Forgot your password?
typodupeerror
Intel Security Software IT Technology

Anti-Rootkit Security Beyond the OS 176

Posted by samzenpus
from the building-a-better-wall dept.
Orome1 writes "Cybercriminals know how to evade current operating systems-based security, demanding a new paradigm – security beyond the operating system. On that note, McAfee demonstrated the workings of its new McAfee DeepSAFE technology at the Intel Developer Forum on Tuesday. Co-developed with Intel, it allows McAfee to develop hardware-assisted security products to take advantage of a 'deeper' security footprint. It sits beyond the operating system and close to the silicon, and by operating beyond the OS, it provides a direct view of system memory and processor activity."
This discussion has been archived. No new comments can be posted.

Anti-Rootkit Security Beyond the OS

Comments Filter:
  • Why doesn't McAfee just write an OS?

    • Why doesn't McAfee just write an OS?

      Too busy writing software to destroy performance on Windows. Can't spare any staff otherwise someone out there on a PC infected with^H^H^H^H^H^H^H^H^H^H^H^Hrunning McAfee might get some work done. What if that were the accountant? He might close the company account with McAfee!

    • McAfee running a level below the operating system? Hmm ... What could possibly go wrong? :)
      • by ifrag (984323)
        McAfee is confident this new security implementation will delete system files even less than prior software offerings by preventing access to the disk entirely!
  • Ohhh (Score:2, Informative)

    by Anonymous Coward

    Scary.

  • I think an anti-malware scanner that ran from a boot disk and loaded the OS on the drive into a virtual machine would be an incredibly valuable tool.

    Or we could just switch to cloud based security white-listing and kill the majority of the malware industry overnight.

    • by Microlith (54737)

      we could just switch to cloud based security white-listing

      Explain this, please?

      • by blueg3 (192743) on Wednesday September 14, 2011 @08:43PM (#37405400)

        It means he doesn't understand the problems inherent in computer security.

        • Re: (Score:2, Funny)

          But he does understand how to use buzzwords. That has to count for something, right?
          • But he does understand how to use buzzwords. That has to count for something, right?

            Aye, it does: he won't make for a good administrator, but he'll make for a fine CEO.

        • Wild guess: he means managing the entire software stack on a device using a combination of the iphone walled-garden approach and "running applications in the cloud" (like, say, google docs?).
      • I mean switching from a service that maintains a blacklist for users to a service that maintains a whitelist for users. Lock down systems so that only executables on the whitelist are allowed to run. New or modified executables, (or their hashes) get sent to the central subscription service to check to see if it should or shouldn't be added to the local whitelist. Newly patched Windows file? Allow. Popular program in use by a million subscribers to the whitelist service? Allow. Most other things? Don't allo

        • Sounds great! Open source program? Don't allow. New program from a competitor? Don't allow. In-house software? Charge a fee to allow.
          • Who said it had to be completely closed? User available overrides with scary warnings should keep the average user safe and still allow power users to do what they want.

            Most Slashdotters don't need much security beyond flashblock and noscript anyway.

            • User available overrides with scary warnings should keep the average user safe and still allow power users to do what they want.

              Yup, that's true. After all, it worked perfectly for ActiveX - don't run anything that isn't signed by a Microsoft-signed certificate unless the user clicks past the scary unsafe code warning.

              • Don't pretend those warnings were well written. They boiled down to 'Do you want to run this? y/n", and it taught poorly educated users to just click yes/allow until it ran.

    • by monkyyy (1901940)

      NO!!!, whitelisting the internet is out of the questoin

  • by Anonymous Coward on Wednesday September 14, 2011 @08:00PM (#37405098)

    10 years later..

    "Cybercriminals know how to evade current silicon-based security, demanding a new paradigm - security beyond the hardware and the OS. On that note, McAfee demonstrated the workings of it's new invention - the non-dumb user."

    • by Anonymous Coward

      "On that note, McAfee demonstrated the workings of it's new invention - the non-dumb user."

      Psh... I've had one of those for years now.

      • by c0lo (1497653)

        "On that note, McAfee demonstrated the workings of it's new invention - the non-dumb user."

