Security threats Toolkit

Intel: rootkits have met their match

Joris Evers CNET News.com

Published: 14 Dec 2005 17:10 GMT

...themselves from users. One of the problem spaces that our System Integrity Services is good at is detecting changes to protected programs or detecting when a protected program is stopped by something like a virus, worm or rootkit.

Can you describe in a nutshell what kind of technology Intel is working on? Is this hardware or software?
We're working on this technology we call System Integrity Services, which is a platform technology that is based on both hardware and firmware. We would add some hardware to the platform to provide an isolated execution environment, where we can run some firmware that is not tied to the host operating system and CPU.

This allows us to raise the bar as far as to what an attacker would need to do in order to compromise that isolated execution environment.

Where do you envision this technology being used?
It can be used in PCs, both at home and in the office — anywhere where we would want to detect the infiltration of a payload that a worm or a virus could carry. It would have value there.

This is very much complementary to the existing software solutions, like antivirus software. This technology is focused on detecting problems that we would not necessarily have an antivirus signature for. We can also use this technology to protect our security agents — like antivirus software or a firewall — from being shut down by these attackers.

This technology — you mentioned it includes hardware and firmware, which is software — would it need anything else to run, like a client on the desktop?
No. It really needs just cooperation from the programs that we want to protect.

What does that mean?
We'd need to make sure that the contents of the programs as they run in memory do not get changed.

In order to do that, we have to know what the initial good state of the program is. [It's] similar in concept to what driver signatures do. We need to make sure that the program, in its good state, is what is actually loaded into memory and that it stays that way.

Security threats like rootkits, viruses and worms seem to get more sophisticated by the week. Can your technology protect against future threats, or will it need some kind of an updating mechanism?
This is exactly one of the things we've designed this technology to do — to detect problems that we don't know about yet, what we call in the industry day-zero worms and viruses. Those worms and viruses that come out, and we don't know what they look like.

This technology is simply looking for changes to protected programs. It could be any kind of change — any kind of worm payload or virus payload or rootkit. As long as it changes one of those protected...

For more, click here...