DIMACS TR: 2010-03

Assured Detection of Malware With Applications to Mobile Platforms



Authors: Markus Jakobsson and Karl-Anders Johansson

ABSTRACT

We introduce the first software-based attestation approach with provable security properties, and argue for its importance as a component in a new Anti-Virus paradigm. Our new method is practical and efficient. It enables detection of any malware (that does not commit suicide to remain undetected), even if the infection occurred before our security measure was loaded. Our new approach works independently of computing platform, and is eminently suited to address the threat of mobile malware, for which the current Anti-Virus paradigm is poorly suited.

Our approach is based on memory-printing of client devices. Memory-printing is a novel and light-weight cryptographic construction whose core property is that its function takes notably longer to compute if given less RAM than it was configured for. This makes it impossible for a malware agent to remain active (e.g., in RAM) without being detected, when the function is configured to use all space that should be free after all active applications are swapped out. Our approach is based on inherent timing differences for random access of RAM, flash, and other storage, and on the time to communicate with external devices.

Paper Available at: http://dimacs.rutgers.edu/archive/TechnicalReports/TechReports/2010/2010-03.pdf