Rethink needed
A SECURITY expert, Joanna Rutkowska, who specialises in rootkits, says that hardware-based rootkit detection cannot find the more serious stuff.
Hardware rootkit detection has been touted as a much more reliable way of finding the nasty stuff than software methods.
But, speaking at this year's Black Hat DC conference, Rutkowska demonstrated three different attacks against a computer, showing how the image of volatile memory (RAM) acquired through hardware can be made to differ from the real contents of physical memory as seen by the CPU.
According to ZDNET the demonstration showed that the current use of hardware-based RAM acquisition was not the best way to sniff out a rootkit on a compromised machine.
She said that to deal with rootkits required both hardware and software to work in tandem during forensics.
Rutkowska pointed out that sophisticated rootkits can be incredibly dangerous as forensic examiners cannot rely on images collected from RAM.
In one of her attack scenarios she showed how a rootkit could even provide fake information to an examiner.
What is required to make computers completely safe, says Rutkowska, is a rethink of their design so that they are somehow more verifiable: hardware vendors should come up with a special "auditing" interface dedicated only to memory acquisition.
She said that motherboard manufacturers should consider adding a special port which would allow direct access to RAM and potentially some other critical resources, such as CPU system registers and maybe even caches.