An Inexpensive Plug-and-Play Hardware Security Module to Restore ...

1 downloads 0 Views 628KB Size Report
malware, etc. although about 95% people use antivirus software. Recent studies ... This research was partially supported by Wichita State University College.
An Inexpensive Plug-and-Play Hardware Security Module to Restore Systems from Malware Attacks Abu Asaduzzaman

Muhammad F. Mridh

M. Nazim Uddin

Dept. of Elec. Eng. & Computer Sci. Wichita State University Wichita, Kansas, USA [email protected]

Dept. of Computer Sci. & Eng. University of Asia Pacific Dhanmondi, Dhaka, Bangladesh [email protected]

Design Engineering Services Microchip Technology Inc. Chandler, Arizona, USA [email protected]

Abstract—Despite the booming of cloud computing, people will be using PCs for various good reasons including connecting to the cloud server. According to a 2009 report, more than two million people in every month have had their computer affected by malware, etc. although about 95% people use antivirus software. Recent studies warn that two most terrifying facts regarding malware attacks are (i) attacks intensified by 68% in year 2011 than in year 2010 and (ii) targets shifted towards end-point systems. However, 'there is no legal solution to malware'. Current software-based solution (like anti-virus software) to secure a system from malware attacks or restore a system after attacks is expensive and becomes obsolete very quickly. Contemporary state-of-the-art hardware security modules (HSMs) are not adequate to protect and restore end-user’s computer systems from malware attacks in a hassle-free costeffective way. In this work, we propose an USB memory based solution to restore a full system including operating system (OS), application software, and data files, if needed due to malware attacks. Proposed easy- steps solution is suitable for most systems (old or new), most OSs (Windows or Linux), and all users (novice or moderate or advanced level). Based on our preliminary experience, we are convinced that the proposed system recovery solution is feasible. In fact, proposed user friendly solution has potential to save big money and reduce distress for most users. Keywords—‘Decrypt’ image disk, ‘encrypt’ primary disk, hardware security module, restoring systems, malware attacks

I.

INTRODUCTION

According to a report published in the Telegraph (in UK) in May 2009, more than 12 million people had their computers affected in last 6 months by malware, virus, etc. The results came despite the fact that 95% people claimed that they used antivirus software [1]. The data collected in 2011 regarding malware and virus attacks is frightening. Recent statistics reveal that (i) malware attacks increased by 68% in 2011 when compared to that in 2010, (ii) small organizations were targeted with denial of service (DoS) and distributed denial of service (DDoS) attacks, and (iii) more attackers are aimed to end-users and end-systems [2, 3].

This research was partially supported by Wichita State University College of Engineering (Grant# D11012).

A computer program or a segment of code that manipulate user information in a destructive manner without the authorization of the user is generally defined as a computer virus or malicious software (malware). As the computer usages are increasing, the (software and) malware development is also surging [4, 5]. Although some modern viruses are preventable by using antivirus software, viruses such as Boot sector, Multipartite, Worms, Polymorphic, Rootkits, Metamorphic, and Memory resident virus often cannot be traced by signature scanning or code scanning. Due to attacks of these viruses, the system may need a full restore that includes formatting the hard drive, reinstalling the OS, downloading/reinstalling drivers, downloading/reinstalling update/patch files, and reinstalling application software. Even though some OSs provide the system restore functionality, in an event where boot sector or the entire partition is affected (by Rootkits, Multipartite, etc.), system restore may not work [6-8]. Average users are not erudite enough to handle such intricate issues. As a consequence they have to pay a good amount of money for those services. In order to manage a steadfast computer system without extra cost and training, we propose an inexpensive plug-n-play hardware security module (HSM) based solution. HSMs are also known as hardware cryptographic device and cryptographic module. In general, HSM is defined as a piece of hardware and associated software/firmware that usually attaches to a PC (or server) and provides at least the minimum of cryptographic functions including encryption and decryption. The physical device (i.e., HSM) has a user interface and a programmable interface [9]. In this work, we introduce an USB memory (to hold a light version of customized OS) based HSM solution to restore computer systems from malware attacks in an expensive and easy way. This paper is organized as follows. In Section II, some related surveyed articles are presented. Section III summarizes hardware security modules. In Section IV, proposed USB memory based system recovery solution is introduced. Proposed system recovery approach is evaluated in Section V. Section VI discusses the significance of the proposed solution. Finally, this work is concluded in Section VII.

978-1-4799-0400-6/13/$31.00 ©2013 IEEE

II.

