Anti-Rootkit Security Beyond the OS 176
Orome1 writes "Cybercriminals know how to evade current operating systems-based security, demanding a new paradigm – security beyond the operating system. On that note, McAfee demonstrated the workings of its new McAfee DeepSAFE technology at the Intel Developer Forum on Tuesday. Co-developed with Intel, it allows McAfee to develop hardware-assisted security products to take advantage of a 'deeper' security footprint. It sits beyond the operating system and close to the silicon, and by operating beyond the OS, it provides a direct view of system memory and processor activity."
So I have to ask (Score:2)
Why doesn't McAfee just write an OS?
Too busy with current commitments (Score:2)
Why doesn't McAfee just write an OS?
Too busy writing software to destroy performance on Windows. Can't spare any staff otherwise someone out there on a PC infected with^H^H^H^H^H^H^H^H^H^H^H^Hrunning McAfee might get some work done. What if that were the accountant? He might close the company account with McAfee!
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
either some hard ware that double checks everything and slows everything down to a standstill,
or a bootloader
cant be sure they are using vague marketing terms
Re: (Score:2)
Re: (Score:2, Insightful)
1) a pseudo-OS shimmed in between the OS and the hardware
2) Another another vulnerability point that can be compromised
Re: (Score:2)
Im sure its well coded and quite fast, though-- after all, this IS McAfee.
Re: (Score:2)
Ohhh (Score:2, Informative)
Scary.
We need scanners that run the OS in VM. (Score:2)
I think an anti-malware scanner that ran from a boot disk and loaded the OS on the drive into a virtual machine would be an incredibly valuable tool.
Or we could just switch to cloud based security white-listing and kill the majority of the malware industry overnight.
Re: (Score:2)
Explain this, please?
Re:We need scanners that run the OS in VM. (Score:4, Insightful)
It means he doesn't understand the problems inherent in computer security.
Re: (Score:2, Funny)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
I mean switching from a service that maintains a blacklist for users to a service that maintains a whitelist for users. Lock down systems so that only executables on the whitelist are allowed to run. New or modified executables, (or their hashes) get sent to the central subscription service to check to see if it should or shouldn't be added to the local whitelist. Newly patched Windows file? Allow. Popular program in use by a million subscribers to the whitelist service? Allow. Most other things? Don't allo
Re: (Score:2)
Re: (Score:2)
Who said it had to be completely closed? User available overrides with scary warnings should keep the average user safe and still allow power users to do what they want.
Most Slashdotters don't need much security beyond flashblock and noscript anyway.
Re: (Score:2)
User available overrides with scary warnings should keep the average user safe and still allow power users to do what they want.
Yup, that's true. After all, it worked perfectly for ActiveX - don't run anything that isn't signed by a Microsoft-signed certificate unless the user clicks past the scary unsafe code warning.
Re: (Score:2)
Don't pretend those warnings were well written. They boiled down to 'Do you want to run this? y/n", and it taught poorly educated users to just click yes/allow until it ran.
Re: (Score:1)
NO!!!, whitelisting the internet is out of the questoin
And then.... (Score:3, Funny)
10 years later..
"Cybercriminals know how to evade current silicon-based security, demanding a new paradigm - security beyond the hardware and the OS. On that note, McAfee demonstrated the workings of it's new invention - the non-dumb user."
Re: (Score:1)
"On that note, McAfee demonstrated the workings of it's new invention - the non-dumb user."
Psh... I've had one of those for years now.
Re: (Score:2)
"On that note, McAfee demonstrated the workings of it's new invention - the non-dumb user."
Psh... I've had one of those for years now.
Keep it safe, preferable in a cryogenic enclosure. The species is going extinct, we'll need the DNA for cloning in the near future.
Re: (Score:3)
Re: (Score:2)
"McAffee today announced that they purchased Intel and AMD so that they can add their security scanner directly INTO the silicon."
lower level added latency (Score:2, Insightful)
now you've got your silicon running under the assumption that the OS is not implicitly trusted, but for some reason, some other OS should be trusted and should process every bit of information a 2nd time before anything is accomplished.
#dumb
Re: (Score:2, Funny)
That just sounds like another level to infect (Score:2, Informative)
Just like ring 0 and ring -1 have been abuse, I'm pretty sure that in a few years, we'll read headlines "New persistent rookit infects McAfee DeepSafe"!
better idea (Score:2, Informative)
hammer a nail through the cpu it'll kill all the vira, and it will still have more computing power left than if it was running McAfee ...
