
Network World

Dustin Puryear

Thoughts on Protection from Hardware-based Malware

Dell ships PowerEdge servers with Trojans built into the hardware

By Dustin Puryear on Wed, 07/21/10 - 2:47pm.


Well, this is disturbing. Apparently Dell shipped several models of its PowerEdge server line with Trojans built into the actual hardware of the server (well, the firmware, I suppose). Dell is issuing fixes for this particular problem, but it really highlights the growing risk and sophistication of malware developers.

First of all, it becomes very difficult to detect malware if it’s embedded into the hardware of your server. An obvious example is if the malware is built into the firmware of your motherboard. If the malware runs at boot, before the OS is in action, the dangers are obvious.

But what if the malware is in your disk controller? Or NIC?

Let’s discuss the disk controller scenario first. The malware would have the ability to modify data being written to or read from the disk. This affects everything from SQL records to the virtual disk space used by the OS. Now, clearly, there is some limitation (at least in current disk controllers) on their visibility past disk blocks and into actual file system structures, such as file data or metadata. But if the malware can assume that an NTFS or ext2/ext3 file system is being used, which is a pretty damn good guess, then it doesn’t take much code to modify what is being read or written.

Ditto with your NIC. If your network card is monitoring your network traffic, the OS and your AV software are not going to detect the security violation, and you very well could be SOL.

So a lot of people may offer the initially reasonable advice: Well, use encryption. That sounds great, until you realize that high-load servers often off-load many services, including encryption, to the hardware that could be infected. If I off-load my SSL encryption to my high-end Intel NIC, and that NIC is infected with malware, how does that help resolve the problem? It doesn’t.

So what’s the solution?

We know we can’t eliminate the threat entirely, at least not judging by the past 30 years of experience in computer science, or on the home laptop. It’s impossible. Can we mitigate the risk?

Again, a quick way to mitigate the risk is to encrypt data, but then we have to worry about performance, especially if we can’t rely on disk and NIC controllers to do that encryption for us.
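One concrete form of that software-side mitigation, added here as an illustration rather than anything from the original post or from Dell: the host computes an integrity tag for every block in the CPU, with a key the disk controller never sees, and verifies it on every read. The block layout, key handling and the one-byte tamper below are all constructed for the example.

```python
import hmac
import hashlib
import os

BLOCK_SIZE = 16  # tiny block size so the constructed example stays readable
TAG_SIZE = 32    # HMAC-SHA256 digest length


class AuthenticatedBlockStore:
    """Host-side integrity layer. Every block is written with a MAC computed
    in the CPU and keyed with a secret held in host memory (an assumption of
    this example), so a controller that rewrites block bytes cannot produce a
    matching tag. Caveat: this does not catch a controller that replays an
    older, validly tagged version of the same block; that needs a per-block
    version counter kept in trusted memory as well."""

    def __init__(self, backing: bytearray, key: bytes):
        self.backing = backing  # stands in for the raw device behind the controller
        self.key = key

    def _tag(self, index: int, data: bytes) -> bytes:
        # Binding the block index into the MAC stops a controller from
        # answering a read for block 3 with the (validly tagged) block 7.
        msg = index.to_bytes(8, "big") + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def write(self, index: int, data: bytes) -> None:
        assert len(data) == BLOCK_SIZE
        off = index * (BLOCK_SIZE + TAG_SIZE)
        self.backing[off:off + BLOCK_SIZE + TAG_SIZE] = data + self._tag(index, data)

    def read(self, index: int) -> bytes:
        off = index * (BLOCK_SIZE + TAG_SIZE)
        data = bytes(self.backing[off:off + BLOCK_SIZE])
        tag = bytes(self.backing[off + BLOCK_SIZE:off + BLOCK_SIZE + TAG_SIZE])
        if not hmac.compare_digest(tag, self._tag(index, data)):
            raise ValueError(f"integrity failure on block {index}")
        return data


def simulate_controller_tamper(backing: bytearray, index: int) -> None:
    """Constructed stand-in for the scenario in the post: something between
    the host and the platter flips one bit of a block after it was written."""
    backing[index * (BLOCK_SIZE + TAG_SIZE)] ^= 0x01


def demo():
    """Returns (clean read verified, tampered read detected)."""
    store = AuthenticatedBlockStore(bytearray((BLOCK_SIZE + TAG_SIZE) * 4), os.urandom(32))
    store.write(0, b"SELECT * FROM t;")  # exactly 16 bytes of sample block data
    store.write(1, b"0123456789abcdef")
    clean_ok = store.read(0) == b"SELECT * FROM t;"
    simulate_controller_tamper(store.backing, 1)
    try:
        store.read(1)
        return clean_ok, False
    except ValueError:
        return clean_ok, True
```

The cost is one HMAC per block in the CPU, which is small next to the I/O itself; the point is that the verification never depends on the hardware that might be compromised.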

Can we use behavioral analysis?

How?

If the OS doesn’t see the data once it reaches the hardware controllers, what behavior are we analyzing?

This is a profoundly complex problem.


About See Through the Windows

Dustin Puryear is the founder of Puryear IT, LLC, which provides information technology expertise for enterprises looking to leverage their computing resources. He focuses on systems administration and management, SSO, identity and access management, directory services, and interoperability. He has written numerous articles and books, has spoken at conferences and Microsoft road shows, appeared on Federal News Radio, and can always be found kicking the tires of the latest technology.

Contact
dpuryear@puryear-it.com

Publication and Speaking List
http://www.puryear-it.com/pubs/articles/

