what s necessary to establish malware freedom
play

Whats Necessary to Establish Malware Freedom Unconditionally? - PowerPoint PPT Presentation

Dec 20, 2023 •170 likes •397 views

Whats Necessary to Establish Malware Freedom Unconditionally? Virgil D. Gligor ECE and CyLab Carnegie Mellon University Pittsburgh, PA 15213 FCS Workshop Boston June 22, 2020 06/22/2020 1 Outline I. Background - adversary: persistent

  1. What’s Necessary to Establish Malware Freedom Unconditionally? Virgil D. Gligor ECE and CyLab Carnegie Mellon University Pittsburgh, PA 15213 FCS Workshop Boston June 22, 2020 06/22/2020 1

  2. Outline I. Background - adversary: persistent malware & its remote controller - malware-free state? unconditionally ? - a sufficient solution for the cWRAM model II. What’s necessary on real systems ? - external verifiers and challenge functions challenge functions: - optimal space-time bounds (m. t) - unique (m, t) bounds for code - target claw free within (m, t) bounds III. Q & A 06/22/2020 2

  3. I. Background V. Gligor and M. Woo, “ Establishing Software Root of Trust Unconditionally ,” in Proc. of NDSS , San Diego, CA. 2019. (full length paper - CyLab TR 2018 -003 , Nov. 2018) V. Gligor, “ A Rest Stop on the Unending Road to Provable Security ” in Proc. of SPW , Cambridge University, UK, 2019 (article and transcript of discussion) 06/22/2020 3

  4. CPU 0 Baseboard GPU CPU 1 controller Memory 1 Memory 0 CPU R M RAM Bus System CPU 4 CPU 2 remote controller Memory 4 Memory 2 persistent malware NIC CPU 3 - survives power cycles, trusted boots, and re-flashing Disk controller - under security monitors & anti-malware tools Memory 3 Don’t - no observable (hyper)properties USB controller Care 06/22/2020 4

  5. Adversary: persistent malware & its remote controller 06/22/2020 5

  6. persistent malware can - extract all software secrets stored on its computer - modify all SW/FW; e.g., at system initialization - read/write all I/O channels & communicate with remote controller - adaptively modify programs and data & execute any function on chosen input but - cannot access the processors & storage (e.g., random bits) of a connected system remote controller can - exercise all attacks that implant persistent malware on remote system - communicate with & control persistent malware - use unbounded computation power: e.g., break all complexity-based crypto but - cannot predict Nature’s throw of fair dice . . . or random bits of an QRNG - cannot modify a system’s HW 06/22/2020 6

  7. Malware-free states? Unconditionally? 06/22/2020 7

  8. Persistent malware has no externally observable (hyper)properties Q : How can malware-free states be established (w/o taking the system apart) ? A: RoT state (“ all and only chosen content ”) => malware-free state RoT failure => detect malware execution or unaccounted content ` (e.g., malware caused), or both Unconditional Establishment of RoT State - no secrets, no trusted HW modules, no bounds on remote adversary’s power - need only truly random bits & HW specifications 06/22/2020 8

  9. A Sufficient Solution on the cWRAM CPU General Purpose Regs processor state R Device random Specs bits M Initialize m-t optimal code nonce External C m,t v C nonce ß Verifier C nonce ( v )? unique & target claw free t ? OK => RoT on malware-free Device 9 06/22/2020

  10. Overview: cWRAM ISA++ - Constants: w -bit word , up to 2 operands /instruction - Constants: w -bit word , up to 2 operands /instruction instructions execute in unit time ; no cycles, frequency, voltage, current, … instructions execute in unit time ; no cycles, frequency, voltage, current, … - Memory : M words - Memory : M words - Processor registers : GPRs, PC, PSW, Special Processor Registers R - Processor registers : GPRs, PC, PSW, Special Processor Registers R - Addressing : immediate, relative, direct, indirect - Addressing : immediate, relative, direct, indirect - Architecture features: caches, virtual memory, TLBs, pipelining, multi-core processors - Architecture features: caches, virtual memory, TLBs, pipelining, multi-core processors - ISA: all (un)signed integer instructions M M - All Loads, Stores, Register transfers - All Unconditional & Conditional Branches, all branch types - all predicates with 1 or 2 operands - Halt - All Computation Instructions : - addition, subtraction, logic, shift r/l (R i , α), rotate r/l (R i , α), . . . - variable shift r/l (R i , R j ), variable rotate r/l (R i , R j ), . . . - multiplication (1 register output). . . - mod (aka., division-with-remainder) . . . 06/22/2020 10

