 50% of world economy is hidden... by Anonymous Coward · · Score: 0

    Good idea but as many people if not more want malware, scam ware to succeed and will/are already recruiting engineers to workaround detection techniques. It is a big business!

  16. No it doesn't by darkHanzz · · Score: 1

    Adding hardware protections to software ones in order to block the ever increasing onslaught of computer malware seems like a solid idea
    No it doesn't. Fix the real problem

  17. Do They Detect Windows? by Anonymous Coward · · Score: 0

    Windows appears to be the most prevalent malware out there.

    1. Re:Do They Detect Windows? by Alain+Williams · · Score: 1

      So are you asserting that Microsoft will never get Windows to run on this CPU ?

  18. Fix first the obvious things by Anonymous Coward · · Score: 0

    I mean: the elephant in the room is IoT things with a default password... the user is expected to change. A user who barely knows what a password is, let alone that his/her new "thing" has an IP address, whatever *that* is. Then comes UPnP routers, which willingly poke holes in their already crappy firewall at the request of a... lightbulb.

    Let's first fix that, then think about CPUs. The latter is rather meant to control the sheeple out there anyway (What? You want to install an OPERATING SYSTEM on your device? Are you nuts?). Not where I want to go, thanks.

  19. hardware fix by Anonymous Coward · · Score: 0

    What? Hardware cannot fix a software thing. Maybe the microcode could, but the microcode will not be perfect....
    So a lot of money, hype and discussion about a new thing that should not be needed.
    Software bugs and vulnerabilities are the problem. The OS and the applications.
    Some by design (language designed that way), others because of programmer shortcomings, some hidden in the layers and layers of abstraction.
    So the geniuses have a possible new solution - and it is not in the user's view/control.
    I have to ask myself: Who is paying, who profits, and what are the ramifications/uses of such a thing?
    The answers will probably point at any ulterior motives.

  20. Good by Anonymous Coward · · Score: 0

    By the way, will this replace UEFI, NX bit, signed apps and other failed security crap?

    Or is it going to be yet another fuck up on top of the pile of previous fuck ups?

  21. Intel CET? by Anonymous Coward · · Score: 0

    See subject: It's mirrored shadow stack stopping buffer overflow exploits, stack smashing etc. (via CPU) http://blog.checkpoint.com/201...

    * It stops "ROP" gadgets (fish around RAM to get past ASLR protections) finding "return oriented programming" call areas & overwriting them...

    APK

    P.S.=> It's a great idea I've noted here before after stumbling on it https://it.slashdot.org/commen... - imo, it'd work... apk
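The mechanism this comment refers to, a shadow stack that mirrors saved return addresses and is checked on every return, is easy to see in a toy machine. The block below is an added example, not Intel's implementation or the commenter's code: it is a constructed stack machine whose `write` instruction models a memory-safety bug that can reach the saved return address on the ordinary stack, while the shadow copy is reachable only by `call` and `ret`. Only the shadow-stack half of CET is modelled; its indirect-branch-tracking half is not.

```python
"""Shadow-stack simulation: how a mirrored return stack catches a corrupted
return address.  Added example, not Intel's or the commenter's code; the
instruction set, memory layout and both programs are constructed.

Instructions (tuples):
  ("call", target)      push return address on the data stack (and on the
                        shadow stack when enabled), then jump to target
  ("ret",)              pop the return address; with the shadow stack enabled,
                        compare it with the shadow copy before jumping
  ("push", value)       push a local variable on the data stack
  ("pop",)              discard the top local
  ("write", idx, val)   overwrite data-stack slot idx (models a bug that can
                        clobber a saved return address; the shadow stack is
                        deliberately not reachable from here)
  ("halt",)
"""


class ControlFlowViolation(Exception):
    """Raised when a return address disagrees with the shadow stack."""


def run(program, shadow_stack=True, max_steps=100):
    """Execute program and return the trace of program counters visited."""
    pc, stack, shadow, trace = 0, [], [], []
    for _ in range(max_steps):
        trace.append(pc)
        op = program[pc]
        kind = op[0]
        if kind == "halt":
            return trace
        if kind == "push":
            stack.append(op[1])
            pc += 1
        elif kind == "pop":
            stack.pop()
            pc += 1
        elif kind == "write":
            stack[op[1]] = op[2]      # ordinary, writable stack memory
            pc += 1
        elif kind == "call":
            stack.append(pc + 1)      # saved return address on the data stack
            if shadow_stack:
                shadow.append(pc + 1) # mirrored copy the program cannot write
            pc = op[1]
        elif kind == "ret":
            ret = stack.pop()
            if shadow_stack:
                expected = shadow.pop()
                if ret != expected:
                    raise ControlFlowViolation(
                        f"ret to {ret} but shadow stack holds {expected}")
            pc = ret
        else:
            raise ValueError(f"unknown instruction {op!r}")
    raise RuntimeError("step limit reached")


def detects_corruption(program):
    """True if the shadow-stack check fires while running the program."""
    try:
        run(program, shadow_stack=True)
    except ControlFlowViolation:
        return True
    return False


# Constructed layout shared by both programs:
#   0: call helper           3: helper: push a local (stack slot 1)
#   1: halt  (legit return)  4: write   (the buggy store)
#   2: halt  (never a legit  5: pop
#             return target) 6: ret
WELL_BEHAVED = [("call", 3), ("halt",), ("halt",),
                ("push", 7), ("write", 1, 9), ("pop",), ("ret",)]   # store hits its own local

CORRUPTED = [("call", 3), ("halt",), ("halt",),
             ("push", 7), ("write", 0, 2), ("pop",), ("ret",)]      # store hits the saved return address

if __name__ == "__main__":
    print("well-behaved:", run(WELL_BEHAVED))
    print("corrupted, no shadow stack:", run(CORRUPTED, shadow_stack=False))
    print("corrupted, shadow stack detects it:", detects_corruption(CORRUPTED))
```

Without the shadow stack the corrupted program silently returns into address 2, a location no `call` ever targeted; with it, the mismatch is raised at the `ret` before control transfers, which is the point at which a real CPU would fault. The detection is independent of any pattern in the program's behaviour, which is why it survives the "they'll just change the pattern" objection raised earlier in the thread, though it covers only return-address corruption, not every way control flow can be diverted.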