funsec mailing list archives
RE: eWeek: Government-Funded Startup Blasts Rootkits
From: "Justin Polazzo" <jpolazzo () thesportsauthority com>
Date: Thu, 27 Apr 2006 07:08:57 -0600
Just in case anyone is still interested, I got a link to a paper released in '04, but according to the reps: "We've made substantial improvements since the research prototype, but the base methods of how we work and protect ourselves will be in the paper."

http://www.komoku.com/pubs/USENIX-copilot.pdf

"The monitor is an Intel StrongARM EBSA-285 Evaluation Board - a single-board computer on a PCI add-in card inserted into the host's PCI bus. The monitor retrieves parts of host RAM for examination through Direct Memory Access (DMA) without the knowledge or intervention of the host kernel."

-JP

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Drsolly
Sent: Wednesday, April 26, 2006 5:32 PM
To: Nick FitzGerald
Cc: funsec () linuxbox org
Subject: RE: [funsec] eWeek: Government-Funded Startup Blasts Rootkits

On Thu, 27 Apr 2006, Nick FitzGerald wrote:

> Drsolly to Blanchard_Michael () emc com to Drsolly:
> > > Remember Thunderbyte?
> >
> > Is Thunderbyte similar to the Apple II card CopyIIplus? I remember years ago there was that CopyIIplus card that would copy any program disk to disk I believe, regardless of copy protection too :-)
> >
> > > It was a hardware antivirus.
>
> Are we remembering different things? The Thunderbyte I remember was very much software, written initially by Frans Veldman of the Netherlands and joined later by Righard Zweinenberg. In the mid-90s it was bought up by Norman and by 1999 (or earlier?) Norman stopped shipping updates for it, much to the disappointment of its hardcore users.

Right. There was the Thunderbyte hardware, and there was TBscan, which was a fairly normal scanner. Franz Veldman was the guy behind all this.

> There have been various "hardware antivirus" (or more generically "security") products. All of these that I've ever seen plug in between the IDE controller and IDE drive (I think there were a few very early ones that worked with pre-IDE drives too) and, if you had to describe their operation in just a few words (what, me??) you'd say they were "hardware partition access managers".

I have a patent on that, actually :-). And I had one (which I used). But I never tried to market the idea. I didn't think it was very useful, except for certain exceptional situations (for example, in a virus lab).

> In a few more words, once set up and configured, they block and/or re-direct writes to "protected" partitions to "reserved" space on the disk and redirect reads to those same disk locations to the "temporary" record in reserved space. On (hardware) reset, the reserved space and table of re-directed locations is cleared and the machine "restarts clean". Such products often allow for three types of partitions -- completely immutable ones (where writes will simply be prevented), temporarily mutable ones (as described above) and totally mutable ones (for storing user data, possibly for TEMP, and such).
>
> Such devices have sporadically been popular with some schools and other "public access" providers, but they are pretty shockingly bad as an "antivirus" (or general malware) "solution", given that "data" files (which, in a productive environment you generally want users to be able to save _and keep_) can be malicious, and that more and more the purpose of malware is to steal your data (e.g. harvest Email addresses, steal identity information) and/or steal your network bandwidth (spamming, spam relaying, proxying, warez storage, etc). As briefly described, these new PCI devices are probably nothing like the above (and if that was all they are, the government just wasted a bunch of money re-inventing a largely dysfunctional wheel!).

I've seen hardware antivirus or malware solutions again and again, and each time they've been ineffective.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
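The Copilot quote above describes a PCI card that pulls host RAM over DMA and inspects it without the host kernel's cooperation. The following is an added toy model of that idea, written for this archive page; it is not code from the Copilot paper or from Komoku. "Host memory" is a bytearray that the monitor reads only through a dma_read() helper, the region names, addresses and contents are constructed, and the check is the simplest one such a monitor can do: hash regions that must not change at runtime (kernel text, a syscall-style pointer table) against a baseline taken at a known-good boot, then report which region changed and which table slot.

```python
"""Toy model of a Copilot-style out-of-band kernel integrity monitor.

Constructed example: HOST_RAM stands in for physical memory, and the monitor
touches it only via dma_read(), never via any host-side API, to mirror a PCI
coprocessor that reads RAM over DMA. Region layout and contents are made up.
"""
import hashlib
import struct

PAGE = 4096
HOST_RAM = bytearray(64 * 1024)          # pretend 64 KiB of host physical RAM

# Regions a monitor treats as invariant after boot (addresses/sizes assumed).
INVARIANT_REGIONS = {
    "kernel_text": (0x1000, 8 * PAGE),    # code must not change at runtime
    "syscall_table": (0xA000, 64 * 8),    # 64 pointer-sized entries
}


def dma_read(addr, length):
    """What the monitor card sees: raw bytes at a physical address."""
    return bytes(HOST_RAM[addr:addr + length])


def region_digest(addr, length):
    return hashlib.sha256(dma_read(addr, length)).hexdigest()


def take_baseline():
    """Hash every invariant region once, at a known-good boot."""
    return {name: region_digest(*span) for name, span in INVARIANT_REGIONS.items()}


def check(baseline):
    """Names of regions whose current digest no longer matches the baseline."""
    return sorted(name for name, span in INVARIANT_REGIONS.items()
                  if region_digest(*span) != baseline[name])


def changed_table_entries(golden_table):
    """Which 8-byte slots of the pointer table differ from the saved copy."""
    addr, length = INVARIANT_REGIONS["syscall_table"]
    now = dma_read(addr, length)
    return [i for i in range(length // 8)
            if now[i * 8:(i + 1) * 8] != golden_table[i * 8:(i + 1) * 8]]


def populate_host_ram():
    """Constructed known-good contents: deterministic 'code' bytes and fake pointers."""
    text_addr, text_len = INVARIANT_REGIONS["kernel_text"]
    for i in range(text_len):
        HOST_RAM[text_addr + i] = (i * 7 + 3) & 0xFF
    tbl_addr, tbl_len = INVARIANT_REGIONS["syscall_table"]
    for i in range(tbl_len // 8):
        struct.pack_into("<Q", HOST_RAM, tbl_addr + i * 8, 0xFFFFFFFF81000000 + i * 0x100)


def demo():
    """Boot clean, baseline, then poll after a constructed in-memory change."""
    populate_host_ram()
    baseline = take_baseline()
    tbl_addr, tbl_len = INVARIANT_REGIONS["syscall_table"]
    golden_table = dma_read(tbl_addr, tbl_len)
    clean = check(baseline)                       # nothing changed yet
    # Test fixture only: flip one table slot in host RAM so the monitor's
    # next poll has a modification to find (a constructed value, no real target).
    struct.pack_into("<Q", HOST_RAM, tbl_addr + 11 * 8, 0xFFFFFFFFC0000000)
    tampered = check(baseline)                    # ["syscall_table"]
    slots = changed_table_entries(golden_table)   # [11]
    return clean, tampered, slots


if __name__ == "__main__":
    print(demo())
```

Two caveats the model makes visible: the monitor only knows what it hashed at baseline, so regions that legitimately change (heap, data pages) have to be excluded or checked with smarter invariants, and a polling monitor only sees what is in RAM at the moment of each poll.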
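Nick's description of a "hardware partition access manager" (block writes to immutable partitions, divert writes to temporarily mutable partitions into reserved space and serve reads from there, forget everything on reset, leave mutable partitions alone) is a small enough state machine to model. The following is an added simulation written for this page, not any vendor's product or the patent Drsolly mentions. The partition layout, block size and reserved-area size are constructed, and the demo at the end shows both the intended behaviour and the weakness Nick points out: a file written into the mutable "user data" partition survives the reset exactly like any other user document.

```python
"""Toy model of a hardware partition access manager sitting on the IDE cable.

Constructed example: the 'disk' is a dict of LBA -> block, the reserved area
is a second dict, and a redirect table maps protected LBAs to reserved slots.
"""
from enum import Enum

BLOCK = 512


class Policy(Enum):
    IMMUTABLE = "immutable"        # writes are refused outright
    TEMP_MUTABLE = "temporary"     # writes land in reserved space, lost on reset
    MUTABLE = "mutable"            # writes go straight to the real partition


class WriteBlocked(Exception):
    pass


class PartitionAccessManager:
    def __init__(self, partitions, reserved_slots):
        # partitions: list of (Policy, first_lba, last_lba), a constructed layout
        self.partitions = partitions
        self.reserved_slots = reserved_slots
        self.disk = {}        # the real platters: lba -> block
        self.reserved = {}    # reserved area: slot -> block
        self.redirect = {}    # protected lba -> reserved slot

    def policy_for(self, lba):
        for policy, lo, hi in self.partitions:
            if lo <= lba <= hi:
                return policy
        raise ValueError("LBA %d outside every partition" % lba)

    def write(self, lba, data):
        policy = self.policy_for(lba)
        if policy is Policy.IMMUTABLE:
            raise WriteBlocked(lba)
        if policy is Policy.MUTABLE:
            self.disk[lba] = data
            return
        slot = self.redirect.get(lba)
        if slot is None:
            if len(self.redirect) >= self.reserved_slots:
                # Reserved area exhausted: a real limitation of such devices.
                raise WriteBlocked(lba)
            slot = len(self.redirect)
            self.redirect[lba] = slot
        self.reserved[slot] = data

    def read(self, lba):
        """Reads of a redirected LBA are served from the temporary record."""
        slot = self.redirect.get(lba)
        if slot is not None:
            return self.reserved[slot]
        return self.disk.get(lba, b"\x00" * BLOCK)

    def reset(self):
        """Hardware reset: drop the redirect table and the reserved area."""
        self.redirect.clear()
        self.reserved.clear()


def demo():
    """Exercise all three policies across a reset."""
    pam = PartitionAccessManager(
        partitions=[(Policy.IMMUTABLE, 0, 0),          # boot sector
                    (Policy.TEMP_MUTABLE, 1, 999),     # OS and programs
                    (Policy.MUTABLE, 1000, 1999)],     # user data
        reserved_slots=100)
    pam.disk[500] = b"clean-os-file".ljust(BLOCK, b"\x00")   # constructed content
    try:
        pam.write(0, b"X" * BLOCK)
        blocked = False
    except WriteBlocked:
        blocked = True
    pam.write(500, b"modified-os-file".ljust(BLOCK, b"\x00"))
    pam.write(1500, b"user-document".ljust(BLOCK, b"\x00"))
    before_reset = pam.read(500).rstrip(b"\x00")
    pam.reset()
    return (blocked,
            before_reset,
            pam.read(500).rstrip(b"\x00"),     # OS change gone after reset
            pam.read(1500).rstrip(b"\x00"))    # user-data write persists


if __name__ == "__main__":
    print(demo())
```

The last element of demo()'s result is the point of Nick's critique: whatever is allowed to persist for the user's benefit persists for malware's benefit too, so the device protects the OS image and nothing else.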