Re: (Score:2)
hammer a nail through the cpu it'll kill all the vira, and it will still have more computing power left than if it was running McAfee ...
Vira?! Why don't you stick with "viruses"? ("virus" is a mass-noun in Latin - means "venom" - doesn't support plural forms. Using the contorted neo-latin "vira" is pretty much like you'd use "malwares" in English - maybe not incorrect, but doesn't sounds good to me).
Re: (Score:2)
I have often seen "virii" used as the plural.
But yes, using "viruses" as the plural of the word "virus" just works better. It's even specified in the dictionary, actually.
Re: (Score:2)
I have often seen "virii" used as the plural.
Which is weird, given there's no "virius" as a noun (which would have the virii as the plural form)
Re: (Score:2)
Just great... (Score:5, Insightful)
Now the hardware can be ground to a halt without ever loading an OS.
Given the choice of McAfee or malware at this level, I would choose the malware.
- Dan.
Re: (Score:2)
Oh, and because they just get bought out
Is this a more annoying version of data execute prevention? Maybe call it DERP?
Re:Just great... (Score:5, Insightful)
Given the choice of McAfee or malware at this level, I would choose the malware.
- Dan.
Tell me again what the difference is?
You can remove malware.
Re: (Score:2)
Mod prent funny... but true.
Re: (Score:2)
ditto, I wish I had mod points. Nice zing there.
Re: (Score:2)
Given the choice of McAfee or malware at this level, I would choose the malware.
- Dan.
Tell me again what the difference is?
TCO.
turtles (Score:3, Informative)
it's turtles all the way down!
Worse, much much worse! (Score:2)
It means it's Windows all the way down. Linux would be indistinguishable from malware in a hard coded, unflashable, secure chip. MS can lock up large vendor machines by claiming security, and letting Intel do the dirty work. Does anyone honestly think they'll hard code every alternative OS? Unless it is specific, it's useless. Malware can run a rootkit as a linux kernel. Also, what's to say that it wouldn't block a new kernel release even if it was whitelisted.
Goodbye Tux, we barely knew you.
Might as well just return to the Tandy 1000 days (Score:3)
With a core operating system in ROM, mounted as a system disk. Flash your new OS like a BIOS.
That'd stop a lot of this rootkit crap cold, wouldn't it?
Re: (Score:2)
Re: (Score:2)
Well; for something as simple as a CA Cert list, that could be updated pretty frequently (these days, LOL!) - you'd be popping that jumper on and off every Tuesday.
Re: (Score:2)
Well, yes, until some malware author reverse engineered the updater software, learned how to duplicate the bypass-the-write-protect-mechanism code that allows flashing, and then used that to inject his own code. That would take all of the next day after it hit the store shelves, at most. Have you heard of malware that alters the BIOS? There are a few prior examples of such a thing. CIH was doing that in 1998, for example. Mebromi does that today.
So, no, it wouldn't stop it, unless you had to purchase and in
Re: (Score:2)
Windows on a cartridge sure would deter piracy...
Re: (Score:2)
It's our only sure defense against the Cylon menace!
Re: (Score:2)
Jut because it is a jumper now, doesn't mean it needs to stay that way.
Social Engineering (Score:2)
Yet another technology to confuse the end users. There will be countless 3rd party versions of this, due to anti-competition legislations, a significant portion which will be "free" or "lower cost alternatives" and not do what it promises to do.
Nothing should get between the OS and the metal. The OS should be smart enough to watchdog all processes.
Problems: (Score:2)
OK, this is another layer to slow the system down before the OS is even loaded.
Where's the UI? Via the OS? Is McCaffee writing a UI for NT, Mac OS, Linux...? Fine, so develop a sandbox then they write the circumvention saving the script kiddies the bother...
Not much of an article (Score:2)
We're heading for the days of DRM everything... (Score:5, Interesting)
Beginning back in 2003 [slashdot.org] I talked about the future of computing which will include DRM in the BIOS. I have posted numerous times about it and even once noted DRM'd BIOSs will eventually be required to connect to the "safe" Internet [slashdot.org].
We're one step closer now with this... Oh looky, we have the perfect way to stop this from happening. A totally secure DRM'd BIOS. Just use our product and the secure Internet won't have any spyware/malware/etc.
Oh, and in order to do online banking, pay the electric bill, connect to webmail from Google, etc will all require you to have a DRM-enabled BIOS.
IPs may not point to an individual computer but the DRM'd BIOS sure will.
