Slashdot Mirror


Intel to Develop Hardware Rootkit Detection

Jack writes "ITO is running a story on Intel's latest initiative - a hardware rootkit detector: 'Intel is trying to eliminate the human factor when dealing with root-kits detection by developing a new hardware-based technique to discover and notify users when they are downloading unintentionally a root-kit to their computer.'"

20 of 178 comments

  1. Warning, Will Robinson by ackthpt · · Score: 5, Interesting

    Warning

    The application you are attempting to execute is extremely suspicious and should be discarded immediately as it has been found to contain x86-64 (AMD64) instructions.

    Seriously, why don't they work with Microsoft to do some kind of checksum and bonk the load when it fails? This 'small chip' smells like something which would persistently degrade memory performance. Why would that be more acceptable than an operating system or BIOS which would block root-kits, i.e. you can only touch this file, this partition, etc, as logged in as root. Oh, right, on Windows processes may run under root authority and be co-opted.

    Gee, seems like it's been 20 years since DEC fixed those bugs in RSTS/E

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Warning, Will Robinson by Anonymous Coward · · Score: 5, Funny

      Remember what the founding fathers said: "Those who give up essential memory bandwidth for temporary safety deserve neither."

  2. Skynet!!!! by ZiakII · · Score: 4, Funny

    *Tinfoil hat on* It's part of Skynet to sneak in rootkits when they want...... Skynet is not one computer, it was all the computers with Google toolbars installed!!

  3. trusted computing, surely by DaveCar · · Score: 5, Funny

    is this not just treacherous computing by another name? "You're downloading Debian?! That's not allowed! *bleep* *bleep* illegal operation *passing details to NSA*!"

    --
    No, I didn't RTFA. I didn't RTFSummary either.

  4. Do all Operating systems work the same way? by LiquidCoooled · · Score: 4, Insightful

    I don't think they do.
    As the system grows, so the number of entry points which need covering will grow.

    After reading the article, I think they are sneaking in Palladium under our noses.
    Using the rootkit news as cover.

    should we tremble?

    --
    liqbase :: faster than paper
    1. Re:Do all Operating systems work the same way? by Urusai · · Score: 4, Funny

      Who needs a software rootkit when Intel will provide a hardware one?

  5. Re: Intel to Develop Hardware Rootkit Detection by rbochan · · Score: 5, Funny

    Who will watch Intel then?

    Why... Sony, of course.

    --
    ...Rob
    The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
  6. How to market restrictive TCPA technology to users by Josh Triplett · · Score: 5, Interesting

    This is simply a marketing tactic to attempt to gain acceptance for a technology designed to get humans out of the loop whether they like it or not. There is no useful purpose for a technology designed to "protect" a machine from its owner. This marketing tactic simply tries to propose the "but what if we're trying to protect the owner from their own stupidity" angle; however, that kind of thing could be done in software as well.

  7. Wha? by Godeke · · Score: 4, Informative

    Aside from wondering what language the IT Observer Staff speak natively (because it isn't English) I have to wonder why "hardware" is necessary to detect a root-kit. I'm all for being able to flag memory as executable (and thus "read only" to programs) and data (and thus unable to execute code) because the last time I wrote self modifying code for a legitimate purpose was on the C64. But what does "a small chip on a PCs motherboard" have to do with rootkits? A rootkit fools the *operating system*, not the processor.

    Either this is only memory protection (which I thought we could already do in modern processors and thus would make an additional chip redundant) or it is going to "connect the computers directly to the data", which is content-free market speak. Or trusted computing, but that market speak sounds different.

    --
    Sig under construction since 1998.
  8. Article this translated use to what software? by dfjunior · · Score: 5, Funny

    ...dealing with root-kits detection...

    ...monitor persistently programs that might be affected of a malicious attack...

    ...doesnt expect its project to replace various protect software...

    The project is timidly scheduled...

  9. Actually by Anonymous Coward · · Score: 4, Informative

    It sounds suspiciously like memory segmentation and/or writeable bit in the page tables. It has been around since the days of the VAX at least, and in Intel chips since the 386 (and the i890 which preceded it, but died).

    But the article is so vague and poorly written that it sounds like either the author didn't know anything about the subject or English was not his first language, or both.

  10. How is it going to work? by oztiks · · Score: 4, Interesting

    The only way I can see such a device operating successfully is if the system has a read-ahead feature on the currently running Code Segment, which may spark inefficiencies in the system. Or perhaps when the system is loading the binary into memory, do the checks then; again, inefficiencies would crop up.

    Then there are going to be applications which will need to utilise the same patterns of operation that malicious programs use, e.g. uninstallers which wipe a considerable amount of data off block devices, for instance.

    Perhaps such a system could be implemented on a software level in the OS's buffer cache, sort of like the way the Linux Secure Journalling system was going to operate, but this was thrown out the window because of inefficiencies.

    Maybe I should RTFA

  11. Re:Its an OS thing.. by bioteq · · Score: 4, Interesting

    Oh, that is definitely wrong. I have yet to encounter a rootkit on a Windows machine, but on the Linux machines I administer, I have seen a few.

    In fact, if you do a search for root kits on Google, I am willing to bet that 90% of what Google returns will be about Linux/Unix-based rootkits. Why? Because they make it easier to take over a server, and we all know that most -big servers- are Linux machines. Those are the ones that the little script kiddies want so they can take advantage of big pipes and try to DDoS their schools or something -- whatever the hell these 12 year olds are doing these days.

    So yes, in this case, "Windows is the problem" doesn't really fly. Any OS is technically open to an attack from a rootkit. It all depends on the author of said rootkit being persistent.

    Don't get me wrong - I'm a Linux lover and don't really like Windows that much (even though I use it), but the whole Linux vs. Windows argument isn't going to fly very far in this case. In fact, if I'm correct in thinking (think I am, correct me if I'm not), the first rootkit was on AT&T Unix (?) and did much the same things today's rootkits do: replace core commands such as ls, ps, top, etc. They're just now morphing over to Windows.

  12. Re:Its an OS thing.. by DaveCar · · Score: 4, Funny

    Rootkits are rarely seen on linux boxes

    Rainwulf is not misinformed, I simply posted that message after I rooted his box.

  13. Dumb idea by obeythefist · · Score: 5, Insightful

    This has little or nothing to do with security and everything to do with Intel PR.

    Intel has been smarting since AMD beat them to the punch with the NX bit.

    The only thing a rootkit will do that any other software install usually won't is overwrite and modify a lot more system files than it should. Hardware can't be aware of which version of hal.dll you're supposed to be running (heck, it shouldn't even know you're running Windows!). This really is something the O/S should be doing.

    Which it does. If you follow best security practices, well, heck, you're not logged on with admin privilege anyway. So how is the rootkit going to overwrite your stuff anyway? Or has your system been compromised by a hacker through an open port exploit? So your firewall failed you and you haven't patched up your O/S, and if the hacker is installing the rootkit, there's no point stopping the rootkit, because he's already in and he's just installing his zombie housekeeping tools. It'll just slow him down a bit.

    --
    I am government man, come from the government. The government has sent me. -- G.I.R.
  14. Re:Aren't there some limits? by DaveCar · · Score: 4, Insightful

    It's just another meaningless press hype tactic.

    For some time I thought that "podcasting" might be an ingenious way of linking mobile music players through an ad-hoc wireless networking scheme which allowed one to disseminate an audio stream through a multicasting protocol which would utilise some kind of peer-to-peer filesharing technique to reduce end-to-end bandwidth.

    Imagine my disappointment when I learned it meant "putting an mp3 file on your homepage". And for those still caught up in the rapture of tech-newspeak, a "blog" is what we used to call a "homepage". Believe me, renaming them has not made them more interesting.

  15. Re: Intel to Develop Hardware Rootkit Detection by mslinux · · Score: 5, Insightful

    Who watches them now?

  16. Re:Its an OS thing.. by nmb3000 · · Score: 4, Insightful

    Rootkits are rarely seen on linux boxes, but always seen on windows box

    You're being dumb on purpose, right? Why in the world are you making such definitive statements that are so definitively false?

    Anyway, look here, or if not:
    Root kits have been around since the early 1990s but were solely the domain of Unix variants until the late '90s, when the Windows developer community began exploring root kit techniques and several programmers published root kit toolkits that other programmers could modify and extend.
    This was written by Mark Russinovich, the guy that found the Sony rootkit.

    Also, Wikipedia has some good info on rootkits, like this:
    The term "rootkit" (also written as "root kit") originally referred to a set of recompiled Unix tools such as "ps", "netstat", "w" and "passwd" that would carefully hide any trace of the intruder that those commands would normally display, thus allowing the intruders to maintain "root" on the system without the system administrator even seeing them.

    Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).
    Hmmm, it appears this is a *nix problem that has migrated to Windows.
    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
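The rootkits described in the quotes above replace core commands (ps, netstat, w, passwd) with copies that hide the intruder, and the first comment asks why nobody just checksums binaries and blocks the load when the check fails. The script below is an added example, not from the article or any commenter: a baseline-and-verify integrity check of that kind, run against constructed fake "ps" and "netstat" files in a temporary directory so it works offline. The function and file names are assumptions, not any real tool's API.

```python
# Added example (not from the article or any commenter): a baseline-and-verify
# integrity check of the kind comment 1 asks for, applied to the core commands
# comment 16 says classic rootkits replace. Paths are constructed in a temp dir.
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths):
    """Record content hash and permission bits from a known-clean system."""
    return {p: {"sha256": sha256_file(p), "mode": os.stat(p).st_mode & 0o7777}
            for p in paths}

def verify(baseline):
    """Return {path: [findings]}; an empty dict means every binary matches."""
    findings = {}
    for p, expected in baseline.items():
        if not os.path.exists(p):
            findings[p] = ["missing"]
            continue
        issues = []
        if sha256_file(p) != expected["sha256"]:
            issues.append("content changed")
        if (os.stat(p).st_mode & 0o7777) != expected["mode"]:
            issues.append("mode changed")   # e.g. a setuid bit was added
        if issues:
            findings[p] = issues
    return findings

def demo():
    """Constructed scenario: baseline fake 'ps' and 'netstat', then swap 'ps'."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, name) for name in ("ps", "netstat")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho genuine\n")
        os.chmod(p, 0o755)
    base = build_baseline(paths)
    clean = verify(base)                    # expected: {} on the clean system
    with open(paths[0], "wb") as f:         # replace ps with a trojaned copy
        f.write(b"#!/bin/sh\n# hides intruder processes\n")
    os.chmod(paths[0], 0o4755)              # and set the setuid bit on it
    return clean, verify(base)
```

A real deployment keeps the baseline and the checker on read-only media or a separate host, since a rootkit that can replace ps can equally replace a hash list stored on the same disk.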
  17. The first thing... by paranode · · Score: 4, Insightful

    That I thought of when I read this was 'Winmodem'... another example of a hardware/software mesh that never should have existed. Anyone else think that?

  18. Actually, no.... by cbiltcliffe · · Score: 4, Insightful

    the first thing I thought was:

    How the hell is it going to know the difference between a rootkit and a security update to the kernel?

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......