Network Manageability Engine

In the other interesting demo, Intel showed off their ability to protect a network environment from the spread of viruses. Infestations on the order of the Slammer virus and the Witty worm caused quite a few headaches around the world and were able to spread in only a matter of minutes.

One of the largest problems of future virus protection comes in the form of worms designed to defeat firewalls and circumvent antivirus software. In these cases even modestly protected computers can become contributing factors in the spread of a problem. In order to combat this issue, Intel has proposed a platform-level solution that can dynamically control the functionality of the network hardware based on network activity.

The hardware, called the manageability engine, monitors connections opened per second and will shut down the NIC if software attempts to open more connections per second than a set threshold allows.

The heuristics Intel employs in order to detect virus-like network activity seem to be very accurate and effective. Justin Rattner stated that under tests looking at 8000 worms and various other applications, the heuristics caught every single virus. The worms studied include all known worms as well as custom worms developed by Intel to test the hardware.

On top of this, part of Intel's user-aware platform goals is to adopt the "do no harm" aspect of Asimov's Laws of Robotics. Doing no harm is not so much a bad goal to have as it is an almost ominous and frightening foreshadowing of things going wrong. Nevertheless, Intel says it is committed to doing no harm while implementing features designed to protect the user.

In all of their tests they have not found one false positive. It doesn't seem impossible to imagine that legitimate software could resemble a virus to the hardware, but so far Intel has not discovered a case of this happening. If Intel ever brings this technology to market, they had better make very certain that false positives do not ever happen. Introducing the capability to turn this feature off, as a way to deal with issues arising from a false positive, could potentially cripple its ability to be effective against viruses. If a virus were designed to exploit the ability to disable this hardware, then the manageability engine would have the same fatal flaw as existing technology.
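The connections-per-second cut-off and the false-positive concern described above can be sketched as follows. This is an added example, not Intel's implementation (the article does not describe the actual heuristics or threshold); the class name, the 50-per-second threshold, the latching behaviour and the three traces are assumptions constructed for illustration.

```python
from collections import deque

class ConnectionRateMonitor:
    """Counts connection attempts in a sliding window; latches the NIC off on excess."""

    def __init__(self, max_per_window=50, window_ms=1000):
        # ASSUMPTION: 50 per second is a made-up threshold; the article gives no value.
        self.max_per_window = max_per_window
        self.window_ms = window_ms
        self.recent = deque()        # timestamps (ms) of attempts still inside the window
        self.nic_enabled = True
        self.tripped_at = None       # timestamp (ms) of the attempt that tripped the cut-off

    def observe(self, ts_ms):
        """Record one connection attempt; return True if it is allowed out."""
        if not self.nic_enabled:
            return False             # latched: stays off until something resets it
        while self.recent and ts_ms - self.recent[0] >= self.window_ms:
            self.recent.popleft()    # expire attempts older than the window
        self.recent.append(ts_ms)
        if len(self.recent) > self.max_per_window:
            self.nic_enabled = False
            self.tripped_at = ts_ms
            return False
        return True

def replay(timestamps_ms, **kwargs):
    """Feed a trace through a fresh monitor; return (monitor, attempts allowed)."""
    monitor = ConnectionRateMonitor(**kwargs)
    allowed = sum(monitor.observe(t) for t in timestamps_ms)
    return monitor, allowed

# Constructed traces (timestamps in ms), not captured traffic.
P2P_LIKE = [i * 250 for i in range(40)]      # 4 attempts/s for 10 s
WORM_LIKE = [i * 5 for i in range(400)]      # 200 attempts/s for 2 s
LEGIT_BURST = [i * 3 for i in range(60)]     # 60 attempts in under 200 ms, then idle

if __name__ == "__main__":
    for name, trace in [("p2p-like", P2P_LIKE), ("worm-like", WORM_LIKE),
                        ("legit burst", LEGIT_BURST)]:
        mon, allowed = replay(trace)
        print(f"{name:12} allowed={allowed:3} nic_enabled={mon.nic_enabled} "
              f"tripped_at_ms={mon.tripped_at}")
```

With this bare threshold the short legitimate burst is cut off just like the worm-like trace, which is the false-positive case the article worries about. Raising the threshold clears the burst but lets more of the worm-like traffic out before the cut-off trips.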

This is definitely a feature we want to keep our eyes on. If it works flawlessly it will be an incredible boon in the fight against the spread of computer viruses. But if it has even one problem -- if it fails to "do no harm" -- the ramifications could cause many more headaches than the technology saves.


17 Comments


  • joex444 - Friday, August 26, 2005 - link

    Kind of like taking a car that gets 45mpg but does 0-60 in 14 seconds over the V8, gotcha.
  • 4AcesIII - Thursday, August 25, 2005 - link

    And suddenly Anandtech becomes less and less impressive as a serious review page let alone unbiased. Some failed fake-ality show producer musta wormed his way into the Anandtech staff because I've seen Olympic skiers go downhill slower :) than the credibility of this page.
  • JarredWalton - Thursday, August 25, 2005 - link

    Apparently the heuristics are smart enough to not pick up on something like BitTorrent as opening/closing too many connections at a time? That's interesting if true, as many peer-to-peer clients seem like they would trip the network activity threshold. "Do no harm." I suppose if you asked the RIAA/MPAA, shutting down peer-to-peer wouldn't be harmful in the least.... ;)
  • mikecel79 - Thursday, August 25, 2005 - link

    Most P2P clients don't open up as many connections as a virus would. An average virus would open up 100s of connections a second, whereas a P2P client probably does 3-5 connections a second, if that many.
  • joex444 - Friday, August 26, 2005 - link

    And what if the sneaky pesty virus writers figure out the threshold, and write their virus to not exceed it? Wouldn't Intel's anti-worm thing think it's just a really active legit prog?
  • KristopherKubicki - Thursday, August 25, 2005 - link

    A program like Tor might.

    Kristopher
  • Hacp - Thursday, August 25, 2005 - link

    I think I like the Picture finder. Do they have things like what kind of background the picture has, black/white, etc...
