Slashdot Mirror


Anti-Rootkit Security Beyond the OS

Orome1 writes "Cybercriminals know how to evade current operating systems-based security, demanding a new paradigm – security beyond the operating system. On that note, McAfee demonstrated the workings of its new McAfee DeepSAFE technology at the Intel Developer Forum on Tuesday. Co-developed with Intel, it allows McAfee to develop hardware-assisted security products to take advantage of a 'deeper' security footprint. It sits beyond the operating system and close to the silicon, and by operating beyond the OS, it provides a direct view of system memory and processor activity."

34 of 176 comments

  1. So I have to ask by mikerubin · · Score: 2

    Why doesn't McAfee just write an OS?

    --
    I sat down to write a new sig tonight and all I did was make the chair warm.
    1. Re:So I have to ask by monkyyy · · Score: 2

      either some hardware that double checks everything and slows everything down to a standstill,
      or a bootloader

      can't be sure, they are using vague marketing terms

      --
      warning pointless sig
    2. Re:So I have to ask by Anonymous Coward · · Score: 2, Insightful

      1) a pseudo-OS shimmed in between the OS and the hardware
      2) Another vulnerability point that can be compromised

    3. Re:So I have to ask by TheDarkMaster · · Score: 2

      McAfee running a level below the operating system? Hmm ... What could possibly go wrong? :)

      --
      Religion: The greatest weapon of mass destruction of all time
  2. Ohhh by Anonymous Coward · · Score: 2, Informative

    Scary.

  3. And then.... by Anonymous Coward · · Score: 3, Funny

    10 years later..

    "Cybercriminals know how to evade current silicon-based security, demanding a new paradigm - security beyond the hardware and the OS. On that note, McAfee demonstrated the workings of its new invention - the non-dumb user."

    1. Re:And then.... by Baloroth · · Score: 2

      I'm pretty sure that would destroy McAfee's entire business model.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  4. lower level added latency by MichaelKristopeit418 · · Score: 2, Insightful

    it is ignorant hypocrisy to assume your product deserves to be trusted to process everything because another product is vulnerable to exploit.

    now you've got your silicon running under the assumption that the OS is not implicitly trusted, but for some reason, some other OS should be trusted and should process every bit of information a 2nd time before anything is accomplished.

    #dumb

    1. Re:lower level added latency by Anonymous Coward · · Score: 2, Funny

      (marking this day in the calendar. The first post in a while from MichaelKristopeit that does make some common sense. Maybe there's still hope in this world?).

  5. That just sounds like another level to infect by Anonymous Coward · · Score: 2, Informative

    Just like ring 0 and ring -1 have been abused, I'm pretty sure that in a few years, we'll read headlines "New persistent rootkit infects McAfee DeepSafe"!

  6. better idea by Anonymous Coward · · Score: 2, Informative

    hammer a nail through the cpu it'll kill all the vira, and it will still have more computing power left than if it was running McAfee ...

  7. Just great... by Hylandr · · Score: 4, Insightful

    Now the hardware can be ground to a halt without ever loading an OS.

    Given the choice of McAfee or malware at this level, I would choose the malware.

    - Dan.

    --
    ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    1. Re:Just great... by xMrFishx · · Score: 5, Insightful

      Given the choice of McAfee or malware at this level, I would choose the malware.

      - Dan.

      Tell me again what the difference is?

      You can remove malware.

  8. turtles by Anonymous Coward · · Score: 3, Informative

    it's turtles all the way down!

  9. Might as well just return to the Tandy 1000 days by dsanfte · · Score: 2

    With a core operating system in ROM, mounted as a system disk. Flash your new OS like a BIOS.

    That'd stop a lot of this rootkit crap cold, wouldn't it?

    --
    occultae nullus est respectus musicae - originally a Greek proverb
  10. Social Engineering by AJNeufeld · · Score: 2

    Yet another technology to confuse the end users. There will be countless 3rd party versions of this, due to anti-competition legislation, a significant portion of which will be "free" or "lower cost alternatives" and not do what they promise to do.

    Nothing should get between the OS and the metal. The OS should be smart enough to watchdog all processes.

  11. Problems: by Tastecicles · · Score: 2

    OK, this is another layer to slow the system down before the OS is even loaded.

    Where's the UI? Via the OS? Is McAfee writing a UI for NT, Mac OS, Linux...? Fine, so develop a sandbox, then they write the circumvention, saving the script kiddies the bother...

