Cloaking malware with the trusted platform module

Proceedings of the 20th USENIX Security Symposium

Volumn , Issue , 2011, Pages 395-410

  Dunn, Alan M ^a   Hofmann, Owen S ^a   Waters, Brent ^a   Witchel, Emmett ^a  

^a UNIVERSITY OF TEXAS AT AUSTIN   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CRYPTOGRAPHY; HARDWARE SECURITY; TRUSTED COMPUTING;

COMPUTING TECHNOLOGY; ENCRYPTION KEY; HYPERVISOR; MEMORY STATE;

MALWARE;

EID: 85076455369     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (59)

1. MyDoom.C Analysis, 2004. http://www.secureworks. com/research/threats/mydoom-c/.
2. W32/MyDoom@MM, 2005. http://vil.nai.com/vil/ content/v_100983.htm.
3. W32/AutoRun.GM. F-Secure, 2006. http://http: //www.f-secure.com/v-descs/worm_w32_ autorun_gm.shtml.
4. Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media, 2007. http://iase.disa.mil/policy-guidance/ dod-dar-tpm-decree07-03-07.pdf.
5. Owning Kraken Zombies, a Detailed Discussion, 2008. http://dvlabs.tippingpoint.com/blog/2008/ 04/28/owning-kraken-zombies.
6. TrouSerS - The open-source TCG Software Stack, 2008. http: //trousers.sourceforge.net.
7. BitLocker Drive Encryption Step-by-Step Guide for Windows 7, 2009. http://technet.microsoft.com/en-us/ library/dd835565(WS.10).aspx.
8. Intel Trusted Execution Technology (Intel TXT)MLE Developer's Guide, 2009.
9. ST Microelectronics, 2010. Private communication.
10. AMD64 Architecture Programmer's Manual, Volume 2: System Programming, 2010.
11. Embedded security. Infineon Technologies, 2010. http:// www.infineon.com/tpm.
12. Intel 64 and IA-32 Architectures Software Developer's Manual, Volume 2B, 2010.
13. Microsoft Security Bulletin Search, 2010. http://www. microsoft.com/technet/security/current.aspx.
14. Trusted Computing Whitepaper. Wave Systems Corporation, 2010. http://www.wave.com/collateral/Trusted_ Computing_White_Paper.pdf.
15. PolarSSL Open Source embedded SSL/TLS cryptographic library, 2011. http://polarssl.org.
16. AH KIM, H., AND KARP, B. Autograph: Toward Automated, Distributed Worm Signature Detection. In USENIX Security (2004).
17. BERGER, S., CACERES, R., GOLDMAN, K. A., PEREZ, R., SAILER, R., AND VAN DOORN, L. vTPM: Virtualizing the Trusted Platform Module. In USENIX Security (2006).
18. BETHENCOURT, J., SONG, D., AND WATERS, B. Analysis-Resistant Malware. In NDSS (2008).
19. BRUMLEY, D., HARTWIG, C., LIANG, Z., NEWSOME, J., SONG, D., AND YIN, H. Automatically Identifying Trigger-based Behavior in Malware. In Botnet Detection. Springer, 2008.
20. CABALLERO, J., POOSANKAM, P., KREIBICH, C., AND SONG, D. Dispatcher: Enabling Active Botnet Infiltration Using Automatic Protocol Reverse-engineering. In CCS (2009).
21. CHEN, L., AND RYAN, M. Attack, Solution, and Verification for Shared Authorisation Data in TCG TPM. vol. 5983 of Lecture Notes in Computer Science. Springer, 2010.
22. CHIEN, E. CodeRed Worm, 2007. http://www.symantec. com/security_response/writeup.jsp?docid= 2001-071911-5755-99.
23. CHRISTODORESCU, M., AND JHA, S. Static Analysis of Executables to Detect Malicious Patterns. In USENIX Security (2003).
24. COMPARETTI, P. M., SALVANESCHI, G., KIRDA, E., KOLBITSCH, C., KRUEGEL, C., AND ZANERO, S. Identifying Dormant Functionality in Malware Programs. In IEEE S&P (2010).
25. DOLEV, D., DWORK, C., AND NAOR, M. Nonmalleable cryptography. SIAM J. Comput. 30, 2 (2000), 391-437.
26. FALLIERE, N., MURCHU, L. O., AND CHIEN, E. W32.Stuxnet Dossier, 2010. Version 1.3 (November 2010).
27. FINNEY, H. PrivacyCA, 2009. http://www.privacyca. com.
28. GENTRY, C. Fully homomorphic encryption using ideal lattices. In STOC (2009), pp. 169-178.
