
Clear Hat has been awarded a Phase I contract for SBIR topic OSD09-IA2, Countermeasures to Covert Access Methods to Reduce Attack Susceptibility and Ensure Trust. The primary objective of this project is to develop software and data protection technologies that provide countermeasures to sophisticated covert access methods on critical end node computer systems.
Malware techniques tend to exhibit an adaptive, co-evolutionary pattern in response to security software and hardware advancements. Improvements in kernel malware detection and the emergence of hardware virtualization technology have motivated attackers (and security researchers) to develop increasingly covert and sophisticated low level offensive techniques. These techniques highlight a paradigm shift from reliance upon the Operating System to the exploitation of lower level Operating System Independent attack vectors.
In general, sophisticated Operating System Independent attacks can be characterized by their exploitation of one or more low level system resources. These resources include, but are not limited to, System Management Mode, the System BIOS, PCI Option ROMs, DMA capabilities, the ACPI Power Management Interface, and Virtualization technologies. They are further characterized by their ability to compromise the security of the system without making any detectable changes to the Operating System itself. Traditional approaches to software protection have often focused upon protecting the Operating System kernel and/or critical applications while excluding, or conveniently ignoring, the fact that many of the low level resources their “protected” OS relies upon remain subject to exploitation. Rather than viewing kernel protection as the end goal, we feel that the OS kernel should be viewed as one of many equally critical resources. For example, an attacker typically has to run kernel driver code within the Operating System in order to launch a low level exploit, and Operating System Dependent kernel rootkits are far more prevalent “in the wild” than sophisticated, low level BIOS or SMM malware. We suggest that an effective security solution must simultaneously and equally address both Operating System Dependent and Operating System Independent attack vectors, because the two problems are intertwined.
We believe that machine learning algorithms can be applied to low level data streams in order to detect and prevent sophisticated, covert cyber attacks. Machine learning algorithms have been successfully applied to the problem of network based intrusion detection; however, little research has been done toward applying them to other types of intrusive behavior that manifest in lower level, non network based data streams. Furthermore, we believe that our approach has the potential to significantly advance the current state of technology for detecting sophisticated covert or intrusive system behavior. Anticipated benefits include a method of dealing with the false positive problem that plagues heuristic malware detection methods, and the development of a generic detection platform applicable both to Operating System Dependent attacks like kernel rootkits and to more sophisticated Operating System Independent attacks like SMM / BIOS rootkits. If successful, the end result of this effort will be a unified framework capable of detecting both types of attack.