bit-tech.net

Kaspersky patents hardware-based AV

Kaspersky's creation will sit between the hard drive and the motherboard, scanning for viruses and malware on the fly.

Security vendor Kaspersky has been granted a patent on a novel hardware-based anti-virus technology designed to sit between a hard drive and motherboard.

According to the company, it has been granted US Patent number 7657941 for "a hardware-based antivirus system that effectively combats rootkits."

As detailed at Neowin, the idea is to install the device between the data storage device (either a hard disk or SSD) and the motherboard in order to read data as it is streamed to and from the disk, and even to block writes to the disk and prevent the permanent storage of detected malicious code. The standalone nature of the device - which can also be made to work in tandem with a more traditional software-based anti-virus - enables it, in Kaspersky's words, to "effectively combat malicious programs that elevate their privileges in the system, e.g., dangerous malware such as rootkits."

While the initial concept is of a physical device, Kaspersky notes that it would make sense if future versions were integrated directly onto either the hard drive or SSD controller or onto the SATA bus itself.

The patent's author, senior technology expert Oleg Zaitsev, describes the concept as offering "a distinct advantage over conventional AV solutions because it monitors all attempts to access a memory device while remaining inaccessible to malware," and provides for an update mechanism for the virus signatures which is "protected from malicious code and faulty records during updates."

While the concept of a hardware-based anti-virus isn't new, integrating it this closely inside the PC is. Anyone who looks to get the most out of their system's performance will be pleased to hear that Kaspersky's device brings its own processor and RAM to the party to keep things nipping along. However, the idea of a completely independent hardware-based anti-virus may worry others, especially if there is no option to disable the technology without removing the device and it uses the same virus signatures as the company's desktop software.

Do you think that hardware-based anti-virus systems are the future, or does this kind of problem need to be solved at an operating system level by fixing the holes that allow malware in rather than just patching over the cracks with third-party solutions? Share your thoughts over in the forums.
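The write-blocking the article describes, modelled as an added example in Go (not Kaspersky's code and nothing from the patent): a device on the disk cable that sees writes one block at a time and refuses to store any block carrying a known pattern. Signatures and blocks are constructed samples; the example goes one step beyond the article by handling a pattern that straddles two consecutive blocks, which a scan of each block in isolation would miss.

```go
package main

import (
	"bytes"
	"fmt"
)

type Interposer struct {
	sigs   [][]byte // byte patterns the device refuses to store (constructed samples)
	carry  []byte   // tail of the previous block, kept so a straddling match is not missed
	maxSig int
}

func NewInterposer(sigs [][]byte) *Interposer {
	ip := &Interposer{sigs: sigs}
	for _, s := range sigs {
		if len(s) > ip.maxSig {
			ip.maxSig = len(s)
		}
	}
	return ip
}

// Write returns true if the block may be stored. The scan covers the last maxSig-1
// bytes of the previous block plus this block, so a pattern that starts in one block
// and ends in the next is still caught; a per-block scan would pass both halves.
func (ip *Interposer) Write(block []byte) bool {
	window := append(append([]byte{}, ip.carry...), block...)
	keep := ip.maxSig - 1
	if keep < 0 {
		keep = 0
	} else if keep > len(window) {
		keep = len(window)
	}
	ip.carry = append([]byte{}, window[len(window)-keep:]...)
	for _, s := range ip.sigs {
		if bytes.Contains(window, s) {
			return false // drop the write; the pattern never reaches the disk
		}
	}
	return true
}

func main() {
	// Constructed sample: a 12-byte pattern split across the 2nd and 3rd 8-byte blocks.
	ip := NewInterposer([][]byte{[]byte("EVIL_PAYLOAD")})
	for i, b := range [][]byte{[]byte("clean!!!"), []byte("dataEVIL"), []byte("_PAYLOAD"), []byte("more_ok_")} {
		fmt.Printf("block %d %q written: %v\n", i, b, ip.Write(b))
	}
}
```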

19 Comments
Tulatin 19th February 2010, 11:16 Quote
I worry somewhat about the difficulty of disinfecting/infecting the hardware device if it gets hit.
Denis_iii 19th February 2010, 11:25 Quote
Aye, I think if it ever becomes standard the virus coders will seek to compromise the hardware device first.
fodder 19th February 2010, 11:36 Quote
Cue a pop-up stating "your AV firmware is out of date, click OK to auto update..." with malicious firmware.

No matter how clever they think their protection is, someone somewhere will crack it.
l3v1ck 19th February 2010, 11:57 Quote
Would an extra layer of hardware between your motherboard and SSD affect the drive's performance at all?
alpaca 19th February 2010, 12:03 Quote
As said before, I don't really see why this is such a really good thing: it'll bottleneck (even with its own dedicated little computer, it's still another step data has to take before being written to the disk), it will have to have a kind of updateable library (and most probably firmware too) where 'haX0RZ' are going to find their way in, and it says you still have to use a 'normal' antivirus.

So, the point, please?
mclean007 19th February 2010, 12:12 Quote
I think it will be mighty secure against malicious firmware - a simple hash of the firmware encrypted with a private key can then be decrypted in the hardware using the corresponding public key and compared to the hash calculated in the hardware. If the hardware insists on doing this before allowing the firmware to be updated, it protects against corrupt downloads of firmware and (so long as the hashing algorithm, encryption algorithm and private key remain uncompromised) malicious firmware.

Using SHA-1 hashing together with RSA public key encryption with a suitably long key (2,048+ bits) is pretty much unassailable (based on current cracking techniques) using current hardware.
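The firmware gate mclean007 describes, written out as an added example in Go (not Kaspersky's code or anything from the patent): the vendor signs the hash of an image offline, and the device recomputes the hash and verifies the signature with its built-in public key before flashing. Keys, the image and the rogue key are constructed for the demonstration; the example uses SHA-256 rather than the SHA-1 the post mentions, since SHA-1 is no longer considered collision-resistant.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignFirmware is the vendor-side step, done offline with the private
// key: hash the image and sign the digest (RSA PKCS#1 v1.5 over SHA-256).
func SignFirmware(priv *rsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// AcceptUpdate is the device-side gate that runs before anything is
// flashed: the device hashes the received image itself and checks the
// signature against the public key it was built with. A corrupted
// download, a tampered image or a signature made with some other key
// all fail here, so the old firmware stays in place.
func AcceptUpdate(pub *rsa.PublicKey, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	vendorKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed: stands in for the vendor's signing key
	rogueKey, _ := rsa.GenerateKey(rand.Reader, 2048)  // constructed: a key the device does not trust

	image := []byte("constructed firmware image v1.0") // constructed sample
	sig, _ := SignFirmware(vendorKey, image)
	fmt.Println("genuine update accepted:", AcceptUpdate(&vendorKey.PublicKey, image, sig))

	// A single flipped byte (a bad download or an injected change) is rejected.
	corrupted := append([]byte{}, image...)
	corrupted[0] ^= 0x01
	fmt.Println("corrupted image accepted:", AcceptUpdate(&vendorKey.PublicKey, corrupted, sig))

	// An image signed with a key the device does not trust is rejected too.
	rogueSig, _ := SignFirmware(rogueKey, image)
	fmt.Println("rogue-signed image accepted:", AcceptUpdate(&vendorKey.PublicKey, image, rogueSig))
}
```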
Bauul 19th February 2010, 13:46 Quote
I can see this becoming a reality in corporations where hardware performance is about 30 steps down the chain of importance from security. For the average home power user though it's less of a logical step when a good software AV and common sense usually prevails.
13eightyfour 19th February 2010, 13:51 Quote
Quote:
Originally Posted by Bauul
I can see this becoming a reality in corporations where hardware performance is about 30 steps down the chain of importance from security. For the average home power user though it's less of a logical step when a good software AV and common sense usually prevails.

Agreed, it'll be aimed at business rather than home users; people can install a software AV themselves, but average Joe wouldn't want to install hardware for it, imo.
RichCreedy 19th February 2010, 15:39 Quote
Get a Netgear UTM, should stop things coming in before they even get to the puter.
dworvos 19th February 2010, 18:04 Quote
How about if the company issued an update which creates false positives on OS files? I certainly hope then there's a way to fix the firmware from, say, a USB key instead of requiring an OS to do it...
brave758 19th February 2010, 18:25 Quote
Sounds like a good idea.
Farfalho 19th February 2010, 20:00 Quote
Sounds good, but how much will we be charged for it? Since Kaspersky is a company and, as every company, they want profit, we have to pay for this hardware some sort of way. I use KIS and I'm very happy with it. About another intermediary between HDD/SSD and the motherboard, I think they have thought it through.
Jenny_Y8S 19th February 2010, 21:57 Quote
Quote:
Originally Posted by mclean007
I think it will be mighty secure against malicious firmware - a simple hash of the firmware encrypted with a private key can then be decrypted in the hardware using the corresponding public key and compared to the hash calculated in the hardware.

Until the private key gets leaked like it's bound to and then suddenly you've got hardware that can't be patched safely!

LOL

I don't think I'll be buying one just yet!
LucusLoC 19th February 2010, 23:34 Quote
I think this is an interesting idea, but I want to know what the safeguards are. I still think the best way to prevent most malicious code is to simply protect the RAM. Eliminate the buffer overflow problem and the only possible attack left is social engineering based. I think we need to build that memory protection into the OS, or perhaps even the hardware. Programs should never be allowed to access memory that they have not requested, and should doubly not be able to access memory from another program or the OS. Signature based AV, while it has its place, should not be the first line of defense.
Kronenbourg1664 20th February 2010, 13:43 Quote
Presumably a striped raid array would make the device useless?
AstralWanderer 20th February 2010, 21:54 Quote
Any signature-based technology is going to be limited by the use of encryption/obfuscation/compression to disguise malware - Kaspersky's hardware, as described above, would have to handle every algorithm (including all versions of Zip, RAR, ACE, 7-Zip, UPX, etc), detect self-modifying code (to deal with custom compression routines), detect application exploits (like malicious PDFs or JPGs) and be able to understand every feature of every file system (NTFS and FAT32 for Windows; Reiser, ext2/3, JFS for Linux, etc) if intercepting hard-disk traffic.

Kaspersky's software scanner currently does much, but not all, of the above (it also includes an option to scan for known vulnerabilities in any installed software). Doing the same in hardware would make it critically reliant on updates (e.g. to handle file-system changes introduced in a new Service Pack) and failure could result in significant data corruption, or even an unusable system.

A more certain option would be to restrict certain actions (most rootkits require a reboot for example) and to ask the user first (e.g. "Did you just ask your computer to restart? If not, then program X is trying to do so without your consent - should it be quarantined instead?"). There are some programs that provide similar features (sadly, the one I use, System Safety Monitor, is no longer commercially available since the company closed down) but they then rely on users making the correct choice. This approach can't be handled easily by hardware (aside from restarts) since it requires access to operating system internal data (running processes, etc).

As a result, many companies, including Kaspersky, seem to be using the "whitelist" approach (building up lists of legitimate programs). This is probably where the future of anti-malware programs will be - especially for companies and NGOs which (for commercial or political reasons) may face attack with custom malware, undetected by any scanner.
metarinka 21st February 2010, 18:08 Quote
I liked the idea, if only for the fact that it would catch more virii with high level access, such as the infamous rootkits on USB keys and the like.

I'm guessing you would update it via USB or some other such thing below the OS level, and, while no system is impossible to hack, it would be much harder to bypass and infect a piece of hardware built on a custom platform than to hack a software AV system.
ssj12 24th February 2010, 08:37 Quote
I wonder, if someone installed this on an infected PC, would it scan the PC before the OS loads, killing a virus?

If it did something like this, it would have massive uses.
Tulatin 24th February 2010, 14:01 Quote
Quote:
Originally Posted by ssj12
I wonder, if someone installed this on an infected PC, would it scan the PC before the OS loads, killing a virus?

If it did something like this, it would have massive uses.

I think it would need some sort of boot CD in order to function that way, but it's a neat idea. That said, an automated cleanup mode would be a mixed bag; after all, it would be terrible for a bad set of updates to flag a few critical system files as infected, and have the device delete them. Granted, that's not to say that little nasties like virut don't already infect critical .exes.