29. HALDERMAN, J. A., SCHOEN, S. D., HENINGER, N., CLARKSON, W., PAUL, W., CAL, J. A., FELDMAN, A. J., AND FELTEN, E. W. Lest we remember: Cold boot attacks on encryption keys. In USENIX Security (2008).
30. HU, X., CKER CHIUEH, T., AND SHIN, K. G. Large-scale Malware Indexing Using Function-call Graphs. In CCS (2009).
31. KASSLIN, K., AND FLORIO, E. Your Computer is Now Stoned (.Again!). The Rise of the MBR Rootkits, 2008. http://www.f-secure.com/weblog/archives/ Kasslin-Florio-VB2008.pdf.
32. KAUER, B. OSLO: Improving the security of trusted computing. In USENIX Security (2007).
33. KIVITY, A. kvm: The Linux Virtual Machine Monitor. In Ottawa Linux Symposium (2007).
34. KNOWLES, D., AND PERRIOTT, F. W32.Blaster.Worm, 2003. http://www.symantec.com/security_response/ writeup.jsp?docid=2003-081113-0229-99.
35. KOLBITSCH, C., COMPARETTI, P. M., KRUEGEL, C., KIRDA, E., ZHOU, X., AND WANG, X. Effective and Efficient Malware Detection at the End Host. In USENIX Security (2009).
36. KOLBITSCH, C., HOLZ, T., KRUEGEL, C., AND KIRDA, E. Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries. In IEEE S&P (2010).
37. KURSAWE, K., SCHELLEKENS, D., AND PRENEEL, B. Analyzing Trusted Platform Communication. In ECRYPT Workshop, CRASH CRyptographic Advances in Secure Hardware (2005).
38. MATROSOV, A., RODIONOV, E., HARLEY, D., AND MALCHO, J. Stuxnet Under the Microscope, 2010. Revision 1.2.
39. MCCUNE, J. M., LI, Y., QU, N., ZHOU, Z., DATTA, A., GLIGOR, V., AND PERRIG, A. TrustVisor: Efficient TCB Reduction and Attestation. In IEEE S&P (2010).
40. MCCUNE, J. M., PARNO, B., PERRIG, A., REITER, M. K., AND ISOZAKI, H. Flicker: An Execution Infrastructure for TCB Minimization. In EuroSys (2008).
41. MCCUNE, J. M., PERRIG, A., AND REITER, M. K. Safe passage for passwords and other sensitive data. In NDSS (2009).
42. MITCHELL, C. J., Ed. Trusted Computing. Institution of Electrical Engineers, 2005.
43. NAZARIO, J. The Conficker Cabal Announced, 2009. http://asert.arbornetworks.com/2009/02/ the-conficker-cabal-announced/.
44. O'DEA, H. The Modern Rogue - Malware with a Face. In Virus Bulletin Conference (2009).
45. PORRAS, P., SAIDI, H., AND YEGNESWARAN, V. An Analysis of Conficker's Logic and Rendezvous Points, 2009. http:// mtc.sri.com/Conficker/.
46. POST, A. W32.Storm.Worm, 2007. http://www.symantec. com/security_response/writeup.jsp?docid= 2001-060615-1534-99.
47. PREDA, M. D., CHRISTODORESCU, M., JHA, S., AND DEBRAY, S. A Semantics-based Approach to Malware Detection. In POPL (2007).
48. SACCO, A. L., AND ORTEGA, A. A. Persistent BIOS Infection. In CanSecWest Applied Security Conference (2009). http://www.coresecurity.com/content/ Persistent-Bios-Infection.
49. SINGH, S., ESTAN, C., VARGHESE, G., AND SAVAGE, S. Automated Worm fingerprinting. In OSDI (2004).
50. STRASSER, M., STAMER, H., AND MOLINA, J. TPM Emulator, 2010. http://tpm-emulator.berlios.de/.
51. TARNOVSKY, C. Hacking the Smartcard Chip. In Black Hat (2010).
52. TRUSTED COMPUTING GROUP. TPM Main Specification, 2007.
53. WHEELER, D. A. SLOCCount. http://www.dwheeler. com/sloccount/, 2001.
54. WOJTCZUK, R. Exploiting large memory management vulnerabilities in Xorg server running on Linux. Invisible Things Lab, 2010.
55. WOJTCZUK, R., RUTKOWSKA, J., AND TERESHKIN, A. Another Way to Circumvent Intel Trusted Execution Technology. Invisible Things Lab, 2009.
56. WOJTCZUK, R., AND TERESHKIN, A. Attacking Intel BIOS. Invisible Things Lab, 2010.
57. WONG, C., BIELSKI, S., MCCUNE, J. M., AND WANG, C. A Study of Mass-mailing Worms. In ACM Workshop On Rapid Malcode (2004).
58. YIN, H., SONG, D., EGELE, M., KRUEGEL, C., AND KIRDA, E. Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis. In CCS (2007).
59. YOUNG, A., AND YUNG, M. Malicious Cryptography: Exposing Cryptovirology. Wiley, 2004.