SonicWall spots Meltdown exploits with machine learning tech

SonicWall says its new deep memory inspection technology, which powers the vendor's Capture Cloud sandbox service, can block Meltdown threats and other zero-day attacks.

Exploitation of Meltdown and Spectre vulnerabilities is difficult to detect, but one security vendor believes it's found a way to identify and stop potential Meltdown exploits.

SonicWall recently unveiled a new engine for its Capture Cloud platform, which is a cloud-based sandbox service for detecting and blocking zero-day threats. The engine uses what the company calls Real-Time Deep Memory Inspection (RTDMI), patent-pending technology that uses machine learning to block and analyze unknown threats.

SonicWall CTO John Gmuender said RTDMI is similar to SonicWall's patented Reassembly-Free Deep Packet Inspection technology; just as deep packet inspection can penetrate SSL-encrypted traffic to look for threats, SonicWall's RTDMI can analyze malware payloads that are often protected by a layer of custom encryption.

"We ended up building a system that allows us to take the malware, spill out its parts and rebuild it in a way that allows us to control it," Gmuender told SearchSecurity. "And through controlling it, we can cause the malware to expose itself. The engine allocates memory, decrypts the malicious code into that memory, marks the code as executable and then runs it for less than 100 nanoseconds and then wipes the memory."

Once the threat is analyzed and wiped, the Capture Cloud platform quickly communicates the results to SonicWall firewalls and other products in order to block any instances of the threat. The engine also uses machine learning to study the malicious code and its behavior and compare it against previously captured malware in order to better anticipate and identify future threats.

"Malware writers end up launching many, many different variants of malware every day, but they're not rewriting the code from scratch every time," Gmuender said. "In the past, researchers could maybe take a few days and study malware caught in a sandbox, but it was very hard to do in real time. But now, with machine learning technology, you can do a large analysis of these threats much quicker."

SonicWall CEO Bill Conner said the RTDMI engine was in development for several years before it was deployed in the Capture Cloud platform in December. In the span of about a month, the RTDMI engine caught approximately 500 previously unidentified threats, including Meltdown exploits. Conner said the company originally planned to announce the new technology at a later date this year, but the discovery of Meltdown exploits changed SonicWall's plan. "We wouldn't have caught any of those 500 new attacks without [RTDMI]," Conner said. "Our goal was to identify malware in a real-time, automated way so we can stop zero days and new threats like Meltdown."

Gmuender said Meltdown exploits require specific instructions, such as Intel's Transactional Synchronization Extensions, to access the memory, and those instructions were identified by SonicWall's RTDMI technology and are now built into the Capture Cloud platform. "These are unique instructions going after unique memory," he said. "If a piece of malware is going to take advantage of Meltdown, this will catch it."
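As an added illustration of the idea described above, and not SonicWall's own RTDMI code: a minimal byte-pattern scan for the Intel TSX (RTM) opcodes over constructed sample payloads, including one constructed sample that shows why a raw-byte scan also hits immediate data and therefore needs a disassembler behind it in a real engine.

```python
# Added example (not SonicWall's RTDMI): static scan of a decrypted payload
# for the Intel TSX instructions the article names as a Meltdown indicator.
from typing import Dict, List, Tuple

# Opcode encodings from the Intel SDM (RTM instruction group).
TSX_PATTERNS: Dict[str, bytes] = {
    "XBEGIN": bytes.fromhex("c7f8"),   # C7 F8 rel32 (rel16 with a 66 prefix)
    "XABORT": bytes.fromhex("c6f8"),   # C6 F8 imm8
    "XEND":   bytes.fromhex("0f01d5"),
    "XTEST":  bytes.fromhex("0f01d6"),
}


def find_tsx(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, mnemonic) for every TSX opcode pattern in the blob.

    Caveat: this matches raw bytes, so it can fire on immediates or on the
    tail of an unrelated instruction; a production engine disassembles from
    a known entry point instead of pattern-matching.
    """
    hits = []
    for name, pat in TSX_PATTERNS.items():
        start = 0
        while (idx := code.find(pat, start)) != -1:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def looks_like_rtm_probe(code: bytes) -> bool:
    """Heuristic: a transaction is opened (XBEGIN) and later closed or aborted."""
    names = [n for _, n in find_tsx(code)]
    return "XBEGIN" in names and ("XEND" in names or "XABORT" in names)


# Constructed sample: xbegin fallback ; mov rax,[rcx] ; xend ; ret
SAMPLE_RTM = bytes.fromhex("c7f8" "05000000" "488b01" "0f01d5" "c3")
# Constructed benign sample: mov eax,1 ; ret (no TSX at all)
SAMPLE_BENIGN = bytes.fromhex("b801000000" "c3")
# Constructed false positive: mov eax,0x00d5010f ; ret -- the immediate
# happens to contain the XEND byte sequence, so the raw scan flags it.
SAMPLE_FALSE_POS = bytes.fromhex("b8" "0f01d500" "c3")

if __name__ == "__main__":
    for label, blob in (("rtm", SAMPLE_RTM), ("benign", SAMPLE_BENIGN),
                        ("false_pos", SAMPLE_FALSE_POS)):
        print(label, find_tsx(blob), looks_like_rtm_probe(blob))
```

The `looks_like_rtm_probe` pairing rule filters the stray XEND in the third sample, but only disassembly from a real entry point removes that class of false positive reliably.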

Currently, the only Meltdown threats SonicWall has captured are "test-flight" malware samples built largely around the proof-of-concept exploits created by the Meltdown and Spectre research teams, Gmuender said. SonicWall said it has not yet identified any Spectre exploits and that its Capture Labs threat researchers are "still actively analyzing various Spectre vulnerabilities."

The RTDMI engine is currently active for SonicWall's Capture Cloud platform and joins three existing engines for the platform that provide virtualized sandboxing, hypervisor-level analysis and full system emulation.
