Malware Detection by Hardware

             Malware detected by Hardware – and how does it work?

Hackers develop malware to attack cyber-security. It is an eternal battle. Or isn’t it?

What actually is malware? Certainly, viruses, Trojans, worms and ransom-ware are part of the constant onslaught on cyber-security, but equally so are all  other program snippets, which  are capable to exploit weak  spots in software. But is there a comprehensive definition? You can read it up on Wikipedia. A short and pointed definition might be this one:

Malware is software, which is inserted into a system against the intent of its user.

This definition does not only meet the mentioned species of malware, but also dormant malware, which may be activated by some more or less random event, fileless malware lurking in your device’s RAM and encrypted malware, independent of the type of encryption.

For hardware to detect malware, is it at all necessary to guess the thoughts – to know the intention – of a user/hacker? Not at all. It is sufficient two follow two distinct basic principles to catch malware at the hardware level:

  • Have confidence in the user’s intentions – and that he acts accordingly and correctly.
  • Prevent software installation by all other persons.

Regarding the first principle: Users of IT-systems have by and large been incapacitated to this respect: software providers  determine the state of software as it is installed at a given moment, as the user once purchased it. Companies and organizations, which rely on their multitude of workstations running the same software configuration,  experience  deviations in the internal software stack, even causing  incompatibilities.  One simple cause for deviations in the software stack may be  due to extended and uncoordinated periods of down time, during that users do not use  the devices.  Asynchronous updates are also a consequence of late trends in the software market: Whereas historically software was sold as contents on a  data carrier, now this is done online over the internet.  Upgrade cycles are provided in short time spans – historically, data carriers with  software-upgrades were released in  much larger intervals.

Regarding the second principle: As above, users are  left with little choice: they  have to purchase whatever the market place has to offer.  Apart from special equipment these are commodity computers,  which can be loaded with software and data using different interfaces, over local links to other equipment, online, or using external storage media. And herein lies a systemic weakness: this load process  does not distinguish between software and data to be processed. Exactly this detail enables hackers to easily apply their  wicked trade: A little chunk of software, hidden in data or e-mail-attachments, will cause harm, sometimes only after having downloaded further malware, undetected by the user. Anti-virus- and similar software is power-less: The variability of malware is so immense that no single one of these programs recognizes the latest versions of malware, not to mention their capability to retaliate much faster. Up to date, malware is as sophisticated  that it only needs one strike to achieve its objective; a repeated attack employing the same means against the same system is unnecessary.

What can ultimately be done to prevent damage caused by malware? A paradigm-shift in the way that software is provided to computing devices and how the software stack is separated from “data-flow” is called for.

Cyber security may be achieved by logically combining both principles: Warrant control during software installation  and prevent software alterations by all others! As above, only two requirements have to be met, and both may be implemented in hardware:

  • Provide the user with a specialized interface for software installation only, and only provide it to the user. This might be a software carrier, a plug, or a jack which is sufficiently different from others, that no confusion with others is possible.
  • Design the storage of the computer in a way, which clearly separates software from data to be processed. If malware is inserted into the system, it cannot be processed as malicious application, it can only be processed as harmless data, following only the data definitions of the processing software.

Remaining risks are with the user. To become an internal offender, the user has to misuse his access to the hardware to install malware. However, following the above definition of malware, it is not malware any more, as the offender has installed it intendedly. So the saboteur did not only corrupt his own system, but also the comprehensive definition above.

Do software providers now need to refrain from convenient and customary over-the-air-updates? Not necessarily, but software providers do no longer have control  over the effective time of update. This is now strictly under user  control. When he decides that the time for updating his software suite has come, he has to consciously transfer the update, which is available to him as data only, into a format, which is suitable to install it as software. The received software updates differ from malware only by the fact that they have a legitimation: The user has contracted them with his provider, and thus they were inserted intendedly and on purpose.

How does Hardware recognize Malware?

Recognizing malware in software has proven feckless. Defending against malware needs innovation. If malware-handling is allocated to the hardware level, it is not at all necessary to recognize malware as such! Malware is simply seen as data, and probably, there is no  software to process it. This also implicates that an intruder  cannot hide the traces after  inserting  malware into the system.

A reward winning hardware architecture has been designed under the principles described above, which is capable of successfully defending malware. It is patented and arbitrarily named CySCoS.


June 2018