Secure Coding mailing list archives
Intel turning to hardware for rootkit detection
From: ljknews at mac.com (ljknews)
Date: Tue, 13 Dec 2005 15:47:05 -0500
At 9:28 AM -0800 12/13/05, Ron Forrester wrote:
> On 12/13/05, Kenneth R. van Wyk <Ken at krvw.com> wrote:
> > The detection mechanism seems to primarily be looking for non-OS software modifying OS inhabited memory blocks. Wonder how they're defining (and maintaining the definition) of each... I also wonder how it'll impact near-OS software installations like, say, device drivers, authentication plug-ins, and other things that need to poke pretty deeply into the OS in order to install.
>
> I have to admit, when I initially read about this I immediately dismissed it as nothing but marketing hype -- what little details they gave for the solution seemed to me to be less than practical and certainly would have issues adapting to targeted attempts to deceive the mechanism. I'd love to hear other people's thoughts on the matter.

For a test of their generalized characterization of the problem, consider how well they might do analyzing VMS running on Itanium. If the "non-OS software" attempted to trick the "OS software" into doing something from an inner mode, their external approach seems intractable. On the other hand, "non-OS software" calls to "OS software" regularly result in changes to memory protected against outer mode access.

-- 
Larry Kilgallen