Slashdot Mirror


Intel to Develop Hardware Rootkit Detection

Jack writes "ITO is running a story on Intel's latest initiative - a hardware rootkit detector: 'Intel is trying to eliminate the human factor when dealing with root-kits detection by developing a new hardware-based technique to discover and notify users when they are downloading unintentionally a root-kit to their computer.'"

51 of 178 comments

  1. Warning, Will Robinson by ackthpt · · Score: 5, Interesting

    Warning

    The application you are attempting to execute is extremely suspicious and should be discarded immediately as it has been found to contain x86-64 (AMD64) instructions.

    Seriously, why don't they work with Microsoft to do some kind of checksum and bonk the load when it fails? This 'small chip' smells like something which would persistently degrade memory performance. Why would that be more acceptable than an operating system or BIOS which would block root-kits, i.e. you can only touch this file, this partition, etc, as logged in as root. Oh, right, on Windows processes may run under root authority and be co-opted.

    Gee, seems like it's been 20 years since DEC fixed those bugs in RSTS/E.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Warning, Will Robinson by Anonymous Coward · · Score: 5, Funny

      Remember what the founding fathers said: "Those who give up essential memory bandwidth for temporary safety deserve neither."

  2. Re: Intel to Develop Hardware Rootkit Detection by Anonymous Coward · · Score: 3, Insightful

    Who will watch Intel then?

  3. Skynet!!!! by ZiakII · · Score: 4, Funny

    *Tinfoil hat on* It's part of Skynet to sneak in rootkits when they want...... Skynet is not one computer, it was all the computers with Google toolbars installed!!

  4. trusted computing, surely by DaveCar · · Score: 5, Funny

    Is this not just treacherous computing by another name? "You're downloading Debian?! That's not allowed! *bleep* *bleep* illegal operation *passing details to NSA*!"

    --
    No, I didn't RTFA. I didn't RTFSummary either.

    1. Re:trusted computing, surely by Hydroksyde · · Score: 2, Informative

      As it should. That would happen with Windows too. Boot sector virus detection alerts you when your boot sector is about to be written to, which is very rarely. Usually only when you install an OS. That's when you turn it off.

    2. Re:trusted computing, surely by eclectro · · Score: 2, Funny

      is this not just treacherous computing by another name? "You're downloading Debian?! That's not allowed! *bleep* *bleep* illegal operation *passing details to NSA*!"

      Because this is Slashdot, I, like you brother, did not RTFA. But I concur that this will be used to control what software can and cannot be run.

      I will not be able to listen to my Sony music CDs either because the hardware detector will think that it is a rootkit.

      oh wait..

      --
      Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
    3. Re:trusted computing, surely by geekboy642 · · Score: 3, Funny

      "You're downloading Debian?! That's not allowed! *bleep* *bleep* illegal operation *passing details to NSA*!"

      Yeah, everybody knows NSA uses Gentoo.

      --
      Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
  5. I'll just use OpenBSD. by CyricZ · · Score: 3, Insightful

    I'll just stick to using OpenBSD, Packet Filter, and common sense to keep my systems safe. Far more cost effective than what Intel is proposing.

    --
    Cyric Zndovzny at your service.
    1. Re:I'll just use OpenBSD. by laffer1 · · Score: 2, Insightful

      Maybe it's time there was a version of BSD for everyone. OpenBSD is not as restrictive as people make it out to be. I'm not a big fan, but my wife has an old iBook with OpenBSD 3.5 on it. It seems decent and X11 works out of the box. You can download whatever you want. OpenBSD simply limits buffer overflows and basic security problems.

      Better still, pick your own favorite OS. The more diversity out there, the harder it is to create root kits for everything. No OS is perfect. Pick the one that feels right to you and stick with it. Regardless of your choice, keep the security patches current and avoid running software or playing CDs/DVDs from Sony.

    2. Re:I'll just use OpenBSD. by Sean · · Score: 2, Interesting

      Is it OpenBSD that is keeping you safe, or is it that you have the wisdom to avoid running sketchy programs on your computer combined with the fact that there isn't much malware for OpenBSD out there waiting for you to run?

      If we entered the twilight zone and imagined that OpenBSD was the dominant player in the consumer OS market, we would still have tons of zombies doing bad things. Sure, thanks to ProPolice, W^X, and Guard Pages, bugs in MSN and Outlook Express for OpenBSD would be less exploitable than is the case in Windows right now. None of these things help when users run programs sent by their worm-infected friends. Nothing in OpenBSD prevents programs from debugging other processes running as the same user and modifying them on the fly either.

      And even in an alternate universe it's questionable if making the legacy-binary-breaking changes required by these features would have allowed it to remain the dominant OS.

  6. Do all Operating systems work the same way? by LiquidCoooled · · Score: 4, Insightful

    I don't think they do.
    As the system grows, so the number of entry points which need covering will grow.

    After reading the article, I think they are sneaking in Palladium under our noses.
    Using the rootkit news as cover.

    Should we tremble?

    --
    liqbase :: faster than paper
    1. Re:Do all Operating systems work the same way? by Urusai · · Score: 4, Funny

      Who needs a software rootkit when Intel will provide a hardware one?

  7. Re: Intel to Develop Hardware Rootkit Detection by rbochan · · Score: 5, Funny

    Who will watch Intel then?

    Why... Sony, of course.

    --
    ...Rob
    The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
  8. How to market restrictive TCPA technology to users by Josh+Triplett · · Score: 5, Interesting

    This is simply a marketing tactic to attempt to gain acceptance for a technology designed to get humans out of the loop whether they like it or not. There is no useful purpose for a technology designed to "protect" a machine from its owner. This marketing tactic simply tries to propose the "but what if we're trying to protect the owner from their own stupidity" angle; however, that kind of thing could be done in software as well.

  9. Wha? by Godeke · · Score: 4, Informative

    Aside from wondering what language the IT Observer Staff speak natively (because it isn't English), I have to wonder why "hardware" is necessary to detect a root-kit. I'm all for being able to flag memory as executable (and thus "read only" to programs) and data (and thus unable to execute code), because the last time I wrote self-modifying code for a legitimate purpose was on the C64. But what does "a small chip on a PCs motherboard" have to do with rootkits? A rootkit fools the *operating system*, not the processor.

    Either this is only memory protection (which I thought we could already do in modern processors and thus would make an additional chip redundant) or it is going to "connect the computers directly to the data", which is content-free market speak. Or trusted computing, but that market speak sounds different.

    --
    Sig under construction since 1998.
    1. Re:Wha? by Monkelectric · · Score: 2, Insightful
      the last time I wrote self modifying code for a legitimate purpose was on the C64

      I think most architectures now are not guaranteed to maintain cache coherency. I used to write self-modifying code for 3d stuff on a 486... it seemed to work then, but by all rights shouldn't have!

      --

      Religion is a gateway psychosis. -- Dave Foley

    2. Re:Wha? by gpw213 · · Score: 2, Insightful
      the last time I wrote self modifying code for a legitimate purpose was on the C64

      I think most architectures now are not guaranteed to maintain cache coherency. I used to write self-modifying code for 3d stuff on a 486... it seemed to work then, but by all rights shouldn't have!

      Newer architectures do not tend to guarantee cache coherency. However, if there is no hardware cache coherency, then there must be a cache flush instruction. It is needed.

      While we don't tend to think of it that way, dynamic library linking is an example of modifying code on the fly. The linker has to overwrite the jump-table in the binary with the locations of the libraries. Then the modified instructions have to be flushed out of the data cache before the code executes, or it might get the old unmodified version and crash.

      The thing that scares me about this Intel proposal is that, like "treacherous computing", they are again deciding what may and may not be run on MY computer. Even without any sort of nefarious agenda on their part, I doubt their ability to foresee all possible future legitimate applications that might trip their magic rootkit detector.

      --
      However beautiful the strategy, you should occasionally look at the results. -- Winston Churchill
  10. Article this translated use to what software? by dfjunior · · Score: 5, Funny

    ...dealing with root-kits detection...

    ...monitor persistently programs that might be affected of a malicious attack...

    ...doesnt expect its project to replace various protect software...

    The project is timidly scheduled...

  11. Actually by Anonymous Coward · · Score: 4, Informative

    It sounds suspiciously like memory segmentation and/or the writable bit in the page tables. It has been around since the days of the VAX at least, and in Intel chips since the 386 (and the i890 which preceded it, but died).

    But the article is so vague and poorly written that it sounds like either the author didn't know anything about the subject or English was not his first language, or both.

  12. Pfft! What's next? by gcnaddict · · Score: 2, Insightful

    What's next? A hardware DRM scheme from Intel? *rolls eyes*

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    1. Re:Pfft! What's next? by Anonymous Coward · · Score: 3, Insightful

      Actually, this would certainly appear to be a foot in the door for future "enhancements" to the processor along those lines.

  13. How would it know... by Niraj59 · · Score: 2, Interesting

    ... the difference between a desired rootkit (encrypted magic folders, which hides and password-protects certain files, for example) and an intruding one? How would it respond? If it can't tell the difference then I hope the response wouldn't be to shut it down or stop it from working but some sort of warning. This seems a little weird though - stopping a software issue with hardware. Does that even make sense?

    1. Re:How would it know... by Anonymous Coward · · Score: 2, Insightful

      And the consumer said they didn't want to have to recompile/buy their software. And the consumer said they didn't want to have to change instruction sets to fix the variable instruction size thing that is x86. And the consumer said compilers don't help if companies keep giving them bloated and severely crappy software. And... need I go on?

  14. Re:Chip off the old block by hpa · · Score: 3, Insightful

    Actually, this chip is the same chip that they've been pushing for years for Microsoft's DRM stuff (Palladium). Yet another attempt at making it sound like you're benefiting, instead of getting raked over the coals.

  15. vaporware by FudRucker · · Score: 2, Funny

    Until Intel has a product to offer the masses, that is all it is:

    vaporware

    --
    Politics is Treachery, Religion is Brainwashing
  16. How is it going to work? by oztiks · · Score: 4, Interesting

    The only way I can see such a device operating successfully is if the system has a read-ahead feature on the currently running Code Segment, which may spark inefficiencies in the system. Or perhaps when the system is loading the binary in memory, do the checks then; again inefficiencies would crop up.

    Then there are going to be applications which will need to utilise the same patterns of operation that malicious programs use, e.g. uninstallers which wipe a considerable amount of data off block devices, for instance.

    Perhaps such a system could be implemented on a software level in the OS's buffer cache, sort of like the way the Linux Secure Journalling system was going to operate, but this was thrown out the window because of inefficiencies.

    Maybe I should RTFA.

    1. Re:How is it going to work? by aaza · · Score: 2, Insightful
      You know, it occurs to me that the hardware does not know what software is being run - it only knows what instructions it needs to execute. It then begs the question as to how the chip knows that these instructions should not be run.

      Any hints? (No, I didn't RTFA, if it's in there, just tell me that)

      --
      In theory there is no difference between theory and practice.
      In practice, however, there is.
    2. Re:How is it going to work? by oztiks · · Score: 2, Interesting

      The thing I've been thinking about is that a rootkit these days can mean a lot (almost pretty much anything malicious) BUT essentially an RK was something designed to allow remote access back into a system for exploit; this was its original purpose and hence the coined term ROOT KIT. E.g. a fake su that would operate normally but enable the user to use the program to gain root again, or a fake telnetd which would do the same.

      If keeping to these levels of standard, a _proper_ RK doesn't do anything really out of the norm from what other applications do, e.g. open a port and allow a person root access to a system. It's simply a system put in place to bend security levels or change an anonymous user to admin with the correct "Open Sesame" type trickery.

      Then we look at the types of issues that I was beforehand relating to, checking for mass disk wipes or changing of the system registry (let's call this the new vogue rootkit behaviour). Even if a malicious program is able to do this and a special chip on the motherboard is designed to stop this, how on earth is it going to monitor block device activity?!?!

      Block devices are all different; they use different driver sets, standards (SCSI / SATA / IDE) and further to that have their own individual processor units that are independent of the CPU, so it makes that idea very difficult to swallow.

      I guess a system can be put in place to safeguard kernel memory and perhaps selected memory regions, but I would hardly call this ROOT KIT protection and it would mean OS intervention in some cases to properly lay out the rules for the chip to abide by.

  17. Aren't there some limits? by putko · · Score: 2, Insightful

    How will they decide what a rootkit is?

    It looks like they'll have to err on the side of rejecting programs that just happen to look like rootkits. What would those be?

    If the OS vendor wants to release a patch or extension, won't it look "evil" to the detector chip? It will be altering the OS -- so maybe it is a rootkit.

    It seems like the marketing is running things here. With the trusted boot stuff that was a different story -- that has a good theoretical basis.

    --
    http://www.thebricktestament.com/the_law/when_to_stone_your_children/dt21_18a.html
    1. Re:Aren't there some limits? by DaveCar · · Score: 4, Insightful

      It's just another meaningless press hype tactic.

      For some time I thought that "podcasting" might be an ingenious way of linking mobile music players through an ad-hoc wireless networking scheme which allowed one to disseminate an audio stream through a multicasting protocol which would utilise some kind of peer-to-peer filesharing technique to reduce end-to-end bandwidth.

      Imagine my disappointment when I learned it meant "putting an mp3 file on your homepage". And for those still caught up in the rapture of tech-newspeak, a "blog" is what we used to call a "homepage". Believe me, renaming them has not made them more interesting.

  18. Re:Its an OS thing.. by spitzak · · Score: 3, Insightful

    Huh? Rootkits certainly do exist for Linux. In fact the term comes from Unix, "root". A rootkit is code that is installed to hide itself, *after* security has been compromised somehow. The ability to write a rootkit has nothing to do with the ability to compromise security. In fact I'm sure it is easier to write a Linux rootkit than a Windows one, just because in general it is easier to write system software for Linux.

  19. Re:Its an OS thing.. by bioteq · · Score: 4, Interesting

    Oh, that is definitely wrong. I have yet to encounter a rootkit on a Windows machine, but on the Linux machines I administer, I have seen a few.

    In fact, if you do a search for root kits on Google, I am willing to bet that 90% of what Google returns will be about Linux/Unix based rootkits. Why? Because they make it easier to overtake a server and we all know that most -big servers- are Linux machines. Those are the ones that the little script kiddies want so they can take advantage of big pipes and try to DDoS their schools or something -- whatever the hell these 12 year olds are doing these days.

    So yes, in this case, "Windows is the problem" doesn't really fly. Any OS is technically open to an attack from a rootkit. It all depends on the author of said rootkit to be persistent.

    Don't get me wrong - I'm a Linux lover and don't really like Windows that much (even though I use it) but the whole Linux vs. Windows argument isn't going to fly very far in this case. In fact, if I'm correct in thinking (Think I am, correct me if I'm not) the first rootkit was on AT&T Unix (?) and did much of the same things today's rootkits do: replace core commands such as ls, ps, top, etc. They're just now morphing over to Windows.

  20. Re:First Post!! by netsharc · · Score: 2, Funny

    What if I want to run a program that behaves like rootkit due to company policy?

    What sort of program would that be? Oh yeah, "It's a Sony!"(TM)

    --
    What time is it/will be over there? Check with my iPhone app!
  21. Re:Its an OS thing.. by DaveCar · · Score: 4, Funny

    Rootkits are rarely seen on linux boxes

    Rainwulf is not misinformed, I simply posted that message after I rooted his box.

  22. Dumb idea by obeythefist · · Score: 5, Insightful

    This has little or nothing to do with security and everything to do with Intel PR.

    Intel has been smarting since AMD beat them to the punch with the NX bit.

    The only thing a Rootkit will do that any other software install won't usually is overwrite and modify a lot more system files than it should. Hardware can't be aware of which version of hal.dll you're supposed to be running (heck, it shouldn't even know you're running Windows!). This really is something the O/S should be doing.

    Which it does. If you follow best security practices, well, heck, you're not logged on with admin privilege anyway. So how is the rootkit going to overwrite your stuff anyway? Or has your system been compromised by a hacker through an open port exploit? So your firewall failed you and you haven't patched up your O/S, and if the hacker is installing the rootkit, there's no point stopping the rootkit, because he's already in and he's just installing his zombie housekeeping tools. It'll just slow him down a bit.

    --
    I am government man, come from the government. The government has sent me. -- G.I.R.
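    Two comments in this thread (ackthpt's "do some kind of checksum and bonk the load when it fails" and obeythefist's point that only the OS can know which files are supposed to change) describe, between them, a host file-integrity checker. The Python below is an added example written for this page, not code from the thread or from Intel's proposal; the "system binaries" it hashes are constructed in a temporary directory, and the published-hash allowlist (`known_good`) is an assumption standing in for whatever a vendor would ship alongside a patch.

    ```python
    import hashlib
    import tempfile
    from pathlib import Path


    def sha256_file(path: Path) -> str:
        """Hash a file in chunks so large binaries need not fit in memory."""
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()


    def build_baseline(root: Path) -> dict:
        """Map every regular file under root (relative POSIX path) to its SHA-256.
        In real use the baseline must live somewhere the monitored system cannot
        write to; otherwise whatever replaced the binaries can rewrite the
        baseline as well."""
        return {
            p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file()
        }


    def compare(baseline: dict, current: dict, known_good=None) -> dict:
        """Classify each path as modified, added, removed or updated.
        A changed file whose new hash appears in known_good (hashes published
        with a vendor patch) is an expected update, not tampering; that is how
        a checker avoids "bonking" a legitimate security update."""
        known_good = set(known_good or ())
        result = {"modified": [], "added": [], "removed": [], "updated": []}
        for path, digest in baseline.items():
            if path not in current:
                result["removed"].append(path)
            elif current[path] != digest:
                bucket = "updated" if current[path] in known_good else "modified"
                result[bucket].append(path)
        result["added"] = [p for p in current if p not in baseline]
        return result


    def demo() -> dict:
        """Constructed scenario: baseline three 'system binaries', then replace
        one silently, patch one with a known-good update, add a file, delete one."""
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp)
            bin_dir = root / "bin"
            bin_dir.mkdir()
            originals = {
                "ps": b"#!/bin/sh\necho original ps\n",
                "ls": b"#!/bin/sh\necho original ls\n",
                "netstat": b"#!/bin/sh\necho original netstat\n",
            }
            for name, body in originals.items():
                (bin_dir / name).write_bytes(body)
            baseline = build_baseline(root)

            # 1. ps replaced with content for which no hash was ever published
            (bin_dir / "ps").write_bytes(b"#!/bin/sh\necho replaced ps\n")
            # 2. ls replaced by a vendor patch whose hash the vendor published
            patched_ls = b"#!/bin/sh\necho patched ls\n"
            known_good = {hashlib.sha256(patched_ls).hexdigest()}
            (bin_dir / "ls").write_bytes(patched_ls)
            # 3. a file that was never in the baseline appears
            (bin_dir / "newfile").write_bytes(b"#!/bin/sh\n")
            # 4. netstat disappears
            (bin_dir / "netstat").unlink()

            return compare(baseline, build_baseline(root), known_good)


    if __name__ == "__main__":
        for kind, paths in demo().items():
            print(f"{kind:9s} {paths}")
    ```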
  23. Sony by Locarius · · Score: 2, Funny

    I am sure Sony is highly against this new campaign by Intel.

  24. Which OS? by Harker · · Score: 3, Interesting

    Any bets on which OS it'll support, or rather, which it won't work with?

    I thought not.

    H.

    --
    When VCR's are outlawed, only outlaws will have VCR's.
  25. Screw SkyNet! by Anyd · · Score: 3, Funny

    I'm scared of Trapper Keeper!

  26. Re: Intel to Develop Hardware Rootkit Detection by mslinux · · Score: 5, Insightful

    Who watches them now?

  27. Re: Intel to Develop Hardware Rootkit Detection by Ashinberry · · Score: 2, Funny

    "I do."
    --- Sam Vimes, Terry Pratchett's Discworld

    --
    I have no .sig
  28. Re: Intel to Develop Hardware Rootkit Detection by IAmTheDave · · Score: 2, Insightful
    Who watches them now?

    Damn, no mod points - I love it when something simple says so much. When it comes down to it, at some level, you're gonna have to trust someone. Might as well be the entity at the bottom - that'd be Intel, at the hardware level. Fact is, unless a human is hacking around in Intel's hardware (a true unbiased third party) we just sort of inherently (sp?) trust Intel, AMD, ABit, ATrend, NVidia, etc. right now. Some extra protection against rootkits is hardly a bad thing.

    --
    Excuse my speling.
    Making The Bar Project
  29. Re:Its an OS thing.. by nmb3000 · · Score: 4, Insightful
    Rootkits are rarely seen on linux boxes, but always seen on windows box

    You're being dumb on purpose, right? Why in the world are you making such definitive statements that are so definitively false?

    Anyway, look here, or if not:
    Root kits have been around since the early 1990s but were solely the domain of Unix variants until the late '90s, when the Windows developer community began exploring root kit techniques and several programmers published root kit toolkits that other programmers could modify and extend.
    This was written by Mark Russinovich, the guy that found the Sony rootkit.

    Also, Wikipedia has some good info on rootkits, like this:
    The term "rootkit" (also written as "root kit") originally referred to a set of recompiled Unix tools such as "ps", "netstat", "w" and "passwd" that would carefully hide any trace of the intruder that those commands would normally display, thus allowing the intruders to maintain "root" on the system without the system administrator even seeing them.

    Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).
    Hmmm, it appears this is a *nix problem that has migrated to Windows.
    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
  30. Re: Intel to Develop Hardware Rootkit Detection by Skybyte · · Score: 3, Funny

    I dunno... Coast Guard?

  31. MS comments by this+great+guy · · Score: 2, Funny
    Intel to Develop Hardware Rootkit Detection

    A Microsoft spokesperson was heard commenting on this news: "When we release Windows Vista, we intend to make it so secure that we fully believe it will render such technology totally unnecessary."

  32. Updates? by pimpsoftcom · · Score: 3, Insightful

    Will it come with automatic updates over the internet? The ability to detect new rootkits? The ability to let users run code they know is safe but still trips the alarm? Not slow the computer to the speed of the chip itself?

    This sounds like a really bad idea from a bunch of people who are supposed to be really smart.

    --
    - d
  33. Re: Intel to Develop Hardware Rootkit Detection by WCLPeter · · Score: 2, Interesting

    Who will watch Intel then?

    Why... Sony, of course.

    While being funny, I think it underscores a unique point about this proposal that deserves some thought. It's all fine and dandy to check for rootkits and be big on security. If it was fair and labelled a rootkit as a rootkit, I wouldn't see too much problem with it. In a world of viruses, trojans, spyware/adware, etc... it would be nice to have one less thing to guard against.

    But I see this as yet another way to bully the small guy who might be eroding a big corp's market share ("Your software hurts us financially, shareholders blah blah blah, we'll throw a bunch of money at Intel and threaten them with our patent portfolio unless they mark it as a rootkit so it won't install."). Then at the same time allowing Sony to pull their rootkit crap and call it a "feature", and since it passed the "Intel Test" you could be sued for defamation of character or some such thing for daring to call a spade a spade.

    Pete...

  34. Re:Its an OS thing.. by Lochin+Rabbar · · Score: 2, Insightful

    Hmmm, it appears this is a *nix problem that has migrated to Windows.

    Oh dear, you've fallen into the trap of being as daft as the person you're responding to. Rootkits are a response to system security, not a sign of a badly designed system. The reason that *nix had rootkits and Windows didn't was that early versions of Windows had no security, especially not a separate administrative account. The reason we now have rootkits for MS systems is that these systems now have some of the security measures that *nix systems have had for many years, and with the advent of XP all new Windows systems are now NT based rather than DOS based, and so have the potential to be made more secure, so long as the user doesn't run as admin by default.

    Unfortunately so many programs that the typical home user wants require admin privileges, that even those users that understand the need for a separate admin account often eschew best practice, and the default setup is borked anyway. So there isn't a real need for rootkits for Windows, because those breaking into machines on an individual basis tend to attack *nix machines for the greater power they give to privileged accounts to mount further attacks on third party systems.

    What we have seen in the Windows world is various forms of malware hiding themselves from uninstall programs and malware detection programs. It just so happened that the way that the Sony CDs did this provided a mechanism for obscuring further attacks and so provided a sort of half-baked rootkit. In a sense the parent is correct; it is probably now the case that rootkits are more common on Windows machines than *nix ones. As a Linux user I am not immune to a resourceful cracker, but at least I won't get rooted by an audio CD.

  35. The first thing... by paranode · · Score: 4, Insightful

    That I thought of when I read this was 'Winmodem'... another example of a hardware/software mesh that never should have existed. Anyone else think that?

  36. Actually, no.... by cbiltcliffe · · Score: 4, Insightful

    the first thing I thought was:

    How the hell is it going to know the difference between a rootkit and a security update to the kernel?

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  37. Separation of OS and user space by urikkiru · · Score: 3, Interesting

    So, while I'm not entirely qualified to implement this, I have thought about something in the wake of the 'sony evil'. Basically, I've often wondered if it would be possible to physically separate all core OS files in a separate storage medium. This separate space would be, on the hardware level, read only most of the time. In order to install/update/patch the core OS portions, one would have to exit the running of the OS, and 'boot' into a specific mode that has permission (again on the hardware level) to write to the OS data space.

    Using a physical switch or key on the machine to set this mode would work, and wouldn't be possible to boot the OS if write mode was enabled. A form of automation would also work, in that you could have it unset this switch upon exiting the update mode of the system. Something along these lines, neh? Then you would be limited to user space corruption/exploitation/etc. True, this is a fine line to care much about, but at least you couldn't exploit a buffer overflow or some such to modify system files.

    Just my 2 coppers.