100kb of Unusual Code Protecting Nuclear, ATC and United Nations Systems
An anonymous reader writes: For an ex-academic security company still in the seeding round, startup Abatis has a small but interesting roster of clients, including Lockheed Martin, the Swiss military, the United Nations and customers in the civil nuclear and air traffic control sectors. The company's product, a kernel driver compatible with Windows, Linux and Unix, occupies just 100kb with no dependencies, and reportedly achieves a 100% effectiveness rate against intruders by preventing unauthorized I/O activity. The CEO of Abatis claims, "We can stop zero day malware — the known unknowns and the unknown unknowns." The software requires no use of signature files, white-listing, heuristics or sandboxing, with a separate report from Lockheed Martin confirming very significant potential for energy savings — up to £125,000 per year in a data center with 10,000 servers.
Sounds legit.
on what principles this 'security driver' is based
I bet on good old `security through obscurity`, but plain fairy dust is not excluded either.
"Magic" technologies like this usually under-deliver, or do not help at all. In particular, a detection rate of 100% is simply impossible, already from purely theoretical observations and even more so in practice.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
It appears to be nothing more than a kernel-mode I/O monitor that allows you to assign disk I/O permissions to processes. In other words, it is basically just doing what any modern kernel does anyway. I don't get the power-saving thing though - that sounded very snake-oil-like. I mean, if your system isn't compromised, what CPU operations is it reducing exactly?
I imagine this thing started out as a legitimate third-party kernel monitor (they refer to watchdog) and then some marketing goons got involved.
I'd really like to know on what principles this 'security driver' is based.
From TFS I'm going for homeopathy. It's tiny (less than 100 kb, compared to several GB for an OS installation), has no known mechanism of effectiveness ("the software requires no use of signature files, white-listing, heuristics or sandboxing"), uses meaningless techno-babble to explain how it works ("by preventing unauthorized I/O activity"), makes unrealistic claims of effectiveness ("reportedly achieves a 100% effectiveness rate against intruders ... The CEO of Abatis claims, 'We can stop zero day malware — the known unknowns and the unknown unknowns'") and also claims to save the world ("very significant potential for energy savings").
It just automatically turns the machine off whenever you power it on! Foolproof!
That does go a long way towards explaining the power savings they were discussing...