  11. random What is a nonce? bits C m,t on cWRAM? { r 0 …r k-1 ,x } Z p $ nonce k-1 0 v i ) Ÿ x i (mod p ), s i = Σ r j (i+1) j (mod p ) H r 0 …r k-1 ,x( v ) = Σ + ( s i j = 0 d = | v |-1 i = d k-independent (almost) universal hash functions randomized polynomial family H r 0 …r k-1 ,x( v ) = H d,k,x ( v ) unique m-t optimal bounds on cWRAM code: m = k + 22, t = (6 k - 4)6 d (m’,t’) “<“ ( m , t ) => Pr [ nonce, f , y : f ( y ) = H d,k,x ( v ) | (m’,t’) ] ≤ 3 Ε Ε p target claw free within the m-t bounds 06/22/2020 11

  12. II. What’s necessary on real systems ? untrusted CPU-Memory System trustworthy challenge function executes C nonce Î { C m,t } selection: External nonce on input v Verifier { C m,t } satisfies: measurement: N 1 system response N 2 N 3 N 4 N 1 : existence of external verifier & challenge function N 2 : find a concrete space-time optimal bound: ( m,t ) N 3 : ( m,t ) is unique for program code N 4 : target claw free within ( m,t ) 06/22/2020 12

  13. (un)trusted? no 1. external verifiers system challenge & challenge functions function External proof of Observer malware freedom ? untrusted system 2 Protocols for n Detectable Properties establish => all n systems are trusted untrusted system 1 abort => ≤ n -1 systems are untrusted Detectable malware free? Property system 3 untrusted 13 06/22/2020

  14. (un)trusted? no 1. external verifiers system challenge & challenge functions function External proof of Observer malware freedom ? untrusted system 2 Necessity trustworthy? trustworthy system 1 challenge Unconditionally Detectable External malware function Byzantine Agreement Verifier for Broadcast free? system with probability 1 - ε response malware-free probability ≥ 1 - ε system 3 untrusted Legend : synchronous private channel 14 06/22/2020

  15. (un)trusted? no 1. external verifiers system challenge & challenge functions function External proof of Observer malware freedom ? untrusted system 2 Necessity trustworthy? trustworthy system 1 challenge Unconditionally Detectable External malware function Byzantine Agreement for Verifier Rational Consensus free? system with probability 1 - ε response malware-free probability ≥ 1 - ε system 3 untrusted Legend : synchronous private channel 15 06/22/2020

  16. (un)trusted? no 1. external verifiers system challenge & challenge functions function External proof of Observer malware freedom ? untrusted system 2 Necessity trustworthy? trustworthy system 1 challenge Traditional External malware function Consensus Verifier free? with crashes system response system 3 untrusted Legend : synchronous private channel 16 06/22/2020

  17. 2. find space-time bounds trusted untrusted trustworthy trustworthy system/simulator system challenge challenge External External malware function function Verifier Verifier malware free? baseline actual free C nonce (v) result baseline measurement C nonce (v) = result & = minimum amount of resources used by C nonce baseline = actual? to prevent malware running or hiding const const 37°C current, voltage, frequency, cc, temperature power time E sys ( C nonce ) E sys (C nonce ) measurement accuracy => a specific system initialization & choice of C nonce min E sys (C nonce ) => min. space-time bounds => lower (m,t) bounds = optimal (m,t) bounds min E sys (C nonce ) <≠ optimal (m,t) bounds 06/22/2020 17

  18. 2. find space-time bounds trusted trustworthy system/simulator challenge External function Verifier malware baseline free C nonce (v) baseline measurement min E sys for single core CPUs [DeVogeleer, et al. 2017] ~ mem size const ε const 0 0 E sys,i = (P cpu,i + P drop,i + P back ) · cc i · (1/(f – f k ) + β). for specific system initialization & choice of C nonce E sys (C nonce ) = Σ i E sys,i = ( P cpu,i + P back ) · cc i · (1/f + ε ) const min E sys (C nonce ) => min cc i & min mem size => lower (m,t) bounds = optimal (m,t) bounds min E sys (C nonce ) <≠ optimal (m,t) bounds of C nonce 06/22/2020 18