        Psh... I've had one of those for years now.

        Keep it safe, preferable in a cryogenic enclosure. The species is going extinct, we'll need the DNA for cloning in the near future.

    • by Baloroth (2370816)
      I'm pretty sure that would destroy McAfee's entire business model.
    • by tigersha (151319)

      "McAffee today announced that they purchased Intel and AMD so that they can add their security scanner directly INTO the silicon."

  • it is ignorant hypocrisy to assume your product deserves to be trusted to process everything because another product is vulnerable to exploit.

    now you've got your silicon running under the assumption that the OS is not implicitly trusted, but for some reason, some other OS should be trusted and should process every bit of information a 2nd time before anything is accomplished.

    #dumb

    • Re: (Score:2, Funny)

      by Anonymous Coward
      (marking this day in the calendar. The first post in a while from MichaelKristopeit that does make some common sense. Maybe there's still hope in this world?).
  • by Anonymous Coward

    Just like ring 0 and ring -1 have been abuse, I'm pretty sure that in a few years, we'll read headlines "New persistent rookit infects McAfee DeepSafe"!

  • better idea (Score:2, Informative)

    by Anonymous Coward

    hammer a nail through the cpu it'll kill all the vira, and it will still have more computing power left than if it was running McAfee ...

    • by c0lo (1497653)

      hammer a nail through the cpu it'll kill all the vira, and it will still have more computing power left than if it was running McAfee ...

      Vira?! Why don't you stick with "viruses"? ("virus" is a mass-noun in Latin - means "venom" - doesn't support plural forms. Using the contorted neo-latin "vira" is pretty much like you'd use "malwares" in English - maybe not incorrect, but doesn't sounds good to me).

      • by djdanlib (732853)

        I have often seen "virii" used as the plural.

        But yes, using "viruses" as the plural of the word "virus" just works better. It's even specified in the dictionary, actually.

        • by c0lo (1497653)

          I have often seen "virii" used as the plural.

          Which is weird, given there's no "virius" as a noun (which would have the virii as the plural form)

  • Just great... (Score:5, Insightful)

    by Hylandr (813770) on Wednesday September 14, 2011 @08:08PM (#37405164) Homepage

    Now the hardware can be ground to a halt without ever loading an OS.

    Given the choice of McAfee or malware at this level, I would choose the malware.

    - Dan.

    • I think the only reason McAfee still exists is because of their deals with ISPs and product placement at WalMart. Certainly not because of their reputation in the security industry.

      Oh, and because they just get bought out ... by Intel. Yeah. And here we all thought (hoped) Intel would let McAfee die quietly in the corner.

      Is this a more annoying version of data execute prevention? Maybe call it DERP?
  • turtles (Score:3, Informative)

    by Anonymous Coward on Wednesday September 14, 2011 @08:12PM (#37405198)

    it's turtles all the way down!

    • It means it's Windows all the way down. Linux would be indistinguishable from malware in a hard coded, unflashable, secure chip. MS can lock up large vendor machines by claiming security, and letting Intel do the dirty work. Does anyone honestly think they'll hard code every alternative OS? Unless it is specific, it's useless. Malware can run a rootkit as a linux kernel. Also, what's to say that it wouldn't block a new kernel release even if it was whitelisted.

      Goodbye Tux, we barely knew you.

  • by dsanfte (443781) on Wednesday September 14, 2011 @08:17PM (#37405228) Journal

    With a core operating system in ROM, mounted as a system disk. Flash your new OS like a BIOS.

    That'd stop a lot of this rootkit crap cold, wouldn't it?

    • by Solandri (704621)
      That's what I was thinking. A SATA/USB3 adapter I bought [newegg.com] has a jumper to make the drive read-only. That got me thinking - why can't we have a hardware toggle switch to make the boot drive read-only? You can't root it if you can't modify any of the bootable system files, or if you do manage it a reboot will clear it up. Yeah you'd have to toggle the drive writeable to install new software or update. But is there really any point to leaving the boot drive writeable when you're not updating or installing?
      • by jafac (1449)

        Well; for something as simple as a CA Cert list, that could be updated pretty frequently (these days, LOL!) - you'd be popping that jumper on and off every Tuesday.

