Researchers need to study malware—undetected. A new technique that speeds up the process earned computer scientist Bo Chen an award at the Annual Computer Security Applications Conference.
In bare metal malware analysis, researchers study a software's malicious functions in a real device with real hardware. The problem is that realness comes with a price: Recovering information takes time.
However, it takes only 2.8 seconds with a new technique developed in part by Chen, an assistant professor of computer science at Michigan Technological University. Chen and his team's work earned the conference's outstanding paper award for “Supporting Transparent Snapshot for Bare-metal Malware Analysis on Mobile Devices,” honored for its relevance to cybersecurity analysts. As cybercrimes targeting mobile devices increase, so does the need for agile security.
"Malware is more and more difficult to detect and analyze," Chen says. "Likewise, our techniques need to be intelligent, too."
Smarter than a criminal
If cybersecurity is a game of cops and robbers, then studying malware is a police interrogation. And like any savvy criminal, a lot of malware today knows when it's being watched. To poke and prod at software that hides its malicious functions is like asking a suspect to confess a crime with no evidence—they'll plead the fifth. Instead, cybersecurity analysts would prefer to catch malware in the act.
"Malware that isn't being malicious is simply software," Chen says. "From a technical standpoint, there is no distinction."
So, cybersecurity analysts have to create an environment in which the distinction becomes apparent. Waiting for a pickpocket to steal someone's wallet, when no one is around with cameras trained on the suspect, means there will be no theft to document. However, if a thief—or bit of malware—is tempted with an unattended backpack that has been strategically placed and monitored, then it's much easier to observe the nature and process of the crime.
For malware research on mobile cybercrime, that means using a real phone.
Recovering a hacked smartphone is a pain
Salvaging a device after it's hacked is not fun for anyone, but for malware researchers the wasted time affects how much they get to interrogate malware. They've found workarounds, but the one Chen developed, called Bolt, outstrips them all.
Bolt is a recovery mechanism that ensures old data is preserved. The process is straightforward: duplicate the device's internal memory, duplicate its external storage (which uses flash memory), and ensure that certain hardware features cannot be overridden. The key is isolation.
As Chen and his team write in their abstract, "Memory snapshot is enabled by an isolated operating system (BoltOS) in the ARM TrustZone secure world, and disk snapshot is accomplished by a piece of customized firmware (BoltFTL) for flash-based block devices." That means both the memory and the disk snapshot are isolated from the malware, even the super sneaky kinds that dig deep into a device's base components. Because they're isolated, the malware cannot corrupt them. By taking advantage of those snapshots, recovering from malware infection can happen in no time. Or rather, in as little as 2.8 seconds.
The result: A reboot-less and stealthy recovery system helps cybersecurity analysts speed up the interrogation of malware suspects, and doing so makes the process more efficient and effective in catching malware-based cybercrime on mobile devices.
Michigan Technological University is a public research university, home to more than 7,000 students from 54 countries. Founded in 1885, the University offers more than 120 undergraduate and graduate degree programs in science and technology, engineering, forestry, business and economics, health professions, humanities, mathematics, and social sciences. Our campus in Michigan’s Upper Peninsula overlooks the Keweenaw Waterway and is just a few miles from Lake Superior.