News Kaspersky patents hardware-based AV

Discussion in 'Article Discussion' started by Sifter3000, 19 Feb 2010.

  1. Sifter3000

  2. Tulatin

    I worry somewhat about the difficulty of disinfecting/infecting the hardware device if it gets hit.
     
  3. Denis_iii

    Aye, I think if it ever becomes standard the virus coders will seek to compromise the hardware device first.
     
  4. fodder

    Cue a pop-up stating "your AV firmware is out of date, click ok to auto update..." with malicious firmware.

    No matter how clever they think their protection is, someone somewhere will crack it.
     
  5. l3v1ck

    Would an extra layer of hardware between your motherboard and SSD affect the drive's performance at all?
     
  6. alpaca

    As said before, I don't really see why this is such a really good thing: it'll bottleneck (even with its own dedicated little computer, it's still another step data has to take before being written to the disk), it will have to have a kind of updateable library (and most probably firmware too) where 'haX0RZ' are going to find their way in, and it says you still have to use a 'normal' antivirus.

    So, the point please?
     
  7. mclean007

    I think it will be mighty secure against malicious firmware - a simple hash of the firmware encrypted with a private key can then be decrypted in the hardware using the corresponding public key and compared to the hash calculated in the hardware. If the hardware insists on doing this before allowing the firmware to be updated, it protects against corrupt downloads of firmware and (so long as the hashing algorithm, encryption algorithm and private key remain uncompromised) malicious firmware.

    Using SHA-1 hashing together with RSA public key encryption with a suitably long key (2,048+ bits) is pretty much unassailable (based on current cracking techniques) using current hardware.
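
The verify-before-flash check described in the post above, as an added example that is not part of the original thread or of Kaspersky's design. It swaps in SHA-256 for the SHA-1 the post mentions and, as an assumption so that it runs on the Python standard library alone, uses a toy RSA key built from two Mersenne primes; the function names are hypothetical.

```python
import hashlib

# Toy RSA key from two known Mersenne primes so the example needs no
# third-party library. Constructed for illustration; NOT a secure key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key, stored in the device
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, vendor only
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# ASN.1 DigestInfo prefix for SHA-256 (PKCS#1 v1.5, RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode_digest(image: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || DigestInfo || SHA-256."""
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def vendor_sign(image: bytes) -> bytes:
    """Vendor side: the only step that needs the private exponent D."""
    m = int.from_bytes(encode_digest(image), "big")
    return pow(m, D, N).to_bytes(K, "big")

def device_accepts(image: bytes, signature: bytes) -> bool:
    """Device side: holds only (N, E) and hashes the image itself."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    # Compare against the whole expected block instead of parsing the
    # padding, so a malformed block can never be accepted.
    return recovered == encode_digest(image)

def apply_update(flash: dict, image: bytes, signature: bytes) -> bool:
    """Write the image only after verification; otherwise keep the old one."""
    if not device_accepts(image, signature):
        return False
    flash["image"] = image
    return True

if __name__ == "__main__":
    fw = b"AV-FW v2 (constructed sample image)"
    sig = vendor_sign(fw)
    flash = {"image": b"AV-FW v1"}
    print("tampered image flashed:", apply_update(flash, fw + b"!", sig))
    print("genuine image flashed: ", apply_update(flash, fw, sig))
```
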
     
  8. Bauul

    I can see this becoming a reality in corporations where hardware performance is about 30 steps down the chain of importance from security. For the average home power user though it's less of a logical step when a good software AV and common sense usually prevail.
     
  9. 13eightyfour

    Agreed, it'll be aimed at business rather than home users; people can install a software AV themselves, but the average Joe wouldn't want to install hardware for it, IMO.
     
  10. RichCreedy

    Get a Netgear UTM, it should stop things coming in before they even get to the computer.
     
  11. dworvos

    How about if the company issued an update which creates false positives on OS files? I certainly hope then there's a way to fix the firmware from say a USB key instead of requiring an OS to do it....
     
  12. brave758

    Sounds like a good idea.
     
  13. Farfalho

    Sounds good, but how much will we be charged for it? Kaspersky is a company and, like every company, they want profit. We have to pay for this hardware one way or another. I use KIS and I'm very happy with it. As for another intermediary between the HDD/SSD and the motherboard, I think they have thought it through.
     
  14. Jenny_Y8S


    Until the private key gets leaked like it's bound to and then suddenly you've got hardware that can't be patched safely!

    LOL

    I don't think I'll be buying one just yet!
     
  15. LucusLoC

    I think this is an interesting idea, but I want to know what the safeguards are. I still think the best way to prevent most malicious code is to simply protect the RAM. Eliminate the buffer overflow problem and the only possible attack left is social engineering based. I think we need to build that memory protection into the OS, or perhaps even the hardware. Programs should never be allowed to access memory that they have not requested, and should doubly not be able to access memory from another program or the OS. Signature-based AV, while it has its place, should not be the first line of defense.
     
  16. Kronenbourg1664

    Presumably a striped raid array would make the device useless?
     
  17. AstralWanderer

    Any signature-based technology is going to be limited by the use of encryption/obfuscation/compression to disguise malware - Kaspersky's hardware, as described above, would have to handle every algorithm (including all versions of Zip, RAR, ACE, 7-Zip, UPX, etc), detect self-modifying code (to deal with custom compression routines), detect application exploits (like malicious PDFs or JPGs) and be able to understand every feature of every file system (NTFS and FAT32 for Windows; Reiser, ext2/3, JFS for Linux, etc) if intercepting hard-disk traffic.

    Kaspersky's software scanner currently does much, but not all, of the above (it also includes an option to scan for known vulnerabilities in any installed software). Doing the same in hardware would make it critically reliant on updates (e.g. to handle file-system changes introduced in a new Service Pack) and failure could result in significant data corruption, or even an unusable system.

    A more certain option would be to restrict certain actions (most rootkits require a reboot for example) and to ask the user first (e.g. "Did you just ask your computer to restart? If not, then program X is trying to do so without your consent - should it be quarantined instead?"). There are some programs that provide similar features (sadly, the one I use, System Safety Monitor, is no longer commercially available since the company closed down) but they then rely on users making the correct choice. This approach can't be handled easily by hardware (aside from restarts) since it requires access to operating system internal data (running processes, etc).

    As a result, many companies, including Kaspersky, seem to be using the "whitelist" approach (building up lists of legitimate programs). This is probably where the future of anti-malware programs will be - especially for companies and NGOs which (for commercial or political reasons) may face attack with custom malware, undetected by any scanner.
     
  18. metarinka

    I liked the idea, if only for the fact that it would catch more viruses with high level access, such as the infamous rootkits on USB keys and the like.

    I'm guessing you would update it via USB or some other such thing below the OS level, and while no system is impossible to hack, it would be much harder to bypass and infect a piece of hardware built on a custom platform than to hack a software AV system.
     
  19. ssj12

    I wonder, if someone installed this on an infected PC, would it scan the PC before the OS loads, killing a virus?

    If it did something like this, it would have massive uses.
     
  20. Tulatin

    I think it would need some sort of boot CD in order to function that way, but it's a neat idea. That said, an automated cleanup mode would be a mixed bag; after all, it would be terrible for a bad set of updates to flag a few critical system files as infected, and have the device delete them. Granted, that's not to say that little nasties like Virut don't already infect critical .exes.
     