[SC-L] Intel turning to hardware for rootkit detection

David Eisner cradle at umd.edu
Tue Dec 13 16:20:36 EST 2005


Ron Forrester wrote:
> On 12/13/05, Kenneth R. van Wyk <Ken at krvw.com> wrote:
>   
>> The detection mechanism seems to be looking primarily for non-OS
>> software modifying OS inhabited memory blocks.  Wonder how they're defining
>> (and maintaining the definition) of each...  I also wonder how it'll impact
>> near-OS software installations like, say, device drivers, authentication
>> plug-ins, and other things that need to poke pretty deeply into the OS in
>> order to install.
>>     
>
> I have to admit, when I initially read about this I immediately
> dismissed it as nothing but marketing hype -- what little details they
> gave for the solution seemed to me to be less than practical and
> certainly would have issues adapting to targeted attempts to deceive
> the mechanism.    
>   

A bit more detail:

  
http://www.intel.com/technology/magazine/research/runtime-integrity-1205.htm
http://www.intel.com/technology/comms/download/system_integrity_services.pdf

I haven't read these carefully, but it reminds me a bit of trusted 
computing [1].  In fact, one of the authors (first link) is a member of 
the Trusted Computing Group. Wouldn't it be funny if proposed rootkit 
"cures" turn out to provide a good platform for more formidable DRM 
technology?

-David

[1] http://www-personal.si.umich.edu/~rwash/projects/trusted/


