Intel security game-changer could be native Trusted Extension support
Future McAfee versions likely to have close hardware coupling, predict security pundits
With its $7.7bn acquisition of McAfee rubber-stamped by Europe's Competition Commissioner, Intel could have finally found a way to fully exploit its chip-level security features.
On-chip security measures, specifically Intel's Trusted Extension Technology (TXT), have yet to gain widespread support among security software vendors. But security experts speculate that with McAfee now safely inside, Intel could be ready to roll out mainstream TXT support in future McAfee antivirus releases.
"If McAfee were to natively support TXT that could give Intel an immediate advantage this year, rather than waiting for the natural upgrade cycle," Gartner vice president and fellow Neil McDonald told Computing.
Intel says TXT, also known under its codename LaGrande, is aimed at improving server security, especially in defending against software-based attacks designed to steal sensitive information.
Numerous security features are already built into Intel processors and chipsets, explained McDonald, but it can take years for them to be adopted by software vendors who often wait for widespread uptake of the hardware before committing support.
Yesterday, Intel's technology chief claimed the company is working on quantum-leap security technology that will make zero-day exploits a thing of the past.
"I think we have some real breakthrough ideas about changing the game in terms of malware," Justin Rattner told US news site Computerworld.
Rattner declined to go into detail other than to say that the new development would not use conventional signature-based scanners.
Signature scanners examine network traffic for strings of malignant code, and consequently can only protect computers from known threats held in their signature database. When a new vulnerability is discovered - day zero - they have to be updated rapidly to be effective.
Some anti-malware systems, such as the Sceptic heuristic detection engine from MessageLabs, acquired by Symantec, examine what behaviour an executable program causes in a computer, and flag it up if the behaviour is considered suspicious.
Other systems use fuzzy logic to detect code strings similar to known malware.
But McDonald said neither of these technologies was likely to be on Intel's agenda. However, Rattner could also have been referring to chip-level implementation of white-list security technology, which keeps an approved list of executable behaviours, thereby preventing unapproved behaviours.
The technology is the opposite of black-list technology, which keeps a list of unapproved behaviours but which has to be updated like a signature database.
"White-list is a very powerful computing concept but not mainstream," said McDonald.
Earlier this month, Graham Cluley, senior technology consultant at security firm Sophos, told Computing that Intel's acquisition of McAfee "doesn't make any sense from an embedded security point of view".
He pointed out that hardware-based systems are difficult to update quickly and that rapid response is vital in modern cyber security.
Even if an on-chip security system can be updated regularly, with BIOS or firmware updates, this raises the prospect of another layer of security patching for hard-pressed IT staff to manage on top of frequent operating system and application security patches.
"You cannot have the same rate of change in hardware that we have in software," said McDonald. "Intel will have to strike a balance between what is implemented at chip-level and what is in software."