SURVEY

A few selected published articles closely related to hardware security modules and malware attacks are discussed in this section. A summary of computer threats faced in 2011 monitored by Europe based Redscan on its customers in Europe and Worldwide is discussed in [1]. In 2011, Redscan Network Box Security Response issued more than 8 signatures per second (that is 26% more than the previous year). As shown in Table I, hacktivist attacks are more (and growing); 56% of the total attacks in 2011. This report also reveals that hackers are targeting more small businesses and end-users with denial of service (DoS) and distributed DoS using malware. TABLE I. ATTACKS IN YEAR 2011 Type of Attack

Percentage (%)

Hacktivist attacks using malware, etc.

56

ICS and SCADA vulnerabilities

17

Mobile device attacks

11

Network breaches

11

SSL vulnerabilities

5

Malware was considered more of a proof of concept software program than a tool to be used for data theft until the early 1990s. The situation has changed dramatically in the last two decades. Using malware is a natural evolution for cyberattacks. Among all kind of malwares, memory parser malware led the way, accounting for 45% of all investigated by SpiderLabs in 2010 [3]. As point-of-sale (POS) systems are widely used for convenience and very vulnerable, criminals use them to obtain the data necessary to commit payment card fraud. New malware found in 2010 was a POS applicationspecific malware. Much of what is call ‘convenience’ (even though the consequences may be very inconvenient) is a considerable part of the reason malware is so widespread in this world. Unfortunately, 'there is no legal solution to malware' [10]. Therefore, computer users need to be careful about what they are doing. Also, there should be inexpensive and easy solutions for average users to recovery their systems, when needed. Most common practice to recover an infected PC include the following steps: (i) logon in safe mode – Microsoft's Safe Mode loads only the minimum required programs and services, (ii) delete temporary files – doing this may speed up the virus scanning and even get rid of some malware, and (iii) run antivirus software like Malwarebytes – examine any detected suspect files, and remove any suspect files [11]. In some cases when the malware cannot be removed or the PC does not function properly, useful documents are copied to external disk(s) before re-installing the OS. In the worst case, the PC (i.e., OS) cannot be turned on properly. The only solution to

this problem is reformatting the hard drive and reinstalling the OS, which is time-consuming, troublesome, and can be expensive. Reformatting hard drive and reinstalling OS expect administrator level skill and required software. In this work, we propose a HSM based cool and cheap solution for full system recovery (including OS, application software, and data files), if needed due to malware attacks. III. HARDWARE SECURITY MODULE A hardware security module is a piece of hardware and associated software/firmware that are usually attached to a PC or server and provides at least the minimum of cryptographic functions (like encryption and decryption). It is helpful to have the basic knowledge of HSM to understand our proposed approach. Therefore, we briefly discuss HSM functions, usages, and some drawbacks in this section. A. HSM Functions An HSM provides accelerated cryptographic operations such as encryption, digital signatures, and hashing. We use encryption technique in our solution. In cryptography, encryption is a process of obscuring information so that it cannot be read without a ‘special key’. This is typically done for secrecy. We use encryption for security and compression. B. Usages of HSM An HSM has a number of different uses. Generally HSMs are implemented for the following usages: • • •

To securely encrypt sensitive data for storage in a relatively non-secure location such as a database. To aid in authentication by verifying digital signatures. To generate secure key for smartcard production.

C. Pitfalls of HSM The biggest drawbacks to using an HSM are associated to cost, user friendliness, and upgrading. The price can range from under a thousand dollars each to many thousands, depending on the level of required functionality and security. HSM vendors typically withhold a lot of information about how their security products work. Between HSMs and software, HSMs are difficult to upgrade. IV.

PROPOSED SYSTEM RECOVERY APPROACH

Instead of traditional Tom-and-Jerry type solutions (virus, anti-virus software, new/improved virus, new/improved antivirus software, so on and so forth), we propose a hardware security module based solution to re-establish (and thus protect) computer systems from malware attacks. Required functionalities (modified light OS and software) are built and loaded into an USB memory (hardware). A. Proposed System Architecture According to the proposed hardware/software based HSM solution, the computer system requires two discrete hard disks

and one USB memory. When security is concerned, the presence of two physical hard disks in a system has a greater advantage over the logical partitions. Logical partitions can be affected with viruses even though the user does not access it. Schematic in Figure 1 illustrates our proposed system architecture. Here, one disk (usually the internal disk) should act as the Primary Drive and the other one (external or internal) as a Backup Drive. The bootable ‘Hot USB Memory’ contains special software. The functionalities of the proposed failsafe solution are controlled by the specially developed software loaded into the USB memory. This software is the updated edition of an open-source light-version Linux OS; it is carefully designed to perform the ‘Encrypt’ (discussed later) and ‘Decrypt’ (discussed later) commands.

