About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander. All opinions are my own unless explicitly stated.

Wednesday, February 23, 2011

McAfee on security

This past week was the RSA conference, and I was able to attend the keynotes on Thursday. McAfee's CTO, George Kurtz, gave a keynote talk entitled "Driving Security Down the Stack" (preview here, full video of all keynotes here).

The "stack" that Mr. Kurtz' talk title refers to isn't one of the standard definitions of "stack" that I'm used to, his "stack" is this:
  • Applications
  • Operating system
  • Hypervisor
  • Silicon (hardware)

He was arguing that instead of running security applications on top of this stack, security should move downward. This push is in no small part due to the fact that last August Intel announced its purchase of McAfee, with the stated goal of building security features deeper into computing systems. After all, hackers and malware authors are attempting to do the same thing: penetrate deeply into this computing stack to hide from security applications and to gain more complete control over the system. For example, rootkits install at the OS or hypervisor level.
Despite the ambitious talk title, Mr. Kurtz spent most of his time arguing that we should drive security deeper into the stack and very little time explaining how to accomplish it. The closest he came was something he called "roots of trust" that would establish "trusted columns" through the stack, areas of computing that could be kept malware-free. Since he said nothing about how this would work, the audience is left to imagine it.
Quite frankly, I can't figure this one out.
Modern computer software is highly complex, with many millions of lines of code and the bugs that go with them. Modern malware is already highly adept at leveraging these bugs to move horizontally (from application to application, or from one part of the OS to another) and vertically (from application to OS to hypervisor). Mr. Kurtz and I agree that traditional antivirus blacklisting is ineffective, but without any kind of blacklist, how exactly does his "root of trust" determine that the parts of the operating system it relies on haven't been compromised? Or the application? Or the hypervisor? The only part of the stack that approaches a "known good" is the hardware, and I can't think of any way to insert security rules into the silicon that would be comprehensive enough to be effective yet flexible enough to handle the wide range of software a chip will run over its lifetime.
Modern chips already have some security features built in. Back in 2004 (seven years ago already?) PCs began shipping with the Trusted Computing Group's "Trusted Computing" technology, the Trusted Platform Module (TPM): a hardware root of trust that records a hash of each boot component as it loads and can seal keys so they are only released when those measurements match a known-good value. Windows has used the TPM since Vista (BitLocker is the best-known case), but in addition to extensive privacy and security concerns, Trusted Computing hasn't even appreciably slowed the spread of malware.
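To make the "root of trust" idea concrete, here is an added example that is my own illustration, not code from the original post and not anything Intel or McAfee has published. It models the TPM mechanism described above: each layer of the stack hashes the next one into a hardware register (the "extend" operation) before handing it control, and a secret sealed to the resulting value is only released if every layer, in order, matches what was measured when the secret was sealed. This is how a hardware root of trust can answer "is the OS above me the one I expect?" with a whitelist of expected measurements rather than a malware blacklist. The four images, the sealed secret and the key derivation are constructed stand-ins; a real TPM keeps the sealing key inside the chip rather than deriving it from the register value as the toy `seal` does here.

```python
import hashlib
import hmac

# Added example (not from the post or from Intel/McAfee). A TPM Platform
# Configuration Register (PCR) starts at zero and can only be changed by
# hashing a new measurement into its current value, so the final value
# commits to every component loaded and to the order they were loaded in.
PCR_INIT = b"\x00" * 32


def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM-style extend: PCR' = SHA-256(PCR || SHA-256(image)). Not settable."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measure_stack(components):
    """Measured boot: each layer measures the next before running it.
    Returns the final PCR value and an event log of what was measured."""
    pcr = PCR_INIT
    log = []
    for name, image in components:
        pcr = extend(pcr, image)
        log.append((name, hashlib.sha256(image).hexdigest()))
    return pcr, log


def seal(secret: bytes, expected_pcr: bytes) -> bytes:
    """Toy sealed storage: bind a secret to one PCR value.
    Assumption: the key is derived from the PCR so that a different
    measurement chain cannot reproduce it (a real TPM holds the key in silicon)."""
    assert len(secret) <= 32, "toy keystream is a single SHA-256 block"
    key = hashlib.sha256(b"seal-key:" + expected_pcr).digest()
    stream = hashlib.sha256(b"stream:" + key).digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def unseal(blob: bytes, current_pcr: bytes):
    """Return the secret only if current_pcr equals the value it was sealed to;
    any other chain of measurements yields a bad tag and None."""
    ct, tag = blob[:-32], blob[-32:]
    key = hashlib.sha256(b"seal-key:" + current_pcr).digest()
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    stream = hashlib.sha256(b"stream:" + key).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


# Constructed stand-ins for the four layers of Kurtz's stack, bottom up.
GOOD_STACK = [
    ("silicon/firmware", b"constructed firmware image v1"),
    ("hypervisor", b"constructed hypervisor image v1"),
    ("kernel", b"constructed kernel image v1"),
    ("application", b"constructed security agent image v1"),
]


def boot_and_unseal(components, blob):
    """Boot the given stack, then try to release the sealed secret."""
    pcr, _ = measure_stack(components)
    return unseal(blob, pcr)


def demo():
    """Seal a secret to the clean stack, then try several tampered boots.
    Returns a dict of scenario -> whether the secret was released."""
    good_pcr, _ = measure_stack(GOOD_STACK)
    blob = seal(b"constructed-disk-key", good_pcr)
    results = {"clean": boot_and_unseal(GOOD_STACK, blob) is not None}

    # Kernel-level rootkit: same boot order, kernel image patched on disk.
    rooted = [(n, img + b" +rootkit" if n == "kernel" else img) for n, img in GOOD_STACK]
    results["kernel_rootkit"] = boot_and_unseal(rooted, blob) is not None

    # Hypervisor patched: every layer above it looks clean to itself,
    # but the measurement taken below it changed.
    hooked = [(n, img + b" +hook" if n == "hypervisor" else img) for n, img in GOOD_STACK]
    results["hypervisor_patched"] = boot_and_unseal(hooked, blob) is not None

    # Same images loaded in a different order: the chain commits to order too.
    reordered = [GOOD_STACK[0], GOOD_STACK[2], GOOD_STACK[1], GOOD_STACK[3]]
    results["reordered"] = boot_and_unseal(reordered, blob) is not None
    return results


if __name__ == "__main__":
    for scenario, released in demo().items():
        print(f"{scenario:20s} secret released: {released}")
```

Two caveats follow directly from the code and match the argument above. First, the measurement is taken when an image is loaded; a kernel that measured correctly and is then exploited at runtime leaves the PCR untouched, which is why this mechanism alone does not stop malware. Second, `seal` needs a known-good PCR value to bind to, so somebody still has to maintain the list of expected measurements for every combination of firmware, hypervisor, OS and application the chip will ever run, which is the flexibility problem raised earlier.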
Don't get me wrong, I'm not saying that Intel/McAfee's "hardware security" efforts are doomed, but they won't be the panacea that Mr. Kurtz's talk claimed they would be. It's just another step in the computer security arms race.
