A technique known as software-based attestation can provide an alternative defense against malware by performing infection scans periodically and detect the presence of any program that refuses to be inactivated – as well as any inactivated program that is known to be malicious. The scans can be performed each time a user is about to log in to her bank; before she uses her phone to vote in an election; every time she charges her phone, etc. By scanning periodically, as opposed to nearly constantly as traditional AV methods require, battery power is conserved. At the same time, secure software-based attestation methods would guarantee the detection of any unwanted program and achieve retroactive detection of infection, including yet-unknown malicious software. This greatly helps to counter quickly evolving malware threats.

We introduce a new and provably secure approach to software-based attestation, suitable for smartphones, smartbooks and netbooks. Our new approach is based on two basic principles:

1. Malware must either be active in RAM or passively reside in secondary storage – but only active malware can attempt to avoid detection by attacking the scanning software. Therefore, if one can first make sure that there is no active process in RAM – except for the scanning software itself – then one can proceed to perform the function that needs security, safe in the knowledge that malware cannot corrupt the process. This can be done whether this process is to log in, cast a vote, or scan secondary storage for infections.
2. Accessing flash or external resources takes considerably more time than to access RAM – especially if memory is not accessed linearly. That means that if we fill the portion of RAM that should be empty with a pseudo- random string and then compute a special kind of checksum on all of RAM, then active malware will be detected. Namely, it has to be in RAM, and therefore has to displace some part of the pseudo-random string. As any displaced portion is requested by the checksum function, it has to be obtained from somewhere – computed, loaded from flash, or obtained from some external source. This takes longer than simply accessing RAM. By having an external verifier both ask the scanned device for the result of the checksum computation, and time how long it took to compute the checksum, malware will be detected. Note that it does not matter what kind of malware it is, or what it does.

Software-based attestation has been researched for several years by several teams of computer scientists. All prior software-based attestation methods, however, are unsuitable for use on handsets. Solutions designed for embedded devices for example, do not work on handsets. The reason is that a malware agent on an embedded device cannot establish a radio connection to an external resource in order to cheat, whereas a malware agent on a handset can do that. Other solutions require too much computation for handsets, and are only practical on powerful computers. Most of the proposed solutions are heuristic, which means that their security cannot be proven. Indeed, most of them have been found to have some security flaw. Other possible approaches to address the mobile malware problem, referred to as trusted computing, rely on the addition of special-purpose hardware.

What do we guarantee?

Ask for more information

Request whitepapers