[SC-L] Intel turning to hardware for rootkit detection
ljknews
ljknews at mac.com
Tue Dec 13 15:47:05 EST 2005
At 9:28 AM -0800 12/13/05, Ron Forrester wrote:
> On 12/13/05, Kenneth R. van Wyk <Ken at krvw.com> wrote:
>> The detection mechanism seems to be looking primarily for non-OS
>> software modifying OS inhabited memory blocks. Wonder how they're defining
>> (and maintaining the definition) of each... I also wonder how it'll impact
>> near-OS software installations like, say, device drivers, authentication
>> plug-ins, and other things that need to poke pretty deeply into the OS in
>> order to install.
>
> I have to admit, when I initially read about this I immediately
> dismissed it as nothing but marketing hype -- what little details they
> gave for the solution seemed to me to be less than practical and
> certainly would have issues adapting to targeted attempts to deceive
> the mechanism.
>
> I'd love to hear other people's thoughts on the matter.
For a test of their generalized characterization of the problem,
consider how well they might do analyzing VMS running on Itanium.
If the "non-OS software" attempted to trick the "OS software" into
doing something from an inner mode, their external approach seems
intractable. On the other hand, "non-OS software" calls to "OS
software" regularly result in changes to memory protected against
outer mode access.
--
Larry Kilgallen