BONANZA: Virtualized Deception Honeypot for Firmware Boot/Rootkits

Abstract

Modern persistent firmware rootkits [1][2][3] can run undetected by any malware detection installed by the user or provided by the OS (e.g., Windows Defender). Once installed, these rootkits bypass all state-of-the-art defenses deployed inside the OS, because they reside in the flash memory that holds the platform firmware and compromise the machine from the moment it boots. Not only are such rootkits almost undetectable once installed, but they also remain in place even if one replaces or erases all disks. Unfortunately, there are no known mechanisms designed to reliably detect the installation of such rootkits; they are only found when firmware is analyzed manually.

This work will design BONANZA, a new honeypot-based detection framework that can automatically identify both known and unknown rootkits that might exist in the wild undetected. Honeypots are typically virtual environments designed to appear vulnerable and trick malware into installing while the honeypot captures and reports its behavior. BONANZA simulates a vulnerable software/hardware stack inside a virtualized environment, tricking adversaries into targeting it. It will allow a virtual "flashing" of the rootkit and will detect, record, and simulate the associated expected behaviors. As a result, the honeypot will collect and report both the rootkit contents and the malicious operations performed once it is installed, enabling fast identification of the same rootkit on other, sensitive systems. Further, BONANZA will also allow the identification of external threats attempting to install these rootkits, information that can be fed back into intrusion detection and prevention systems.

There are currently no alternative solutions that detect rootkit deployment at runtime, before installation. Existing honeypots only detect attacks targeting the OS or applications (e.g., malware installation, OS compromise, etc.) and are not designed to detect firmware rootkits in action. The closest work aims to identify certain rootkits inside firmware images, which requires an already infected system or wide-spread rootkit deployment; it also cannot determine infection vectors or origins. In contrast, BONANZA may prevent system infection, detect rootkits used in targeted attacks (e.g., adversaries targeting only critical devices), and provide a strong starting point for attack-origin tracking (e.g., IP call-home and download addresses, payloads, etc.).

Overall, the boot/rootkit infections discovered to date [1][3][6] show that significant critical gaps exist in the security of our systems, gaps that allow the corresponding attacks to go undetected for years. Persistent, metastasized, undetectable firmware malware, especially when driven by an enemy force, can become endemic and fatally endanger missions at critical moments. This project's capabilities are direly needed to eliminate such existential threats to systems and missions. Navy and DoD systems are a prime target for sophisticated adversaries with long-lived attack capabilities, and firmware attacks are fatal and virtually impossible to eliminate once they take hold. BONANZA will significantly elevate the cyber security posture of Navy and DoD systems and protect their missions.

Document Details

Document Type
DoD Grant Award
Publication Date
May 15, 2023
Source ID
N000142312524

Entities

People

  • Radu Sion

Organizations

  • Office of Naval Research
  • United States Navy

Tags

Fields of Study

  • Computer science

Readers

  • Cybersecurity

Technology Areas

  • Cyber