True Bare Metal (TBM™)

True Bare Metal (TBM™) is a comprehensive malware analysis sandbox like no other. This disruptive innovation is a patent-pending solution combining proprietary hardware and software that gives unparalleled visibility into the operation of every aspect of a computer (hardware and software). At the same time, it is completely invisible to malware, unlike VM-based and even emulator-based sandboxes. TBM™ powers our cloud-based malware analysis sandbox services.

Firmware Infections

Existing AV systems and malware analysis sandboxes on the market are all but blind to the entire class of firmware-targeting malware because they have very limited reach outside of the operating system. Many people do not realize that between the moment a computer is turned on and when the operating system is loaded, an astonishing number of programs run.

The first is the system’s BIOS, but that is just the beginning. A standard PC contains many small computers (microcontrollers) inside it, each of which could be infected by malware. There are microcontrollers running their own firmware in disk controllers, graphics cards, USB devices, and network interfaces.

Firmware runs unnoticed by traditional debuggers and analysis tools because these tools don't even start until after the operating system loads—well after damage may have been done by infected firmware. However, TBM™ is fundamentally different. TBM™ technology's custom hardware gives it complete insight into every aspect of the machine from the instant the power is turned on. For example, TBM™ can tell when the BIOS is being reflashed by malware. TBM™ can detect when a NIC is exfiltrating data before the OS has even started to load. TBM™ can see when a keyboard tries to modify a computer’s BIOS security settings. The possibilities are endless with firmware-based malware, but only TBM™ sandboxes can find them.

Windows...and Beyond

The vast majority of malware does not target firmware; it targets operating systems. Windows is the most commonly targeted operating system, so our initial release concentrates there. We use proprietary dynamic analysis techniques and heuristics coupled with True Bare Metal to achieve unmatched visibility of everything happening inside Windows. Unlike other malware analysis platforms, TBM™ is impervious to anti-virtualization and anti-emulation techniques that are increasingly common in Windows malware.

In the near future, TBM™ technology will be applied to other operating systems and platforms.