Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Intel Security IT

Intel to Develop Hardware Rootkit Detection 178

Jack writes "ITO is running a story on Intel's latest initiative - a hardware rootkit detector: 'Intel is trying to eliminate the human factor when dealing with root-kits detection by developing a new hardware-based technique to discover and notify users when they are downloading unintentionally a root-kit to their computer.'"
This discussion has been archived. No new comments can be posted.

Intel to Develop Hardware Rootkit Detection

Comments Filter:
  • by ackthpt ( 218170 ) * on Thursday December 08, 2005 @08:06PM (#14215558) Homepage Journal

    Warning

    The application you are attempting to execute is extremely suspicious and should be discarded immediately as it has been found to contain x86-64 (AMD64) instructions.

    Seriously, why don't they work with Microsoft to do some kind of checksum and bonk the load when it fails? This 'small chip' smells like something which would persistently degrade memory performance. Why would that be more acceptable than an operating system or BIOS which would block root-kits, i.e. you can only touch this file, this partition, etc, as logged in as root. Oh, right, on Windows processes may run under root authority and be co-opted.

    Gee, seems like it's been 20 years since DEC fixed those bugs in RSTS/E

    • Actually (Score:4, Informative)

      by Anonymous Coward on Thursday December 08, 2005 @08:18PM (#14215641)
      It sounds suspiciously like memory segmentation and/or writeable bit in the page tables. It has been around since the days of the VAX at least, and in Intel chips since the 386 (and the i890 which preceded it, but died).

      But the article is so vague and poorly written that it sounds like either the author didn't know anything about the subject or english was not his first language, or both.
      • Try reading aloud this sentence without having to stop and take a breath. I can't.

        Intel is trying to eliminate the human factor when dealing with root-kits detection by developing a new hardware-based technique to discover and notify users when they are downloading unintentionally a root-kit to their computer.


        The writer's English is quite entertaining though. Not quite a candidate for Engrish.com but close.
    • Pfft! Whats next? (Score:2, Insightful)

      by gcnaddict ( 841664 )
      Whats next? A hardware DRM scheme from Intel? *rolls eyes*
      • by Anonymous Coward
        Actually, this would certainly appear to be a foot in the door for future "enhancements" to the processor along those lines.
    • by Anonymous Coward on Thursday December 08, 2005 @09:03PM (#14215891)
      Remember what the founding fathers said: "Those who give up essential memory bandwidth for temporary safety deserve neither."
    • The first thing... (Score:5, Insightful)

      by paranode ( 671698 ) on Thursday December 08, 2005 @11:16PM (#14216525)
      That I thought of when I read this was 'Winmodem'... another example of a hardware/software mesh that never should have existed. Anyone else think that?
      • Actually, no.... (Score:5, Insightful)

        by cbiltcliffe ( 186293 ) on Thursday December 08, 2005 @11:35PM (#14216609) Homepage Journal
        the first thing I thought was:

        How the hell is it going to know the difference between a rootkit and a security update to the kernel?
        • ...difference between a rootkit and a security update to the kernel?

          What's the difference between IE and a rootkit?
          Nothing - the IE is a wide accepted remote admin tool (l33t speach = rootkit).

          If you update/patch IE you update the kernel because by MS definition, IE is a substantial part of the Windows OS.

        • I acknowledge that it's got it's own potential problems, but perhaps some form of encrypted MS/Intel key before the 'chip' allows a kernel change? Since it's not a change that is performed constantly, a few seconds for verification of a complex key isn't a big deal when waiting for software to patch. Just a suggestion.

          • but perhaps some form of encrypted MS/Intel key before the 'chip' allows a kernel change?
            So what if a computer is running BSD, Linux, Minuet, or OSX? Your suggestion sounds like the worst parts of TCPM, and could very well lead to only Windows being "trusted", because no other system can have rootkits detected.
      • No, but what I did think was "Wow, cool. Hardware rootkit detection. Intel's really on the ball with this one, already thinking about protecting the flashable on-CPU microcode from malicious activity before anyone (that we know of) has developed a rootkit that roots your hardware as opposed to your operating system."

        Then I realized: No, they're not that cool.

        too bad.
  • by Anonymous Coward on Thursday December 08, 2005 @08:09PM (#14215580)
    Who will watch Intel then?
  • According to Intel, their new project involves placing a small chip on a PC's motherboard to monitor persistently programs that might be affected of a malicious attack.

