...programs or stops one of the security agents that we're monitoring, we can detect it, regardless of what the actual signature is.
You keep mentioning protected programs. Would this protect any
application on my PC, or just the operating systems or critical
applications?
We would want to use it to protect critical
applications on the PC. Like any technology, this is not the Holy
Grail. It has limitations. It can be used to protect certain programs.
But this isolated execution environment is limited in its view of what
the operating system and such is actually doing. It can't view all of
the complexities of the OS, like most of your security agents that are
already running over there. It is very much complementary to those
security agents.
For example, what applications do you see it protecting?
You could use it to protect things like antivirus software or your
firewall. Many of today's worms and viruses... will go in and shut down
your security agents in order to execute their payload, because the
security agents are effective at stopping that. What this System
Integrity Services technology can do, is it can actually detect when
that occurs, so we can help protect those security agents.
If you're monitoring the system — it sounds like that's what
you're doing with this technology — is that going to slow down my
computer at all?
Since we're running the checking-off in this isolated execution
environment — we call it a security presence — it would not impact the
MIPS (million instructions per second, or the number of operations that
a computer can perform in one second) available on your CPU. It does
use some of your memory bandwidth.
Could you explain that?
It won't use cycles that your host processor needs for other things. It
won't slow down the processing necessarily on your CPU, but it does use
some of the bandwidth going to your memory. It has to look at the
memory that your program is running in.
How will this impact potential legitimate uses of, for example,
rootkit-type technology? If I am an enterprise and I use rootkit-type
technology to maybe hide some security software from my employees on
their desktops, how would your technology impact that? Would it stifle
that kind of thing?
Not at all. We're only going to detect changes that we don't want to
happen. If you define within your system that you want to allow certain
types of changes to happen, by all means, the System Integrity Services
will allow that kind of change.
What you're telling me sounds a little bit similar to what
Microsoft was talking about a couple of years back. Something they
called "Palladium" and then "Next Generation Secure Computing Base". Is
this similar?
I am not an expert on that technology, so I can't contrast it.
When do you think your technology might be ready?
As a researcher, I don't have visibility into Intel's product plans,
but the prototype is up and running and we have demonstrated that it
works in protecting device drivers and things like that — against
things as advanced as kernel debuggers.
Could you explain a bit more what that prototype looks like? Is
it actual functioning hardware, or is it a little plastic thing that
doesn't do anything?
It is actually functioning hardware. We
have a security presence in the form of an Intel Xscale processor that
is able to monitor protected programs running on the host.
