
Detecting Malicious Code in Firmware

The problem of information security has become critical because of the growing dependence of the economy and the armed forces on complex networked information systems. Of particular concern is malicious code, which has been described as code that is intentionally added to or changed in a software system to cause harm or to subvert the intended function of the system. Examples of malicious code include time-bombs, viruses, worms, and Trojan horses.

Unfortunately, most ongoing security research efforts (type-safe languages, proof-carrying code, static scanning, etc.) do not address the problem of firmware security, as was noted in a recent report by the Infosec Research Council.

Existing technologies for detecting malicious code, such as computer viruses, are generally based on naïve techniques that scan a program looking for surface-structure features such as lexical patterns. These techniques are best suited to looking for viruses that have already been detected by other means. They are not well suited to detecting entirely new viruses or polymorphic viruses, which can modify themselves to elude detection. Furthermore, they are entirely unsuitable for detecting other forms of malicious code, such as Trojan horses inserted via an insider attack.

We believe that only techniques based on inspecting a program's deep structure stand a chance of being effective at helping to reliably detect malicious code. Deep structure representations, such as dependence graphs, capture a program's essential semantics. Once in such a form, malicious code detection is a matter of pattern matching to identify anomalous properties of the graph. Two powerful techniques are available to help in this task: context-free language reachability, and model checking.

Under an Air Force Research Laboratory SBIR contract, GrammaTech is developing techniques for using context-free language reachability and model checking to detect malicious code in firmware. The proposed system will disassemble/decompile firmware into a high-level representation such as control-flow graphs or C code that can be examined by a security analyst using CodeSurfer. A sophisticated querying mechanism will be used to enable detection of deep-structure patterns indicative of malicious code. A new high-level user interface will permit the analyst to easily access this querying capability to search for tell-tale signs of possibly malicious code, and view the relevant portion of the suspicious firmware. To make the solution scalable to large pieces of firmware, we will leverage existing technology in CodeSurfer, such as slicing and chopping, to reduce the size of code that must be examined when a tell-tale sign is found.
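As an added illustration of the dependence-graph pattern matching and the slicing/chopping described in the two paragraphs above (this is not GrammaTech's code or CodeSurfer's API), the following builds a constructed toy program dependence graph and flags a time-bomb shape: a destructive operation whose backward slice contains a real-time-clock read. The node labels, function names and graph are hypothetical.

```python
from collections import deque
# Constructed toy program dependence graph (PDG) for a firmware routine.
# Node labels are hypothetical statements; an edge (src, dst, kind) means
# dst depends on src. Hand-built sample, not the output of a real tool.
NODES = {
    "n1": "t = read_rtc()",
    "n2": "if t > TRIGGER_DATE",
    "n3": "cfg = load_config()",
    "n4": "erase_flash(BOOT_REGION)",
    "n5": "log(cfg)",
}
EDGES = [
    ("n1", "n2", "data"),     # branch condition uses the clock value
    ("n2", "n4", "control"),  # erase runs only under that branch
    ("n3", "n5", "data"),     # unrelated: log depends on config
]

def adjacency(edges):
    """Predecessor map (what a node depends on) and successor map."""
    back, fwd = {}, {}
    for src, dst, _kind in edges:
        back.setdefault(dst, set()).add(src)
        fwd.setdefault(src, set()).add(dst)
    return back, fwd

def closure(start, adj):
    """Nodes reachable from start over adj (BFS), including start."""
    seen, work = {start}, deque([start])
    while work:
        for m in adj.get(work.popleft(), ()):
            if m not in seen:
                seen.add(m)
                work.append(m)
    return seen

def backward_slice(node, edges):
    """Every statement the given node transitively depends on."""
    return closure(node, adjacency(edges)[0])

def chop(source, sink, edges):
    """Statements lying on some dependence path from source to sink."""
    back, fwd = adjacency(edges)
    return closure(source, fwd) & closure(sink, back)

def time_bomb_hits(nodes, edges, clock_fn="read_rtc", sink_fn="erase_flash"):
    """Tell-tale sign: a destructive sink whose backward slice contains a clock
    read. Returns (clock_node, sink_node, chop) triples for the analyst."""
    clocks = {n for n, s in nodes.items() if clock_fn in s}
    sinks = {n for n, s in nodes.items() if sink_fn in s}
    return [(c, k, sorted(chop(c, k, edges)))
            for k in sinks for c in clocks & backward_slice(k, edges)]
```

The chop is what the analyst would actually look at: it keeps only the statements on the path from the clock read to the erase, discarding the unrelated config/log code.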


© 2007-2008, GrammaTech, Inc. All rights reserved.