    • by djdanlib (732853)

      Well, yes, until some malware author reverse engineered the updater software, learned how to duplicate the bypass-the-write-protect-mechanism code that allows flashing, and then used that to inject his own code. That would take all of the next day after it hit the store shelves, at most. Have you heard of malware that alters the BIOS? There are a few prior examples of such a thing. CIH was doing that in 1998, for example. Mebromi does that today.

      So, no, it wouldn't stop it, unless you had to purchase and in

  • Yet another technology to confuse the end users. There will be countless 3rd party versions of this, due to anti-competition legislations, a significant portion which will be "free" or "lower cost alternatives" and not do what it promises to do.

    Nothing should get between the OS and the metal. The OS should be smart enough to watchdog all processes.

  • OK, this is another layer to slow the system down before the OS is even loaded.

    Where's the UI? Via the OS? Is McCaffee writing a UI for NT, Mac OS, Linux...? Fine, so develop a sandbox then they write the circumvention saving the script kiddies the bother...

  • What a waste of bits. The article didn't talk about much more than what was in the summary.
  • by garcia (6573) on Wednesday September 14, 2011 @08:32PM (#37405328) Homepage

    Beginning back in 2003 [slashdot.org] I talked about the future of computing which will include DRM in the BIOS. I have posted numerous times about it and even once noted DRM'd BIOSs will eventually be required to connect to the "safe" Internet [slashdot.org].

    We're one step closer now with this... Oh looky, we have the perfect way to stop this from happening. A totally secure DRM'd BIOS. Just use our product and the secure Internet won't have any spyware/malware/etc.

    Oh, and in order to do online banking, pay the electric bill, connect to webmail from Google, etc will all require you to have a DRM-enabled BIOS.

    IPs may not point to an individual computer but the DRM'd BIOS sure will.

    • Yeah, true. Unfortunately, it won't solve the problem. Someone'll just get control of one of the signing keys, and then we'll have non-removable, trusted malware!

    • http://en.wikipedia.org/wiki/Trusted_Platform_Module [wikipedia.org]

      Not a new idea at all. Heck, many existing mother boards support it.

    • by c0lo (1497653)

      We're one step closer now with this... Oh looky, we have the perfect way to stop this from happening. A totally secure DRM'd BIOS. Just use our product and the secure Internet won't have any spyware/malware/etc.

      Secured BIOS doesn't automatically mean the sky is falling on a DRM-ed world (I can have one of the OpenBIOS [wikipedia.org] variant secured).

  • by Sarusa (104047) on Wednesday September 14, 2011 @08:36PM (#37405358)

    'it provides a direct view of system memory and processor activity, allowing McAfee products to gain an additional vantage point in the computing stack'

    So it's visible from the OS. Now we have another vector of attack. How long before it's exploited to create even deeper rootkits, eh? Unless it's completely uncrackable, like the PS3.

    • by v1 (525388)

      It may simply be something that runs on a parallel level with the main processor, that has access (read/write) to the main system, but that cannot be modified (or even detected) by the main system. Not a bad place for AV software really. But as several have pointed out, it has to allow the user at some point to make changes/updates to it, and that means users will be letting zero-day nasties get into the protected space and then you're hosed good.

      • Any new layer of software like this will be complex enough to be hackable and has to be maintained, so it has to have ways to get into it. Even with TPM or some similar scheme there are ALWAYS weaknesses, timing attacks, back doors, bad implementation, etc.

    • I dunno. Sitting between the processor and the OS... Sounds a lot like a Linux system running Windows in a VM. And, they are right, that *would* improve matters, thanks to snapshots and virtual hardware. :P

      • by Sarusa (104047)

        I'm not reading this as a hypervisor (though it's a good idea) - it certainly could be, but they're not providing enough detail and there are already hypervisors out there.

        The FAQ on this thing isn't really a FAQ, it's just marketing bullshit, but they keep talking about the DeepSAFE hardware working in concert with the MacAfee software - there might not even be any anti-virus software as such running on the DeepSAFE hardware itself.

