Hardware-Enforced Security Solutions?

Online_Sword

Mar 23, 2015
Today I read an interesting paper, "Hardware virtualization based security solution for embedded systems", which was presented by researchers from Bitdefender Lab.


S. Lukacs, A. V. Lutas, D. H. Lutas and G. Sebestyen, "Hardware virtualization based security solution for embedded systems," Automation, Quality and Testing, Robotics, 2014 IEEE International Conference on, Cluj-Napoca, 2014, pp. 1-6.
doi: 10.1109/AQTR.2014.6857879
Abstract: We describe the implementation and the evaluation of a hypervisor level, hardware-enforced security solution suitable for the latest embedded platforms. Our solution is based on thin layer bare-metal hypervisor, a memory introspection engine and is validated on Silvermont microarchitecture based Intel x86 processors, running Windows. The approach is well suited to enhance the security of many POS and industrial embedded devices. We also present various kinds of attacks our solution defends against, and several remaining limitations.

Please note that although this paper is written by Bitdefender researchers, it is not directly related to the Bitdefender products; otherwise it could hardly be presented at an academic conference. ;)

In that paper, it is claimed that:
While the industry and academia both tried to continuously create various new malware prevention and detection solutions, it is fairly clear that all current conventional security solutions can be easily bypassed by malware [8], [9]. Many advocate that a paradigm shift is needed, implying migration from software-only to hardware-enforced security solutions – many of which implies hardware virtualization [10]–[12].

That paper also introduces how hardware features could be used to enforce security features:
On low level, virtualization technologies like VT-x have a trap & emulate architecture: certain instructions will cause a fault-like event (called VM-exit in the case of Intel VT-x), which will be trapped and handled by the virtual machine monitor.

In my opinion, using hardware features like VT-x to enforce security features sounds very interesting. :D
As far as I know, some antivirus products use such a technique in their behavior blocker, such that the malware can perform some malicious behaviors (which require high privilege) in an isolated environment for analysis, such that the host machine will not be influenced. Good idea, isn't it? :)

To the best of my knowledge, the following products use hardware features to enforce the security features:

1. Avast. It can be inferred from @venustus's following post that Avast applies VT-x/AMD-V techniques on Win8+ 32-bit OS and on all 64-bit OSes to its behavior blocker DeepScreen, Sandbox, and SafeZone.
avast! NG - What is it? (Avast 2015)

2. Bitdefender.
I often hear that Bitdefender's behavior blocker ATC (called AVC in the past) uses the technique of hardware virtualization, but I have not found any official document on it. It seems that Bitdefender installs a driver called "Bitdefender AVC HV" on the user's computer. HV here may represent "Hardware Virtualization" or "HyperVisor" :confused:. By the way, it is also reported by some users that Bitdefender can interfere with VirtualBox's use of VT-x:
virtualbox.org • View topic - VT-x is being used by another hypervisor
I think this implies that Bitdefender actually uses hardware features in its behavior blocker. :)

3. Comodo:
Introducing Comodo Internet Security 8 with more Features

Hardware virtualization support
- When Intel VT-x or AMD™ SVM Virtualization extensions are available, Enhanced Protection Mode makes use of these technologies and CIS operates at hypervisor level.

4. HitmanPro.Alert. I am not familiar with this product. According to the official webpage:
HitmanPro.Alert further raises the bar for exploit attacks. Its innovative hardware-assisted Control-Flow Integrity (CFI) technology is a new approach to prevent attackers from hijacking control-flow of internet-facing applications, like web browsers, Office and other productivity software.

5. McAfee Deep Defender (MDD). I guess most MT members have not even heard of this product :D, because it is only included in the Enterprise Suite of McAfee. Some people say that this is the only benefit that McAfee got from Intel. :p
Review: McAfee Deep Defender - eSecurity Planet
  • McAfee's Deep Defender is a very unusual antimalware product designed to protect endpoints against unknown rootkits
  • Deep Defender leverages McAfee's DeepSafe technology
  • DeepSafe technology is actually very similar to virtualization technology, and DeepSafe runs as a VMX root application, using an Intel processor mode which is intended for running hypervisors. McAfee was acquired by Intel in 2010, and DeepSafe only runs on Intel processors that feature the VTx virtualization hardware extensions. This includes all Intel Core i3, i5, and i7 processors, which are part of what Intel calls its vPro platform.

I know that this list may not be complete or accurate, so please help to complement it.;)

Please only mention the products that can be installed on desktop computers.
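Every product in the list above depends on VT-x or AMD-V being implemented by the CPU and not already claimed by another hypervisor (the VirtualBox conflict mentioned under Bitdefender). As an added example, not code from the thread or from any of the vendors named, this C program decodes the CPUID bits that answer both questions: whether the CPU implements VT-x or AMD-V, and whether a hypervisor is already present (and which one). On a non-x86 host it falls back to a constructed sample dump rather than executing CPUID.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
typedef struct { uint32_t eax, ebx, ecx, edx; } cpuid_regs;
typedef enum { VIRT_NONE, VIRT_VMX, VIRT_SVM } virt_kind;

/* Leaf 1, ECX bit 5: Intel VMX (VT-x) is implemented by this CPU. */
int has_intel_vmx(const cpuid_regs *leaf1) { return (leaf1->ecx >> 5) & 1u; }
/* Extended leaf 0x80000001, ECX bit 2: AMD SVM (AMD-V) is implemented. */
int has_amd_svm(const cpuid_regs *ext1) { return (ext1->ecx >> 2) & 1u; }
/* Leaf 1, ECX bit 31: a hypervisor already sits underneath this OS. */
int hypervisor_present(const cpuid_regs *leaf1) { return (leaf1->ecx >> 31) & 1u; }

/* Leaf 0x40000000: EBX,ECX,EDX carry a 12-byte vendor signature, e.g.
 * "VBoxVBoxVBox" (VirtualBox) or "Microsoft Hv" (Hyper-V). */
void hypervisor_vendor(const cpuid_regs *hv, char out[13]) {
    memcpy(out, &hv->ebx, 4); memcpy(out + 4, &hv->ecx, 4); memcpy(out + 8, &hv->edx, 4);
    out[12] = '\0';
}

/* Which extension a VT-x/AMD-V based product could use on this CPU. */
virt_kind hw_virt_kind(const char *cpu, const cpuid_regs *leaf1, const cpuid_regs *ext1) {
    if (!strcmp(cpu, "GenuineIntel") && has_intel_vmx(leaf1)) return VIRT_VMX;
    if (!strcmp(cpu, "AuthenticAMD") && has_amd_svm(ext1)) return VIRT_SVM;
    return VIRT_NONE;
}

/* Constructed sample (not a real dump): Intel CPU with VT-x, already under VirtualBox. */
void constructed_sample(cpuid_regs *leaf1, cpuid_regs *ext1, cpuid_regs *hv) {
    memset(leaf1, 0, sizeof *leaf1); memset(ext1, 0, sizeof *ext1); memset(hv, 0, sizeof *hv);
    leaf1->ecx = (1u << 5) | (1u << 31);
    memcpy(&hv->ebx, "VBox", 4); memcpy(&hv->ecx, "VBox", 4); memcpy(&hv->edx, "VBox", 4);
}

int main(void) {
    cpuid_regs l1, e1, hv; char cpu[13] = "GenuineIntel", vendor[13];
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a, b, c, d;  /* leaf 0 vendor string is ordered EBX, EDX, ECX */
    __cpuid(0, a, b, c, d); memcpy(cpu, &b, 4); memcpy(cpu + 4, &d, 4); memcpy(cpu + 8, &c, 4);
    __cpuid(1, l1.eax, l1.ebx, l1.ecx, l1.edx);
    __cpuid(0x80000001u, e1.eax, e1.ebx, e1.ecx, e1.edx);
    __cpuid(0x40000000u, hv.eax, hv.ebx, hv.ecx, hv.edx);
#else
    constructed_sample(&l1, &e1, &hv); /* no CPUID instruction here: use the sample */
#endif
    hypervisor_vendor(&hv, vendor); /* only meaningful when bit 31 is set */
    printf("cpu=%s virt=%d hypervisor=%s\n", cpu, (int)hw_virt_kind(cpu, &l1, &e1),
           hypervisor_present(&l1) ? vendor : "(none)");
    return 0;
}
```

virt=1 means VT-x, virt=2 means AMD-V; a security hypervisor that needs the extension will not load when virt=0, and may refuse to start (or conflict with VirtualBox) when another hypervisor is already reported.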

Soulbound

Jan 14, 2015
MDD got mentioned yay!
Yep what is listed in the description is true.

Many MT members who used or use McAfee don't really use Enterprise or Endpoint solutions.

Intel acquired McAfee and a lot of improvements went under the hood, especially at Enterprise/EP.