- Related Stories
-
Itanium: A cautionary tale
December 7, 2005 -
Intel aims for faster, cooler transistors
December 6, 2005 -
Sony's rootkit fiasco
November 21, 2005 -
Rootkit worm linked to hacker group in Middle East
November 17, 2005 -
Antivirus firms target Sony 'rootkit'
November 9, 2005
(continued from previous page)
Will this technology--you mentioned it includes hardware and firmware, which is software--would this need anything else to run, like a client on the desktop?
Schluessler: No. It really needs just cooperation from the programs that we want to protect.
What does that mean?
Schluessler: We'd need to make sure that the contents of the programs as they run in memory do not get changed.
In order to do that, we have to know what the initial good state of the program is. (It's) similar in concept to what driver signatures do. We need to make sure that the program, in its good state, is what is actually loaded into memory and that it stays that way.
Security threats like rootkits, viruses and worms seem to get more sophisticated by the week. Can your technology protect against future threats, or will it need some kind of an updating mechanism?
Schluessler: This is exactly one of the things we've designed this technology to do--to detect problems that we don't know about yet, what we call in the industry day-zero worms and viruses. Those worms and viruses that come out, and we don't know what they look like.
This technology is simply looking for changes to protected programs. It could be any kind of change--any kind of worm payload or virus payload or rootkit. As long as it changes one of those protected programs or stops one of the security agents that we're monitoring, we can detect it, regardless of what the actual signature is.
You keep mentioning protected programs. Would this protect any application on my PC, or just the operating systems or critical applications?
Schluessler: We would want to use it to protect critical applications on the PC. Like any technology, this is not the Holy Grail. It has limitations. It can be used to protect certain programs. But this isolated execution environment is limited in its view of what the operating system and such is actually doing. It can't view all of the complexities of the OS, like most of your security agents that are already running over there. It is very much complementary to those security agents.
For example, what applications do you see it protecting?
Schluessler: You could use it to protect things like antivirus software or your firewall. Many of today's worms and viruses...will go in and shut down your security agents in order to execute their payload, because the security agents are effective at stopping that. What this System Integrity Services technology can do, is it can actually detect when that occurs, so we can help protect those security agents.
If you're monitoring the system--it sounds like that's what you're doing with this technology--is that going to slow down my computer at all?
Schluessler: Since we're running the checking-off in this isolated execution environment--we call it a security presence--it would not impact the MIPS (million instructions per second, or the the number of operations that a computer can perform in one second) available on your CPU. It does use some of your memory bandwidth.
Could you explain that?
Schluessler: It won't use cycles that your host processor needs for other things. It won't slow down the processing necessarily on your CPU, but it does use some of the bandwidth going to your memory. It has to look at the memory that your program is running in.
How will this impact potential legitimate uses of, for example, rootkit-type technology? If I am an enterprise, and I use rootkit-type technology to maybe hide some security software from my employees on their desktops, how would your technology impact that? Would it stifle that kind of thing?
Schluessler: Not at all. We're only going to detect changes that we don't want to happen. If you define within your system that you want to allow certain types of changes to happen, by all means, the System Integrity Services will allow that kind of change.
What you're telling me sounds a little bit similar to what Microsoft was talking about a couple of years back. Something they called "Palladium" and then "Next Generation Secure Computing Base." Is this similar?
Schluessler: I am not an expert on that technology, so I can't contrast it.
When do you think your technology might be ready?
Schluessler: As a researcher, I don't have visibility into Intel's product plans, but the prototype is up and running and we have demonstrated that it works in protecting device drivers and things like that--against things as advanced as kernel debuggers.
Could you explain a bit more what that prototype looks like? Is it actual functioning hardware, or is it a little plastic thing that doesn't do anything?
Schluessler: It is actually functioning hardware. We have a security presence in the form of an Intel Xscale processor that is able to monitor protected programs running on the host.
3 comments
Join the conversation! Add your comment (Log in or register)
That sounds like DRM, not protection from explits.
Especially it is easy to draw parallels to how Xbox360 is protected from hacking. Digital signing of OS or something like that.
Security problems raise from the fact that application logic is broken and has "holes". If I can convince administration application that I'm admin and I want to format all hard drives - no protection will ever help.
What Intel can do. For now all OSs use two modes: privileged (for administration) and unprivileged (for mere mortals). If somehow CPU can help OS to narrow down what application can do - e.g. which system calls it can do or which kernel memory regions it can access - that might help.
If process needs access to only particular resources - it will have access to only that particular resources. At moment such support on O level is incredibly expensive due to very high CPU overhead when execution goes from one task to another. That's where Intel can truly help - releive OS of that duties and perform them in CPU.
P.S. Or allow OS to micro-program CPU to effectively perform such tasks for OS.
Plus think about this, the reason IE is so unsuccesful is because its buried so deep into the OS that when exploits are created they are serious threats. This follows the basic principle, if someone finds out how to exploit the firmware, then there's no telling what control they could have over the computer...
I just think this is Intel's attempt at trying to beat AMD. Check out CNETs article comparing dual core processors. AMD clearly beats Intel there.
^a10