[ISN] Intel Researchers Sneak Up on Rootkits

InfoSec News isn at c4i.org
Tue Dec 13 02:22:23 EST 2005


http://www.eweek.com/article2/0,1895,1900533,00.asp

By John G. Spooner and Ryan Naraine 
December 12, 2005 

Intel Corp.'s researchers are working to outwit cyber attackers,
including those employing stealthy rootkits.

The chip maker's Communications Technology Lab, in a project called
System Integrity Services, has created a hardware engine to sniff out
sophisticated malware attacks by monitoring the way operating systems
and critical applications interact with hardware inside computers.

By watching a computer's main memory, the System Integrity Services
can detect when an attacker takes control of the system.such attacks
sever the ties between data loaded into memory by an application and
the application itself.and can fool a system so as to avoid detection
while potentially allowing for surreptitious pilfering of data or the
perpetration of other attacks.

"Our threat model assumes that the attacker gets on the system somehow
and has unrestricted access to the system," said Travis Schluessler, a
security architect inside Intel's Communications Technology Lab.

System Integrity Services "assumes [the attacker] will modify what's
running in memory to fool anti-virus software or change firewall
rules.so as to put the system in state where he can do whatever he
wants."

The System Integrity Service's hardware, however, can detect those
intrusions by monitoring the interactions between the applications and
memory.

Once it discovers an intrusion, it can issue an alert. Thus it sets
the bar much higher for malware being able to compromise system
without being detected, Schluessler said.

Researchers tested the system with a kernel debugger, an application
whose behaviors and ability to make system changes are similar to that
of a rootkit, to prove its effectiveness, he said.

Although it might not make it to market immediately, Intel's
anti-malware research comes at a time when anti-virus vendors are
struggling to cope with the use of stealth rootkits in malware
attacks.

Using rootkit techniques, malware writers are able to gain
administrative access to compromised machines to silently run updates
to the software or reinstall malicious programs after a user deletes
them.

If it were to be put into a product platform, Intel's System Integrity
Services could be used in conjunction with other elements, including
the Intel Active Management Technology for monitoring hardware, and
could also be used in concert with other research projects such as
Circuit Breaker.

Circuit Breaker, a research project that might also someday find its
way into products regulates an infected computer's access to a
network.

Such a combination might help quickly head off widespread infections,
which can cost companies not only in data theft by also in reduced
employee productivity due to computer downtime and heavy use of IT
resources to clean them up, the Intel researcher said.

Indeed, in one example, "Once System Integrity Services has detected a
problem, it can tell Circuit Breaker to turn [a machine] off the
primary network and switch it over to a remediation network," he said.

The System Integrity Services project is part of a broader focus on
security inside Intel's labs.

That focus has been brought about by the chip maker's recent shift to
designing platforms around devices such as servers or desktop PCs.

Unlike when it sold chips individually, the platform design strategy
has Intel creating numerous add-ons, which include features such as
virtualization and the Intel Active Management Technology, which are
designed to increase the usability and manageability of desktops,
notebooks and servers.

Many of Intel's more advanced worm and virus detection technology are
still at the research stage today.some of Intel's other projects
include worm signature detectors called autograph and polygraph.but it
could easily wind up as features inside Intel's future product
platforms.

Aside from being used to improve the products for customers, they
could also be added to bolster Intel's competitiveness versus its
rival Advanced Micro Devices Inc.

The System Integrity Services' prototype hardware uses one of Intel's
Xscale processors, which Schluessler said was overkill, and plugs into
a PCI slot.

A future version could potentially be built for a relatively small fee
and included with Intel platforms, not unlike the way it packages
wireless modules with its processors and chipsets for its
Centrino-brand notebooks.

"You can tie this technology in with AMT and the CPU [in each machine]
and all of a sudden you've got something that's more than the sum of
its parts," Schluessler said.

Aside from working with Intel's own platforms, the technologies could
be also tied in with products from Intel's close partners, including
operating system and application vendors, the company's researchers
have said.

"We said, 'What kind of things can we do to address these challenges?'
That has driven a lot of the platform thinking, whether it's VT [Intel
Virtualization Technology] or active management, and how all those
things work together," said Dylan Larson, network security initiatives
manager at Intel's Communications Technology Lab, in a recent
interview with Ziff Davis Internet.

"We've had security expertise and lots of competency in this space for
a long time. Now we're looking at this even more from a platform level
on how we can bring these things together to drive new value to
customers."

The lab is also working on a projects called Autograph and Polygraph
projects, which are designed to help prevent large-scale worm
infections altogether by analyzing individual worms and quickly
publishing data on how to detect them.

Autograph and Polygraph employ a combination of heuristics and good
old sleuthing to track down worms and locate their signatures.or the
unique pattern of data required for its particular exploit.and then
notify other systems with those signatures so that they can move to
identify and block the worm, said Brad Karp, at Intel Research
Pittsburg, a lab located on the campus of Carnegie Mellon University.

Autograph's source code has been made available for download via the
university's Web site, and Karp and his team are also working on a
Polygraph, a similar program which can sniff out so-called polymorphic
worms, which change each time they replicate in an effort to cover up
their signatures and thwart the defense used in Autograph.

The next step for the Systems Integrity Services now lies with Intel's
platform development teams, which will make the call on whether or not
to add the technology to its future systems, Schluessler said.





More information about the ISN mailing list