Byte Counting

Counting interface and CPU operations to detect malware

Some of the security exploits I read about add additional bytes of malware onto innocent messages.

It is quite cheap to add read-only physical counters to hardware interfaces, and count every operation of every variety that every interface does.

Hardware can copy the counters to more registers at the start and end of an operation, then compare what the interface does with what it is supposed to do - discrepancies may be merely a flaw in understanding - which should be dispelled during code design. Or it may indicate that something shady is going on. The counters can be available to multiple otherwise-firewalled processes, useful for white-hat traffic analysis without revealing exactly what is said to whom.

The counters can be turned off and zeroed, and such operations can themselves be counted in hardware. Perhaps this can leak information to an adversary, but not much information of the code is designed right. This would be a tool to design such code. Counter visibility can also be disabled until the next reset.

Hardware can also have flaws, of course, but such flaws are difficult to inject with runtime malware. Flaws injected during design and manufacturing are possible, but they are copied by the thousands and millions, and "hold still" for reverse engineering and comparison to gate level specification.

There are subtle ways to inject flaws at the transistor level if you can predict the supply chain and who gets which physical component, but that is very expensive compared to the usual "all parts alike" manufacture and test process.

After some elaboration and development, I hope server sky components will have such counting capabilities to help with security.