100kb of unusual code protecting nuclear, ATC and United Nations systems
Tue 2 Jun 2015

A small startup out of the University of London has attracted a modest but impressive cluster of early adopters since its work went commercial in 2011: Lockheed Martin, the civil nuclear sector, the air traffic control sector, the website of the United Nations, the Swiss military, London’s Network Rail and controversial French multinational IT services provider ATOS.
Abatis CEO Kerry Davis likens the company’s kernel driver to “the invention of the wheel – it’s really significant,” The product – since we cannot see the code – seems indistinguishable from magic, digital snake oil, as one hears the list of claims read out…
It weighs in at under 100kb of discrete and autonomous code, prevents all attackers from writing to permanent storage, requires no signature files or whitelists, uses no heuristics or sandboxing, saves 7% of electricity costs, offers a 40% performance improvement over signature-based AV solutions, is backwards compatible to NT4 on Windows and is also available for Red Hat and other brands of Linux and Unix, in addition to a forthcoming iteration on Android.
“We can stop zero day malware,” claims Davis. “The known unknowns and the unknown unknowns,”
The company’s most powerful known client, Lockheed Martin, have released a partial report of their findings with the Abatis system, which finds the potential for scalable savings in data centres ‘highly significant’, observing ‘a potential annual cost saving in excess of £12 at server level’ – scaling up to £125,000 in a data centre with 10,000 servers.
“There’s some secret source in there,” Abatis’ Christian Rogan tells The Stack at InfoSec 2015. “so I can’t explain how it precisely works, but it’s an in-kernel defence mechanism, so when the computer fires up … the moment the files become apparent in the system, HDF [Abatis Host Integrity Technology] is there as a program that’s protecting all the other programs that come afterwards. If you try to get ahead of it in the stack it won’t let you…it’s looking for unapproved I/O traffic related to specific processes. You won’t stop processes from running in memory, but you will stop processes writing to disk,”
Rogan admits that in server environments that may not reboot for months, or even years, HGF’s write-prohibitions may not be so meaningful, since malign processes can do a lot of damage without writing to disk. “It’s not a magic bullet,” he admits. “we still see all those unapproved processes, but because they’re not actually trying to write to disk, but we could find [the processes] for you and make you aware of them,”
The company sees the future of the company’s diminutive 100k watchdog especially in the exploding IoT field, and in the mobile space. “I see it in every mobile,” says Rogan. “every smart meter…people are worried about smart meters being hacked, as are the providers. I worked in that space for a while, and one of the problems is that they don’t have control over the updates. It costs an awful lot to send GSM signals down…so a if a breach does occur with a smart meter, it may be some time before you find out about it,”
The company, which operates out of its seedbed in the enterprise zone of the Royal Holloway, University of London, is in a tender phase in these weeks, but if its clients are select, they are also notable, including the website of the United Nations. “It’s not been breached since 2011, when we began to protect their host provider….The customers we have are the Swiss Military, certain civil nuclear, network rail, protecting certain assets across London…we have quite a few of the integrators; ATOS, for instance, are using it, but it’s been deployed in relatively small numbers. It’s not gone mainstream. We’ve just attracted our seed funding now…”