        That sounds more like a JTAG-type debugger for the CPU that lets software r

        • My take on it is that it is in fact some sort of hypervisor. The "hardware assist" they refer to is probably nothing more than VT-X/VT-D (or possibly some minor variation thereof). I find it a pretty big stretch to believe that Intel would spend a lot of effort developing a major new hardware feature just to accommodate McAfee.
          • by Sarusa (104047)

            I was thinking this was for Ivy Bridge or Haswell - Intel /bought/ McAfee, so adding extra future hardware support is somewhat plausible.

            But now I see a 'The technology is expected to launch in products later in 2011' line, and Ivy Bridge isn't till 2012, so you're probably right.

        • It'd also be great for breaking any sort of drm that relies on privledged apps in the OS. Great!

    • It's simply a layer under the OS, and (hopefully) read only, but it will still have bugs and exploits, and these are ones the OS can do nothing about ... ...and what's the betting that if someone decides that is malware, you can do nothing about it ...

      My machine is mine, not Microsoft's, not McAffee's ...

  • What is going to be different about this software layer?

    Is it going to be written in some new magical language that prevents programmers from fucking up and having buffer overflow/underflow or other common problems that you see in C and C++, the most likely languages that this kind of software would be written in?

    Just today there was an article on ./ about BIOS infections. Isn't the BIOS a layer between the OS and "silicon". Sure, the BIOS wasn't written to be a security layer but just because a softw
  • I rootkitted your rootkit so you can rootkit while you rootkit.
  • by i_ate_god (899684) on Wednesday September 14, 2011 @09:08PM (#37405560) Homepage

    Considering the vast majority of attacks relies on human stupidity, why don't we try to solve that problem first. Security should be part of the educational package in high schools. How to be secure with your digital life.

    But rather than call it security, just call it safety. Kids have to be taught how to be safe in all sorts of situations, computers shouldn't be any different.

  • by airfoobar (1853132) on Wednesday September 14, 2011 @09:13PM (#37405576)
    FYI, Intel owns McAfee now. This sounds like something between Trend ChipAwayVirus, a hardware debugger and draconian DRM.
  • Pre-Boot Antivirus (Score:4, Interesting)

    by a_nonamiss (743253) on Wednesday September 14, 2011 @09:17PM (#37405596)
    I use an Ubuntu USB drive that I created for the specific purpose of scanning systems before they boot into the OS. It won't detect malware in real-time, but it should, in theory, catch a root kit that's well hidden from being detected within the OS. What I don't understand is why there's not something commercial out there that does this. With my home-made drive, I can boot, mount a truecrypt volume (all our computers are truecrypted) and scan a Windows file system with several different free tools. The only problem is, since they are free, they tend to be not very good. I scanned a system I was working with yesterday, and ClamAV, Avast!, BitDefender and AVG all missed a boot sector virus. The system was clearly infected, judging by all the BSODs and other strange behavior, but all these tools came up clean. They were also slow as hell. Each scan took hours. Finally, I attached the hard drive to a Windows machine and ESET picked up the virus right away, although it wasn't able to clean it. Had to download a separate tool from Kaspersky to do that.

    What I'm saying is most of the stuff I did is not accessible to the unwashed masses. On top of that, I would actually pay good money for a tool that I could use and not have to screw with 5 different immature anti-virus platforms that could be used to remove rootkits. Nothing about this virus was particularly fancy, once you got it outside of the OS. (It loaded kernel mode drivers to prevent it from being seen within Windows.) Why don't one of the major players start looking into something like this? Bootable, able to update definitions over the Internet and fast. I, and probably my company, would pay really good money for that.
    • by TubeSteak (669689)

      The system was clearly infected, judging by all the BSODs and other strange behavior, but all these tools came up clean.

      Malware writers do one of two things:
      1) Write custom code and/or
      2) Use off the shelf encryptors

      Then they submit their code to multiple scanners until it comes up clean.
      And there's a brisk business in encryptors that will hide your code from the 20~30 most common virus scanners.