  19. 3. unique m-t bounds for C m,t program code execution execution time time verifier requests cWRAM initialization T T C m,T C m,T code code malware performs time C mem,time its initialization t+δt code t C M,t M – m C M,t input u’ input u code on disk code mem m +|u| M +|u| m M memory memory space space 3 space-time optimal program families C M,t δt = time to transfer M – m to/from disk T / t > 1 + δ , 0 < δ < 1; T / t > 3 in practice a) single choice : C m,t ; e.g., ( M,t ) b) C m,t = second pre-image free: u’ ≠ u => C nonce (u’) ≠ C nonce (u), whp . c) C m,t code identity in (m,t) : C nonce code in v => C nonce ( v ) is unique in (m,t), whp . 06/22/2020 19

  20. 4. target claw-free in (m,t) untrusted system nonce persistent malware remote adversary y round-trip C nonce Î { C m,t } time T v trustworthy f nonce input v C nonce ( v ) = r External C nonce response Verifier v r r, (m,t) C nonce Î { C m,t } f i , f j Î { F }, not arbitrary x j poly time f j => hardness conjectures f i and/or secrets x i r on any system 06/22/2020 20

Recommend

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

570 views • 22 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Elements of Typographic Freedom A GUIDE FOR FONT USERS Degrees of Typographic Freedom

Elements of Typographic Freedom A GUIDE FOR FONT USERS Degrees of Typographic Freedom

CHRISTOPHER ADAMS NEW YORK Elements of Typographic Freedom A GUIDE FOR FONT USERS Degrees of Typographic Freedom AVAILABILITY, FOR SALE e.g. ITC, BITSTREAM Freedom to Own GRATIS FONTSHOP, STORM TYPE Freedom to Use PDF, WEBFONTS

671 views • 23 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND &amp; CONTROL QUESTIONS &amp; ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for Malware Amount of malware is growing exponentially Anti-virus and signature based approaches are reactionary, dont work for novel malware

127 views • 11 slides
thought, persons religion or belief in worship, observance, practice and teaching,

thought, persons religion or belief in worship, observance, practice and teaching,

Freedom of religion and freedom of expression: Balancing rights Carolyn Evans, Vice-Chancellor (1) Everyone has the right to freedom of thought, conscience, religion or belief including a) A freedom to have or adopt a Section 20:

1.08k views • 13 slides
CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is software that aids in gathering A virus is a computer program that is information about a person or organization capable of making copies of itself

716 views • 56 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
On Static Malware Detection Tayssir Touili LIPN, CNRS &amp; Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS &amp; Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS &amp; Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

1.34k views • 91 slides
Preventing Conflict and Development Cooperation: linking freedom from want and freedom from fear

Preventing Conflict and Development Cooperation: linking freedom from want and freedom from fear

Preventing Conflict and Development Cooperation: linking freedom from want and freedom from fear Sakiko Fukuda-Parr Tokyo, September 2007 SCJ Conference: International Cooperation for Development In Larger Freedom United Nations, 2003 In

516 views • 37 slides
Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning Objectives By the end of this week, you will be able to: Describe types of malware See certain malware behaviors Scan and analyze malware

883 views • 25 slides
Freedom Oil &amp; Gas Investor Presentation Houston, August 5, 2018: Freedom Oil and Gas Ltd (ASX:

Freedom Oil &amp; Gas Investor Presentation Houston, August 5, 2018: Freedom Oil and Gas Ltd (ASX:

Freedom Oil &amp; Gas Investor Presentation Houston, August 5, 2018: Freedom Oil and Gas Ltd (ASX: FDM, US OTC: FDMQF) is pleased to release the presentation to be delivered by Freedom Executive Chairman and Chief Executive Officer J. Michael

574 views • 19 slides
Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Baileys ECE 422 Malware review How does the malware start running? Logic bomb? Trojan horse? Virus?

470 views • 27 slides
Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based

More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based

More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based malware: Exploit kits Fake AV Ransomware Today (continuation) How Malware Spreads Adware Computer Virus A type of malicious

647 views • 23 slides

More recommend