Intel turning to hardware for rootkit detection

[ljknews at mac.com (ljknews)]

At 9:28 AM -0800 12/13/05, Ron Forrester wrote:
> On 12/13/05, Kenneth R. van Wyk <Ken at krvw.com> wrote:
> > The detection mechanism seems to primarily be looking primarily for non-OS
> > software modifying OS inhabited memory blocks.  Wonder how they're definining
> > (and maintaining the definition) of each...  I also wonder how it'll impact
> > near-OS software installations like, say, device drivers, authentication
> > plug-ins, and other things that need to poke pretty deeply into the OS in
> > order to install.
>
> I have to admit, when I initially read about this I immediately
> dismissed it as nothing but marketing hype -- what little details they
> gave for the solution seemed to me to be less than practical and
> certainly would have issues adapting to targeted attempts to deceive
> the mechanism.
>
> I'd love to hear other peoples thoughts on the matter.

For a test of their generalized characterization of the problem,
consider how well they might do analyzing VMS running on Itanium.

If the "non-OS software" attempted to trick the "OS software" into
doing something from an inner mode, their external approach seems
intractable.  On the other hand, "non-OS software" calls to "OS
software" regularly result in changes to memory protected against
outer mode access.
-- 
Larry Kilgallen