Last week Steve Cutler, Intel’s Technical Marketing Manager, made Intel’s Top 10 technology predictions for the next decade. In a statement reminiscent of Bill Gates’s misguided prediction, at the World Economic Forum in 2004, of a solution to the Spam problem within two years, Cutler’s prediction number five was especially interesting. It stated:
“5. Malware will no longer be a threat thanks to hardware fixes
Intel believes that techniques such as its own Trusted Execution Technology (TXT), which offers protected memory spaces for applications, can be extended so that malicious software will not be able to infect other applications or access sensitive information. Cutler said Intel is working on extensions to this technology, but that more work is needed to take advantage of what is already there.”
Of course, many of the predictions were based around technology that Intel is offering or planning to offer in the future, so an argument could be made that these were less “predictions” than “marketing”. That would be the easy way to dismiss this stuff, though, so I’ll take it at face value and look at the assumptions that prediction entails.
Assumption 1. Hardware & software manufacturers will, over the next ten years, find a way to ship product which they can categorically state is free from bugs. Malware already exists to take advantage of hardware code defects to execute remotely. In order for any hardware based solution to be sufficient in isolation, it will need to be free of exploitable defects.
Assumption 2. The financial return on offer will no longer be worth the investment required to research and generate malware. In a world where goods, services and above all information, are ever more digitised and ever more centralised? In a world where the growing online population, “the digi-boomers” are now moving into employment and becoming a financially viable target? This seems extremely unlikely.
Assumption 3. Everybody will be online savvy enough to recognise and avoid all exploits targeting human behaviour. Phishing, Spear Phishing, Whaling, online credential harvesting of all kinds is big business. This threat does not rely on code execution; it relies on someone believing a lie and surrendering their personal information inappropriately.
Assumption 4. All hardware vendors and all software vendors will implement this technology, and implement it securely. Information Technology in general and Cybercrime/Information Security in particular are in a constant state of flux, each innovating to attempt to outpace and out-manoeuvre the other. Homogeneity of environment (and I mean installed applications plus operating system plus hardware) is not something I see arriving in the near future.
Assumption 5. Protocol and credential based attacks will disappear. Can this kind of code execution protection technology be developed to mitigate against DNS cache poisoning type attacks, or brute force and rainbow table password guessing attacks, or BGP based attacks? These are scenarios where the legitimate application or protocol is subverted for unauthorised access or redirection.
I can think of one thing that I am sure will hold true over the next 10 years: the old adage, “Where there’s muck, there’s brass”. As long as there is money to be made, criminals will continue to innovate and attack, and it is up to the security industry to do likewise. On that level I applaud technologies such as Intel’s Trusted Execution Technology but will continue to advocate a layered approach to security and defence.
By way of a footnote, here is a presentation title from this year’s Black Hat DC 2009.
“Rafal Wojtczuk & Joanna Rutkowska
Attacking Intel® Trusted Execution Technology
We describe what Intel® TXT is, how it works, and how it can be used to build more secure systems. We also show, however, weaknesses in current TXT implementations and how they can be practically exploited. We will show a working exploit code against tboot – Intel®’s implementation of trusted boot process for Xen and Linux.”