Verifying the System State for the Absence of Malware on Commodity Platforms

Several techniques exist to verify the integrity of the software image to guarantee the absence of malware on commodity computers or embedded platforms based on a hardware- or software-based root of trust. However, as modern embeddedplatforms have become increasingly complex, existing software-based attestation techniques for embedded platforms no longer cover the new hardware features.In addition, malware can infect peripherals’ firmware in a commodity computer. Such malware, once inside a peripheral, may also compromise other peripherals’firmware or the host operating system. Unfortunately, none of the existing techniques provides a mechanism for verifying the integrity of peripherals’ firmware to guarantee the absence of malware. In the first two parts of this thesis, we investigate the feasibility of addressing the following two challenges: (1) establishing a software-only root of trust on an embedded platform to verify the system state of the embedded platform, and (2) verifying the integrity of peripherals’ firmware on commodity computers. For thefirst challenge, we identify three new classes of attacks against existing software based attestation mechanisms and propose countermeasures to detect these attacks.For the second challenge, we propose a software-based scheme enabling a piece of trusted code running on the main CPU, bootstrapped through a hardware- orsoftware-based root of trust, to verify the integrity of peripherals’ firmware. The software stack on commodity computers contains an increasingly largenumber of vulnerabilities. Verifying the integrity of the entire software image on commodity computers in a hostile world is impractical for protecting security sensitiveoperations. To protect security-sensitive operations, e.g., paying bills, shopping online, accessing medical records, establishing an isolated execution environmenton commodity computers for security-sensitive operations with integrity measurement is a desirable functionality. The software-based mechanism for peripheralfirmware integrity verification can be integrated with the isolated execution environment to guarantee the absence of malware in peripherals, providing an isolated malware-free operation environment with trusted peripherals for security sensitive operations. However, one-way protected malware-free operation environment is insufficient in some practical scenarios, e.g., Cloudlets, in which two-way protection isrequired. In the third part of this thesis, we propose MiniBox, the first two-way sandbox for x86 native code that not only protects a benign OS from a misbehavingprogram, but also protects a running program from a malicious OS. To achieve two-way protection, MiniBox verifies the system state including the integrity ofperipherals’ firmware to prevent malware from spreading to either side.