The instruction set of the x86 is too complicated

When reading the report of an exploit by a security firm, one invariably finds x86 assembly code. I would stumble on xbegin mayEnd cmp mutex, 0 jz weAreDone xabort $0xff and not be sure what it did. Long ago I had programmed other chips in assembly, so I felt a day or two would give me some idea of the assembly language for the Intel chips.…

It takes days to find it

To find something anomalous one needs to be able to describe what is common. At PermissionBit we do that by recording every interaction between the CPU and the hardware (every system call). That gives us enough data to identify hacking, malware, and misuse.…

What is your computer doing?

Over four years ago one of our clients from IPS came to us with a cyber security problem. We were asked to take their task not as a symptom to alleviate, but as a reflection of a deeper problem to solve.…

High accuracy AI for malware classification

On Tuesday the paper Computer activity learning from system call time series that Curt and I wrote was posted to the arXiv. It explains how we used machine learning to create a minute-by-minute description of what is happening on a computer.…

General malware detectors are impossible

It is impossible to write a general purpose malware detector. Not hard, not difficult, impossible. The argument for the impossibility relies on building an odd program. We may not write such a program in practice, but it does arise as a combination of things we do write — things like Perl-like regular expressions and input parsers — and carefully crafted inputs.…