Anti-virus programs mean well, but they aren’t always good at their jobs. In 2014, a Symantec executive publicly stated that the technology only detected 45 percent of cyberattacks. This becomes a huge problem for critical systems like industrial control systems or medical systems, in which trust in the computing device becomes paramount.
CyLab researchers have been working on a solution for years, striving to establish what is known as a “root of trust,” under which one can be absolutely certain that no malware exists on a computing device.
In a breakthrough study, “Establishing Root of Trust Unconditionally,” CyLab researchers Virgil Gligor and Maverick Woo present a test that can be run on any computing device to show whether the device has been infected with malware or not. The study was presented at last week’s Network and Distributed Systems Security (NDSS) Symposium in San Diego, California, where it received a Distinguished Paper Award.
This seems important—researchers have sought such solutions for decades.Virgil Gligor, Professor, Electrical and Computer Engineering
The goal of detecting the presence of malware on a computing device with high confidence has never been achieved to date. Part of the difficulty has been rooted in malware existing on device controllers, which are the chips and cards that provide a link between two parts of a computer like a peripheral device and the computer’s memory.
“No anti-virus is going to detect malware in controllers because they have to talk to the controller,” Gligor says. “If the controller is infected, it will say everything is fine.”
Gligor says that an important aspect of their test is that it works “unconditionally,” that is, without secret keys, special hardware modules, and without any assumed limits placed on the adversary's computing power. All one needs for the test to work is to harvest strings of true random bits from nature, such as those produced by widely available quantum random number generators, and the specifications of the device's processors and memory.
“This is the only solution that exists to any security or cryptography problem that's unconditional,” says Gligor. “This seems important—researchers have sought such solutions for decades.”
The test’s effectiveness in finding malware in controllers is very high—close to 100 percent.Virgil Gligor, Professor, Electrical and Computer Engineering
One of the test’s major keys to working, Gligor says, is what he refers to as “space-time optimality.” In essence, the test runs "space-time optimal" computations on the computer in question, and if malware exists anywhere on the computer, the returned results are incorrect. That's because malware cannot hide in a corrupt image of system content, execute the space-time optimal computation on it, and then return a result that matches one for a malware-free image.
“The test’s effectiveness in finding malware in controllers is very high—close to 100 percent,” Gligor says.
The implications of the work are far-reaching, Gligor says. He likens the impact of being able to detect malware on computers with high confidence to testing for cancer of the body.
“Imagine you have cancer on some internal organ, which you don’t yet know about,” Gligor says. “Well, now you have a test that will tell you have cancer in that organ. You don't know what kind, but you know there is something wrong, and you can get it checked out.”
The bulk of this work is currently theoretical, so the researchers’ next step is to conduct more experiments on real-world systems.