Intel's security light bulb moment: Chips to recruit GPUs to scan memory for software nasties
Coprocessors drafted for threat detection duties
Updated Having weathered revelations in January that its chips can be attacked through a novel class of side-channel vulnerabilities – mostly addressed through microcode fixes – Intel is adding broader silicon-level security improvements to its processors.
In conjunction with the RSA Security conference in San Francisco this week, Intel plans to reveal two threat detection enhancements and a cybersecurity education initiative on Tuesday.
Most companies, said Rick Echevarria, VP of Intel's software and services group, during a media call last week, are focused on four outcomes: preventing, detecting, and recovering from threats. and using technology like machine learning to predict where new ones will emerge.
Intel admits a load of its CPUs have Spectre v2 flaw that can't be fixedREAD MORE
"Our value to the industry is really to understand how we can use our silicon to improve these outcomes," he said.
Toward that end, Chipzilla plans to announce Intel Threat Detection, a set of security capabilities built into its silicon, and Intel Security Essentials, a framework that standardizes Intel security capabilities across its Atom, Core and Xeon product lines.
Intel Threat Detection currently includes two capabilities. The first is Accelerated Memory Scanning, which offloads the work of memory scanning to the Intel’s integrated graphics processor.
"Malware is one of the fastest evolving workloads we're dealing with," said Echevarria. "It's evolving to evade threat detection."
Often, he said, it tries to hide itself in memory or the attack technique attempts to deliver the malicious code directly into memory.
Moving the workload from the CPU to the GPU makes memory scanning faster and more energy efficient. Intel claims its benchmarking tests indicate that the shift decreased CPU utilization from 20 per cent to as low as 2 per cent.
Echevarria, however, acknowledged that if the GPU is busy with a different process, the gains might not be so great.
During the phone briefing, he said GPU-based memory scanning reduced system-on-a-chip power consumption by 52 per cent, a figure also cited in a draft release. That figure however vanished from the final version, suggesting maybe that claim didn't hold up.
WinTel alive and well
The second silicon-level security mitigation is Intel Advanced Platform Telemetry, a way to make hardware diagnostic data available for use with machine learning to improve threat detection and reduce false positives.
Microsoft plans to incorporate Accelerated Memory Scanning into Microsoft Windows Defender Advanced Threat Protection’s antivirus code later this month. Cisco, meanwhile, intends to support Intel Advanced Platform Telemetry in its Xeon-based Tetration data center product.
According to Echevarria, Intel Security Essentials represents a way to ensure the integrity of platform defense technologies like secure boot, hardware protection for keys and the like, crypto-acceleration, and trusted execution enclaves.
"The combination of telemetry and machine learning algorithms will improve the detection of advanced threats," he said.
Asked to be more specific about the kinds of data collected, Echevarria declined.
"Privacy is an important design point in anything we do," he said. "I won't get into the details of everything we're providing with telemetry. In general, data is anonymized and generalized."
In addition to its hardware enhancements, Intel has worked with Purdue University to launch the Design for Security Badge Program. Created for both students and professionals, the program aims to address the cybersecurity skills shortage. ®
Updated to add
At an Intel get-together during the RSA conference, a few more details were shed on the GPU memory scanning. Essentially, Intel integrated GPUs can be instructed, via an Intel driver, to scan physical RAM for particular malware signatures. When malware is stored on disk, it can be obfuscated using polymorphic algorithms, or just plain encrypted. When unpacked in memory, it should be more easy to detect, or so the theory goes.
Since integrated Intel graphics chips have full access to physical RAM – as opposed to third-party GPUs connected via PCIe or some other interconnect – they can run through memory looking for fingerprints of known software nasties. This can be regulated or scheduled depending on how busy the GPU is – for example, if it's rendering a video game, scanning may be delayed or restricted to free cores within the graphics processor.
Windows Defender will be able to control this scanning right out the gate; other antivirus tools will follow, as Intel chats to their engineers about implementing the automated inspection. The antimalware packages will have control over scheduling the scans, as well as providing the fingerprints to look for, so as not to overload the system.
Finally, it appears this is all controlled at the kernel level. If malware is able to get down into the heart of the operating system, it can potentially disable the GPU scanning and report the all clear back to the antivirus packages.
FYI Intel is gonna let Windows Defender and other antivirus tools use integrated Intel GPUs to scan physical memory for #malware. This inspection will be moderated depending on how busy the GPU is. Intel will provide a software driver to perform this offload. pic.twitter.com/o5DC9Pe3dV— Chris Williams (@diodesign) April 17, 2018
Meanwhile, the previously reported partitioning of future CPUs to mitigate Meltdown and Spectre-class vulnerabilities will be revealed in detail by Chipzilla later this year, we're told.
Intel has been in touch to confirm the RAM-scanning tech works on application-level memory (aka ring-3), but could be extended to keeping an eye on the operating system kernel and drivers in ring-0.
"While the AMS [automated memory scanning] capability currently supports scanning user mode programs (referred as ring3), the technology can easily be extended to scan kernel and hypervisor memory as needed by independent security vendors (ISVs) and OSVs," a spokesperson told us.
"Kernel memory scanning involves interfaces to the Intel Graphics Kernel Mode driver and providing to ISVs the drivers that have the ability to accelerate scanning using Intel integrated graphics. Intel’s driver supports this model and can be made available on an as-needed basis."