    Pop the chip off the motherboard and your problem is solved?
    • by hpa ( 7948 ) on Thursday December 08, 2005 @08:23PM (#14215687) Homepage
      Actually, this chip is the same chip that they've been pushing for years for Microsoft's DRM stuff (Palladium.) Yet another attempt at making it sound like you're benefitting, instead of getting raked over the coals.

      • I think you are 100% correct. If we're getting into the business of truly locking down computers, we have to be very careful about who ends up locked out, because it might be us. You can't make idiot-proof security without stripping the user of authority.
  • Skynet!!!! (Score:4, Funny)

    by ZiakII ( 829432 ) on Thursday December 08, 2005 @08:10PM (#14215587)
    *Tinfoil hat on* Its part of skynet to sneak in rootkits when they want...... skynet is not one computer it was all the computers with google toolbars instaled!!
  • by DaveCar ( 189300 ) on Thursday December 08, 2005 @08:11PM (#14215591)
    is this not just treacherous computing by another name? "You're downloading Debian?! That's not allowed! *bleep* *bleep* illegal operation *passing details to NSA*!"

    --
    No, I didn't RTFA. I didn't RTFSummary either.
    • Funny you should mention that.

      The first time I installed redhat on my P2 233, the BIOS's "boot virus detection" freaked out about LILO.
      • As it should. That would happen with Windows too. Boot sector virus detection alerts you when your boot sector is about to be written to, which is very rarely. Usually only when you install an OS. That's when you turn it off.
        • Or whenever you edit the partition table.

          That boot sector virus crap has always given me crap since Win95 onward. The Bios simply can't display its warning when your in Windows. Also, I haven't heard of a new virus that attacks the boot sector since about the same time. As a result, I've left it off since about that time. Why turn on something that can protect against less than 0.1% of the problem but bothers you 3% of the time when a software solution protects against 99% of the problem and doesn't cause a
    • is this not just treacherous computing by another name? "You're downloading Debian?! That's not allowed! *bleep* *bleep* illegal operation *passing details to NSA*!"

      Because this is Slashdot, I, like you brother, did not RTFA. But I concur that this will be used to control what software can and can not be run.

      I will not be able to listen to my Sony music CDs either because the hardware detector will think that it is a rootkit.

      oh wait..

    • "You're downloading Debian?! That's not allowed! *bleep* *bleep* illegal operation *passing details to NSA*!"

      Yeah, everybody knows NSA uses Gentoo.
  • by CyricZ ( 887944 ) on Thursday December 08, 2005 @08:11PM (#14215596)
    I'll just stick to using OpenBSD, Packet Filter, and common sense to keep my systems safe. Far more cost effective than what Intel is proposing.

    • by Sean ( 422 )
      Is it OpenBSD that is keeping you safe, or is it that you have the wisdom to avoid running sketchy programs on your computer combined with the fact that there isn't much malware for OpenBSD out there waiting for you to run?

      If we entered the twilight zone and imagine that OpenBSD was the dominent player in the consumer OS market we would still have tons of zombies doing bad things. Sure, thanks to ProPolice, W^X, and Guard Pages bugs in MSN and Outlook Express for OpenBSD would be less exploitable than is th
  • by LiquidCoooled ( 634315 ) on Thursday December 08, 2005 @08:12PM (#14215598) Homepage Journal
    I don't think they do.
    As the system grows, so the number of entry points which need covering will grow.

    after reading the article, I think they are sneaking in paladium under our noses.
    Using the rootkit news as cover.

    should we tremble?
  • by Josh Triplett ( 874994 ) on Thursday December 08, 2005 @08:13PM (#14215607) Homepage
    This is simply a marketing tactic to attempt to gain acceptance for a technology designed to get humans out of the loop whether they like it or not. There is no useful purpose for a technology designed to "protect" a machine from its owner. This marketing tactic simply tries to propose the "but what if we're trying to protect the owner from their own stupidity" angle; however, that kind of thing could be done in software as well.
    • The difference is that a virus can sabotoge the software, anywhere -- even at the kernel. For a sophisticated virus, you need to look for the virus from a trusted (uninfected) system. Also, software DRM can be easily disabled, for various definitions of easy (eg boot to linux and replace the DRM part with return true). I agree with you that the latter is the real deal.
    • I have to totally agree with the parent poster. This is far less a new Intel technical initiative and far more a new marketing initiative -- for TCPA.

      Considering the history of the Wintel monopolistic hegenomy, why should I as an IT professional accept at face value ANY third party control over the computers I govern, much less a hardware "solution" whose keys are held by whom (besides Intel)?

      I would place far greater trust in an OS that supports memory segmentation between execute-only, read-only, and rea
    • There is no useful purpose for a technology designed to "protect" a machine from its owner.