      The specific terminology escapes me because it's been so long.
      I just vaguely remember it all this from one guy who hung out on IRC and liked to talk about his botnet.
      He'd spend hours combing malware forums for the latest encryptor tha

    • "What I don't understand is why there's not something commercial out there that does this."

      There is no point.

      The developers of malware, spyware, virii, etc. all use a base-pack of popular AV software as quality control filters--if anything in the pack catches what they just wrote, it's back to the drawing board until it DOES pass. Any commercial package would be used for the same purpose and would quickly be what AV is today--one step behind the bad guys. The reason I say all of them use such tactics is qui

    • I use a Dr Web LiveCD. That cleans out a hefty chunk of the rubbish people manage to infest their machine with.

      Saying that, I've found no better antivirus tool than NOD32. I've not tried loading it on a BartPE LiveCD, but it's tempting. If I can make that a bootable USB stick, all the better.
  • Why don't they make a bootable antirootkit like bitdefender? That's the easiest solution to the problem. Getting closer to the metal is an uphill battle because eventually malware writers will figure out how to get there themselves, and the situation just becomes worse. In fact, as antivirus software get more and more privileges they beacome more and more like viruses. Cannot be closed, always running in the background, inspects/modifies/deletes files without your permission. Sometimes I wonder if the reaso
    • by c0lo (1497653)

      Why don't they make a bootable antirootkit like bitdefender?

      How could McAfee slow down your OS if you boot from CD?

      • by TubeSteak (669689)

        How could McAfee slow down your OS if you boot from CD?

        By forcing your CD drive and HD to run in PIO mode?

        • by c0lo (1497653)

          How could McAfee slow down your OS if you boot from CD?

          By forcing your CD drive and HD to run in PIO mode?

          PIO mode? Well, that's blinding fast. They'd better do something with the bytes they a readying one-by-one into CPU registries - like scanning them for malware... multiple times... reading them again when they fail to find a certain piece of malware...

  • Bah. Back around the turn of the century I constructed the most hack-proof OS install ever. My FreeBSD-running-Squid solution mounted the entire OS off of a CD-ROM, created a 2MB RAM disk, mounted it as /etc and copied the entire /etc directory from floppy disk. After booting, it unmounted the floppy disk and I called the NOC to eject it, creating a 1cm air gap between the read-write heads of the floppy drive to the floppy disk contents. The collocation space and bandwidth were free and the floppies and

    • by itsme1234 (199680)

      Nope.
      Immutable means no updates = nothing to prevent the malware from getting back in once you rebooted the box. Unless your idea of security is pulling the cord and leave it like that.
      There were worms that used RAM-only and would not survive a reboot, for example http://en.wikipedia.org/wiki/Witty_(computer_worm) [wikipedia.org] (this would only destroy data on hdd but not install there).

  • why can't people just stop allowing themselves to be tricked. Trust the internet like you'd trust any stranger and you'll be OK.
  • by ka9dgx (72702) on Thursday September 15, 2011 @01:10AM (#37406724) Homepage Journal

    As I pointed out less than 24 hours ago [slashdot.org] in response to a similar story... (mods in brackets)

    I keep watch on "security" threads like this one, hoping to find sanity in at least one answer prior to mine.... and keep getting disappointed.

    You're all wrong, so far. [Well, all but about 5 of you... progress is being made]

    Why? It's simple, it's not a [Trusted Platform / Virus scanning] issue, it's an Operating System design issue.

    The default permit environment present in everything except IBM's VM is the root cause of 99% of our problems. [Yes, including this one, trusting something not to install a rootkit once it gets past the virus scanner]

    Instead of giving each PROCESS a list of resources and permissions, Linux, OS-X, Windows, and pretty much everything else, does it at the USER level. (Yes, I know about app-armor, but that's a special case[, and isn't dynamic enough to do a proper job of capabilities])

    This means that all of the defenses are pointed in the wrong direction. (Imagine building a fort with 10 foot thick perimeter wall as its sole defense in the age of paratroopers and helicopters to get an idea of the scale of the problem). [In this case, they claim to have better walls]

    It doesn't matter how careful or professionally trained the application programmers are, nor how safe the programming language used to write the application is, when the OS isn't even designed to limit what they can do. All programs have bugs, you shouldn't have to trust them not to have them.

