Taking on rootkits with hardware

Travis Schluessler, an Intel security architect, explains how the chipmaker's labs plan to take on sophisticated threats.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
7 min read
Word that Intel is taking on rootkits came as a surprise to some last week. But researchers at the chip giant have been working on security technologies for several years.

What's more, Intel's labs aren't just looking to protect computers against rootkits, Travis Schluessler, a security architect at the chipmaker, told CNET News.com. The Santa Clara, Calif., company hopes it can also help stave off the more familiar threat of worms and viruses.

Listen up

Travis Schluessler, an Intel security architect, explains how the chipmaker's labs plan to take on sophisticated threats.
Listen now... (9.5MB mp3)

The surprise may partly be because Intel is primarily a hardware company. Security for PCs and servers has traditionally been provided by software, sold by companies such as Symantec, McAfee, Trend Micro and a slew of smaller players.

But traditional security providers have trouble keeping up with increasingly sophisticated threats. Rootkits--propelled into the mainstream by the Sony BMG copy protection debacle--is one example of a threat that many security software vendors are grappling with.

Intel is working on a combination of hardware and software to help protect computers, Schluessler said. He and other researchers in the chipmaker's Communications Technology Lab have devised a way to stifle sophisticated attacks by monitoring the operating system and critical applications run on a computer.

Right now the project, named System Integrity Services, is very much in development. Schluessler talked to CNET News.com about how the hardware-based approach works and how it could help keep pests off home PCs.

Q: What made Intel get involved?
Schluessler: Well, the PC faces quite a few interesting threats. One of the things that Intel has been looking at evolving into is this model we call "platformization." This is really an ability to make the components of the system into more than the sum of their parts. We're working on this technology we call "System Integrity Services," which is an example of this platformization.

Why do you believe Intel can help fight worms, viruses and rootkits?
Schluessler: A lot of the problems that worms and viruses are exploiting today are problems in the memory of programs: A lot of attackers will go and exploit vulnerabilities in memory.

One of the limitations of security software running on the CPU (central processing unit) is that as soon as an attacker gains root-level privileges, such as via rootkit, then that level of privilege gives them the ability to compromise any software running on that system. What Intel can provide is platform hardware and firmware that is much more difficult to compromise, because it is separated from the primary OS (operating system) and CPU.

One of the problem spaces that our System Integrity Services is good at is detecting changes to protected programs or detecting when a protected program is stopped by something like a virus, worm or rootkit.

You mention the problem that rootkits specifically pose, and I guess that goes beyond the threat that worms and viruses pose to a system?
Schluessler: Yes and no. The problem space is somewhat similar. Rootkits, in today's vernacular, tend to describe payloads that are trying to hide themselves from users. One of the problem spaces that our System Integrity Services is good at is detecting changes to protected programs, or detecting when a protected program is stopped by something like a virus, worm or rootkit.

Can you describe in a nutshell what kind of technology Intel is working on? Is this hardware or software?
Schluessler: We're working on a technology we call System Integrity Services, which is a platform technology that is based on both hardware and firmware. We would add some hardware to the platform to provide an isolated execution environment, where we can run some firmware that is not tied to the host operating system and CPU.

This allows us to raise the bar as far as to what an attacker would need to do in order to compromise that isolated execution environment.

Where do you envision this technology being used?
Schluessler: It can be used in PCs, both at home and in the office--anywhere where we would want to detect the infiltration of a payload that a worm or a virus could carry. It would have value there.

This is very much complementary to the existing software solutions, like antivirus software. This technology is focused at detecting problems that we would not necessarily have an antivirus signature for. We can also use this technology to protect our security agents--like antivirus software or a firewall--from being shut down by these attackers.

Will this technology--you mentioned it includes hardware and firmware, which is software--would this need anything else to run, like a client on the desktop?
Schluessler: No. It really needs just cooperation from the programs that we want to protect.

What does that mean?
Schluessler: We'd need to make sure that the contents of the programs as they run in memory do not get changed.

In order to do that, we have to know what the initial good state of the program is. (It's) similar in concept to what driver signatures do. We need to make sure that the program, in its good state, is what is actually loaded into memory and that it stays that way.

Security threats like rootkits, viruses and worms seem to get more sophisticated by the week. Can your technology protect against future threats, or will it need some kind of an updating mechanism?
Schluessler: This is exactly one of the things we've designed this technology to do--to detect problems that we don't know about yet, what we call in the industry day-zero worms and viruses. Those worms and viruses that come out, and we don't know what they look like.

This technology is simply looking for changes to protected programs. It could be any kind of change--any kind of worm payload or virus payload or rootkit. As long as it changes one of those protected programs or stops one of the security agents that we're monitoring, we can detect it, regardless of what the actual signature is.

Like any technology, this is not the Holy Grail. It has limitations.

You keep mentioning protected programs. Would this protect any application on my PC, or just the operating systems or critical applications?
Schluessler: We would want to use it to protect critical applications on the PC. Like any technology, this is not the Holy Grail. It has limitations. It can be used to protect certain programs. But this isolated execution environment is limited in its view of what the operating system and such is actually doing. It can't view all of the complexities of the OS, like most of your security agents that are already running over there. It is very much complementary to those security agents.

For example, what applications do you see it protecting?
Schluessler: You could use it to protect things like antivirus software or your firewall. Many of today's worms and viruses...will go in and shut down your security agents in order to execute their payload, because the security agents are effective at stopping that. What this System Integrity Services technology can do, is it can actually detect when that occurs, so we can help protect those security agents.

If you're monitoring the system--it sounds like that's what you're doing with this technology--is that going to slow down my computer at all?
Schluessler: Since we're running the checking-off in this isolated execution environment--we call it a security presence--it would not impact the MIPS (million instructions per second, or the the number of operations that a computer can perform in one second) available on your CPU. It does use some of your memory bandwidth.

Could you explain that?
Schluessler: It won't use cycles that your host processor needs for other things. It won't slow down the processing necessarily on your CPU, but it does use some of the bandwidth going to your memory. It has to look at the memory that your program is running in.

How will this impact potential legitimate uses of, for example, rootkit-type technology? If I am an enterprise, and I use rootkit-type technology to maybe hide some security software from my employees on their desktops, how would your technology impact that? Would it stifle that kind of thing?
Schluessler: Not at all. We're only going to detect changes that we don't want to happen. If you define within your system that you want to allow certain types of changes to happen, by all means, the System Integrity Services will allow that kind of change.

What you're telling me sounds a little bit similar to what Microsoft was talking about a couple of years back. Something they called "Palladium" and then "Next Generation Secure Computing Base." Is this similar?
Schluessler: I am not an expert on that technology, so I can't contrast it.

When do you think your technology might be ready?
Schluessler: As a researcher, I don't have visibility into Intel's product plans, but the prototype is up and running and we have demonstrated that it works in protecting device drivers and things like that--against things as advanced as kernel debuggers.

Could you explain a bit more what that prototype looks like? Is it actual functioning hardware, or is it a little plastic thing that doesn't do anything?
Schluessler: It is actually functioning hardware. We have a security presence in the form of an Intel Xscale processor that is able to monitor protected programs running on the host.