Security Best Practices
Performance profiling is an activity that may involve making important security decisions. Learn about some important security considerations that arise when installing and using Intel® VTune™ Profiler.
Due to the inherent nature of performance profiling, Intel® VTune™ Profiler requires certain levels of access to deliver some of the more advanced features. It is important that you are aware of these implications to enable you to make informed security decisions.
Administrator and Root Privileges
VTune Profiler requires administrator or root privileges for performing specific types of analyses. On Windows* OS, this means starting VTune Profiler as Administrator, and on Linux* systems, this requires sudo privileges.
It is recommended to only start VTune Profiler with elevated privileges if a specific analysis requires these privileges. Avoid staying in elevated mode for viewing collected results.
Controlling Sampling Driver Access (Linux* OS)
By default, on Linux OS, the VTune Profiler installer creates a vtune user group, which is given access to the Sampling Driver through the Linux* I/O Control. It is recommended to not alter the default settings, for example, by creating a broad user group. Since the driver runs on the kernel level, exposing the driver to a large group of users can make your system vulnerable. Additionally, any user that has access to the driver can potentially obtain sensitive information by collecting performance metrics from the system.
Though VTune Profiler takes preemptive measures by validating all user input, it is recommended that you follow the principle of least required privilege when allowing access to the sampling driver.
Security Implications of Setting perf_event_paranoid (Linux* OS)
On Linux OS, the perf_event_paranoid setting controls the access levels for unprivileged users of perf. VTune Profiler may recommend that you set this value to 0 to perform a specific analysis. At this level, the collected data includes per-process and system-wide performance monitoring data, including CPU and system events both from the user space and the kernel. This may create a potential for sensitive data leaks.
For more information on the usage of perf with VTune Profiler and possible limitations, see the Profiling Hardware Without Intel Sampling Drivers Cookbook recipe.
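The two Linux settings discussed above, membership of the vtune group and the perf_event_paranoid level, can be audited with a short script. This is an added example, not part of VTune Profiler or Intel's documentation; the function names and the default member threshold of 5 are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Intel's tooling). The member threshold is an assumed policy value.
# Reads local files only; for NSS/LDAP accounts, save `getent group` and
# `getent passwd` output to files and pass those instead.

# Describe what a perf_event_paranoid value lets unprivileged users collect.
paranoid_level() {
  case "$1" in
    -1) echo "open: almost all events available" ;;
    0)  echo "broad: system-wide CPU and kernel events" ;;
    1)  echo "moderate: per-process user and kernel events" ;;
    ''|*[!0-9]*) echo "unknown" ;;
    *)  echo "restricted: user-space events only, or stricter" ;;
  esac
}

# Print every account in a group: supplementary members (group field 4)
# plus accounts whose primary GID (passwd field 4) is the group's GID.
group_members() {  # usage: group_members GROUP GROUP_FILE PASSWD_FILE
  local gid
  gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2" 2>/dev/null) || true
  [ -n "$gid" ] || return 0
  {
    awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$3" 2>/dev/null
  } | sort -u
}

# Return 1 if perf is opened to level 0 or below, or the vtune group is
# larger than MAX_MEMBERS (default 5, assumed).
audit() {  # usage: audit PARANOID_FILE GROUP_FILE PASSWD_FILE [MAX_MEMBERS]
  local value members count max="${4:-5}" status=0
  value=$(cat "$1" 2>/dev/null) || true
  echo "perf_event_paranoid=${value:-unreadable} ($(paranoid_level "$value"))"
  case "$value" in -1|0) status=1 ;; esac
  members=$(group_members vtune "$2" "$3")
  count=$(printf '%s' "$members" | grep -c . || true)
  echo "vtune members ($count): $(printf '%s' "$members" | tr '\n' ' ')"
  [ "$count" -le "$max" ] || status=1
  return "$status"
}

audit /proc/sys/kernel/perf_event_paranoid /etc/group /etc/passwd \
  || echo "Review needed: see findings above"
```

Accounts that have vtune as their primary group do not appear in the group file's member list, which is why the script also checks the passwd file.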
VTune Profiler Server Authentication Security
Though all network traffic of VTune Profiler Server is encrypted, it is important to select the appropriate authentication scheme when installing VTune Profiler Server. While passphrase authentication is a viable option for some use cases, such as personal use, it is recommended to use other authentication schemes offered when using VTune Profiler Server in broader environments. Detailed information on configuring secure user access channels is available in the Install VTune Profiler Server section of the User Guide.