Re: (Score:2)
Yeah, true. Unfortunately, it won't solve the problem. Someone'll just get control of one of the signing keys, and then we'll have non-removable, trusted malware!
Uhhh, you mean TPM! (Score:3)
http://en.wikipedia.org/wiki/Trusted_Platform_Module [wikipedia.org]
Not a new idea at all. Heck, many existing mother boards support it.
Re: (Score:2)
We're one step closer now with this... Oh looky, we have the perfect way to stop this from happening. A totally secure DRM'd BIOS. Just use our product and the secure Internet won't have any spyware/malware/etc.
Secured BIOS doesn't automatically mean the sky is falling on a DRM-ed world (I can have one of the OpenBIOS [wikipedia.org] variant secured).
Re: (Score:2)
It doesn't matter if it's really more secure. It only matters if it is perceived as being more secure. If you don't believe it, go to the next airport.
Re: (Score:2)
It doesn't matter if it's really more secure. It only matters if it is perceived as being more secure. If you don't believe it, go to the next airport.
The thing is, people don't even believe that is more secure. The problem is that they believe that the people doing those stupid things in the airports are genuinely trying to make things more secure. If we can get people to understand that the TSA is not trying to make airports more secure (the TSA is merely trying to get people to think they are trying to make airports more secure), then we can perhaps get them on board to fixing the problem (both the problem of making the airport more secure and the prob
Re: (Score:2)
"You've been fearmongering for 8 years about something that will never happen."
Steam and free2play games online are already happening (enlosure) through simply having new generations grow up with things being that way. Most kids don't give a shit about DRM. They just want to play.
One more thing to pwn! (Score:3)
'it provides a direct view of system memory and processor activity, allowing McAfee products to gain an additional vantage point in the computing stack'
So it's visible from the OS. Now we have another vector of attack. How long before it's exploited to create even deeper rootkits, eh? Unless it's completely uncrackable, like the PS3.
Re: (Score:2)
It may simply be something that runs on a parallel level with the main processor, that has access (read/write) to the main system, but that cannot be modified (or even detected) by the main system. Not a bad place for AV software really. But as several have pointed out, it has to allow the user at some point to make changes/updates to it, and that means users will be letting zero-day nasties get into the protected space and then you're hosed good.
Yeah, exactly (Score:2)
Any new layer of software like this will be complex enough to be hackable and has to be maintained, so it has to have ways to get into it. Even with TPM or some similar scheme there are ALWAYS weaknesses, timing attacks, back doors, bad implementation, etc.
Re: (Score:2)
I dunno. Sitting between the processor and the OS... Sounds a lot like a Linux system running Windows in a VM. And, they are right, that *would* improve matters, thanks to snapshots and virtual hardware. :P
Re: (Score:2)
I'm not reading this as a hypervisor (though it's a good idea) - it certainly could be, but they're not providing enough detail and there are already hypervisors out there.
The FAQ on this thing isn't really a FAQ, it's just marketing bullshit, but they keep talking about the DeepSAFE hardware working in concert with the MacAfee software - there might not even be any anti-virus software as such running on the DeepSAFE hardware itself.
That sounds more like a JTAG-type debugger for the CPU that lets software r
Re: (Score:2)
Re: (Score:2)
I was thinking this was for Ivy Bridge or Haswell - Intel /bought/ McAfee, so adding extra future hardware support is somewhat plausible.
But now I see a 'The technology is expected to launch in products later in 2011' line, and Ivy Bridge isn't till 2012, so you're probably right.
Re: (Score:2)
It'd also be great for breaking any sort of drm that relies on privledged apps in the OS. Great!
Re: (Score:2)
It's simply a layer under the OS, and (hopefully) read only, but it will still have bugs and exploits, and these are ones the OS can do nothing about ... ...and what's the betting that if someone decides that is malware, you can do nothing about it ...
My machine is mine, not Microsoft's, not McAffee's ...
Cat and Mouse (Score:2)
Is it going to be written in some new magical language that prevents programmers from fucking up and having buffer overflow/underflow or other common problems that you see in C and C++, the most likely languages that this kind of software would be written in?
Just today there was an article on
xzibit (Score:1)
Wrong problem to solve (Score:3)
Considering the vast majority of attacks relies on human stupidity, why don't we try to solve that problem first. Security should be part of the educational package in high schools. How to be secure with your digital life.
But rather than call it security, just call it safety. Kids have to be taught how to be safe in all sorts of situations, computers shouldn't be any different.
