funsec mailing list archives

RE: eWeek: Government-Funded Startup Blasts Rootkits


From: "Justin Polazzo" <jpolazzo () thesportsauthority com>
Date: Thu, 27 Apr 2006 07:08:57 -0600

Just in case anyone is still interested, I got a link to a paper
released in '04, but according to the reps:

"We've made substantial improvements since the research prototype, but
the base methods of how we work and protect ourselves will be in the
paper."

http://www.komoku.com/pubs/USENIX-copilot.pdf

"The monitor is an Intel StrongARM EBSA-285 Evaluation Board - a
single-board computer on a PCI add-in card inserted into the host's PCI
bus. The monitor retrieves parts of host RAM for examination through
Direct Memory Access (DMA) without the knowledge or intervention of the
host kernel."

-JP



-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Drsolly
Sent: Wednesday, April 26, 2006 5:32 PM
To: Nick FitzGerald
Cc: funsec () linuxbox org
Subject: RE: [funsec] eWeek: Government-Funded Startup Blasts Rootkits

On Thu, 27 Apr 2006, Nick FitzGerald wrote:

Drsolly to Blanchard_Michael () emc com to Drsolly:

Remember Thunderbyte?

Is Thunderbyte similar to the Apple II card CopyIIplus?  I 
remember years ago that CopyIIplus card that would copy any 
program disk to disk I believe, regardless of copy protection too

:-)

It was a hardware antivirus.

Are we remembering different things?

The Thunderbyte I remember was very much software, written initially 
by Frans Veldman of the Netherlands and joined later by Righard 
Zweinenberg.  In the mid-90s it was bought up by Norman and by 1999 
(or earlier?) Norman stopped shipping updates for it, much to the 
disappointment of its hardcore users.

Right. There was the Thunderbyte hardware, and there was TBscan, which
was a fairly normal scanner. Franz Veldman was the guy behind all this.


There have been various "hardware antivirus" (or more generically
"security") products.  All of these that I've ever seen plug in 
between the IDE controller and IDE drive (I think there were a few 
very early ones that worked with pre-IDE drives too) and, if you had 
to describe their operation in just a few words (what, me??) you'd say
they were "hardware partition access managers".

I have a patent on that, actually :-). And I had one (which I used).

But I never tried to market the idea. I didn't think it was very useful,
except for certain exceptional situations (for example, in a virus lab).

 
In a few more words, once setup and configured, they block, and/or re-
direct writes to "protected" partitions to "reserved" space on the 
disk and redirect reads to those same disk locations to the "temporary"
record in reserved space.  On (hardware) reset, the reserved space and
table of re-directed locations is cleared and the machine "restarts 
clean".  Such products often allow for three types of partitions -- 
completely immutable ones (where writes will simply be prevented), 
temporarily mutable ones (as described above) and totally mutable ones
(for storing user data, possibly for TEMP, and such).

Such devices have sporadically been popular with some schools and 
other "public access" providers, but they are pretty shockingly bad as
an "antivirus" (or general malware) "solution", given that "data" 
files (which, in a productive environment you generally want users to 
be able to save _and keep_) can be malicious, and that more and more 
the purpose of malware is to steal your data (e.g. harvest Email 
addresses, steal identity information) and/or steal your network 
bandwidth (spamming, spam relaying, proxying, warez storage, etc).

As briefly described, these new PCI devices are probably nothing like 
the above (and if that was all they are, the government just wasted a 
bunch of money re-inventing a largely dysfunctional wheel!).
 
I've seen hardware antivirus or malware solutions again and again, and
each time they've been ineffective.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
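The "hardware partition access manager" behaviour Nick describes in the thread above (writes to immutable partitions refused, writes to temporary partitions redirected to reserved space and dropped on reset, writes to mutable partitions kept), modelled as an added example that is not code from the thread or from any product named in it; the partition names, sector numbers and sample data are constructed.

```python
# Toy model of the "hardware partition access manager" described above.
# Added example, not code from the thread or from any product named in it;
# the partition names, sector layout and sample data are constructed.
from enum import Enum

class Kind(Enum):
    IMMUTABLE = 1   # writes are simply refused
    TEMPORARY = 2   # writes go to reserved space and vanish on reset
    MUTABLE = 3     # writes land on the real disk and persist

class RedirectDisk:
    def __init__(self, partitions):
        self.kinds = dict(partitions)   # partition name -> Kind
        self.base = {}                  # (partition, sector) -> bytes on disk
        self.redirect = {}              # (partition, sector) -> bytes in reserved space

    def write(self, part, sector, data):
        kind = self.kinds[part]
        if kind is Kind.IMMUTABLE:
            return False                          # blocked outright
        if kind is Kind.TEMPORARY:
            self.redirect[(part, sector)] = data  # redirect-table entry
        else:
            self.base[(part, sector)] = data
        return True

    def read(self, part, sector):
        # A redirected sector is served from reserved space until reset.
        return self.redirect.get((part, sector), self.base.get((part, sector), b""))

    def reset(self):
        # Hardware reset clears reserved space and the redirect table, so
        # TEMPORARY partitions "restart clean"; MUTABLE changes stay.
        self.redirect.clear()

def demo():
    # C: system (immutable), D: apps (temporary), E: user data (mutable)
    disk = RedirectDisk({"C": Kind.IMMUTABLE, "D": Kind.TEMPORARY, "E": Kind.MUTABLE})
    disk.base[("C", 0)] = b"kernel"
    disk.base[("D", 0)] = b"app"
    refused = not disk.write("C", 0, b"patched kernel")
    disk.write("D", 0, b"trojaned app")
    disk.write("E", 7, b"user document")   # data files persist, malicious or not
    before = (disk.read("C", 0), disk.read("D", 0), disk.read("E", 7))
    disk.reset()
    after = (disk.read("C", 0), disk.read("D", 0), disk.read("E", 7))
    return refused, before, after
```

The returned tuple shows the point made in the thread: the tampered application on D is gone after reset, but whatever was saved to the mutable data partition survives, which is why these devices do nothing against malware carried in data files.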

