Slashdot Mirror
Intel to Develop Hardware Rootkit Detection
Jack writes "ITO is running a story on Intel's latest initiative - a hardware rootkit detector: 'Intel is trying to eliminate the human factor when dealing with root-kits detection by developing a new hardware-based technique to discover and notify users when they are downloading unintentionally a root-kit to their computer.'"
Seriously, why don't they work with Microsoft to do some kind of checksum and bonk the load when it fails? This 'small chip' smells like something which would persistently degrade memory performance. Why would that be more acceptable than an operating system or BIOS which would block root-kits, i.e. you can only touch this file, this partition, etc, as logged in as root. Oh, right, on Windows processes may run under root authority and be co-opted.
Gee, seems like it's been 20 years since DEC fixed those bugs in RSTS/E
A feeling of having made the same mistake before: Deja Foobar
Who will watch Intel then?
*Tinfoil hat on* Its part of skynet to sneak in rootkits when they want...... skynet is not one computer it was all the computers with google toolbars instaled!!
is this not just treacherous computing by another name? "You're downloading Debian?! That's not allowed! *bleep* *bleep* illegal operation *passing details to NSA*!"
--
No, I didn't RTFA. I didn't RTFSummary either.
I'll just stick to using OpenBSD, Packet Filter, and common sense to keep my systems safe. Far more cost effective than what Intel is proposing.
Cyric Zndovzny at your service.
I don't think they do.
As the system grows, so the number of entry points which need covering will grow.
after reading the article, I think they are sneaking in paladium under our noses.
Using the rootkit news as cover.
should we tremble?
liqbase
Who will watch Intel then?
Why... Sony, of course.
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
This is simply a marketing tactic to attempt to gain acceptance for a technology designed to get humans out of the loop whether they like it or not. There is no useful purpose for a technology designed to "protect" a machine from its owner. This marketing tactic simply tries to propose the "but what if we're trying to protect the owner from their own stupidity" angle; however, that kind of thing could be done in software as well.
Aside from wondering what language the IT Observer Staff speak natively (because it isn't English) I have to wonder why "hardware" is necessary to detect a root-kit. I'm all for being able to flag memory as executable (and thus "read only" to programs) and data (and thus unable to execute code) because the last time I wrote self modifying code for a legitimate purpose was on the C64. But what does "a small chip on a PCs motherboard" have to do with rootkits? A rootkit fools the *operating system*, not the processor.
Either this is only memory protection (which I thought we could already do in modern processors and thus would make an additional chip redundant) or it is going to "connect the computers directly to the data" which is content free market speak. Or trusted computing, but it that market speak sounds different.
Sig under construction since 1998.
...dealing with root-kits detection...
...monitor persistently programs that might be affected of a malicious attack...
...doesnt expect its project to replace various protect software...
The project is timidly scheduled...
It sounds suspiciously like memory segmentation and/or writeable bit in the page tables. It has been around since the days of the VAX at least, and in Intel chips since the 386 (and the i890 which preceded it, but died).
But the article is so vague and poorly written that it sounds like either the author didn't know anything about the subject or english was not his first language, or both.
Actually, this chip is the same chip that they've been pushing for years for Microsoft's DRM stuff (Palladium.) Yet another attempt at making it sound like you're benefitting, instead of getting raked over the coals.
The only way i can see such a device operating successfully is if the system has a read ahead feature on the currently running Code Segment, which may spark inefficencies in the system. Or perhaps when the system is loading the binary in memory do the checks then, again inefficencies would crop up.
Then there are going to be applications which will need to utilise the same patterns of operation that malicious programs use, E.G Uninstallers which wipe considerable amount of data off block devices for instance.
Perhaps such a system could be implemented on a software level on the OS's buffer cache, sort of like the way the Linux Secure Journalling system was going to operate, but this was thrown out the window because of inefficencies.
Maybe i should RTFA
Huh? Rootkits certainly do exist for Linux. In fact the term comes from Unix, "root". A rootkit is code that is installed to hide itself, *after* security has been compromised somehow. The ability to write a rootkit has nothign to do with the ability to compromise security. In fact I'm sure it is easier to write a Linux rootkit than a Windows one, just because in general it is easier to write system software for Linux.
Oh, that is definitly wrong. I have yet to encounter a rootkit on a Windows machine but the linux machines I administer, I have seen a few.
