Researchers Want To Use Hardware To Fight Computer Viruses
Source: Jef Cozza
Fighting computer viruses isn't just for software anymore. Binghamton University researchers will use a grant from the National Science Foundation to study how hardware can help protect computers too.
"The impact will potentially be felt in all computing domains, from mobile to clouds," said Dmitry Ponomarev, professor of computer science at Binghamton University, State University of New York. Ponomarev is the principal investigator of a project titled "Practical Hardware-Assisted Always-On Malware Detection."
More than 317 million pieces of new malware--computer viruses, spyware, and other malicious programs--were created in 2014 alone, according to work done by Internet security teams at Symantec and Verizon. Malware is growing in complexity, with crimes such as digital extortion (a hacker steals files or locks a computer and demands a ransom for decryption keys) becoming large avenues of cyber attack.
"This project holds the promise of significantly impacting an area of critical national need to help secure systems against the expanding threats of malware," said Ponomarev. "[It is] a new approach to improve the effectiveness of malware detection and to allow systems to be protected continuously without requiring the large resource investment needed by software monitors."
Countering threats has traditionally been left solely to software programs, but Binghamton researchers want to modify a computer's central processing unit (CPU) chip--essentially, the machine's brain--by adding logic to check for anomalies while running a program like Microsoft Word. If an anomaly is spotted, the hardware will alert more robust software programs to check out the problem. The hardware won't be right about suspicious activity 100 percent of the time, but since the hardware is acting as a lookout at a post that has never been monitored before, it will improve the overall effectiveness and efficiency of malware detection.
"The modified microprocessor will have the ability to detect malware as programs execute by analyzing the execution statistics over a window of execution," said Ponomarev. "Since the hardware detector is not 100-percent accurate, the alarm will trigger the execution of a heavy-weight software detector to carefully inspect suspicious programs. The software detector will make the final decision. The hardware guides the operation of the software; without the hardware the software will be too slow to work on all programs all the time."
The modified CPU will use low complexity machine learning--the ability to learn without being explicitly programmed--to classify malware from normal programs, which is Yu's primary area of expertise.
"The detector is, essentially, like a canary in a coal mine to warn software programs when there is a problem," said Ponomarev. "The hardware detector is fast, but is less flexible and comprehensive. The hardware detector's role is to find suspicious behavior and better direct the efforts of the software."
Much of the work--including exploration of the trade-offs of design complexity, detection accuracy, performance and power consumption--will be done in collaboration with former Binghamton professor Nael Abu-Ghazaleh, who moved on to the University of California-Riverside in 2014.
Lei Yu, associate professor of computer science at Binghamton University, is a co-principal investigator of the grant.
Grant funding will support graduate students that will work on the project both in Binghamton and California, conference travel and the investigation itself.
The most expensive security systems running on the most advanced devices can now be circumvented using nothing more than a $5 tool and access to a USB port. Even password-protected machines are at risk as there's little they can do to prevent the attack besides filling their USB ports with cement.
The attack was developed by hacker and security researcher Samy Kamkar, who built the tool using only some code and a Raspberry Pi Zero. PoisonTap, as he's dubbed the device, is able to siphon cookies, expose internal routers and install Web backdoors on even locked machines.
Web-Based Backdoor
When plugged into a locked or password-protected PC, PoisonTap is able to momentarily take over all Internet traffic by spoofing the IP addresses of the top 1 million Web sites. It then siphons and stores all the HTTP cookies placed by those Web sites on the target machine.
The tool also exposes the internal network router, making it accessible to the attacker remotely. It then installs a Web-based backdoor in HTTP cache for hundreds of thousands of domains. That backdoor persists even after the device is removed, giving the attacker the ability to hijack the machine remotely at a later time.
PoisonTap works by emulating an Ethernet-over-USB device. The computer than attempts to make a DHCP (Dynamic Host Configuration Protocol) request to the device, which returns an IP address while making it appear as though almost all IP addresses on the Internet are actually part of the LAN (local area network). The response forces the target computer to route its Internet traffic to PoisonTap instead of the actual Internet.
The strategy allows PoisonTap to exploit any browser running on a machine, even in cases where it is running in the background. Any automatic HTTP requests made by an advertisement, AJAX request, or dynamic Web content, causes PoisonTap to respond with attack code that is then interpreted by the browser. Once executed, the code launches 1 million hidden iframes to the top Web sites, stealing all the cookies being sent.
Use File System Encryption
There is little device users can currently do to protect their computers against the PoisonTap attack other than enabling file system encryption and putting their machines to sleep whenever other users can gain physical access to them. Only the Web servers can defend against a PoisonTap attack by using the secure flag on cookies and only allowing the HTTPS protocol to be used, instead of HTTP.
The device also poisons the cache of each domain, indefinitely force caching a Web-based backdoor that produces a Web socket to a command and control server run by the attacker. Whenever the socket is open, the attacker can remotely send commands to the target machine and force its browser to execute JavaScript code.
The attacker can also make requests from Web sites as the victim, with the user's cookies, and view the responses from the site without the victim being aware of the penetration.
| }
|