Bypassing the operating system is becoming more prevalent as Intel Corp. and Advanced Micro Devices Inc. continue to develop technology that allows system and security management software to hook into the chip.
This week, Intel unveiled new hardware-level security and management technology for its vPro processor technology, much of which centers on addressing vulnerabilities at the operating system level.
At an event last week in Boston to promote the next generation of vPro, Symantec Corp. demonstrated how it is developing a virtual security solution on top of new isolated execution environment technology developed by Intel, called the Trusted Execution Technology (TXT), as well as Intel's Technology for Directed I/O.
TXT verifies the launch environment and establishes a chain of trust from the bare metal hardware to a virtual machine.
"Our goal is to move everything we have running on the main Windows OS to running in isolated executable environments," said Gary Sabala, senior product manager at Symantec. "Right now malware can run on top of the Windows OS, look at the security measures installed, attack those measures and bring down the Windows OS and Symantec."
Working at the hardware level and using virtualization technology, the Symantec code is isolated on top of the vPro platform. This prevents the security software from being attacked at the OS level during boot up and shut down times, in particular when the OS is at its most vulnerable, Sabala said.
Security at the hardware layer
For IT managers dealing with operating systems that have 40 million lines of code and all the possible vulnerabilities that come along with such a large attack surface, securing at the hardware layer could be the ultimate solution, said Gerald Pattyn, senior information systems developer at Farragut Systems Inc. in Lafayette, Colo.
"It's hard to trick the hardware, while at the OS you can override a file and make it behave differently," said Pattyn. "The CPU sets up this upper and lower boundary in memory or the virtual machine that says 'Hey' if something tried to go outside that boundary. So it can be caught and trapped at the CPU level."
Securing at the hardware layer is not perfect either, however, Pattyn said. "There are clever people who know how to get into that CPU and reset those boundaries, so neither solution is foolproof."
The TXT environment addresses a serious issue for many IT shops opting to implement virtual machines that can be compromised because they reside under the OS, said Roger Kay, president, EndPoint Technologies Associates Inc. in Concord, Mass. "The virtualization layer can be compromised by malware. And the malware can, in turn, fool the OS. Technology such as that being developed by Intel stops the attack at the boot up sequence before the OS is launched," he said.
Kay said that more security and management being built into the chip is a necessary and natural evolution that offers IT shops heightened systems management and security, but the trend toward hardware-level security may also be sending Microsoft a message.
Virtualization technology decouples security on top of the OS
AMD is similarly working on virtualization technology that decouples the security capabilities running on top of the OS to make them more tamper-resistant, said Lars Ewe, director of engineering at AMD.
But AMD is equally focused on simplifying systems management for IT shops by decoupling system health monitoring and alerting from the OS. AMD has already developed lights out management technology that OEMs are using to take PC management at the hardware level a step further.
"We are already seeing companies like Embotics [based in Ottawa, Ont.] building autonomics capabilities on top of our platform to deploy policies on systems that allow systems to be self-monitoring and self-healing," Ewe said.
AMD, along with Dell, HP and others, is also involved in the "Desktop and mobile Architecture for System Hardware (DASH) initiative. DASH is a suite of specifications that delivers standards-based Web services management for desktop and mobile client systems. DASH is focused on next-generation standards for secure out-of-band and remote management of desktop and mobile systems. Such technology implementations would use a management controller integrated into the chipset or network controller that enables the execution of a DASH firmware stack, independent of the main CPU or operating system.
Self-healing machines next on the agenda
Intel is moving toward self-healing machines as well as wake and repair capabilities for PCs, even when the PC has an inoperable operating systems or hard drive. Last year Intel introduced its Active Management Technology, which is an enhancement to systems management software. AMT gives IT managers the ability to remotely heal systems after operating system failures and alerts IT shops when software agents are removed. It also lets IT admins see components even when a PC is shut off.
AMT integrates with systems management vendor products such as Altiris Inc., which has developed hardware-based manageability using vPro technology. Called the Altiris Manageability Toolkit, the technology offers network and security management capabilities that are not reliant on software agents and has remote computer management and remediation as well as asset discovery.
About 15% of the help desk problems that IT shops report to Altiris happen at the endpoint, said Kevin Unbedacht, senior platform strategist with Altiris, which is now part of Symantec. "The main complaint is even though there is Wake-on-LAN capabilities out there, [IT shops] have it turned off because it's not secure, and they still can't fix a machine remotely. With Altiris and Intel, IT admins are getting a new, secure, way to remotely fix machines," Unbedacht said.