      Online gamers who suffer from cheaters would disagree. Movie producers who have a $10 million film to finance and want to make it available for download would also disagree.

      People are so paranoid about TCPA, it's funny. Hello people, go read the specs like I did. You'll come away with a different impression.

      The TPM chip is a tool just like encryption is. Like encryption it can be used for both bad and good. Ju

  • Wha? (Score:5, Informative)

    by Godeke ( 32895 ) * on Thursday December 08, 2005 @08:13PM (#14215609)
    Aside from wondering what language the IT Observer Staff speak natively (because it isn't English) I have to wonder why "hardware" is necessary to detect a root-kit. I'm all for being able to flag memory as executable (and thus "read only" to programs) and data (and thus unable to execute code) because the last time I wrote self modifying code for a legitimate purpose was on the C64. But what does "a small chip on a PCs motherboard" have to do with rootkits? A rootkit fools the *operating system*, not the processor.

    Either this is only memory protection (which I thought we could already do in modern processors and thus would make an additional chip redundant) or it is going to "connect the computers directly to the data" which is content free market speak. Or trusted computing, but it that market speak sounds different.
    • Re:Wha? (Score:3, Insightful)

      the last time I wrote self modifying code for a legitimate purpose was on the C64

      I think most architectures now are not guaranteed to maintain cache coherency. I used to write self-modifying code for 3d stuff on a 486's... it seemed to work then, but by all rights shouldn't have!

      • Re:Wha? (Score:2, Insightful)

        by gpw213 ( 691600 )
        the last time I wrote self modifying code for a legitimate purpose was on the C64

        I think most architectures now are not guaranteed to maintain cache coherency. I used to write self-modifying code for 3d stuff on a 486's... it seemed to work then, but by all rights shouldn't have!

        Newer architectures do not tend to guarantee cache coherency. However, if there is no hardware cache coherency, then there must be a cache flush instruction. It is needed.

        While we don't tend to think of it that way, dynamic

    • A rootkit fools the *operating system*, not the processor.



      Actually, a rootkit fools the *user* into thinking he still is root, while he actually isn't.

  • by dfjunior ( 774213 ) on Thursday December 08, 2005 @08:17PM (#14215639)
    ...dealing with root-kits detection...

    ...monitor persistently programs that might be affected of a malicious attack...

    ...doesnt expect its project to replace various protect software...

    The project is timidly scheduled...

  • ...for big buisness to enslave us. All it'll do is report competitors stuff as 'rootkits', while we are keeping our system 'secure'.
  • How would it know... (Score:2, Interesting)

    by Niraj59 ( 935921 )
    ... the difference between a desired rootkit (encrypted magic folders, which hides and password-protects certain files, for example) and an intruding one? How would it respond? If it can't tell the difference then I hope the response wouldn't be to shut it down or stop it from working but some sort of warning. This seems a little weird though - stopping a software issue with hardware. Does that even make sense?
  • vaporware (Score:2, Funny)

    by FudRucker ( 866063 )
    until Intel has a product to offer the masses that is all it is

    vaporware
    • Not in this case. It is Trusted Computing, not vaporware. Lots of big businesses are asking for this (for DRM, not anti-virus), and it *will* be offered. Just get ready to give it the proverbial kick in the balls when it comes.
  • by oztiks ( 921504 ) on Thursday December 08, 2005 @08:32PM (#14215723)
    The only way i can see such a device operating successfully is if the system has a read ahead feature on the currently running Code Segment, which may spark inefficencies in the system. Or perhaps when the system is loading the binary in memory do the checks then, again inefficencies would crop up.

    Then there are going to be applications which will need to utilise the same patterns of operation that malicious programs use, E.G Uninstallers which wipe considerable amount of data off block devices for instance.

    Perhaps such a system could be implemented on a software level on the OS's buffer cache, sort of like the way the Linux Secure Journalling system was going to operate, but this was thrown out the window because of inefficencies.

    Maybe i should RTFA
    • You know, it occurs to me that the hardware does not know what software is being run - it only knows what instructions it needs to execute. It then begs the question as to how the chip knows that these instructions should not be run.

      Any hints? (No, I didn't RTFA, if it's in there, just tell me that)

      • The thing ive been thinking about is that a rootkit these days can mean allot (almost pretty much anything malicious) BUT essentally RK was something designed to allow remote access back into a system for expoit, this was its origninal purpose and hence the coined term ROOT KIT. E.G a fake su that would operate normally but enable the user to use the program to gain root again or a fake telnetd which would do the same.

