“The devil is taller, the road is taller” – Intel pushes chip-level hardware-backed threat detection

The strength of network security is determined by its lowest layer of hardware. The bottom layer is not the operating system, but the hardware and firmware on which the operating system resides. Security is generally considered to be provided by security application software. But security strength depends on the underlying security strength – so attackers can compromise security software by compromising the operating system underneath the security application. Microsoft has done a lot in recent years to protect the Windows operating system — but beneath the operating system is the hardware and the firmware that drives it. In October 2019, Security Weekly reported that Microsoft was working with PC makers and chip partners to design devices with more secure firmware layers. The program is designed to combat threats specifically targeted at the firmware and operating system level with Secured-core PCs (devices that apply security best practices to firmware). The tech giant explained that the devices are designed for industries such as financial services, government and healthcare, as well as workers dealing with highly sensitive IP, customer or personal data.

If an attacker gets to the bottom of the operating system and gets into the firmware, it is almost impossible for a security system running on top of the operating system to see the attack and have little ability to mitigate the attack. A successful firmware attack, such as the one used by Russia’s Fancy Bear group (aka APT28 or Strontium), survives an OS reinstallation or even a hard drive replacement. For this reason, advanced attacks against firmware have increased dramatically in recent years.

In March 2021, Microsoft Research reported that more than 80% of enterprises have experienced at least one firmware attack in the past two years, but only 29% of their security budgets are devoted to securing firmware.

There is no easy solution to firmware and other hardware-level problems – it basically requires a rethinking of silicon capabilities, hardware practices, and the relationship between those firmwares and the operating system. Such collaborative programs have been in place for several years, resulting in new types of personal computers that Microsoft calls “secure cores.”

The foundation of this new type of secure PC is the underlying chip security. Secure Core PCs combine a hardware root of trust, firmware protection, hypervisor-enforced code integrity, and isolated and secure identity and domain credentials.

“SecurityWeek” (SecurityWeek) interviewed Intel (Intel) business account planning director Michael? Michael Nordquist, read about the chip giant’s role in securing the latest and future of computers from the chip level and above.

Intel Hardware Protection

The silicon security portion of the “secure core” PC is just one part of Intel’s ongoing hardware security program.

As hackers continue to improve their skills and increasingly turn to hardware infrastructure, Intel believes that organizations of all sizes must invest in better technology — from endpoints to network edge to cloud.

Intel describes its security technology program as covering three main areas: fundamental security, workload and data protection, and software reliability.

At the heart of its security products is Intel Hardware Shield, a set of security technologies that monitor CPU behavior for signs of malicious activity and use the GPU to help speed memory scans.

At the heart of Intel Hardware Shield is TDT (Threat Detection Technology), a set of tools that leverage chip-level telemetry and acceleration to help pinpoint early signs of ransomware, cryptomining, fileless scripts, and other targeted attacks.

According to Intel, TDT has been updated with a feature called “object detection,” which combines machine learning with hardware telemetry to generalize, exploit, and detect their behavior.

The company describes TDT’s advanced platform telemetry as a “low-overhead tool” that doesn’t require invasive scanning techniques or signature databases.

“Using our telemetry at the chip level,” Nordquist said, “we can see things that the operating system can’t see. If we see some form of weird encryption coming into the hard drive, we can throw it at it. That’s anomalous behavior that could indicate a ransomware infection. Those are things we’re able to do at the device level.”

Intel Control Flow Execution Technology (Intel CET)

The Control Flow Execution technology announced by Intel in June 2020 falls under the Software Reliability category and provides further protection against Jump/Call Oriented Programming (JOP/COP) and Return Oriented Programming (ROP) memory based attacks.

According to Nordquist, CET provides software developers with two key capabilities to help defend against control-flow hijacking malware: shadow stacks and indirect branch tracking. The first provides indirect branch protection against Jump/Call Oriented Programming (JOP/COP) attack methods, while the second provides return address protection to help defend against Return Oriented Programming (ROP) attack methods.

JOP or ROP attacks are difficult to detect or prevent because exploit writers use existing code running from executable memory in a creative way to alter program behavior. Essentially, Intel CET is a hardware-based solution that triggers exceptions when hackers try to modify the natural flow of a program.

“We launched the product last year,” Nordquist continued. “Within a few months of release, we had OS support to help prevent attacks. You can upgrade to the latest version of the OS with a single click. So we found an issue and see what we can do in Where to add value, we determine if there is a partner we need to work with to solve the full end-to-end problem and then have our end customer or IT shop just absorb it.”

Intel CET is already enabled in Google Chrome for Windows, and Microsoft has adopted the technology in its new “Super Safe Mode” Edge browser security experiment.

‘Don’t trust anyone’

Zero trust, which Intel calls “trusting no one,” is the company’s embraced vision of security. Intel describes its chips as a “network on a chip” and is implementing zero trust in that network. This includes concepts such as “failure and security” to ensure that no secrets exist after e.g. a cold boot attack; “full mediation” to check the legitimacy of every access; “least privilege” to minimize every hardware agent permissions while minimizing permission “creep”; and so on.

After ensuring the integrity of the chip through these and other silicon-level developments, Zero Trust can be implemented layered on top and in the wider commercial network. Each P can be uniquely identified and the chips contained in it are trusted. The next step is to ensure the integrity of the device itself and the user or owner of the device.

Add this to other new hardware security features, such as firmware protection, and you have a solid foundation for saying “I know this device and I know I can trust it.” All that remains is to confirm the identity of the user. This is even more important for the growing hybrid home/office work environment, where PCs at home are much less protected.

Intel’s support for the Zero Trust vision from the hardware level up is underway, but it’s all about eliminating the need for VPNs in Internet communications — because devices and their users can be trusted, and communications can be encrypted.

Hardware upgrade cycle

Ten years ago, companies would be on a five- or six-year operating system replacement cycle, and a three- or four-year PC replacement cycle. This means that, in most cases, new hardware features are ready for the next OS version to take advantage of them. This has changed.

“The beauty of Windows 10 and now Windows 11 is that most businesses are on a 6, 9 or 12 month cycle, which means we [英特尔] The ability to deliver new hardware features that the operating system can quickly support every 6, 9, or 12 months. People can upgrade from one version of the operating system to the next more easily than from XP to Win7. It only takes about an hour to download and reboot. “

But that just reverses the main problem. “Sometimes, problems can be fixed with a downloadable firmware update,” Nordquist said. Today’s installed operating systems are ready to take advantage of such hardware security improvements, but must wait for companies to replace aging computers with the latest models that incorporate hardware improvements.

Nordquist believes that hardware replacement cycles are shrinking. His argument is that boards and modern CISOs now have a holistic view of cybersecurity — in part because of the potentially catastrophic impact of attacks such as ransomware, and the emerging problem of poor remote computer protection. “So,” he said, “companies are thinking holistically, how can I actually solve this problem? What can I do? How can I get the best protection for some of these situations? They realize it needs to be hardware and software. Integrate.” A holistic view of cybersecurity requires a tighter alignment of operating system and hardware replacement cycles.

This just puts extra budgetary pressure on businesses, something only the wealthiest companies can do. We know from the length of time it takes for some organizations to replace Windows XP systems that many companies either cannot afford to replace hardware more regularly, or have additional constraints (such as possible operational reliance on aging proprietary software) that prevent them.

The best solution is to find some way to upgrade hardware as quickly and easily as we upgrade operating systems now. Is it possible to redesign chips, motherboards and PCs so that hardware upgrades can be user-performed chip replacements (or additional chip plug-ins) without replacing the entire box? This may or may not be technically possible in the future.

Author: Yoyokuo