If the system (i.e., Primary Drive) is infected by malware/virus and anti-virus software fails to fix it, ‘Decrypt’ process should be used to rebuild a clean system without losing any important applications and data files. At the beginning of the ‘Decrypt’ process, user can scan any files/folders from the primary disk and store them (into the USB memory). Then, ‘Decrypt’ function formats the primary disk and reinstates a clean system from the backup disk to the primary disk. After that, user may copy files/folders, as appropriate, from the USB memory to the primary disk. Finally, user should shut down the system completely, disconnect the backup disk and USB memory, and re-start the system. Again, system should normally start from the Primary Drive.

Fig. 1 Proposed system architecture.

B. Key Functionalities There are three key functionalities of the proposed approach; they are: (i) ‘Encrypt’, (ii) ‘Decrypt’, and (iii) Close as shown in Figure 2. ‘Encrypt’ refers to the process of creating a bootable image of an existing clean system including OS, application software, and selected data files (from the Primary Drive) and store it in a Backup Drive. ‘Decrypt’ refers to the process of reinstating a clean system to the Primary Drive from the previously generated/saved image in the Backup Drive. The program can be terminated, if needed, at any time by using the Close option. C. Proposed Workflow The USB memory should have the highest boot priority (i.e., if the system is started or re-started when USB memory is connected, it should start from the USB memory). The workflow of the proposed system recovery solution is presented in Figure 2. To ‘Encrypt’ a clean (not infected by malware) system, user should make sure that the backup disk is physically connected (if external) and enabled so that the basic input/output system (BIOS) recognizes it. Then, ‘Encrypt’ function formats it; create image from the primary disk and write it directly to the backup disk, simultaneously. Once create/write image is completed, it is important that the user shut down the system completely, disconnect the backup disk(s) and USB memory, and re-start the system. System should normally start from the Primary Drive. It should be noted that user may create multiple backup images on multiple backup disks.

Fig. 2 Proposed functionalities and workflow.

V.

EVALUATION

As a preliminary effort, we develop the initial version of the software using open-source Xubuntu (Lightweight Ubuntu Linux) [12] and test it using Intel i386 personal computers with Windows 7 and Linux Fedora 14 OSs. In the following subsections, we briefly discuss assumptions, hardware and software used, and important observations. A. Assumptions Important assumptions include the following.



It is assumed that one extra hard disk (for the Backup Drive) is available to implement the proposed system recovery solution.



It should be noted that the solution software should be available via an USB memory. No extra USM memory is needed.



The USB drive has the highest boot priority. So, if the PC is started when USB memory is connected, the system should start from the USB memory.

B. Hardware and Software Requirement We use one 40 Gigabyte hard disk and one 4 Gigabyte USB memory in our experiment. These numbers may vary depending on the OS, application software, and data files. C. Important Observations We conduct our experiment using two Intel i386 PCs (one for Windows and one for Linux). In our test, we successfully ‘Encrypt’ and ‘Decrypt’ both Windows 7 and Linux Fedora 14 OSs. After the completion of ‘Encrypt’ and ‘Decrypt’ processes, newly reinstated system works normally. Based on our preliminary experience, we are convinced that the proposed solution is capable of carrying on the system recovery functionalities in case of severe malware attacks. We summarize our observations by comparing the proposed approach with traditional anti-virus solutions in Table II. Our proposed approach will require a USB memory which should cost less than USD 10. However, traditional anti-virus software may cost more than USD 100. Chances of data lost are extremely high in traditional anti-virus solution if it fails to protect the system. There is zero or very low chances to loose data using the proposed solution. TABLE II. COMPARISON OF TRADITIONAL SOLUTIONS WITH PROPOSED APPROACH Consideration

A Traditional Anti-Virus Solution

Proposed Approach

Cost

Expensive

Cheap

Chances of Data Loss

High

Zero or very Low

Usability

Difficult

Easy

Suffering

Very High

Very Low

Hardware/Software Requirement Skill Level Required

High (OS CD/DVD, applications, etc.)