        If keeping to these levels of standard a _proper_ RK doesnt do anything really out of the
  • Won't it go off as soon as it finds its own fritz chip?
  • by putko ( 753330 ) on Thursday December 08, 2005 @08:36PM (#14215743) Homepage Journal
    How will they decide what a rootkit is?

    It looks like they'll have to err on the side of rejecting programs that just happen to look like rootkits. What would those be?

    If the OS vendor wants to release a patch or extension, won't it look "evil" to the detector chip? It will be altering the OS -- so maybe it is a rootkit.

    It seems like the marketing is running things here. With the trusted boot stuff that was a different story -- that has a good theoretical basis.
    • by DaveCar ( 189300 ) on Thursday December 08, 2005 @08:57PM (#14215851)
      It's just another meaningless press hype tactic.

      For some time I thought that "podcasting" might be an ingenious way of linking mobile music players through an ad-hoc wireless networking scheme which allowed one to disseminate an audio stream through a multicasting protocol which would utilise some kind of peer-to-peer filesharing technique to reduce end-to-end bandwidth.

      Imagine my disappointment when I learned it meant "putting an mp3 file on your homepage". And for those those still caught up in the rapture of tech-newspeak, a "blog" is what we used to call a "homepage". Believe me, renaming them has not made them more interesting.
  • You mean a massive, global corporation decided NOT to exploit the consumers through lies, deceit, and borderline-illegal business tactics?! That's crazy! There has to be an ulterior motive.
  • Dumb idea (Score:5, Insightful)

    by obeythefist ( 719316 ) on Thursday December 08, 2005 @08:48PM (#14215804) Journal
    This has little or nothing to do with security and everything to do with Intel PR.

    Intel has been smarting since AMD beat them to the punch with the NX bit.

    The only thing a Rootkit will do that any other software install won't usually is over-write and modify a lot more system files than it should. Hardware can't be aware of which version of hal.dll you're supposed to be running (heck, it shouldn't even know you're running windows!). This really is something the O/S should be doing.

    Which it does. If you follow best security practices, well, heck, you're not logged on with admin privelege anyway. So how is the rootkit going to overwrite your stuff anyway? Or has your system been compromised by a hacker through an open port exploit? So your firewall failed you and you haven't patched up your O/S, and if the hacker is installing the rootkit, there's no point stopping the rootkit, because he's already in and he's just installing his zombie housekeeping tools. It'll just slow him down a bit.
  • ...maybe "rootkit can become a word too [prnewswire.com]?
  • I have heard of some hair-brained (whatever that means) schemes to stop or annoy people from changing the default setup, but this is just takes the cake. A hardware detection of software?
  • Sony (Score:2, Funny)

    by Locarius ( 798304 )
    I am sure Sony is highly against this new campaign by Intel.
    • Sony need not worry. I'm sure Intel will happily sell vendors of such "legitimate" software a key to the system. It's you and me that needs to worry.

      More and more, hackers and pirates are looking like a lesser threat than those who claim to want to protect us from them.
  • Which OS? (Score:4, Interesting)

    by Harker ( 96598 ) on Thursday December 08, 2005 @09:02PM (#14215882)
    Any bets on which OS it'll support, or rather, which it won't work with?

    I thought not.

    H.
    • If it's the TPM chip they're talking about (likely) then it'll work with any OS : the specification is open and there are Linux drivers in the kernel already.
  • MS comments (Score:3, Funny)

    by this great guy ( 922511 ) on Thursday December 08, 2005 @09:46PM (#14216111)
    Intel to Develop Hardware Rootkit Detection

    A Microsoft spokesperson was heard commenting on this news: "When we release Windows Vista, we intend to make it so secure that we fully believe it will render such technology totally unnecessary."

  • Updates? (Score:3, Insightful)

    by pimpsoftcom ( 877143 ) on Thursday December 08, 2005 @09:46PM (#14216112) Journal

    Will it come with automatic updates over the internet? The ability to detect new rootkits? The ability to let users run code they know is safe but still trips the alarm? Not slow the computer to the speed of the chip itself?

    This sounds like a really bad idea from a bunch of people who are supposed to be really smart.

  • How the hell can you design a chip to monitor a general-purpose CPU and decide if the CPU is being used for a specific subclass of operation?

    How can it do this without being intimately tied to the OS?

    I mean, a multi-tasking, networked operating system with devices doing DMA and everything else, how the heck can it know what is dodgy?

  • It's good to see such healthy skepticism. For once, I came into a discussion about "safety" mods "for our own good" and didn't have to confront 5000 drooling zombies chanting, "Yes, Corporation! We hear and obey, Corporation! All who disagree are infidels who hate us for our freedom!"

