Israeli security outfit Check Point has come up with a way of checking the CPU for unusual activity which, it says, will catch attacks early.
Dubbed SandBlast, the new software monitors CPU activity, looking for anomalies that indicate attackers are using sophisticated methods that would go unnoticed by traditional sandboxing technology.
Nathan Shuchami, head of threat prevention sales for Check Point, said that traditional sandboxes, including Check Point's, determine whether files are legitimate by opening them in a virtual environment to see what they do.
To get past sandboxes, attackers have devised evasion techniques such as delaying execution until the sandbox has given up, or lying dormant until the machine they are trying to infect reboots.
SandBlast targets the exploitation technique called Return Oriented Programming (ROP), which lets an attacker run malicious code from a booby-trapped data file despite Data Execution Prevention (DEP). DEP is a widespread operating-system feature that marks data regions of memory, such as the stack and heap, as non-executable, so shellcode injected into them cannot simply be jumped to and run.
ROP gets around DEP by chaining together short fragments of legitimate, already-executable code, known as gadgets, each of which ends in a return instruction. A typical chain uses those gadgets to make the process create a new executable memory page, copy the shellcode into it and jump there. The side effect is that the CPU executes a run of return instructions whose destinations were never set up by a matching call: control keeps returning to addresses other than the ones it was called from.
SandBlast's CPU-level detection engine picks up on this call/return mismatch and blocks the attack. The engine relies on features of Intel's Haswell CPU architecture, so the sandbox host has to run on hardware that provides them.
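The call/return mismatch described above is the basis of the well-known "call-preceded return" heuristic: every legitimate `ret` should land immediately after a `call` instruction, while a ROP gadget's `ret` usually lands somewhere else. The following C program is an added example written for this page, not Check Point's code and not a description of how SandBlast is implemented. It assumes x86-64 encodings, a constructed byte array standing in for a code region, and a hand-written list of return destinations standing in for what a hardware branch trace would record.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed x86-64 "code region" (sample bytes made up for this
 * example, not taken from any real binary): three call instructions
 * with legitimate return sites, plus a `pop rdi; ret` gadget that no
 * call precedes. Offsets are noted in the comments. */
static const uint8_t CODE[] = {
    0x90,                               /* 0:  nop                          */
    0xE8, 0x00, 0x00, 0x00, 0x00,       /* 1:  call rel32   -> return site 6  */
    0x90,                               /* 6:  nop                          */
    0xFF, 0xD0,                         /* 7:  call rax     -> return site 9  */
    0x5F,                               /* 9:  pop rdi                      */
    0xC3,                               /* 10: ret                          */
    0xFF, 0x15, 0x00, 0x00, 0x00, 0x00, /* 11: call [rip+0] -> return site 17 */
    0x90,                               /* 17: nop                          */
    0x5F,                               /* 18: pop rdi  (gadget, no call before it) */
    0xC3,                               /* 19: ret                          */
};
static const size_t CODE_LEN = sizeof CODE;

/* Does the instruction that ends at `target` decode as an x86 call?
 * Covers the common encodings only: E8 rel32, FF /2 with a register
 * operand (2 bytes) and the RIP-relative FF 15 disp32 form (6 bytes).
 * Other ModRM forms are not decoded, so this is a heuristic, just as
 * CPU-level call/ret checks are. */
bool ret_target_is_call_preceded(const uint8_t *code, size_t len, size_t target) {
    if (target > len) return false;
    if (target >= 5 && code[target - 5] == 0xE8) return true;          /* call rel32 */
    if (target >= 2 && code[target - 2] == 0xFF) {
        uint8_t modrm = code[target - 1];
        if ((modrm >> 6) == 3 && ((modrm >> 3) & 7) == 2) return true; /* call reg  */
    }
    if (target >= 6 && code[target - 6] == 0xFF && code[target - 5] == 0x15)
        return true;                                                    /* call [rip+disp32] */
    return false;
}

/* `targets` stands in for the destinations of the most recent `ret`
 * instructions, as a branch trace would record them. Returns how many
 * did not land directly after a call. */
size_t count_suspicious_rets(const uint8_t *code, size_t len,
                             const size_t *targets, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!ret_target_is_call_preceded(code, len, targets[i])) bad++;
    return bad;
}

/* Flag a ROP chain when more than `tolerance` returns in the window
 * are suspicious; a small tolerance absorbs the occasional odd return
 * that compilers and runtimes legitimately generate. */
bool rop_detected(const uint8_t *code, size_t len,
                  const size_t *targets, size_t n, size_t tolerance) {
    return count_suspicious_rets(code, len, targets, n) > tolerance;
}

int main(void) {
    const size_t normal[] = {6, 9, 17};   /* returns to the three call sites     */
    const size_t chain[]  = {18, 10, 3};  /* gadgets; 3 is even mid-instruction  */
    printf("normal trace: %zu suspicious, rop=%d\n",
           count_suspicious_rets(CODE, CODE_LEN, normal, 3),
           rop_detected(CODE, CODE_LEN, normal, 3, 1));
    printf("rop trace:    %zu suspicious, rop=%d\n",
           count_suspicious_rets(CODE, CODE_LEN, chain, 3),
           rop_detected(CODE, CODE_LEN, chain, 3, 1));
    return 0;
}
```

The limitation worth noting is visible in the sample bytes themselves: the gadget at offset 9 (`pop rdi; ret`) happens to sit right after `call rax`, so a chain that returned to offset 9 instead of 18 would pass the check. Such "call-preceded gadgets" are the standard way to evade this heuristic, which is why a production engine combines it with other signals rather than relying on it alone.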
It is not cheap: for new customers the service costs between $3,500 and $30,000 per year per Check Point gateway, and the appliances themselves range from $27,000 to $200,000. Existing Check Point customers get the upgrade for free.