Co-developed with Intel (Score:3)
Pre-Boot Antivirus (Score:4, Interesting)
What I'm saying is most of the stuff I did is not accessible to the unwashed masses. On top of that, I would actually pay good money for a tool that I could use and not have to screw with 5 different immature anti-virus platforms that could be used to remove rootkits. Nothing about this virus was particularly fancy, once you got it outside of the OS. (It loaded kernel mode drivers to prevent it from being seen within Windows.) Why don't one of the major players start looking into something like this? Bootable, able to update definitions over the Internet and fast. I, and probably my company, would pay really good money for that.
Re: (Score:2)
The system was clearly infected, judging by all the BSODs and other strange behavior, but all these tools came up clean.
Malware writers do one of two things:
1) Write custom code and/or
2) Use off the shelf encryptors
Then they submit their code to multiple scanners until it comes up clean.
And there's a brisk business in encryptors that will hide your code from the 20~30 most common virus scanners.
The specific terminology escapes me because it's been so long.
I just vaguely remember it all this from one guy who hung out on IRC and liked to talk about his botnet.
He'd spend hours combing malware forums for the latest encryptor tha
Re: (Score:2)
"What I don't understand is why there's not something commercial out there that does this."
There is no point.
The developers of malware, spyware, virii, etc. all use a base-pack of popular AV software as quality control filters--if anything in the pack catches what they just wrote, it's back to the drawing board until it DOES pass. Any commercial package would be used for the same purpose and would quickly be what AV is today--one step behind the bad guys. The reason I say all of them use such tactics is qui
Re: (Score:2)
Saying that, I've found no better antivirus tool than NOD32. I've not tried loading it on a BartPE LiveCD, but it's tempting. If I can make that a bootable USB stick, all the better.
Why not just boot from CD? (Score:2)
Re: (Score:3)
Why don't they make a bootable antirootkit like bitdefender?
How could McAfee slow down your OS if you boot from CD?
Re: (Score:2)
How could McAfee slow down your OS if you boot from CD?
By forcing your CD drive and HD to run in PIO mode?
Re: (Score:2)
How could McAfee slow down your OS if you boot from CD?
By forcing your CD drive and HD to run in PIO mode?
PIO mode? Well, that's blinding fast. They'd better do something with the bytes they a readying one-by-one into CPU registries - like scanning them for malware... multiple times... reading them again when they fail to find a certain piece of malware...
Immutable OSes (Score:2)
Bah. Back around the turn of the century I constructed the most hack-proof OS install ever. My FreeBSD-running-Squid solution mounted the entire OS off of a CD-ROM, created a 2MB RAM disk, mounted it as /etc and copied the entire /etc directory from floppy disk. After booting, it unmounted the floppy disk and I called the NOC to eject it, creating a 1cm air gap between the read-write heads of the floppy drive to the floppy disk contents. The collocation space and bandwidth were free and the floppies and
Re: (Score:2)
Nope.
Immutable means no updates = nothing to prevent the malware from getting back in once you rebooted the box. Unless your idea of security is pulling the cord and leave it like that.
There were worms that used RAM-only and would not survive a reboot, for example http://en.wikipedia.org/wiki/Witty_(computer_worm) [wikipedia.org] (this would only destroy data on hdd but not install there).
sheesh (Score:2)
You're all wrong. for the second time in 24 hours (Score:3)
As I pointed out less than 24 hours ago [slashdot.org] in response to a similar story... (mods in brackets)
I keep watch on "security" threads like this one, hoping to find sanity in at least one answer prior to mine.... and keep getting disappointed.
You're all wrong, so far. [Well, all but about 5 of you... progress is being made]
Why? It's simple, it's not a [Trusted Platform / Virus scanning] issue, it's an Operating System design issue.
The default permit environment present in everything except IBM's VM is the root cause of 99% of our problems. [Yes, including this one, trusting something not to install a rootkit once it gets past the virus scanner]
Instead of giving each PROCESS a list of resources and permissions, Linux, OS-X, Windows, and pretty much everything else, does it at the USER level. (Yes, I know about app-armor, but that's a special case[, and isn't dynamic enough to do a proper job of capabilities])
This means that all of the defenses are pointed in the wrong direction. (Imagine building a fort with 10 foot thick perimeter wall as its sole defense in the age of paratroopers and helicopters to get an idea of the scale of the problem). [In this case, they claim to have better walls]
It doesn't matter how careful or professionally trained the application programmers are, nor how safe the programming language used to write the application is, when the OS isn't even designed to limit what they can do. All programs have bugs, you shouldn't have to trust them not to have them.
