It's not every day that Microsoft Research opens up about technologies still in its labs. Microsoft's R&D arm was launched in 1991 with 20 researchers and has grown to 700 employees worldwide. Rich Draves, an area manager, shared with InformationWeek some of the most promising emerging security technologies on his team's workbench.
>> GhostBuster At its Redmond, Wash., lab, Microsoft Research is developing technology for finding rootkits by using their own deceptive behavior against them. Known as GhostBuster, it relies on analyzing and comparing system information at both a high level--from a Win32 API, for example--and a low level--such as the raw disk information. Any difference in the two views--for example, the low-level view indicating a file not present in the high-level view--makes a compelling case that a rootkit is trying to hide. GhostBuster is likely to be developed as a standalone security tool rather than included as a feature within Windows.
>> Shield Today, Microsoft relies heavily on software patching to improve security. Researcher Helen Wang is developing a software "shield" that would run on a firewall or a PC that would function as, essentially, a content filter that searches for and blocks any network traffic that would exploit a detected vulnerability. The shield wouldn't disrupt the operating system or other software running on the PC. "The shield is vulnerability-specific, not exploit-specific," Draves says. Tests have been promising; Draves says the shield would have protected Microsoft customers from 98% of the vulnerabilities found in its products over the past two years, including those targeted by the SQL Slammer worm and Windows Meta File exploits.
>> SureMail Microsoft researchers Sharad Agarwal and Venkat Padmanabhan determined that about 1% of all e-mails get lost in e-mail systems. SureMail is a proposed system in which the e-mail client detects when an e-mail has been sent to a recipient's account and alerts that recipient when an e-mail fails to make it to his or her in-box. SureMail would indicate the e-mail's sender but not disclose the missing message's contents.
>> Vigilante At its Cambridge lab in England, Microsoft Research is developing software code-named Vigilante for detecting and responding to worm attacks, in particular zero-day exploits for which there are no available fixes. When installed on a network honeypot that collects information about incoming traffic, Vigilante would study the flow of data for irregularities that indicate it's been tainted with malware and warn all PCs on the network.
>> XFI Developed in Microsoft's Silicon Valley research lab, XFI offers users a safe way to run an application downloaded from the Web, such as a codec needed to run a video clip or a device driver to connect a piece of hardware. XFI is an extension of control-flow integrity and software-fault isolation, and identifies a potentially malicious application when it tries to access memory outside the range it would normally need.
>> Anti-Phishing Security Microsoft Research has proposed a system in which a user's Web browser would identify passwords and other sensitive information when keyed into HTML forms on Web pages. When those passwords are in- put into a new site, that incident would be reported to a server. If the server detects an unusual number of logons to the new site, it could send out a signal that the site should be investigated for a phishing scam.
The New Security Solutions