Intel turning to hardware for rootkit detection

[cradle at umd.edu (David Eisner)]

Ron Forrester wrote:
> On 12/13/05, Kenneth R. van Wyk <Ken at krvw.com> wrote:
>   
> > The detection mechanism seems to primarily be looking primarily for non-OS
> > software modifying OS inhabited memory blocks.  Wonder how they're definining
> > (and maintaining the definition) of each...  I also wonder how it'll impact
> > near-OS software installations like, say, device drivers, authentication
> > plug-ins, and other things that need to poke pretty deeply into the OS in
> > order to install.
> >     
>
> I have to admit, when I initially read about this I immediately
> dismissed it as nothing but marketing hype -- what little details they
> gave for the solution seemed to me to be less than practical and
> certainly would have issues adapting to targeted attempts to deceive
> the mechanism.    
>   

A bit more detail:

  
http://www.intel.com/technology/magazine/research/runtime-integrity-1205.htm 

  
http://www.intel.com/technology/comms/download/system_integrity_services.pdf

I haven't read these carefully, but it reminds me a bit of trusted 
computing [1].  In fact, one of the authors (first link) is a member of 
the Trusted Computing Group. Wouldn't it be funny if proposed rootkit 
"cures" turn out to provide a good platform for more formidable DRM 
technology?

-David

[1] http://www-personal.si.umich.edu/~rwash/projects/trusted/