Now, those skills and language enhancements are useful for building the operating system, especially when constructing the micro-kernel to run everything, so it's not wasted effort. [However... virus scanners are a waste, as we shouldn't need them at all]
I predict we'll see stories like this for at least 10 more years [well... that's #2 in the first 24 hours], regardless of the effort or money put in, because we haven't [corrected] our approach yet. It's going to take a few more years until the cognitive dissonance gets loud enough in peoples heads to prompt them to find a better OS, and a few more years to actually have something reasonably solid available. Until then, buckle up... it's going to be a VERY bumpy ride.
Re: (Score:2)
By extension, it doesn't matter how careful or professionally trained the operating system programmers are, because all operating systems have bugs. I completely agree.
It's time to start requiring formal verifica
Re: (Score:2)
The whole operating system doesn't need formal verification, just the kernel. If it does its job, then there is no point at which a rootkit will be given access to the underlying hardware, and thus it won't be installed.
Re: (Score:2)
If your video driver isn't formally verified, it can overwrite any location in memory.
If your (insert just about anything here) driver that supports DMA isn't formally verified, it can also overwrite any location in memory.
If your BIOS flashing driver isn't formally verified, the next time you boot you have a rootkit.
If your file system driver isn't formally verified, it can modify the operating system files.
If your window ma
Re: (Score:2)
The only thing that MUST be verified is the OS kernel, the rest can be dealt with as untrusted code. L4 is at this stage.
If your disk driver isn't formally verified, it can overwrite the boot sector.
If your file system driver isn't formally verified, it can modify the operating system files.
The OS doesn't have to trust the boot sector, it can verify the information using cryptographic signatures. If you treat the block devices as untrusted, you will do things like using checksums, CRCs, ECC, etc... don't forget that hard drives typically get 1 out of 10^15 blocks wrong in the normal course of doing business.
You can also encrypt/sign the drivers so the OS can check for modifi
Re: (Score:2)
DRM is not the same as formal correctness. I can probabilistically trust public key methods to protect probabilistically correct code, or I can fully trust formally proven code. Given
Re: (Score:2)
Kernels can be replaced in real time, it's been done in Linux.
Something in hardware (which is implied in this new technology) has to be updateable in order to resist threats over time. It too will have the same critical points as any system which doesn't trust the code running on it.
A capabilities based operating system would have about the same attack surface because it wouldn't trust anything by default, the opposite of the way things are now.
Instead of deploying a new hardware stack, isn't it better to j
It will work great until a BIOS virus appears. (Score:2)
OS = Microsoft Windows (Score:2)
OS = Microsoft Windows
Do it in software. (Score:2)
Make the first thing that happens during boot or a windows-install, the set-up of a VM. Let the VM monitor the OS.
Sounds strangely familiar... (Score:2)
ALAN: It's called Tron. It's a security program itself, actually. Monitors all the contacts between our system and other systems... If it finds anything going on that's not scheduled, it shuts it down. I sent you a memo on it.
DILLINGER: Mmm. Part of the Master Control Program?
ALAN: No, it'll run independently. It can watchdog the MCP as well.
DILLINGER: Ah. Sounds good. Well, we should have you running again in a couple of days, I hope...
Alan rises, goes to the door. As soon as he leaves:
The Master Control
Market speak, but it will solve one problem... (Score:2)
But the article is significant, in that this marks the beginning of the battle for ring -1 in the security products market. Personally I am 'root'ing for QubesOS to show the way, but having any COTS product on the market for Windows would be a good thing. Why? Because if you have a processor with the VT-x capability and you are not loading in a ring -1 hypervisor then one can be inserted under you
Re: (Score:2)
why on Earth would they do something so drastic as put themselves out of a job?
Re: (Score:2)
McAfee thinks that Microsoft will never be able to write a secure OS, so they are taking matters into their own hands.
No, McAfee is afraid Microsoft will write a secure OS (or at least an malware detector/remover better than McAfee's), so they want to put an insecure layer beneath Microsoft's OS so that they can ensure that they will still have a business going forward (with the bonus of being able to sell info to the MAFIAA to limit people's ability to copy non-copyrighted work).
Re: (Score:2)
Been doing the same 4 DECADES already
You've been doing virus removal for 40 years? I guess you got your start on OS/360!
Re: (Score:2)
I can see version 1.0 of this product including provisions for Sony.