It seems to me the authors are trying to accomplish 2 main goals:

1) Creating a clean state where it can be known that either there is only the kernel/detector loaded in memory, or, if there is also malware present, that it was not swapped out from memory.

2) Off-loading state information to another machine to analyse the other contents of memory. They seem to be primarily interested in mobile computing, where traditional virus scanners require too much resource.

If the first goal is achieved, then the mobile device could use that state to execute sensitive processing. This would be similar to a sandbox where one could perform banking with more confidence of security. Afterwards, memory could be restored (malware and all) and one could go on watching YouTube. :)

Since the authors envision the detector as an integrated part of the kernel, it could be used as proof to the verifying party that it is in a safe state. (Proof being their claim---I haven't read carefully enough to convince myself either way.)

It could also load/check known programs based on hashes, which would seem to be a useful thing. Basically, just being able to achieve a known good state is a good thing. Especially for mobile devices where there is no booting from network or CD.
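To make the two goals in the comment above concrete, here is an added toy model (not code from the paper or the commenter): a verifier hands the device a nonce, the device fills everything that is not the kernel/detector image with a nonce-derived pseudo-random stream and returns a hash of all of memory, and the verifier reproduces the expected hash from the known kernel image. Memory that malware refuses to give up changes the digest, so "only kernel/detector present" becomes a checkable claim. A second function shows the hash-based allowlist for known programs. The memory size, kernel image, program images and the "resident malware" are constructed sample values; the model deliberately ignores the timing and swap/off-device-storage questions that the real scheme has to answer, which is exactly the part the commenter says they have not verified.

```python
import hashlib
import hmac
import os
from typing import Optional

MEM_SIZE = 4096  # constructed: tiny "device memory" for the model
# Constructed stand-in for the kernel+detector image the verifier already knows.
KERNEL_IMAGE = b"KERNEL+DETECTOR v0 (constructed sample image)".ljust(256, b"\x00")


def fill_stream(nonce: bytes, length: int) -> bytes:
    """Pseudo-random fill derived from the verifier's nonce (HMAC-SHA256 in
    counter mode). Both sides can reproduce it; the device cannot precompute it."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(nonce, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class Device:
    """Simulated device: kernel/detector at the bottom of memory, free space above."""

    def __init__(self, resident_malware: Optional[bytes] = None):
        self.mem = bytearray(MEM_SIZE)
        self.mem[: len(KERNEL_IMAGE)] = KERNEL_IMAGE
        self.malware = resident_malware  # constructed; None means a clean device
        if resident_malware:
            self.mem[MEM_SIZE - len(resident_malware):] = resident_malware

    def attest(self, nonce: bytes) -> bytes:
        """Detector step: overwrite all non-kernel memory with the fill, then hash it all."""
        self.mem[len(KERNEL_IMAGE):] = fill_stream(nonce, MEM_SIZE - len(KERNEL_IMAGE))
        if self.malware:
            # Malware that wants to survive must keep its own bytes instead of the fill,
            # which is exactly what the verifier's expected digest will not contain.
            self.mem[MEM_SIZE - len(self.malware):] = self.malware
        return hashlib.sha256(self.mem).digest()


def expected_digest(nonce: bytes) -> bytes:
    """Verifier side: what a device holding only kernel+detector must report."""
    clean = KERNEL_IMAGE + fill_stream(nonce, MEM_SIZE - len(KERNEL_IMAGE))
    return hashlib.sha256(clean).digest()


def verify(device: Device, nonce: Optional[bytes] = None) -> bool:
    """Challenge the device with a fresh nonce and compare digests in constant time."""
    nonce = nonce or os.urandom(16)
    return hmac.compare_digest(device.attest(nonce), expected_digest(nonce))


# Goal from the comment's last paragraph: load/check known programs by hash.
# Constructed allowlist; a real one would be shipped by the verifying party.
KNOWN_GOOD = {
    hashlib.sha256(b"banking-app v1 (constructed image)").hexdigest(): "banking-app",
}


def check_program(image: bytes) -> Optional[str]:
    """Return the allowlisted name for an image, or None if it is unknown."""
    return KNOWN_GOOD.get(hashlib.sha256(image).hexdigest())


if __name__ == "__main__":
    print("clean device verifies:", verify(Device()))
    print("device with resident malware verifies:", verify(Device(b"MALWARE!" * 8)))
    print("known program:", check_program(b"banking-app v1 (constructed image)"))
```

Because the fill depends on the nonce, a device cannot answer from a cached digest; because the verifier recomputes the whole image, any bytes the device keeps for itself show up as a mismatch. Once `verify` succeeds, the sandbox-style use the commenter describes follows: run the hash-checked program in that state, then let the device restore whatever it had before.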