Researchers Set To Work On Malware-Detecting CPUs

Orome1 quotes a report from Help Net Security: Adding hardware protections to software ones in order to block the ever increasing onslaught of computer malware seems like a solid idea, and a group of researchers have just been given a $275,000 grant from the National Science Foundation to help them work on a possible solution: malware-detecting CPUs. This project, titled "Practical Hardware-Assisted Always-On Malware Detection," will be trying out a new approach: they will modify a computer's CPU chip to feature logic checks for anomalies that can crop up while software is running. "The modified microprocessor will have the ability to detect malware as programs execute by analyzing the execution statistics over a window of execution," Ponomarev noted. "Since the hardware detector is not 100-percent accurate, the alarm will trigger the execution of a heavy-weight software detector to carefully inspect suspicious programs. The software detector will make the final decision. The hardware guides the operation of the software; without the hardware the software will be too slow to work on all programs all the time."

Re:

[AmiMoJo]

You can't make a useful OS completely secure. How would you defend against things like the RowHammer attack? Only run interpreted code in a VM maybe, but it would be slow. That's where this malware detecting CPU comes in.

Anyway, since no one and no software is perfect, the best way to secure a system is in layers. Every extra one helps.

Re:

[Yvan256]

Anyway, since no one and no software is perfect, the best way to secure a system is in layers.

What do you mean? Cake layers or onion layers?

Re:

[Mikkeles]

Not a panacea (hardware issues, e.g., row-hammer, can still cause problems), but proof carrying code [wikipedia.org] would be a great step forward.

Re:

[AHuxley]

AC the security services would just go deeper. Alter the storage control chip or other hardware chips, well away from any deep software OS scan by AV.
Every boot would load up gov malware that the OS and AV would give a free pass to. Recall the US keystroke logging software.
https://en.wikipedia.org/wiki/... [wikipedia.org] efforts.

made in China

[turkeydance]

outstanding product safety record

Re:

[ELCouz]

outstanding product security record... FTFY

Neat, oh wait what

[Anonymous Coward]

The software will make the final decision... oh so you mean just like it already does, got it.

No Way

[spaceman375]

In no way is this a good idea. No software is perfect, doubly so for security software. That includes the microcode this hardware is based on. Go ahead, implement it in hardware, which by definition cannot be upgraded or patched. Soon enough someone will find a vulnerability, and then an exploit, and there's nothing you can do to mitigate it beyond just buying newer hardware.

Re:

[Chrontius]

In that case, you could just put the software on a socketed card like a TPM module.

Not the first

[campuscodi]

Since 2014 I've been reading about hardware-based detection. I'm starting to think this is just panacea... like those cloud-based antivirus engines that never picked up anything. Here's a bunch of research on the topic: http://www.ieee-security.org/T... [ieee-security.org] http://caslab.eng.yale.edu/wor... [yale.edu] http://www.cs.binghamton.edu/~... [binghamton.edu] http://www.cs.binghamton.edu/~... [binghamton.edu]

Re:

[ausekilis]

Intel tried to do something like this with their acquisition of McAffee.. Only to spin-off (sell) the company a few years later.

Anybody know enough to explain how this is different?

fool's errand

[Gravis Zero]

The second you make hardware look for a pattern, they will design malware to violate that pattern and go undetected. This is a fool's errand.

Re:

[Some nick or other]

1. Make a program that asks the CPU if it's malware.
2. Have the program do malwary stuff if the CPU says it's not malware, and do benign stuff otherwise.
3. Profit! (Or laugh.)

Re:

[_merlin]

In the early days of SElinux on Fedora I got alerts all the time, but it's never been a problem on RHEL7. They seem to have fixed the misbehaving tools and problematic policies some time in between. (I still think SElinix is a horrible hack - adding a layer to fake role-based privileges with massive black/whitelists. It all comes back to POSIX permissions being far too couarse-grained for what they're forced to protect.)

Now this is good

[sonamchauhan]

This is the sort of stuff Intel should have developed with their McAfee acquisition.

Companies seem to think innovation starts and ends with 'identifying potential synergies', 'acquisition', then "....profit!!!".

For instance, eBay + Skype. They could have done something snazzy -- say, eBay seller webminars with combining web video+VoIP (downstream), and landline/mobile audio (conversation/questions sent upstream asynchronously. So the landline carries part of the audio spectrum). Instead, they just went 'BAU

Back to a cartridge system

[AHuxley]

Some form of cartridge system with a flap on the top. Externally flash chip and the user has a read only chip with new definitions and behavioural analysis.
Fast, protected and total over view of all the hardware and software of the computer, network and OS.
Display checksums of every upgradable part of the hardware and software.

Re:

[Gavagai80]

I presume websites will be replaced with mail order catalogs from which appropriate site cartridges will arrive in 4-6 weeks?

Kill it with fire

[Anonymous Coward]

This idea has everything to do with vendor lock-in & DRM; don't let it get outta the gate.

No it doesn't

[darkHanzz]

Adding hardware protections to software ones in order to block the ever increasing onslaught of computer malware seems like a solid idea
No it doesn't. Fix the real problem

Re:

[Alain Williams]

So are you asserting that Microsoft will never get Windows to run on this CPU ?