    Now, those skills and language enhancements are useful for building the operating system, especially when constructing the micro-kernel to run everything, so it's not wasted effort. [However... virus scanners are a waste, as we shouldn't need them at all]

    I predict we'll see stories like this for at least 10 more years [well... that's #2 in the first 24 hours], regardless of the effort or money put in, because we haven't [corrected] our approach yet. It's going to take a few more years until the cognitive dissonance gets loud enough in peoples heads to prompt them to find a better OS, and a few more years to actually have something reasonably solid available. Until then, buckle up... it's going to be a VERY bumpy ride.

    • It doesn't matter how careful or professionally trained the application programmers are, nor how safe the programming language used to write the application is, when the OS isn't even designed to limit what they can do. All programs have bugs, you shouldn't have to trust them not to have them.

      By extension, it doesn't matter how careful or professionally trained the operating system programmers are, because all operating systems have bugs. I completely agree.

      It's time to start requiring formal verifica
      • by ka9dgx (72702)

        The whole operating system doesn't need formal verification, just the kernel. If it does its job, then there is no point at which a rootkit will be given access to the underlying hardware, and thus it won't be installed.

        • If your disk driver isn't formally verified, it can overwrite the boot sector.
          If your video driver isn't formally verified, it can overwrite any location in memory.
          If your (insert just about anything here) driver that supports DMA isn't formally verified, it can also overwrite any location in memory.
          If your BIOS flashing driver isn't formally verified, the next time you boot you have a rootkit.
          If your file system driver isn't formally verified, it can modify the operating system files.
          If your window ma
          • by ka9dgx (72702)

            The only thing that MUST be verified is the OS kernel, the rest can be dealt with as untrusted code. L4 is at this stage.

            If your disk driver isn't formally verified, it can overwrite the boot sector.

            If your file system driver isn't formally verified, it can modify the operating system files.

            The OS doesn't have to trust the boot sector, it can verify the information using cryptographic signatures. If you treat the block devices as untrusted, you will do things like using checksums, CRCs, ECC, etc... don't forget that hard drives typically get 1 out of 10^15 blocks wrong in the normal course of doing business.

            You can also encrypt/sign the drivers so the OS can check for modifi

            • The OS doesn't have to trust the boot sector, it can verify the information using cryptographic signatures. If you treat the block devices as untrusted, you will do things like using checksums, CRCs, ECC, etc... don't forget that hard drives typically get 1 out of 10^15 blocks wrong in the normal course of doing business.

              DRM is not the same as formal correctness. I can probabilistically trust public key methods to protect probabilistically correct code, or I can fully trust formally proven code. Given
  • There... translated the ambiguous abbreviation in teh summery for ya.... oh, sure... we had a rootkit in UNIX before, but its such rare treat its actually quite valuable. For all intensive purposes, the OP should have just said "Windows," but its likely he's never heard of any other OS. So, again, in the summary,

    OS = Microsoft Windows
  • Make the first thing that happens during boot or a windows-install, the set-up of a VM. Let the VM monitor the OS.

  • ALAN: It's called Tron. It's a security program itself, actually. Monitors all the contacts between our system and other systems... If it finds anything going on that's not scheduled, it shuts it down. I sent you a memo on it.

    DILLINGER: Mmm. Part of the Master Control Program?

    ALAN: No, it'll run independently. It can watchdog the MCP as well.

    DILLINGER: Ah. Sounds good. Well, we should have you running again in a couple of days, I hope...

    Alan rises, goes to the door. As soon as he leaves:

    The Master Control

  • This is completely vapourware at this point, so the article is worthless for most slashdotters at this point.

    But the article is significant, in that this marks the beginning of the battle for ring -1 in the security products market. Personally I am 'root'ing for QubesOS to show the way, but having any COTS product on the market for Windows would be a good thing. Why? Because if you have a processor with the VT-x capability and you are not loading in a ring -1 hypervisor then one can be inserted under you

The meta-Turing test counts a thing as intelligent if it seeks to devise and apply Turing tests to objects of its own creation. -- Lew Mammel, Jr.

Working...