A technique known as software-based attestation can provide an alternative defense against malware by performing infection scans periodically and detect the presence of any program that refuses to be inactivated – as well as any inactivated program that is known to be malicious. The scans can be performed each time a user is about to log in to her bank; before she uses her phone to vote in an election; every time she charges her phone, etc. By scanning periodically, as opposed to nearly constantly as traditional AV methods require, battery power is conserved. At the same time, secure software-based attestation methods would guarantee the detection of any unwanted program and achieve retroactive detection of infection, including yet-unknown malicious software. This greatly helps to counter quickly evolving malware threats.
With our products, we have introduced a new and provably secure approach to software-based attestation, suitable for smartphones, smartbooks and netbooks. Our new approach is based on two basic principles:
- Malware must either be active in RAM or passively reside in secondary storage – but only active malware can attempt to avoid detection by attacking the scanning software. Therefore, if one can first make sure that there is no active process in RAM – except for the scanning software itself – then one can proceed to perform the function that needs security, safe in the knowledge that malware cannot corrupt the process. This can be done whether this process is to log in, cast a vote, or scan secondary storage for infections.
- Accessing flash or external resources takes considerably more time than to access RAM – especially if memory is not accessed linearly. That means that if we fill the portion of RAM that should be empty with a pseudo- random string and then compute a special kind of checksum on all of RAM, then active malware will be detected. Namely, it has to be in RAM, and therefore has to displace some part of the pseudo-random string. As any displaced portion is requested by the checksum function, it has to be obtained from somewhere – computed, loaded from flash, or obtained from some external source. This takes longer than simply accessing RAM. By having an external verifier both ask the scanned device for the result of the checksum computation, and time how long it took to compute the checksum, malware will be detected. Note that it does not matter what kind of malware it is, or what it does.
Software-based attestation has been researched for several years by several teams of computer scientists. All prior software-based attestation methods, however, are unsuitable for use on handsets. Solutions designed for embedded devices for example, do not work on handsets. The reason is that a malware agent on an embedded device cannot establish a radio connection to an external resource in order to cheat, whereas a malware agent on a handset can do that. Other solutions require too much computation for handsets, and are only practical on powerful computers. Most of the proposed solutions are heuristic, which means that their security cannot be proven. Indeed, most of them have been found to have some security flaw. Other possible approaches to address the mobile malware problem, referred to as trusted computing, rely on the addition of special-purpose hardware.
FatSkunk offers a tiny embedded software client, which can be freely loaded into the device at the time of it’s manufacture. This client then uses principles of physics to scan the device memory and determine the time it took. The client then talks to a remote server, which can be hosted in anyone’s cloud, and based on timing results, the server determines the security posture of the device, not the device itself. Thus for the first time, a device can truly be trusted since the trust of that device is moved into the host location. FatSkunk client and server products will be commercially available by the third quarter of this year.