Spyware

April 25, 2006

Fighting rootkits with hardware

Filed under: Spyware News — Sacha @ 3:24 pm

Over at eWeek, Ryan Naraine reports on a government-funded security firm called Komoku, Inc., who are busy working on both a hardware and software solution to rootkit detection.

Komoku President William Arbaugh describes the rootkit problem accurately:

"Security technologies depend on the correctness of the system they're actually checking," said Arbaugh... "If something changes the system at the operating system level, it can't be reliably detected via the OS itself or through applications running on the system," he said. "We have this notion of what the operating system is supposed to look like, and we look for deviations to that. We aren't initially looking for the rootkit — we look at the side effects of the infection."

Rootkits are indeed a tricky threat: they run at the kernel level, undermining the operating system and the software on top of it, and tampering with core system functions and the boot process. That lets a rootkit hide itself from security tools very effectively, so any software used to detect and disable rootkits has its work cut out for it.

Komoku is currently working on a hardware solution to the rootkit problem for servers and large systems. The solution is a PCI card called Copilot, which monitors system memory and function at a hardware level. The company is also working on a software solution, Gamma, that will target rootkits on laptops and PCs. But, of course, any software solution to the rootkit problem is fallible.
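The baseline-and-deviation approach Arbaugh describes (a monitor that knows what the kernel is supposed to look like and compares the live image against that picture from outside the operating system) can be sketched in a few lines of C. The block below is an added illustration written for this post, not Komoku's Copilot or Gamma code: the dispatch table, its addresses, and the `monitor_*` API are all constructed stand-ins, and the "memory" it reads is an ordinary array rather than DMA reads of physical RAM from a PCI card.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a kernel dispatch table. On a real system this
 * would be a region of physical memory (a system call table, for instance)
 * that an out-of-band monitor reads without asking the OS for it. */
#define TABLE_ENTRIES 8

typedef struct {
    uint64_t baseline_hash;             /* hash of the known-good image   */
    uint64_t baseline[TABLE_ENTRIES];   /* copy of the known-good entries */
} monitor_t;

/* FNV-1a 64-bit hash over a byte buffer (a production monitor would use a
 * cryptographic hash; FNV keeps the example short). */
static uint64_t fnv1a64(const void *buf, size_t len)
{
    const unsigned char *p = buf;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Record the trusted state of the table. This must be done while the system
 * is known to be clean, e.g. right after a verified boot. */
void monitor_baseline(monitor_t *m, const uint64_t *table)
{
    memcpy(m->baseline, table, sizeof m->baseline);
    m->baseline_hash = fnv1a64(m->baseline, sizeof m->baseline);
}

/* Compare the live table against the baseline. Returns the number of
 * entries that deviate and writes their indices into `changed`. An equal
 * hash short-circuits the common no-change case; otherwise every entry is
 * compared so the report names exactly what moved. */
int monitor_check(const monitor_t *m, const uint64_t *table,
                  int changed[TABLE_ENTRIES])
{
    if (fnv1a64(table, TABLE_ENTRIES * sizeof table[0]) == m->baseline_hash)
        return 0;
    int n = 0;
    for (int i = 0; i < TABLE_ENTRIES; i++)
        if (table[i] != m->baseline[i])
            changed[n++] = i;
    return n;
}

/* Demonstration: baseline a constructed table, then alter one entry the way
 * a hooked dispatch slot would look to the monitor, and report it. Returns
 * the number of deviations found. */
int demo(void)
{
    uint64_t table[TABLE_ENTRIES];
    for (int i = 0; i < TABLE_ENTRIES; i++)
        table[i] = 0xffff800000100000ULL + (uint64_t)i * 0x40; /* constructed */

    monitor_t m;
    monitor_baseline(&m, table);

    table[3] = 0xffff800000900000ULL; /* constructed: slot 3 now points elsewhere */

    int changed[TABLE_ENTRIES];
    int n = monitor_check(&m, table, changed);
    for (int i = 0; i < n; i++)
        printf("entry %d deviates from baseline (%#llx -> %#llx)\n",
               changed[i],
               (unsigned long long)m.baseline[changed[i]],
               (unsigned long long)table[changed[i]]);
    return n;
}

int main(void)
{
    return demo() == 1 ? 0 : 1;
}
```

The property that matters is that both the baseline and the comparison live outside the code being checked. When the monitor is a card reading RAM on its own, a rootkit that has patched the kernel has no path to the monitor's copy, which is the advantage over a purely software checker that the "low assurance" label on Gamma points at.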

Unfortunately, hardware solutions are scant and expensive; Komoku's only current client is the U.S. government, so don't expect to nab a Copilot card off the shelf at Circuit City any time soon. Their Gamma solution, while it may mimic some of Copilot's underlying technology, can't (by its very nature as software) provide the same level of detection and security. As such, Komoku has labeled it a "low assurance" solution.

As an aside, the company tested their hardware on Sony BMG's infamous DRM rootkit and detected it "in all its vectors, in real time."

But this all points to the true rootkit solution -- on-board protection; that is, rootkit protection built into motherboards or CPUs. Plug-in cards are all well and good, but what better way to head off an attack on the system than to develop a hard-coded method of protection?

Certainly, that's a broad statement, since protecting against rootkits as a whole is no easy task. Each one has its own attack vectors and functionality. That's why software is so much easier than hardware -- it can be updated and upgraded as quickly as code can be written. A hardware fix is written in stone, tough to change without a hammer and chisel.

Regardless, if you're on the lookout for reliable and cost-effective rootkit protection, you might be in for a wait. Hardware offers the best protection, but unless you're a code-breaker for the Office of Homeland Security, you won't be getting your hands on Komoku's solution just yet. Keep your anti-virus, anti-spyware and firewall tools active, and raise your hands in prayer for motherboard manufacturers and folks like Intel and AMD to get working on rootkit protection at the hardware level.
