Paid Content : This paid content was written and produced by RV Studios of Red Ventures' marketing unit in collaboration with the sponsor and is not part of ZDNET's Editorial Content.

Software-only security isn't enough: Building next-gen protection into hardware

Intel organizes its hardware security offerings into three pillars: foundational security, workload and data protection, and software reliability. Learn how these work together to protect business.

There's no shortage of news about cyberthreats. Nation-states and organized crime groups have targeted critical infrastructure, from electrical grids and oil pipelines to hospitals, motivated by the prospect of extortion or by other goals. Defensive measures have never been more critical, whether the aim is preventing a ransomware attack on a small business or stopping an attempt to poison a city's water supply.

While software solutions can help mitigate attacks, that same software is often the attack surface exploited by hackers. A comprehensive approach to system-level protection requires hardware-based security to safeguard users and their personal data.

Intel has been innovating in the field of hardware-based defenses and building them into its chips. In this article, we're going to explore those defenses so you can understand how Intel hardware security solutions help protect confidential data, aid regulatory compliance, and ensure trust. 

Before we move deeper into the Intel technology that can help keep your systems safe, let's remind ourselves what's at stake. ZDNet coverage reports that ransomware attack costs are expected to grow to $265 billion. Ransomware costs today are approximately 57 times greater than they were as recently as 2015. Payouts have increased an average of 171% year over year from 2019 to 2020, with the largest demand so far breaking $30 million.

Worse, for those businesses that have paid ransoms, approximately 80% are hit by a second ransomware attack. In many cases, those attacks are believed to have been conducted by the original attackers, coming back to the well for more easy money.

According to Tom Garrison, VP of Client Security Strategy and Initiatives at Intel, increased security threats are driving the need for security solutions for all users, from securing the digital supply chain to protecting against malicious threat actors. Intel and its partners use a framework called Compute Lifecycle Assurance to build security into each stage of a device's life, from design to manufacturing and from deployment to retirement. For the rest of this article, we'll be looking at how hardware-based security can help achieve better protection.

Three pillars of hardware-based security

Intel organizes its hardware security offerings into three pillars: foundational security, workload and data protection, and software reliability. Let's get started with foundational security.

Think about a computing device as it starts up. A host of drivers and subsystems load before the operating system is instantiated. If any of those lower-level elements (the BIOS, for example) is corrupted, higher-level security may have no way to detect it.

Foundational security focuses on confirming identity and ensuring integrity, starting with low-level firmware protections. Hardware-level protections like Intel® BIOS Guard and Intel® Boot Guard are designed to protect the foundational boot code that higher-level software relies on in order to operate trustworthily.

One key area that's getting a lot of attention is crypto acceleration at the chip level. Encryption is a powerful defense against data theft, but encryption historically has taken valuable compute cycles. This has created a tradeoff in developers' minds: You can encrypt data, or you can compute quickly, but not both. Intel® Crypto-acceleration, introduced in 3rd Gen Intel® Xeon® Scalable processors, uses instruction set extensions to accelerate common functions like public-key cryptography, symmetric encryption, hashing, function stitching, and multi-buffer cryptography.


Moving up a level, we get to workload and data protection. One of the more troubling paths attackers use is to corrupt workloads by sneaking malicious code into running processes or onto storage, where it then executes unchecked. Intel's workload protection and data integrity services isolate workloads both from external threats and from other workloads, providing a safe enclave for programs to run, whether on a desktop computer or on a server in a data center.

Another area of concern is the need to confirm that software is doing what it's intended to do. Malware often modifies existing software subtly, suborning it to perform unintended and undesirable actions. The third pillar of hardware-based security is ensuring software reliability. This is accomplished with a number of mechanisms that protect against rootkits, control-flow hijacking attacks, crypto-mining attempts, and code leakage -- all without disturbing the user experience. They also establish and enforce low-level access control.

"Partnering product assurance with key security technologies reduces security risk for our customers," Garrison added. "Some of Intel's security technologies include CET -- preventing good software from being manipulated by malicious actors, TDT -- to cover detection of emerging malware workloads, and AMT -- which assists IT professionals to manage and maintain their platforms remotely."

Intel hardware-based protection technologies

Intel is incorporating a wide range of technologies to keep these various threats at bay and protect applications and networks. Here's a rapid-fire survey across these capabilities and links you can explore for additional, in-depth information. 

Intel® vPro: vPro is Intel's nomenclature for a platform of business PC features. These features include built-in hardware security, remote management and security administration, execution verification, and more. We'll be discussing some of these below.

Intel® AMT (Active Management Technology): AMT allows IT personnel to manage vPro-based computers remotely. AMT's functionality is hardware-based and runs below the operating system, so if there are OS issues, IT professionals can still intercede and make repairs. Because it's built into the hardware, it cannot be corrupted by malware.

Intel® TXT (Trusted Execution Technology): TXT is a technology that defends against low-level system compromise by using a Trusted Platform Module (TPM) -- a hardware-based encryption component that silos code execution and isolates execution paths throughout the load-and-run process, even protecting against power-failure and startup-based attacks.

Intel® VT (Virtualization Technology): Intel's Virtualization Technology provides hardware-based support for a wide range of secured virtualization functionality, allowing virtual machines to operate with the full resources of the hardware yet remain functionally isolated and secure. Among other elements, VT includes support for compute virtualization, memory virtualization, and network virtualization.

Intel® CET (Control-Flow Enforcement Technology): Intel CET, which debuted on Tiger Lake-based devices, provides a hardware-based defense against memory-safety-style malware attacks. When used in concert with the Hardware-enforced Stack Protection feature of Windows 10 and 11, CET provides a strong defense against an increasingly common class of malware attack vector.

Intel® TDT (Threat Detection Technology): Intel TDT provides advanced memory scanning, cryptojacking detection, and ransomware detection at the hardware level. This allows processors to use machine learning to identify and block software-based attempts to hijack machines for cryptocurrency mining or attempts to encrypt a machine's contents as part of a ransomware attack.

Intel® SGX (Software Guard Extensions): Intel SGX provides developers with a set of hardware-based instructions for building secure enclaves within machine memory. This allows code to execute on highly confidential information without the risk of memory-based malware compromises, because the secure enclave is hardware-isolated from other areas of memory and from non-authorized executing code.

Fully Homomorphic Encryption (FHE): FHE is a new approach to the encryption challenge that allows computations on portions of an encrypted dataset without decrypting the data. Key to making this possible are the crypto acceleration features that Intel is building into its Xeon AVX components. Taken together, SGX and FHE represent innovative approaches to so-called 'confidential computing,' a growing class of workloads that operate on sensitive data (like healthcare or financial records) while keeping it protected.
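To make the "compute without decrypting" idea concrete, here is an added teaching example that is not from the article or from Intel: a toy additively homomorphic scheme (Paillier, which supports adding ciphertexts and scaling by a public constant, not the arbitrary computation FHE promises) with deliberately tiny, constructed primes. An aggregator sums and weights encrypted values it cannot read; only the key holder can decrypt the result.

```python
"""Toy Paillier scheme: computation on ciphertexts without decryption.
Constructed example with insecure key sizes; illustrates the principle
behind confidential computing, not Intel's FHE implementation."""
import math
import secrets

# Constructed demo primes: far too small for real use.
P, Q = 1000003, 1000033


def keygen(p: int = P, q: int = Q):
    """Return (public, private) keys using the simplified generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    # With g = n + 1, L(g^lam mod n^2) = lam mod n, so mu = lam^-1 mod n.
    mu = pow(lam, -1, n)
    return (n, n + 1), (lam, mu)


def encrypt(pub, m: int) -> int:
    n, g = pub
    n2 = n * n
    # Fresh random r coprime to n makes each encryption of m look different.
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    n, _ = pub
    lam, mu = priv
    l_val = (pow(c, lam, n * n) - 1) // n      # L(x) = (x - 1) / n
    return (l_val * mu) % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """Multiplying ciphertexts yields an encryption of the plaintext sum."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c: int, k: int) -> int:
    """Raising a ciphertext to k yields an encryption of k times the plaintext."""
    n, _ = pub
    return pow(c, k, n * n)


def demo_encrypted_sum(values, weight: int) -> int:
    """Aggregator combines ciphertexts blindly; key holder decrypts the result."""
    pub, priv = keygen()
    total = encrypt(pub, values[0])
    for v in values[1:]:
        total = add_encrypted(pub, total, encrypt(pub, v))
    return decrypt(pub, priv, scale_encrypted(pub, total, weight))
```

Plaintexts must stay below n, and the party running `add_encrypted` and `scale_encrypted` never needs the private key.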

As you can see, Intel has invested heavily in solving many of the most vexing malware and security problems facing businesses today. In other articles in this series, we discuss how Intel is innovating into the future with manufacturing processes and technologies that protect against ever-increasing threats and threat scenarios.