    --
    Operation Guillotine is in effect.
  12. We're heading for the days of DRM everything... by garcia · · Score: 5, Interesting

    Beginning back in 2003 I talked about the future of computing which will include DRM in the BIOS. I have posted numerous times about it and even once noted DRM'd BIOSs will eventually be required to connect to the "safe" Internet.

    We're one step closer now with this... Oh looky, we have the perfect way to stop this from happening. A totally secure DRM'd BIOS. Just use our product and the secure Internet won't have any spyware/malware/etc.

    Oh, and doing online banking, paying the electric bill, connecting to webmail from Google, etc. will all require you to have a DRM-enabled BIOS.

    IPs may not point to an individual computer but the DRM'd BIOS sure will.

    1. Re:We're heading for the days of DRM everything... by maxwell+demon · · Score: 2

      It doesn't matter if it's really more secure. It only matters if it is perceived as being more secure. If you don't believe it, go to the next airport.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  13. One more thing to pwn! by Sarusa · · Score: 2

    'it provides a direct view of system memory and processor activity, allowing McAfee products to gain an additional vantage point in the computing stack'

    So it's visible from the OS. Now we have another vector of attack. How long before it's exploited to create even deeper rootkits, eh? Unless it's completely uncrackable, like the PS3.

  14. Cat and Mouse by EMG+at+MU · · Score: 2

    What is going to be different about this software layer?

    Is it going to be written in some new magical language that prevents programmers from fucking up and having buffer overflow/underflow or other common problems that you see in C and C++, the most likely languages that this kind of software would be written in?

    Just today there was an article on ./ about BIOS infections. Isn't the BIOS a layer between the OS and "silicon"? Sure, the BIOS wasn't written to be a security layer, but just because a software layer is below the OS doesn't mean that it is immune to being exploited.

    From TFA:

    Provides real time CPU event monitoring with minimal performance impact.

    (bold tags added by me)
    Bullshit. Just like normal AV has minimal performance impact now.

    Besides all of the obvious reasons that this is just another gimmick by McAfee to get more $$ from corporate IT departments with MBA directors that don't even know what the "silicon" in the marketing press release, sorry "article", means, when this gets exploited and there are viri for this layer I bet McAfee will have an AV for this layer to sell.

  15. Re:We need scanners that run the OS in VM. by blueg3 · · Score: 3, Insightful

    It means he doesn't understand the problems inherent in computer security.

  16. Wrong problem to solve by i_ate_god · · Score: 2

    Considering the vast majority of attacks rely on human stupidity, why don't we try to solve that problem first? Security should be part of the educational package in high schools. How to be secure with your digital life.

    But rather than call it security, just call it safety. Kids have to be taught how to be safe in all sorts of situations, computers shouldn't be any different.

    --
    I'm god, but it's a bit of a drag really...
  17. Co-developed with Intel by airfoobar · · Score: 2

    FYI, Intel owns McAfee now. This sounds like something between Trend ChipAwayVirus, a hardware debugger and draconian DRM.

  18. Pre-Boot Antivirus by a_nonamiss · · Score: 3, Interesting

    I use an Ubuntu USB drive that I created for the specific purpose of scanning systems before they boot into the OS. It won't detect malware in real-time, but it should, in theory, catch a rootkit that's well hidden from being detected within the OS. What I don't understand is why there's not something commercial out there that does this. With my home-made drive, I can boot, mount a TrueCrypt volume (all our computers are TrueCrypted) and scan a Windows file system with several different free tools. The only problem is, since they are free, they tend to be not very good. I scanned a system I was working with yesterday, and ClamAV, Avast!, BitDefender and AVG all missed a boot sector virus. The system was clearly infected, judging by all the BSODs and other strange behavior, but all these tools came up clean. They were also slow as hell. Each scan took hours. Finally, I attached the hard drive to a Windows machine and ESET picked up the virus right away, although it wasn't able to clean it. Had to download a separate tool from Kaspersky to do that.

    What I'm saying is most of the stuff I did is not accessible to the unwashed masses. On top of that, I would actually pay good money for a tool that I could use and not have to screw with 5 different immature anti-virus platforms that could be used to remove rootkits. Nothing about this virus was particularly fancy, once you got it outside of the OS. (It loaded kernel mode drivers to prevent it from being seen within Windows.) Why doesn't one of the major players start looking into something like this? Bootable, able to update definitions over the Internet and fast. I, and probably my company, would pay really good money for that.

