From: Randall <rvh40@xxxxxxxxxxxxx>
Date: December 13, 2005 11:15:18 AM PST
To: JMG <johnmacsgroup@xxxxxxxxxxxxxxx>
Cc: Dewayne Hendricks <dewayne@xxxxxxxxxxxxx>
Subject: Intel Researchers Sneak Up on Rootkits
<http://www.eweek.com/print_article2/0,1217,a=167252,00.asp>
Intel Researchers Sneak Up on Rootkits
December 12, 2005
By John G. Spooner and Ryan Naraine
Intel Corp.'s researchers are working to outwit cyber attackers,
including those employing stealthy rootkits.
The chip maker's Communications Technology Lab, in a project called
System Integrity Services, has created a hardware engine to sniff out
sophisticated malware attacks by monitoring the way operating systems
and critical applications interact with hardware inside computers.
By watching a computer's main memory, the System Integrity Services
can
detect when an attacker takes control of the system—such attacks sever
the ties between data loaded into memory by an application and the
application itself—and can fool a system so as to avoid detection
while
potentially allowing for surreptitious pilfering of data or the
perpetration of other attacks.
"Our threat model assumes that the attacker gets on the system somehow
and has unrestricted access to the system," said Travis Schluessler, a
security architect inside Intel's Communications Technology Lab.
System Integrity Services "assumes [the attacker] will modify what's
running in memory to fool anti-virus software or change firewall
rules…
so as to put the system in state where he can do whatever he wants."
The System Integrity Service's hardware, however, can detect those
intrusions by monitoring the interactions between the applications and
memory.
Once it discovers an intrusion, it can issue an alert. Thus it sets
the
bar much higher for malware being able to compromise system without
being detected, Schluessler said.
Researchers tested the system with a kernel debugger, an application
whose behaviors and ability to make system changes are similar to that
of a rootkit, to prove its effectiveness, he said.
Although it might not make it to market immediately, Intel's
anti-malware research comes at a time when anti-virus vendors are
struggling to cope with the use of stealth rootkits in malware
attacks.
Using rootkit techniques, malware writers are able to gain
administrative access to compromised machines to silently run
updates to
the software or reinstall malicious programs after a user deletes
them.
Click here to read more about where rootkits come from.
If it were to be put into a product platform, Intel's System Integrity
Services could be used in conjunction with other elements,
including the
Intel Active Management Technology for monitoring hardware, and could
also be used in concert with other research projects such as Circuit
Breaker.
Circuit Breaker, a research project that might also someday find
its way
into products regulates an infected computer's access to a network.
Such a combination might help quickly head off widespread infections,
which can cost companies not only in data theft by also in reduced
employee productivity due to computer downtime and heavy use of IT
resources to clean them up, the Intel researcher said.
Indeed, in one example, "Once System Integrity Services has detected a
problem, it can tell Circuit Breaker to turn [a machine] off the
primary
network and switch it over to a remediation network," he said.
Next Page: A focus on security.
The System Integrity Services project is part of a broader focus on
security inside Intel's labs.
That focus has been brought about by the chip maker's recent shift to
designing platforms around devices such as servers or desktop PCs.
Unlike when it sold chips individually, the platform design
strategy has
Intel creating numerous add-ons, which include features such as
virtualization and the Intel Active Management Technology, which are
designed to increase the usability and manageability of desktops,
notebooks and servers.
Many of Intel's more advanced worm and virus detection technology are
still at the research stage today—some of Intel's other projects
include
worm signature detectors called autograph and polygraph—but it could
easily wind up as features inside Intel's future product platforms.
Aside from being used to improve the products for customers, they
could
also be added to bolster Intel's competitiveness versus its rival
Advanced Micro Devices Inc.
The System Integrity Services' prototype hardware uses one of Intel's
Xscale processors, which Schluessler said was overkill, and plugs
into a
PCI slot.
A future version could potentially be built for a relatively small fee
and included with Intel platforms, not unlike the way it packages
wireless modules with its processors and chipsets for its Centrino-
brand
notebooks.
"You can tie this technology in with AMT and the CPU [in each machine]
and all of a sudden you've got something that's more than the sum
of its
parts," Schluessler said.
Aside from working with Intel's own platforms, the technologies
could be
also tied in with products from Intel's close partners, including
operating system and application vendors, the company's researchers
have
said.
"We said, 'What kind of things can we do to address these challenges?'
That has driven a lot of the platform thinking, whether it's VT [Intel
Virtualization Technology] or active management, and how all those
things work together," said Dylan Larson, network security initiatives
manager at Intel's Communications Technology Lab, in a recent
interview
with Ziff Davis Internet.
"We've had security expertise and lots of competency in this space
for a
long time. Now we're looking at this even more from a platform
level on
how we can bring these things together to drive new value to
customers."
The lab is also working on a projects called Autograph and Polygraph
projects, which are designed to help prevent large-scale worm
infections
altogether by analyzing individual worms and quickly publishing
data on
how to detect them.
Click here to read more about the damage caused by the Code Red worm.
Autograph and Polygraph employ a combination of heuristics and good
old
sleuthing to track down worms and locate their signatures—or the
unique
pattern of data required for its particular exploit—and then notify
other systems with those signatures so that they can move to identify
and block the worm, said Brad Karp, at Intel Research Pittsburg, a lab
located on the campus of Carnegie Mellon University.
Autograph's source code has been made available for download via the
university's Web site, and Karp and his team are also working on a
Polygraph, a similar program which can sniff out so-called polymorphic
worms, which change each time they replicate in an effort to cover up
their signatures and thwart the defense used in Autograph.
The next step for the Systems Integrity Services now lies with Intel's
platform development teams, which will make the call on whether or not
to add the technology to its future systems, Schluessler said.