Linked by David Adams on Wed 14th Sep 2011 14:18 UTC, submitted by Discott
McAfee demonstrated the workings of its new McAfee DeepSAFE technology at the Intel Developer Forum on Tuesday. It sits beyond the operating system and close to the silicon, and by operating beyond the OS, it provides a direct view of system memory and processor activity. Among the threats that it detects are Stuxnet, SpyEye, the TDSS rootkit family and the NTRootkit.
Oh yeah
by Soulbender on Wed 14th Sep 2011 14:31 UTC
Soulbender
Member since:
2005-08-18

Because I REALLY want a McAfee product with that much power. Or not.

Reply Score: 8

It seems that
by turrini on Wed 14th Sep 2011 15:48 UTC
turrini
Member since:
2006-10-31

"computer crap" gets a new synonym today.

Reply Score: 2

Just a hyper-visor?
by Brendan on Wed 14th Sep 2011 16:54 UTC
Brendan
Member since:
2005-11-16

Hi,

Why does this look like a hyper-visor, with a special back door to allow the anti-virus software to talk to the hyper-visor software directly?

How long is it going to take before hackers figure out the communication between "McAfee Applications" and "McAfee DeepSAFE"? I'm guessing less than 1 week before it's all broken wide open, potentially with the end result being hackers taking control of the hyper-visor itself and creating a new class of super-rootkits. Yay!

Are OS developers (Microsoft, Apple, Linux, etc) so incompetent that a whole new layer of bloat is actually necessary?

So many questions..

Reply Score: 5

RE: Just a hyper-visor?
by Stephen! on Wed 14th Sep 2011 17:25 UTC in reply to "Just a hyper-visor?"
Stephen! Member since:
2007-11-24

So many questions..


And as the 208th Ferengi Rule of Acquisition states, "Sometimes the only thing more dangerous than a question is an answer"

Reply Score: 2

RE[2]: Just a hyper-visor?
by Luminair on Wed 14th Sep 2011 18:34 UTC in reply to "RE: Just a hyper-visor?"
Luminair Member since:
2007-03-30

Did you mix up the Ferengi with a Sun Tzu translation? Because that doesn't sound very Ferengi to me.

Reply Score: 2

premature negativism
by AndrewZ on Wed 14th Sep 2011 18:33 UTC
AndrewZ
Member since:
2005-11-15

This strikes me as a whole new aspect of operating systems theory and implementation. I find this very interesting, and expect to see a slew of new, related products following.

Reply Score: 2

RE: premature negativism
by Soulbender on Wed 14th Sep 2011 19:29 UTC in reply to "premature negativism"
Soulbender Member since:
2005-08-18

This strikes me as a whole new aspect of operating systems theory and implementation.


Only if you have never heard of virtualization and hypervisors before.

Reply Score: 4

RE[2]: premature negativism
by helf on Wed 14th Sep 2011 23:36 UTC in reply to "RE: premature negativism"
helf Member since:
2005-07-06

Yeah. This doesn't seem like anything particularly new or really even that interesting. I refuse to have anything by McAfee or Norton on my machines, much less under the OS like that.

Reply Score: 2

RE[2]: premature negativism
by Alfman on Thu 15th Sep 2011 03:25 UTC in reply to "RE: premature negativism"
Alfman Member since:
2011-01-28

Soulbender,

"Only if you never have heard about virtualization and hypervisors before."

Of course virtualization is not new, but I wonder if it's using virtualization at all. It could be implemented using SMM (system management mode), which has been available since the Pentium era. SMM is not typically available to normal operating systems, only to the BIOS.

Examples of its use are putting the system to sleep and handling some special laptop buttons. SMM enables the BIOS to handle these without any consideration of OS compatibility.

As I have no idea what McAfee DeepSAFE actually does, this is pure speculation. My first thought was virtualization also.

Edited 2011-09-15 03:26 UTC

Reply Score: 3

RE[3]: premature negativism
by Brendan on Thu 15th Sep 2011 04:05 UTC in reply to "RE[2]: premature negativism"
Brendan Member since:
2005-11-16

Hi,

Virtualization isn't new, but normally when virtualization is used for security it's used as a sandbox (e.g. to protect the host from the guest). What is new is using virtualization to protect a guest from itself.

It could be implemented using SMM (system management mode), which has been available since the Pentium era. SMM is not typically available to normal operating systems, only to the BIOS.


I can almost guarantee "DeepSAFE" isn't using SMM. SMM is hidden in a special area of RAM (often underneath the legacy video display area) and then locked via the chipset to prevent access; and even if you can modify it (due to a firmware manufacturer's failure) you'd need different code for every different motherboard. For both of these reasons it's a massive nightmare to use for anything (except its intended purpose).

- Brendan

Reply Score: 3

RE[4]: premature negativism
by Alfman on Thu 15th Sep 2011 05:46 UTC in reply to "RE[3]: premature negativism"
Alfman Member since:
2011-01-28

Brendan,

"I can almost guarantee 'DeepSAFE' isn't using SMM."