    --
    -Arthur
    Cave ne ante ullas catapultas ambules
  19. Uhhh, you mean TPM! by Giant+Electronic+Bra · · Score: 2

    http://en.wikipedia.org/wiki/Trusted_Platform_Module

    Not a new idea at all. Heck, many existing motherboards support it.

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
  20. Re:Translation: by Tastecicles · · Score: 2

    why on Earth would they do something so drastic as put themselves out of a job?

    --
    Operation Guillotine is in effect.
  21. Why not just boot from CD? by Hentes · · Score: 2

    Why don't they make a bootable antirootkit like BitDefender? That's the easiest solution to the problem. Getting closer to the metal is an uphill battle because eventually malware writers will figure out how to get there themselves, and the situation just becomes worse. In fact, as antivirus software gets more and more privileges it becomes more and more like a virus. Cannot be closed, always running in the background, inspects/modifies/deletes files without your permission. Sometimes I wonder if the reason for not fixing OS bugs is that Microsoft is afraid to make AVs incompatible.

    1. Re:Why not just boot from CD? by c0lo · · Score: 2

      Why don't they make a bootable antirootkit like BitDefender?

      How could McAfee slow down your OS if you boot from CD?

      --
      Questions raise, answers kill. Raise questions to stay alive.
  22. Immutable OSes by gswallow · · Score: 2

    Bah. Back around the turn of the century I constructed the most hack-proof OS install ever. My FreeBSD-running-Squid solution mounted the entire OS off of a CD-ROM, created a 2MB RAM disk, mounted it as /etc and copied the entire /etc directory from floppy disk. After booting, it unmounted the floppy disk and I called the NOC to eject it, creating a 1cm air gap between the read-write heads of the floppy drive and the floppy disk contents. The colocation space and bandwidth were free and the floppies and CD-Rs cost $.10 each. If I ever suspected rootkits I would just shut the machine down, as I had half a dozen of these 1U servers, at $100 each off eBay! Take that, cloud computing and McAfee ROMs!

    --
    Diplomacy is the art of saying "nice doggy" until you can find a rock.
  23. sheesh by alienzed · · Score: 2

    Why can't people just stop allowing themselves to be tricked? Trust the internet like you'd trust any stranger and you'll be OK.

    --
    Never say never. Ah!! I did it again!
  24. Re:We need scanners that run the OS in VM. by Alimony+Pakhdan · · Score: 2, Funny

    But he does understand how to use buzzwords. That has to count for something, right?

  25. Re:We need scanners that run the OS in VM. by Gaygirlie · · Score: 2

    But he does understand how to use buzzwords. That has to count for something, right?

    Aye, it does: he won't make for a good administrator, but he'll make for a fine CEO.

  26. You're all wrong. for the second time in 24 hours by ka9dgx · · Score: 2

    As I pointed out less than 24 hours ago in response to a similar story... (mods in brackets)

    I keep watch on "security" threads like this one, hoping to find sanity in at least one answer prior to mine.... and keep getting disappointed.

    You're all wrong, so far. [Well, all but about 5 of you... progress is being made]

    Why? It's simple, it's not a [Trusted Platform / Virus scanning] issue, it's an Operating System design issue.

    The default permit environment present in everything except IBM's VM is the root cause of 99% of our problems. [Yes, including this one, trusting something not to install a rootkit once it gets past the virus scanner]

    Instead of giving each PROCESS a list of resources and permissions, Linux, OS-X, Windows, and pretty much everything else, does it at the USER level. (Yes, I know about app-armor, but that's a special case[, and isn't dynamic enough to do a proper job of capabilities])

    This means that all of the defenses are pointed in the wrong direction. (Imagine building a fort with 10 foot thick perimeter wall as its sole defense in the age of paratroopers and helicopters to get an idea of the scale of the problem). [In this case, they claim to have better walls]

    It doesn't matter how careful or professionally trained the application programmers are, nor how safe the programming language used to write the application is, when the OS isn't even designed to limit what they can do. All programs have bugs, you shouldn't have to trust them not to have them.

    Now, those skills and language enhancements are useful for building the operating system, especially when constructing the micro-kernel to run everything, so it's not wasted effort. [However... virus scanners are a waste, as we shouldn't need them at all]

    I predict we'll see stories like this for at least 10 more years [well... that's #2 in the first 24 hours], regardless of the effort or money put in, because we haven't [corrected] our approach yet. It's going to take a few more years until the cognitive dissonance gets loud enough in people's heads to prompt them to find a better OS, and a few more years to actually have something reasonably solid available. Until then, buckle up... it's going to be a VERY bumpy ride.