Low (only the Hot USB memory) Any (novice-moderateadvanced)

Advenced

Target PC Systems

(Mainly) New

Any (old-new)

Target Operating System Types Target Operating System Versions

Specific to Windows (or others)

Any (Windows-Linux)

(Mainly) New

Any (old-new)

Target Users

(Mainly) Enterprise

(Mainly) individuals with older PCs and OSs

Considering expense, data recovery, user friendliness, target PC and OS systems, target users, computer skill required, etc., our proposed solution is a better choice. VI.

SIGNIFICANCE OF THIS WORK

As cloud computing is expected to grow (when people will rent resources, software, and applications), the usages of PCs and other computing devices are also supposed to increase. Each user will need a PC/system to connect to the cloud server. According to recent reports, the number of malware attacks will increase and infect more end-user systems. The only obvious solution to the problem when a system cannot be started after a malware attack is reformatting the hard drive and reinstalling the OS. Needless to point out that this is not a happy solution. It is associated with multiple painful considerations like (i) cost for OS and applications, (ii) chances of data loss, (iii) reinstalling required updates and third-party software, and (iv) mental stress. Considering thousands to millions of malware attacks every day and average users’ low computer skill, we strongly believe that proposed cheap (almost free) and easy system recovery solution has enormous potential to make millions of people happy by relieving their agony and saving millions of dollars. We also believe that this solution should offer a strong rally against cyber criminals. VII. CONCLUSIONS Recent studies scarily indicate that malware and virus attacks are drastically growing and targeting more end-user systems. Certain malware and viruses will disrupt, even may destroy, the computer system regardless of the presence of antivirus software and/or the system restore program. In order to overcome this situation in an easy and inexpensive way, we propose a simple but effective solution to restore computing systems if needed. For an ordinary system, all it needs is one (extra) 40-GB hard disk and one 4-GB USB memory (loaded with proposed solution software). We develop and experiment the initial version of proposed solution in our laboratory. According to the experimental results, we are confident to state that the proposed cheap and cool solution is capable of recovering systems from malware/virus attacks in a sophisticated way by saving significant amount of money and frustration. It should be noted that the proposed solution is not a replacement of the current anti-virus software solution. However, proposed solution provides an easy way to recover an infected system. Thus, this USB memory based solution gives average users more confidence to use computers at any time. Considering price, usability, and effectiveness, our proposed solution is affordable for most users (especially for the individuals with older PCs and OSs). We plan to investigate power-aware core allocation strategy for multicore architecture in our next endeavor.

ACKNOWLEDGEMENT We sincerely acknowledge Chok M. Yip (M.S. student in Computer Networking in the Department of Electrical Engineering and Computer Science at Wichita State University) for his efforts to verify the results and to review the earlier drafts of this paper. REFERENCES [1]

U. Khan, “12 million people suffered a computer virus attack in the last six months,” in the Telegraph, May 13, 2009. [2] S. Heron, “Looking Back: A Review of Threats Faced in 2011,” infosecisland, February 02, 2012. [3] C. Henderson, “2011 Global Security Statistics and Trends,” Trustwave SpiderLabs, 2011. [4] U. Mishra, “An introduction to Computer Viruses,” Social Science Electronic Publishing, Inc., 2010. [Onlone]. Available: http://ssrn.com/abstract=1916631 [5] H.J. Li, et al., “AOS: An optimized sandbox method used in behaviorbased malware detection,” in the International Conference on Machine Learning and Cybernetics (ICMLC'11), Vol. 1, pp. 404-409, 2011. [6] R.R. Branco and U. Shamir, “Architecture for automation of malware analysis,” in the 5th International Conference on Malicious and Unwanted Software (MALWARE'10), pp. 106-112, 2010. [7] M.J. Chen, et al., “An ASIC for SMTP Intrusion Prevention System,” in IEEE International Symposium on Circuits and Systems (ISCAS'09), pp. 1847-1850, 2009. [8] K. Zhang, et al., “Reconfigurable security protection system based on NetFPGA and embedded soft-core technology,” in the International Conference on Computer Design and Applications (ICCDA'10), Vol. 5. pp. 540-544, 2010. [9] J. Attridge, “An Overview of Hardware Security Modules,” SANS Institute, January 14, 2002. [10] C. Perrin, “There is no legal solution to malware,” techrepublic, April 29, 2009. [11] E. Geier, “How to recover your PC from a malware attack,” itbusiness.ca, November 17, 2011. [12] “Xubuntu 11.10 (Oneiric Ocelot), Lightweight Ubuntu,” 2011. [Online]. Available: http://mirror.anl.gov/pub/ubuntu-iso/CDs-Xubuntu/11.10/ release/