Interesting People mailing list archives
Intel Researchers Sneak Up on Rootkits
From: David Farber <dave () farber net>
Date: Wed, 14 Dec 2005 19:21:45 -0500
Begin forwarded message:

From: Dewayne Hendricks <dewayne () warpspeed com>
Date: December 14, 2005 10:48:10 AM EST
To: Dewayne-Net Technology List <dewayne-net () warpspeed com>
Subject: [Dewayne-Net] Intel Researchers Sneak Up on Rootkits
Reply-To: dewayne () warpspeed com

[Note: This item comes from reader Randall. DLH]
From: Randall <rvh40 () insightbb com>
Date: December 13, 2005 11:15:18 AM PST
To: JMG <johnmacsgroup () yahoogroups com>
Cc: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Intel Researchers Sneak Up on Rootkits

<http://www.eweek.com/print_article2/0,1217,a=167252,00.asp>

Intel Researchers Sneak Up on Rootkits
December 12, 2005
By John G. Spooner and Ryan Naraine

Intel Corp.'s researchers are working to outwit cyber attackers, including those employing stealthy rootkits.

The chip maker's Communications Technology Lab, in a project called System Integrity Services, has created a hardware engine to sniff out sophisticated malware attacks by monitoring the way operating systems and critical applications interact with hardware inside computers.

By watching a computer's main memory, System Integrity Services can detect when an attacker takes control of the system. Such attacks sever the ties between data loaded into memory by an application and the application itself, and can fool a system so as to avoid detection while potentially allowing for surreptitious pilfering of data or the perpetration of other attacks.

"Our threat model assumes that the attacker gets on the system somehow and has unrestricted access to the system," said Travis Schluessler, a security architect inside Intel's Communications Technology Lab. System Integrity Services "assumes [the attacker] will modify what's running in memory to fool anti-virus software or change firewall rules…so as to put the system in a state where he can do whatever he wants."

The System Integrity Services hardware, however, can detect those intrusions by monitoring the interactions between the applications and memory. Once it discovers an intrusion, it can issue an alert. Thus it sets the bar much higher for malware to compromise a system without being detected, Schluessler said.

Researchers tested the system with a kernel debugger, an application whose behaviors and ability to make system changes are similar to those of a rootkit, to prove its effectiveness, he said.

Although it might not make it to market immediately, Intel's anti-malware research comes at a time when anti-virus vendors are struggling to cope with the use of stealth rootkits in malware attacks. Using rootkit techniques, malware writers are able to keep administrative access to compromised machines, silently running updates to the software or reinstalling malicious programs after a user deletes them.

If it were to be put into a product platform, Intel's System Integrity Services could be used in conjunction with other elements, including Intel Active Management Technology for monitoring hardware, and could also be used in concert with other research projects such as Circuit Breaker. Circuit Breaker, a research project that might also someday find its way into products, regulates an infected computer's access to a network.

Such a combination might help quickly head off widespread infections, which cost companies not only in data theft but also in reduced employee productivity due to computer downtime and heavy use of IT resources to clean them up, the Intel researcher said.

Indeed, in one example, "Once System Integrity Services has detected a problem, it can tell Circuit Breaker to turn [a machine] off the primary network and switch it over to a remediation network," he said.

The System Integrity Services project is part of a broader focus on security inside Intel's labs. That focus has been brought about by the chip maker's recent shift to designing platforms around devices such as servers or desktop PCs. Unlike when it sold chips individually, the platform design strategy has Intel creating numerous add-ons, including features such as virtualization and Intel Active Management Technology, which are designed to increase the usability and manageability of desktops, notebooks and servers.

Many of Intel's more advanced worm and virus detection technologies are still at the research stage today (some of Intel's other projects include the worm signature detectors Autograph and Polygraph), but they could easily wind up as features inside Intel's future product platforms. Aside from being used to improve the products for customers, they could also be added to bolster Intel's competitiveness versus its rival Advanced Micro Devices Inc.

The System Integrity Services prototype hardware uses one of Intel's XScale processors, which Schluessler said was overkill, and plugs into a PCI slot. A future version could potentially be built for a relatively small fee and included with Intel platforms, not unlike the way it packages wireless modules with its processors and chipsets for its Centrino-brand notebooks.

"You can tie this technology in with AMT and the CPU [in each machine] and all of a sudden you've got something that's more than the sum of its parts," Schluessler said.

Aside from working with Intel's own platforms, the technologies could also be tied in with products from Intel's close partners, including operating system and application vendors, the company's researchers have said.

"We said, 'What kind of things can we do to address these challenges?' That has driven a lot of the platform thinking, whether it's VT [Intel Virtualization Technology] or active management, and how all those things work together," said Dylan Larson, network security initiatives manager at Intel's Communications Technology Lab, in a recent interview with Ziff Davis Internet. "We've had security expertise and lots of competency in this space for a long time. Now we're looking at this even more from a platform level on how we can bring these things together to drive new value to customers."

The lab is also working on projects called Autograph and Polygraph, which are designed to help prevent large-scale worm infections altogether by analyzing individual worms and quickly publishing data on how to detect them.

Autograph and Polygraph employ a combination of heuristics and good old sleuthing to track down worms and locate their signatures, the unique pattern of data required for a particular exploit, and then notify other systems with those signatures so that they can move to identify and block the worm, said Brad Karp, at Intel Research Pittsburgh, a lab located on the campus of Carnegie Mellon University.

Autograph's source code has been made available for download via the university's Web site, and Karp and his team are also working on Polygraph, a similar program which can sniff out so-called polymorphic worms, which change each time they replicate in an effort to disguise their signatures and thwart the defense used in Autograph.

The next step for System Integrity Services now lies with Intel's platform development teams, which will make the call on whether or not to add the technology to its future systems, Schluessler said.
Weblog at: <http://weblog.warpspeed.com>

-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
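The detection idea the article attributes to System Integrity Services (measure what is loaded in memory while it is trusted, re-measure later, and alert when something changed that the operating system did not change) reduced to its comparison logic, as an added example that is not Intel's SIS code. It models a hypothetical dispatch table standing in for a kernel system-call table or a security product's hook table, takes a baseline (an FNV-1a hash plus a shadow copy, both my choice), then re-measures after a simulated rootkit hooks the "read" entry to hide one descriptor. The table, handlers, hook and hidden descriptor are constructed for illustration and are not from the article.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a kernel system-call table or a security
 * product's hook table: the kind of in-memory structure a rootkit
 * patches and an integrity monitor measures. */
typedef long (*handler_t)(long);

static long sys_open_real(long fd)  { return fd + 1; }
static long sys_read_real(long fd)  { return fd * 2; }
static long sys_close_real(long fd) { (void)fd; return 0; }

#define TABLE_LEN 3
static handler_t dispatch[TABLE_LEN] = {
    sys_open_real, sys_read_real, sys_close_real
};

long dispatch_call(int idx, long arg)
{
    return dispatch[idx](arg);
}

/* Simulated rootkit: hooks "read" so that one descriptor (a hidden file,
 * say) becomes invisible, and forwards everything else unchanged. */
#define HIDDEN_FD 42
static long sys_read_hooked(long fd)
{
    if (fd == HIDDEN_FD) return -1;
    return sys_read_real(fd);
}
void rootkit_install(void) { dispatch[1] = sys_read_hooked; }
void rootkit_remove(void)  { dispatch[1] = sys_read_real; }

/* FNV-1a 64-bit: a cheap, deterministic measurement of a memory region. */
static uint64_t fnv1a64(const void *buf, size_t len)
{
    const unsigned char *p = buf;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Monitor state: the golden measurement taken while the table is trusted.
 * In SIS this state lives on a separate hardware engine; here it is plain
 * process memory, so an attacker with full control could patch it too. */
static uint64_t  golden_hash;
static handler_t golden_copy[TABLE_LEN];

void monitor_take_baseline(void)
{
    memcpy(golden_copy, dispatch, sizeof dispatch);
    golden_hash = fnv1a64(dispatch, sizeof dispatch);
}

/* Re-measure the table. Returns -1 if it matches the baseline, otherwise
 * the index of the first entry that changed. */
int monitor_check(void)
{
    if (fnv1a64(dispatch, sizeof dispatch) == golden_hash) return -1;
    for (int i = 0; i < TABLE_LEN; i++)
        if (dispatch[i] != golden_copy[i]) return i;
    return TABLE_LEN; /* hash differs but entries match: baseline itself corrupted */
}

int main(void)
{
    monitor_take_baseline();
    printf("clean table:  check=%d\n", monitor_check());
    rootkit_install();
    printf("after hook:   check=%d (entry hooked), read(%d)=%ld\n",
           monitor_check(), HIDDEN_FD, dispatch_call(1, HIDDEN_FD));
    rootkit_remove();
    printf("after remove: check=%d\n", monitor_check());
    return 0;
}
```

Two caveats a practitioner should keep in mind. This monitor runs in the same address space it measures, so under Schluessler's threat model (unrestricted access) the attacker could patch the monitor or its baseline as easily as the table; measuring from a separate engine over the bus is exactly what the PCI prototype buys. And any polling monitor only sees state at check time: a hook that is installed, used and removed between two measurements leaves no trace in the hash, so check frequency and the choice of regions to measure matter as much as the hash itself.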
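Signature extraction in the sense the article gives for Autograph and Polygraph (find the content that is invariant across every instance of a worm, including a polymorphic one whose bytes change from copy to copy, and turn it into something other systems can match on), as an added example that is neither project's code. It takes a few constructed samples of one exploit flow whose request framing, return address and decoder key field are fixed while the id, padding and encoded body vary, collects the maximal substrings of at least a minimum length that appear in all samples, and uses them as a conjunction signature: a flow matches only if every token occurs in it. The sample flows, the 6-byte minimum token length and the brute-force search are assumptions of this example, not taken from the article; the published tools partition and index traffic far more efficiently.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 16
#define MAX_TOKLEN 64
#define MIN_TOKLEN 6   /* assumed minimum token length, in bytes */

/* Constructed samples of one "polymorphic" exploit flow: the request
 * framing, return address and decoder key field are invariant, while
 * the id, padding and encoded body differ from instance to instance. */
static const char *worm_samples[] = {
    "GET /vuln.cgi?id=K3fa9 HTTP/1.0\r\nPad: qpwoe RET=0x7ffa4512 XORKEY=a1 p3Qw8zL",
    "GET /vuln.cgi?id=xx912 HTTP/1.0\r\nPad: zmxncbv RET=0x7ffa4512 XORKEY=7c bN5tYu2r",
    "GET /vuln.cgi?id=Q HTTP/1.0\r\nPad: t RET=0x7ffa4512 XORKEY=e0 zzqqww",
};
#define NUM_SAMPLES ((int)(sizeof worm_samples / sizeof worm_samples[0]))

/* Byte-string search (memmem is not portable): 1 if needle occurs in hay. */
static int contains(const char *hay, size_t hlen, const char *needle, size_t nlen)
{
    if (nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* 1 if frag[0..len) occurs in every sample except s[0], where it came from. */
static int in_all_others(const char **s, int n, const char *frag, size_t len)
{
    for (int k = 1; k < n; k++)
        if (!contains(s[k], strlen(s[k]), frag, len)) return 0;
    return 1;
}

/* Collect the maximal substrings of at least minlen bytes that occur in
 * every sample: the invariant tokens of a conjunction signature. Brute
 * force, fine for a handful of flows. Returns the number of tokens. */
int extract_tokens(const char **s, int n, size_t minlen,
                   char tokens[][MAX_TOKLEN], int max_tokens)
{
    int count = 0;
    size_t len0 = strlen(s[0]);

    for (size_t i = 0; i < len0; i++) {
        /* Grow the candidate from s[0][i] while every other sample still
         * contains it; presence is prefix-monotone, so stop at the first miss. */
        size_t l = 0;
        while (i + l < len0 && l < MAX_TOKLEN - 1 &&
               in_all_others(s, n, s[0] + i, l + 1))
            l++;
        if (l < minlen) continue;

        /* A fragment inside a longer token found earlier adds nothing. */
        int covered = 0;
        for (int t = 0; t < count && !covered; t++)
            covered = contains(tokens[t], strlen(tokens[t]), s[0] + i, l);
        if (covered) continue;

        if (count == max_tokens) break;
        memcpy(tokens[count], s[0] + i, l);
        tokens[count][l] = '\0';
        count++;
    }
    return count;
}

/* Conjunction signature: a flow matches only if every token is present. */
int signature_matches(const char *flow, char tokens[][MAX_TOKLEN], int ntok)
{
    size_t flen = strlen(flow);
    for (int t = 0; t < ntok; t++)
        if (!contains(flow, flen, tokens[t], strlen(tokens[t]))) return 0;
    return 1;
}

/* Convenience wrappers over the constructed samples. */
static char sig_tokens[MAX_TOKENS][MAX_TOKLEN];
static int  sig_count;

int build_signature(void)
{
    sig_count = extract_tokens(worm_samples, NUM_SAMPLES, MIN_TOKLEN,
                               sig_tokens, MAX_TOKENS);
    return sig_count;
}
const char *signature_token(int i) { return sig_tokens[i]; }
int matches_signature(const char *flow)
{
    return signature_matches(flow, sig_tokens, sig_count);
}

int main(void)
{
    int n = build_signature();
    for (int t = 0; t < n; t++)
        printf("token %d: \"%s\"\n", t, signature_token(t));
    /* A fresh instance of the worm, then an innocuous request to the same CGI. */
    printf("new instance matches: %d\n",
        matches_signature("GET /vuln.cgi?id=8mm HTTP/1.0\r\nPad: abcd RET=0x7ffa4512 XORKEY=ff r9r9r9"));
    printf("benign request matches: %d\n",
        matches_signature("GET /vuln.cgi?id=42 HTTP/1.0\r\nHost: example.test\r\n"));
    return 0;
}
```

Note what the tokens contain: "GET /vuln.cgi?id=" and " HTTP/1.0\r\nPad: " are as much protocol framing as exploit content, and framing alone would match plenty of legitimate traffic. That is why the signature is a conjunction of all tokens rather than any one of them, and why a generated signature should be tried against a pool of known-good flows before it is published to other systems; the benign request in main is the smallest version of that check.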
Current thread:
- Intel Researchers Sneak Up on Rootkits David Farber (Dec 14)