Intel Researchers Sneak Up on Rootkits
By John G. Spooner and Ryan Naraine
Intel Corp.'s researchers are working to outwit cyber attackers,
including those employing stealthy rootkits.
The chip maker's Communications Technology Lab, in a project called
System Integrity Services, has created a hardware engine to sniff out
sophisticated malware attacks by monitoring the way operating systems
and critical applications interact with hardware inside computers.
By watching a computer's main memory, the System Integrity Services
can detect when an attacker takes control of the system. Such
attacks sever the ties between data loaded into memory by an
application and the application itself, and can fool a system
so as to avoid detection while potentially allowing for surreptitious
pilfering of data or the perpetration of other attacks.
"Our threat model assumes that the attacker gets on the system somehow
and has unrestricted access to the system," said Travis Schluessler, a
security architect inside Intel's Communications Technology Lab.
System Integrity Services "assumes [the attacker] will modify what's
running in memory to fool anti-virus software or change firewall
rules so as to put the system in a state where he can do
whatever he wants."
The System Integrity Service's hardware, however, can detect those
intrusions by monitoring the interactions between the applications and
Once it discovers an intrusion, it can issue an alert. Thus it sets
the bar much higher for malware being able to compromise a system
without being detected, Schluessler said.
Researchers tested the system with a kernel debugger, an application
whose behaviors and ability to make system changes are similar to those
of a rootkit, to prove its effectiveness, he said.
Although it might not make it to market immediately, Intel's
anti-malware research comes at a time when anti-virus vendors are
struggling to cope with the use of stealth rootkits in malware
Using rootkit techniques, malware writers are able to gain
administrative access to compromised machines to silently run updates
to the software or reinstall malicious programs after a user deletes
If it were to be put into a product platform, Intel's System Integrity
Services could be used in conjunction with other elements, including
the Intel Active Management Technology for monitoring hardware, and
could also be used in concert with other research projects such as
Circuit Breaker, a research project that might also someday find its
way into products and that regulates an infected computer's access to a
Such a combination might help quickly head off widespread infections,
which can cost companies not only in data theft but also in reduced
employee productivity due to computer downtime and heavy use of IT
resources to clean them up, the Intel researcher said.
Indeed, in one example, "Once System Integrity Services has detected a
problem, it can tell Circuit Breaker to turn [a machine] off the
primary network and switch it over to a remediation network," he said.
The System Integrity Services project is part of a broader focus on
security inside Intel's labs.
That focus has been brought about by the chip maker's recent shift to
designing platforms around devices such as servers or desktop PCs.
Unlike when it sold chips individually, the platform design strategy
has Intel creating numerous add-ons, which include features such as
virtualization and the Intel Active Management Technology, which are
designed to increase the usability and manageability of desktops,
notebooks and servers.
Many of Intel's more advanced worm and virus detection technologies are
still at the research stage today (some of Intel's other projects
include worm signature detectors called Autograph and Polygraph), but they
could easily wind up as features inside Intel's future product
Aside from being used to improve the products for customers, they
could also be added to bolster Intel's competitiveness versus its
rival Advanced Micro Devices Inc.
The System Integrity Services' prototype hardware uses one of Intel's
Xscale processors, which Schluessler said was overkill, and plugs into
a PCI slot.
A future version could potentially be built for a relatively small fee
and included with Intel platforms, not unlike the way it packages
wireless modules with its processors and chipsets for its
"You can tie this technology in with AMT and the CPU [in each machine]
and all of a sudden you've got something that's more than the sum of
its parts," Schluessler said.
Aside from working with Intel's own platforms, the technologies could
also be tied in with products from Intel's close partners, including
operating system and application vendors, the company's researchers
"We said, 'What kind of things can we do to address these challenges?'
That has driven a lot of the platform thinking, whether it's VT [Intel
Virtualization Technology] or active management, and how all those
things work together," said Dylan Larson, network security initiatives
manager at Intel's Communications Technology Lab, in a recent
interview with Ziff Davis Internet.
"We've had security expertise and lots of competency in this space for
a long time. Now we're looking at this even more from a platform level
on how we can bring these things together to drive new value to
The lab is also working on projects called Autograph and Polygraph,
which are designed to help prevent large-scale worm
infections altogether by analyzing individual worms and quickly
publishing data on how to detect them.
Autograph and Polygraph employ a combination of heuristics and good
old sleuthing to track down worms and locate their signatures, or the
unique pattern of data required for each worm's particular exploit, and then
notify other systems with those signatures so that they can move to
identify and block the worm, said Brad Karp, at Intel Research
Pittsburgh, a lab located on the campus of Carnegie Mellon University.
Autograph's source code has been made available for download via the
university's Web site, and Karp and his team are also working on
Polygraph, a similar program which can sniff out so-called polymorphic
worms, which change each time they replicate in an effort to cover up
their signatures and thwart the defense used in Autograph.
The next step for the System Integrity Services now lies with Intel's
platform development teams, which will make the call on whether or not
to add the technology to its future systems, Schluessler said.