Slashdot Mirror


100kb of Unusual Code Protecting Nuclear, ATC and United Nations Systems

An anonymous reader writes: For an ex-academic security company still in the seeding round, startup Abatis has a small but interesting roster of clients, including Lockheed Martin, the Swiss military, the United Nations and customers in the civil nuclear and air traffic control sectors. The company's product, a kernel driver compatible with Windows, Linux and Unix, occupies just 100kb with no dependencies, and reportedly achieves a 100% effectiveness rate against intruders by preventing unauthorized I/O activity. The CEO of Abatis claims, "We can stop zero day malware — the known unknowns and the unknown unknowns." The software requires no use of signature files, white-listing, heuristics or sandboxing, with a separate report from Lockheed Martin confirming very significant potential for energy savings — up to £125,000 per year in a data center with 10,000 servers.

3 of 145 comments

  1. Re:'Numérotez vos abatis'... by Anonymous Coward · Score: 5, Informative

    Literally: "lèche un très gros pénis" ("lick a very big penis"), but "suce une très grosse bite" ("suck a very big dick") would be a more common way to say it.

  2. Cut the write enable line? by Sangui5 · Score: 5, Informative

    Chris Howden and John Plumb are the author and approver (respectively) from Lockheed. Chris and John are lousy scientists.

    The kindest way I can figure it is that the driver simply disables disk IO... hence there may be a small power savings from the lack of writes. Less kindly, they happened to measure lower power, and are reporting experimental noise as a solid result (see www-plan.cs.colorado.edu/diwan/asplos09.pdf for instance). We have no error bars (or even a # of runs), so it really isn't possible to say, but disabling disk writes could conceivably reduce power draw. The methodology section is sketchy enough to make solid conclusions impossible; the reporting of experimental details is worse.

    Of course, this doesn't (and they admit it) stop me from hacking them in RAM... nor does it stop persistent firmware attacks (e.g. http://www.wired.com/2015/02/n...), nor does it stop me from trapping to ring 0, then trapping to SMM, then just ignoring their F*ING CODE BECAUSE I'M IN SMM MODE BITCH!!! I GOTZ MY OWNZ ATA CODEZ

    Or something. I'd recommend just cutting the write-enable line on an old IDE drive, or rebooting periodically and running Tripwire from non-writable media (CD?). It's likely cheaper, and probably just as effective.
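As an added illustration of the Tripwire-style check the comment above recommends (editorial example, not Tripwire's code and not part of the original thread): hash every file in a baseline, re-hash later, and report what was added, removed or modified. The sample file trees are constructed for the example; `snapshot_dir` shows the same logic over a real directory, skipping symlinks so a monitored path cannot be pointed at an unchanged copy elsewhere.

```python
"""Tripwire-style file-integrity check: hash a baseline, re-hash later, diff.

Added example accompanying the comment above; it is not Tripwire's code.
The paths and file contents below are constructed for illustration.
"""
import hashlib
import os


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_mapping(files: dict) -> dict:
    """Hash an in-memory {path: bytes} tree (used for the constructed demo)."""
    return {path: sha256_bytes(content) for path, content in sorted(files.items())}


def snapshot_dir(root: str) -> dict:
    """Hash every regular file under `root`, keyed by path relative to root.

    Symlinks are skipped so that an attacker cannot redirect a monitored path
    to an unmodified copy elsewhere in order to hide a change.
    """
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = sha256_bytes(fh.read())
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Report paths that were added, removed or modified since the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def baseline_fingerprint(baseline: dict) -> str:
    """Hash of the baseline database itself. Record this off-host or on the
    read-only boot media: an attacker with write access can otherwise simply
    re-baseline after modifying files."""
    canonical = "\n".join(f"{h}  {p}" for p, h in sorted(baseline.items())).encode()
    return sha256_bytes(canonical)


# Constructed sample trees: a clean install and the same host after a change.
CLEAN_TREE = {
    "bin/ls": b"ELF ls v1",
    "etc/hosts": b"127.0.0.1 localhost\n",
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
}
CHANGED_TREE = {
    "bin/ls": b"ELF ls v1 + trojan",          # modified in place
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "bin/.sshd_backup": b"ELF dropper",       # added
    # etc/hosts removed
}


def demo() -> dict:
    """Baseline the clean tree, then check the changed tree against it."""
    baseline = snapshot_mapping(CLEAN_TREE)
    return compare(baseline, snapshot_mapping(CHANGED_TREE))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Running it from read-only media only helps if the baseline database (and the checker binary) are on that media too; `baseline_fingerprint` gives you a single value to write down off-host so that a rewritten baseline is itself detectable.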

  3. Re:'Numérotez vos abatis'... by TimothyLawless · Score: 5, Informative

    Based on the exclusions, it sounds like a rule-based anomaly detection engine with some sort of self-training module. Ironically, this is one of the first types of IDS systems created, and is counted as one of the first works by Dorothy Denning (http://webpages.cs.luc.edu/~pld/courses/447/sum08/class9/denning.intrusion_detection_model.pdf). The most successful implementations have used the Markov chain based model. Their downside is that they require a degree of 'training' before the IDS model may go active; however, in a well understood environment like that of a Windows server running Windows applications, it's possible the training could be done in the back-end shop and shipped to customers as part of the COTS product.
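As an added illustration of the train-then-go-active, Markov-chain style anomaly model the comment above describes (editorial example; not Abatis code and not part of the original thread): learn first-order transition counts between I/O events from known-good traces, then flag any trace containing a transition that is improbable under that baseline. The event names, baseline traces and threshold are constructed assumptions for the example.

```python
"""First-order Markov-chain anomaly detector over event sequences.

Added illustration of the 'train first, then go active' rule-based anomaly
model the comment above attributes to Denning. It is not Abatis code; the
event names, baseline traces and the threshold are constructed assumptions.
"""
import math
from collections import defaultdict


class MarkovAnomalyDetector:
    def __init__(self, min_log_prob: float = -4.0, alpha: float = 0.01):
        # counts[a][b] = number of times event b followed event a in training
        self.counts = defaultdict(lambda: defaultdict(int))
        self.min_log_prob = min_log_prob  # assumed threshold; tune per site
        self.alpha = alpha                # smoothing mass for unseen transitions
        self.trained = False

    def train(self, traces) -> None:
        """Learn transition counts from known-good traces (the training phase)."""
        for trace in traces:
            for a, b in zip(trace, trace[1:]):
                self.counts[a][b] += 1
        self.trained = True

    def transition_log_prob(self, a: str, b: str) -> float:
        """Smoothed log P(b | a).

        A transition never seen in training gets a small non-zero mass instead
        of log(0); an event type never seen at all has no baseline, so it is
        treated as maximally surprising.
        """
        row = self.counts.get(a)
        if not row:
            return float("-inf")
        total = sum(row.values())
        vocab = len(self.counts) + 1  # +1 reserves mass for never-seen symbols
        return math.log((row.get(b, 0) + self.alpha) / (total + self.alpha * vocab))

    def score(self, trace):
        """Per-transition (a, b, log_prob) for a trace."""
        return [(a, b, self.transition_log_prob(a, b)) for a, b in zip(trace, trace[1:])]

    def is_anomalous(self, trace) -> bool:
        """Flag a trace if any single transition falls below the threshold."""
        if not self.trained:
            raise RuntimeError("model must be trained before it goes active")
        return any(lp < self.min_log_prob for _, _, lp in self.score(trace))


# Constructed baseline: ordinary file-I/O event sequences from a quiet server.
BASELINE_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "close"],
    ["open", "write", "close"],
    ["open", "write", "write", "close"],
    ["open", "read", "close"],
]


def build_detector() -> MarkovAnomalyDetector:
    """Pre-train on the baseline, as a vendor could ship a trained model."""
    det = MarkovAnomalyDetector()
    det.train(BASELINE_TRACES)
    return det


if __name__ == "__main__":
    det = build_detector()
    for trace in (["open", "read", "close"],
                  ["open", "write", "exec", "close"],   # unseen event type
                  ["open", "close"]):                   # known events, unseen order
        print(trace, "ANOMALY" if det.is_anomalous(trace) else "ok")
```

Two points the threshold illustrates: a sequence of entirely familiar events in an order the baseline never contained (`open` straight to `close`) scores as low as a brand-new event type, and the smoothing constant decides how harshly rare-but-legitimate transitions are punished, which is where the false-positive rate of this kind of engine is really set.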