Ron Forrester wrote:
On 12/13/05, Kenneth R. van Wyk <[EMAIL PROTECTED]> wrote:
The detection mechanism seems to be looking primarily for non-OS
software modifying OS inhabited memory blocks.  Wonder how they're defining
(and maintaining the definition) of each...  I also wonder how it'll impact
near-OS software installations like, say, device drivers, authentication
plug-ins, and other things that need to poke pretty deeply into the OS in
order to install.

I have to admit, when I initially read about this I immediately
dismissed it as nothing but marketing hype -- what little details they
gave for the solution seemed to me to be less than practical and
certainly would have issues adapting to targeted attempts to deceive
the mechanism.

A bit more detail:

http://www.intel.com/technology/magazine/research/runtime-integrity-1205.htm
http://www.intel.com/technology/comms/download/system_integrity_services.pdf

I haven't read these carefully, but it reminds me a bit of trusted computing [1]. In fact, one of the authors (first link) is a member of the Trusted Computing Group. Wouldn't it be funny if proposed rootkit "cures" turn out to provide a good platform for more formidable DRM technology?

-David

[1] http://www-personal.si.umich.edu/~rwash/projects/trusted/
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