    Dang, I think I'm ready to *bless* Sony! It's good we have a shake-down every now and then; keeps the community on it's toes!

    By the way, not only do I run FOSS on every box, but I have a policy of just upgrading my hardware

  • ALAN: It's called Tron. It's a security program itself, actually. Monitors all the contacts between our system and other systems... If it finds anything going on that's not scheduled, it shuts it down. I sent you a memo on it.

    DILLINGER: Mmm. Part of the Master Control Program?

    ALAN: No, it'll run independently. It can watchdog the MCP as well.

    --Tron (1982)

  • by urikkiru ( 801560 ) on Friday December 09, 2005 @01:11AM (#14217045) Journal
    So, while I'm not entirely qualified to implement this, I have thought about something in the wake of the 'sony evil'. Basically, I've often wondered if it would be possible to physically separate all core OS files in a separate storage medium. This separate space would be, on the hardware level, read only most of the time. In order to install/update/patch the core OS portions, one would have to exit the running of the OS, and 'boot' into a specific mode that has permission(again on the hardware level) to write to the OS data space.

    Using a physical switch or key on the machine to set this mode would work, and wouldn't be possible to boot the OS if write mode was enabled. A form of automation would also work, in that you could have it unset this switch upon exiting the update mode of the system. Something along these lines, neh? Then you would be limited to user space corruption/exploitation/etc. True, this is a fine line to care much about, but at least you couldn't exploit a buffer overflow or some such to modify system files.

    Just my 2 coppers.
  • Actualy, I want a new OS, something like plan 9 updated with.....APPLICATIONS.

    Bottom line we use computers to run applications, and realy shouldn;t have to get tied down running an OS. My atari ST works fine, OS in BIOS, not many rootkits on that. Now application rootkits that root the application, that another area of concern as applications sit on the OS so if a hacker gains access to your system at the level you deal with then they will get all the juice they need.

    TCB, naaaaaa i'd never install an OS if
  • To use AMD chips.

    (Although personally I'd prefer to avoid the whole x86 thing altogether. I compromise with x86-64, and some older PPC and Sparc boxes.)
  • So we will get one more chip to watch over our shoulders. We will get to the point where the damn mobo will have more chips to watch over us than chips to do our jobs.

    My point is, it's good (?) to have rootkit-protection. Still, an automated rootkit-detector will never ever in this life work flawlessly, on all OSes and for all kernels. How many times will it bother people unnecessarily. How many times will it block software because it falsely thinks it's malicious ?

    Maybe I'm nuts, but I never trust any

  • if (manufacturerIsSony(manufacturer, os)) {
    avoidLawSuite(os);
    }

    public void avoidLawSuite(os) {
    die(os)
    }

    public void die(os) {
    if (osFromMicrosoft(os)) {
    haltWithShinyBlueScreenOfDeath();
    } else { // Code won't come here
    segFault();
    }
    }
  • After very careful consideration, I have found that it is quite possible and highly likely that Intel is in reality run by Illuminati terrorists and are partly guilty of the terrorist attacks who took place 11. September 2001! http://en.xiando.org/Illuminati_logos [xiando.org] This IS a VERY serious accusation, so it is very important that good and honest people consider the accusation and more importantly: The evidence! Evidence available at http://torrentchannel.com/ [torrentchannel.com] documents how the US government for decades have us
  • All the solutions so far (the NX bit, the chip the article refers to, etc) are partial solutions to the problem of componentisation of compiled software running directly on a processor. Even microkernels based on message passing are a solution for this problem. The real solution is this:

    The memory map.

    Just as each process has/can have its own page table, each software component in memory should have its own memory map. Each address in the memory map would lead to a new active memory map when jumped to

  • Its nice to see that geeks are effected by the natural progression of media too.

    First there is the problem, which is real.
    Then there is response, which is real.
    Then there is FUD. Which is unwarrented.
    Then there is marketting, which is amusing but unnescissary.

    Root kits have been around for awhile, and this is the first one that has seen much attention. Just because of the former part of the proposition doesn't make them a huge threat. But the lay person will not see this, and thus think that Intel is sav
  • The only way hardware will prevent a rootkit is if they get smart and have the OS installed to a flash RAM that has the write function protected by a physical key. The OS would only be able to boot off the flash RAM. The OS could only be updated by the person holding the key. System libraries could be replaced AFTER the system was up, but with a know secure version sitting in secured memory, it would be easy to watch over them.

Someday somebody has got to decide whether the typewriter is the machine, or the person who operates it.

Working...