Digital deconstruction: Cadets conduct research in Academy's anti-malware lab

By Don Branum, Air Force Academy Public Affairs
Imagine for a moment a laboratory dedicated to studying computer viruses much the same way as biocontainment labs study infectious diseases, and you'll have a good picture of the Air Force Academy's anti-malware lab.

Nestled within Fairchild Hall, a team of two Intel Corporation employees and four cadets break malware down into its component parts so they can study ways to detect and prevent computer virus outbreaks. Although they don't have to wear pressurized suits, they work on a computer network that is physically isolated from the rest of the Academy's network infrastructure, and malware samples are physically contained in a vault separated from the rest of the lab.

The anti-malware lab was established in June 2012 through an agreement by the Homeland Security Department and Intel by way of the Center of Innovation here, said Maj. Matt Ross, an instructor with the Academy's Computer Science Department and the department's liaison to the anti-malware lab.

Jason Upchurch, a security research scientist for Intel, said the lab is the only one of its kind.

"The problem with Intel ... forming a partnership with the government has always been the intellectual property," Upchurch explained. "Intel has billions of dollars of research money invested in their products, and until this particular effort, the intellectual property release requirements that the government requested were too much to overcome. You don't want to bring in a $10 billion chip and lose the rights to it because you used it in research."

The COI's agreement allowed Intel to keep the rights to any hardware used in research while the government kept the security research rights, Upchurch said.

The Academy benefits by allowing cadets to do complex research in partnership with a major corporation, Ross said.

"The cadets who come through here will have a unique opportunity ... to perform research that has a good, solid element of challenge," he said.


Cadets 1st Class Luke Jones and Frank Adkins are working alongside Upchurch on methods to determine the provenance, or origin, of a piece of malware code. It's much more time-consuming than genetic sequencing, because unlike DNA, which has four base pairs, malware can consist of any combination of 250 machine language instructions.

That means every component of malware's "DNA" has to be compared against every possible combination of instructions in every other piece of malware in order to determine the code's parentage. The number of possible combinations -- 625 quintillion, or 625 followed by 18 zeroes -- is staggering.

But Jones and Adkins have found ways to simplify the data set, Upchurch said. Their efforts have reduced the amount of time required to compare 100 samples from almost an hour to less than two minutes.

"Think of it as looking for plagiarism in papers," Upchurch explained. "Take a paper and remove all the uninteresting words -- all the pronouns and prepositions -- and compress it into just meaningful verbs and meaningful nouns with no punctuation." Then, statistically, any set of seven straight matching words would throw up a red flag.
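The plagiarism analogy maps directly onto a token-sequence check. The block below is an added example, not code from the article or the lab: it applies the same idea to instruction streams rather than words, dropping filler opcodes, reducing each instruction to its mnemonic, and flagging any two samples that share a run of seven consecutive tokens. The choice of which opcodes count as "uninteresting", the three sample instruction streams, and the use of an n-gram index in place of pairwise comparison are all assumptions made for this example and not a description of the cadets' method.

```python
"""Opcode-sequence similarity by shared 7-grams (added example).

Samples A and B share a constructed ten-instruction routine; sample C is
unrelated. All instruction streams here are constructed for illustration.
"""
from collections import defaultdict
from itertools import combinations

# Assumed "uninteresting" opcodes: the analogue of pronouns and prepositions.
UNINTERESTING = {"nop", "push", "pop", "mov", "lea"}

N = 7  # seven straight matching tokens raise a flag, as in the analogy

# Constructed routine that A and B both contain.
_COMMON = ["xor eax, eax", "cmp ecx, edx", "jne 0x10", "add eax, 1",
           "shl eax, 2", "sub edx, eax", "test eax, eax", "jz 0x20",
           "call 0x30", "ret"]

SAMPLES = {
    "A": ["push ebp", "mov ebp, esp"] + _COMMON + ["pop ebp", "ret"],
    "B": ["nop", "mov eax, 1", "inc ecx"] + _COMMON + ["leave"],
    "C": ["mov eax, [ebx]", "and eax, 0xff", "or eax, 0x100", "rol eax, 3",
          "xor eax, ecx", "not eax", "neg eax", "imul eax, 7", "ret"],
}


def normalize(instructions):
    """Keep only each instruction's mnemonic and drop filler opcodes."""
    tokens = []
    for ins in instructions:
        mnemonic = ins.split()[0].lower()
        if mnemonic not in UNINTERESTING:
            tokens.append(mnemonic)
    return tokens


def ngrams(tokens, n=N):
    """Set of all n-token runs in a normalized sequence."""
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def build_index(samples):
    """Map each n-gram to the names of the samples containing it.

    Indexing by n-gram means each sample is looked up once instead of being
    compared against every other sample in turn.
    """
    index = defaultdict(set)
    for name, instrs in samples.items():
        for gram in ngrams(normalize(instrs)):
            index[gram].add(name)
    return index


def shared_ngram_counts(samples):
    """Return {(name1, name2): number of 7-grams both samples contain},
    omitting pairs that share nothing."""
    counts = defaultdict(int)
    for names in build_index(samples).values():
        for pair in combinations(sorted(names), 2):
            counts[pair] += 1
    return dict(counts)


def flagged_pairs(samples):
    """Pairs with at least one shared 7-gram: candidates for common ancestry."""
    return set(shared_ngram_counts(samples))


if __name__ == "__main__":
    for pair, count in sorted(shared_ngram_counts(SAMPLES).items()):
        print(f"{pair[0]} ~ {pair[1]}: {count} shared {N}-grams")
```

A and B share four 7-grams drawn from the common routine, while C shares none with either; a real pipeline would tune the filler set and the run length per architecture and validate the threshold against known-unrelated code to keep the false-positive rate down.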

Analyzing the provenance of a piece of malware is one part of determining attribution, a cross-disciplinary effort that also involves legal and intelligence efforts, Ross said. Attribution, in turn, would allow experts to identify which individuals or state actors wrote the virus.


Cadets 1st Class Mike Winstead and Nate Hart, along with Rodney Lykins, are researching ways to identify and block return-oriented programming, or ROP, attacks. These are generally only seen in software designed to "jailbreak" smart phones and in research environments, Upchurch said.

"They're notoriously difficult to set up, and the general rule of laziness is, if you don't have to do it, you won't," he said. "But we anticipate if we cut off all other avenues of exploiting ... privilege escalation, then what will follow will be a ROP attack."

Return-oriented programming refers to a method of using software already in a device's operating system to break the system, Upchurch said.

"Instead of pushing code that you want to execute (through a code injection), you push a bunch of addresses. These addresses tell those functions ... which function to go to next."

Those instructions, processed in the proper order, set up the device's memory in a way that allows the attacker to turn off any security checks. Winstead, Hart and Lykins hope to identify a ROP attack through the software's "jumping" behavior.

"Since a ROP (attack) bounces everywhere ... every time it bounces out of one memory page into another memory page, that throws an interrupt on the processor. They're looking to monitor those interrupts to see if they can detect ROP attacks," Upchurch said.
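The detection idea in that quote can be sketched as a monitor over a control-transfer trace. The block below is an added example and not the lab's code: it takes a constructed list of (source, target) control transfers, as a hardware tracer or debugger might hand to a monitor, and flags any window in which an unusually high fraction of transfers cross a 4 KiB page boundary. The page size, window length, threshold and the trace itself are assumptions; ordinary calls and returns also cross pages, so the threshold is the tuning point that decides false positives.

```python
"""Toy page-crossing rate detector for a control-transfer trace (added example).

The trace is constructed: a stretch of ordinary intra-page branching with
a couple of cross-page call/return pairs, followed by a burst in which every
transfer lands in a different page.
"""
PAGE_SIZE = 0x1000  # assumed 4 KiB pages


def page(addr):
    """Page number containing an address."""
    return addr // PAGE_SIZE


def crosses_page(src, dst):
    """True when a transfer leaves the page it started in."""
    return page(src) != page(dst)


def suspicious_windows(trace, window=8, threshold=0.75):
    """Start offsets of windows whose page-crossing fraction meets threshold."""
    flags = [crosses_page(s, d) for s, d in trace]
    hits = []
    for i in range(len(flags) - window + 1):
        fraction = sum(flags[i:i + window]) / window
        if fraction >= threshold:
            hits.append(i)
    return hits


def is_suspicious(trace, **kw):
    """Convenience wrapper: does any window trip the threshold?"""
    return bool(suspicious_windows(trace, **kw))


# Constructed "normal" activity: loop branches inside one page plus one
# call into another page and the matching return.
NORMAL = [
    (0x401010, 0x401020), (0x401020, 0x401004), (0x401030, 0x402000),
    (0x402040, 0x401034), (0x401040, 0x401050), (0x401050, 0x401060),
    (0x401060, 0x401010), (0x401070, 0x401080),
]

# Constructed burst: eight transfers in a row, each into a fresh page.
BURST = [
    (0x7f0000, 0x7f1010), (0x7f1014, 0x7f2020), (0x7f2024, 0x7f3030),
    (0x7f3034, 0x7f4040), (0x7f4044, 0x7f5050), (0x7f5054, 0x7f6060),
    (0x7f6064, 0x7f7070), (0x7f7074, 0x7f8080),
]

TRACE = NORMAL + BURST

if __name__ == "__main__":
    print("normal only:", suspicious_windows(NORMAL))
    print("with burst :", suspicious_windows(TRACE))
```

On the normal stretch no window exceeds two crossings in eight, so nothing fires; once six or more of the eight transfers in a window cross pages the window is reported, which here happens at offsets 6, 7 and 8. A deployable monitor would need per-process baselines, since JIT-compiled or heavily modular code crosses pages far more often than this toy trace.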


The Defense Department and DHS may benefit from the cadets' research with Intel.

"DHS has a unique problem," Upchurch said. "They're in charge of protecting systems they don't own, and that's a difficult situation. So DHS's point of view is, if they can apply a tiny bit of direction to the Intel research engine and get products to market that would benefit the systems they have to protect that they don't own, then that's a good thing. ... So the government applies a little bit of funding, and they get all of Intel's backing at Intel Labs plus Rob and I and some machines."

The fundamental science and engineering research can then lend itself to products that will benefit the government a few years later, Upchurch said.

"The malware similarity is just software similarity, so there's intellectual property (applications) and all sorts of things that it could be used for," he said. Preventing ROP attacks would make both personal computers and portable devices like smartphones more secure.

The Air Force will benefit through gaining officers who have substantial understanding of an increasingly contested cyberspace environment, Ross said.

"The Computer Science Department encourages people to do this kind of research," he said. "To have our cadets be able to do this ... is something special."