You are probably right, but I thought it worth mentioning. SMM is the right place to put things with oversight over the running OS; however, it's not practical from a generic solution standpoint.

Assuming DeepSAFE does run the OS under a virtual machine, does that prevent the real OS from running virtual machines recursively (last I read, this was not possible)? Does DeepSAFE actually emulate hardware, or do the real OS drivers have direct access to the hardware?

If DeepSAFE virtualizes hardware, this means all your hardware will need to be compatible with DeepSAFE, and there will be a performance penalty.

If DeepSAFE passes through OS control to hardware unchanged, then it implies that a rootkit might escalate its control through hardware. For example, it might disable DeepSAFE by accessing the hard disk directly. Or it might use a video bitblt operation to read/write RAM in the host.

SMM would be much more secure in this regard since it is inaccessible even to OS developers.

Reply Score: 2

RE[4]: premature negativism
by pgeorgi on Thu 15th Sep 2011 06:20 UTC in reply to "RE[3]: premature negativism"
pgeorgi Member since:
2010-02-18

and even if you can modify it (due to a firmware manufacturer's failure) you'd need different code for every different motherboard. For both of these reasons it's a massive nightmare to use for anything (except its intended purpose).

I guess the intent is to deliver DeepFried (err.. DeepSafe) with the board (remember McAfee is part of Intel now). And SMM code isn't _that_ mainboard specific, either. At least it doesn't have to be.

With coreboot, we split the SMM code into chipset-specific, board-specific and generic code (though there's little generic code right now).
I guess a "malware scanner" would consist of a large generic chunk with tiny hooks to get it to run on each chipset (with no regard for board specifics).

Reply Score: 2

RE[5]: premature negativism
by Alfman on Thu 15th Sep 2011 07:58 UTC in reply to "RE[4]: premature negativism"
Alfman Member since:
2011-01-28

pgeorgi,


I've always had an itch to toy with the BIOS code, but never had the courage to do it and risk my motherboard. Writing bootloaders is within my expertise, and I know the BIOS is within reach, but as I don't have source code for my BIOS I have no starting point. I've researched the OSS BIOS projects, but I never knew if they'd be compatible.

My interest wouldn't lie in initializing the hardware myself, but rather in continuing where the BIOS leaves off (and before the BIOS chains off to the bootloader). I already have a small static distro which helps remotely manage the primary OS on the PC. This way, if the primary OS gets corrupted, I need only reboot the PC and the minidistro can automatically redeploy the main OS.

This works; however, I've always wished that this remote access distro existed in the BIOS instead of being a circumventable bootloader.

Reply Score: 2

Fix the OS not the security
by jefro on Wed 14th Sep 2011 19:53 UTC
jefro
Member since:
2007-04-13

Rootkits are a result of a flaw in the OS, not a flaw in the security suite.

Reply Score: 2

RE: Fix the OS not the security
by Phucked on Thu 15th Sep 2011 01:39 UTC in reply to "Fix the OS not the security"
Phucked Member since:
2008-09-24

Rootkits are a result of a flaw in the person, not a flaw in the OS.


FTFY

Reply Score: 3

RE[2]: Fix the OS not the security
by Alfman on Thu 15th Sep 2011 03:07 UTC in reply to "RE: Fix the OS not the security"
Alfman Member since:
2011-01-28

Phucked,

"'Rootkits are a result of a flaw in the person, not a flaw in the OS.'

FTFY"

The original quote was not broken.
If a non-trusted application is able to escalate its privilege to root without user authorization, then it is a flaw in the OS. No matter what security suite may be installed, an attack is only possible in the first place because of a flaw in the OS. A security suite may help prevent attacks and clean up after them, but it's not an excuse to leave holes in the OS.

Of course there are trojan horse attacks which coerce the user into giving them root privileges, but then that is clearly not what this article is about.

Reply Score: 5

Comment by rimzi
by rimzi on Thu 15th Sep 2011 08:31 UTC
rimzi
Member since:
2009-12-17

If it's McAfee, then it's Intel. Yes, it's going to be implemented, and it's going to be implemented soon, and it's going to be forced into Intel platforms.

Intel acquired McAfee in February this year.

Reply Score: 1

RE: Comment by rimzi
by bouhko on Fri 16th Sep 2011 09:28 UTC in reply to "Comment by rimzi"
bouhko Member since:
2010-06-24

Can't wait for my BIOS (or EFI) to be replaced by a crapware UI from McAfee with a really nice graphical theme, but 0 useful functionalities and some random hangs at startup.

I've spent more time fixing antivirus problems (antivirus slowing everything on a friend's computer) than rootkits and crapware themselves.

Reply Score: 1

Is it OS specific?
by ozonehole on Fri 16th Sep 2011 00:59 UTC
ozonehole
Member since:
2006-01-07

It's not clear to me from the original article if this is a "Windows only" thing (as McAfee stuff usually is) or if this is something that will benefit any OS that is installed on the computer.

Reply Score: 2