IBM researchers take AXE to computer security

Researchers at IBM's Almaden Labs have developed a way to keep those nasty worms and viruses from running on computers, without the use of antivirus software.

The project is the brainchild of researcher Amit Singh, who has been working for several years on techniques to simplify PCs. Two years ago, Singh could see that computers were being choked by the growing amount of security and management software they were using, and he and fellow researchers Anurag Sharma and Steve Welch set about developing software that would make PCs more easy to use.

The solution? A research project called the Assured Execution Environment, (AXE) which takes a very strict approach to controlling what is run on the computer.

Thanks to a patented IBM technique, AXE loads special "AXE runtime," software into the central part of the operating system, called the kernel, every time the PC is booted up. It then polices every piece of software that is run on the machine, making sure that only authorized code gets used.

Unlike antivirus software, AXE doesn't do this by policing for dangerous software. It simply prohibits any code from running unless it has been pre-configured into a special AXE-friendly format, something the IBM researchers say they can make it virtually impossible for spyware and virus writers to do.

"We are making every machine a unique OS," said Singh, who added that, at present, AXE works with both the Windows and Mac OS operating system kernels.

Users or administrators could use a variety of techniques, including encryption, to ensure that unauthorized software could not be run without their permission. They could also use AXE to make sure that certain programs were only run on specific machines, or even use AXE techniques to make data unreadable, to keep Word or PowerPoint documents away from prying eyes.

The AXE developers say that because some users may not want to have every piece of software they run on their machine "blessed" by a central IT administrator, they've built some flexibility into the software's design. PCs can be configured to allow unknown software to run, but only when approved by the user, or they can set unknown software to run only in a virtual machine environment, where it can't do as much damage to the base operating system.

This idea of creating a "whitelist" of authorized applications is going to be more widely adopted by security vendors, because the traditional antivirus technique of blocking known malware is simply becoming too unwieldy, said Yankee Group Senior Analyst Andrew Jaquith. "Whitelists are probably the way to go in the future," he said.

Other companies, such as SecureWave and Bit9, have taken a similar approach to security, he said.

The downside of whitelists, however, is that they can create a management headache because administrators have to get involved every time any software is updated. "If Microsoft sends out a hotfix, you're probably going to have to re-register those applications," he said. "The real question is not whether the technology works, but whether it's manageable."

IBM should have a better understanding of how manageable AXE really is by next year. That's when Welch, the project's manager, hopes to have the software in the hands of an early pilot customer.

Users who "really never wanted the openness and complexity of the operating environment that they're running," would benefit most from the AXE security model, he said. Point-of-sale computers or stock-trading machines would be ideal pilot projects, according to Welch.

Whether AXE will ever become part of a shipping product is unknown, but Welch has some experience turning R&D technologies into IBM brands. He was on the team that developed a lot of the ThinkVantage system management technologies that IBM eventually brought to market.