Infact, if you do a search for root kits on google, I am willing to bet that 90% of what google returns will be about linux/unix based rootkits. Why? Because they make it easier to over-take a server and we all know that most -big servers- are linux machines. Those are the ones that the little script kiddies want so they can take advantage of big pipes and try to DDoS their schools or something -- whatever the hell these 12 year olds are doing these days.
So yes, in this case, "Windows is the problem" doesn't really fly. Any OS is technically open to an attack from a rootkit. It all depends on the author of said rootkit to be persistant.
Don't get me wrong - I'm a linux lover and don't really like Windows that much (even though I use it) but the whole Linux Vs Windows argument isn't going to fly very far in this case. Infact, if I'm correct in thinking (Think I am, correct me if I'm not) the first rootkit was on AT&T unix (?) and did much of the same things todays rootkits do; replace core commands such as ls, ps, top, etc. They're just now morphing over to Windows.
Rootkits are rarely seen on linux boxes
Rainwulf is not misinformed, I simply posted that message after I rooted his box.
This has little or nothing to do with security and everything to do with Intel PR.
Intel has been smarting since AMD beat them to the punch with the NX bit.
The only thing a Rootkit will do that any other software install won't usually is over-write and modify a lot more system files than it should. Hardware can't be aware of which version of hal.dll you're supposed to be running (heck, it shouldn't even know you're running windows!). This really is something the O/S should be doing.
Which it does. If you follow best security practices, well, heck, you're not logged on with admin privelege anyway. So how is the rootkit going to overwrite your stuff anyway? Or has your system been compromised by a hacker through an open port exploit? So your firewall failed you and you haven't patched up your O/S, and if the hacker is installing the rootkit, there's no point stopping the rootkit, because he's already in and he's just installing his zombie housekeeping tools. It'll just slow him down a bit.
I am government man, come from the government. The government has sent me. -- G.I.R.
It's just another meaningless press hype tactic.
For some time I thought that "podcasting" might be an ingenious way of linking mobile music players through an ad-hoc wireless networking scheme which allowed one to disseminate an audio stream through a multicasting protocol which would utilise some kind of peer-to-peer filesharing technique to reduce end-to-end bandwidth.
Imagine my disappointment when I learned it meant "putting an mp3 file on your homepage". And for those those still caught up in the rapture of tech-newspeak, a "blog" is what we used to call a "homepage". Believe me, renaming them has not made them more interesting.
Any bets on which OS it'll support, or rather, which it won't work with?
I thought not.
H.
When VCR's are outlawed, only outlaws will have VCR's.
Actually, this would certainly appear to be a foot in the door for future "enhancements" to the processor along those lines.
Im scared of Trapper Keeper!
Who watches them now?
You're being dumb on purpose, right? Why in the world are you making such definitive statements that are so definitively false?
Anyway, look here, or if not:This was written by Mark Russinovich, the guy that found the Sony rootkit.
Also, Wikipedia has some good info on rootkits, like this:Hmmm, it appears this is a *nix problem that has migrated to Windows.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
I dunno... Coast Guard?
Will it come with automatic updates over the internet? The ability to detect new rootkits? The ability to let users run code they know is safe but still trips the alarm? Not slow the computer to the speed of the chip itself?
This sounds like a really bad idea from a bunch of people who are supposed to be really smart.
- d
That I thought of when I read this was 'Winmodem'... another example of a hardware/software mesh that never should have existed. Anyone else think that?
the first thing I thought was:
How the hell is it going to know the difference between a rootkit and a security update to the kernel?
"City hall" in German is "Rathaus" Kinda explains a few things......
So, while I'm not entirely qualified to implement this, I have thought about something in the wake of the 'sony evil'. Basically, I've often wondered if it would be possible to physically separate all core OS files in a separate storage medium. This separate space would be, on the hardware level, read only most of the time. In order to install/update/patch the core OS portions, one would have to exit the running of the OS, and 'boot' into a specific mode that has permission(again on the hardware level) to write to the OS data space.
Using a physical switch or key on the machine to set this mode would work, and wouldn't be possible to boot the OS if write mode was enabled. A form of automation would also work, in that you could have it unset this switch upon exiting the update mode of the system. Something along these lines, neh? Then you would be limited to user space corruption/exploitation/etc. True, this is a fine line to care much about, but at least you couldn't exploit a buffer overflow or some such to modify system files.
Just my 2 coppers.