Deadbolt Operating System Hardening: Difference between revisions

From Inventopedia

Revision as of 03:47, 11 March 2024

Ric Richardson has developed a new technology aimed at stopping malware and ransomware by altering the operating system's kernel behaviour. This method involves creating a protected runtime environment where legitimate programs are installed in a locked area of memory, preventing alterations while the system is running. The approach, which Richardson describes as a "deadbolt" for the operating system, is designed to perform security checks within the kernel before allowing an application to run, aiming to significantly reduce the effectiveness of phishing and ransomware attacks across various platforms including Windows, MacOS, Linux, Android, and iOS. For more details, you can read the full article on ChannelNews (https://www.channelnews.com.au/exclusive-inventor-ric-richardson-plans-to-crush-malware-ransomware/).

HOW IT WORKS

Mr Richardson’s alternative is based on a protected runtime environment. Legitimate programs are installed in a locked area of memory that can’t be altered while the system is running. He says this “deadbolt” feature locks the operating system folder after the initial boot.

Protected runtime environments and lockdown modes are not new. Apple’s lockdown mode for iOS and MacOS limits the usable apps, features and websites so that devices withstand “highly sophisticated cyber attacks”.

Android’s lockdown mode disables the use of biometric authentication during login. Windows lockdown mode enables a network administrator to strictly control the use of applications on networked devices.

Mr Richardson’s patented system goes further by requiring the loader within the kernel to do security checks before letting an application run.

[Figure: A device adds the kernel and loader into volatile memory. Picture: Ric Richardson]

It checks that an application is coming from a space that’s not writable, i.e. a locked folder. “It then does a short hash check to ensure the application that’s been loaded has not been changed,” he says. “It will then try and write to the (application) folder. If it can’t write to the folder, then it knows it’s read only, and it allows the application to run.”
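As an added illustration, not Deadbolt's own code (whose loader runs inside the kernel), the following user-space Python model applies the three checks described above, in the order given, to a constructed sample installation. The manifest format, the function names and the stubbed read-only probe are assumptions of this example.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def folder_is_writable(folder):
    """The article's probe: try to create a file; success means the folder is writable."""
    try:
        fd, tmp = tempfile.mkstemp(dir=folder)
    except OSError:
        return False
    os.close(fd)
    os.unlink(tmp)
    return True

def vet_application(path, locked_root, manifest, probe=folder_is_writable):
    """Return (allowed, reason): locked location, hash unchanged, write attempt must fail."""
    path, root = os.path.abspath(path), os.path.abspath(locked_root)
    if os.path.commonpath([path, root]) != root:
        return False, "outside the locked folder"
    expected = manifest.get(os.path.relpath(path, root))
    if expected is None:
        return False, "not recorded at install time"
    if sha256_file(path) != expected:
        return False, "hash mismatch: image changed since install"
    if probe(os.path.dirname(path)):
        return False, "folder accepted a write: not read-only"
    return True, "ok"

def demo():
    """Constructed sample: one installed app in a temp dir, then four load attempts."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "bin", "editor")
    os.makedirs(os.path.dirname(app))
    with open(app, "wb") as f:
        f.write(b"\x7fELF constructed sample image")
    manifest = {"bin/editor": sha256_file(app)}   # hashes recorded at install time
    locked = lambda folder: False   # stub probe: the locked folder refused the write
    results = {"clean_locked": vet_application(app, root, manifest, locked),
               # real probe: a temp dir accepts writes, so the load must be refused
               "clean_writable": vet_application(app, root, manifest),
               "unknown": vet_application(os.path.join(root, "bin", "other"), root, manifest, locked)}
    with open(app, "ab") as f:
        f.write(b" tampered")   # modify the installed image after the manifest was recorded
    results["tampered"] = vet_application(app, root, manifest, locked)
    return results
```

The probe is the article's own test, an actual write attempt, so the outcome depends on the folder's real permissions at load time rather than on any flag the application carries.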

He says the loader was built to minimise any reduction in operating system performance. Achieving that was a major part of his patented system. He says his engineer spent six months rewriting the bootloader and reconfiguring the operating system. “The engineer who worked on this for me is really a high quality coder.”

He says the application vetting process is different from traditional antivirus that detects malware after it begins running when the damage has been done.

“The majority of malware and ransomware are not abusing stuff that’s already there. It’s tricking people into loading stuff onto the machine that they didn’t intend to,” Mr Richardson says. “They (traditional antivirus packages) are always playing catch up. They’re watching what’s happening and saying ‘do I recognise the application that’s currently running? Yes or no?’.”

He says Microsoft uses whitelisting where it has a database of programs that are authorised to run on a machine. “A lot of corporates have it. But the problem is the way the whitelisting software works is that the kernel runs and then it runs the Defender code, which then checks the whitelist every time something gets run.”

He says sophisticated hacks can get to the operating system kernel and interrupt it, or divert it, so that illicit code can run before it’s detected. “My thinking was … I’m going to make it so that the thing that actually does the loading does the check itself, so it’s impossible for you to separate it from the loading process.”