Security Best Practices
Performance profiling is an activity that may involve making important security decisions. Learn about some important security considerations that arise when installing and using Intel® VTune™ Profiler.
Due to the inherent nature of performance profiling, Intel® VTune™ Profiler requires certain levels of access to deliver some of the more advanced features. It is important that you are aware of these implications to enable you to make informed security decisions.
Administrator and Root Privileges
VTune Profiler requires administrator or root privileges for performing specific types of analyses. On Windows* OS, this means starting VTune Profiler as Administrator, and on Linux* systems, this requires sudo privileges.
It is recommended to only start VTune Profiler with elevated privileges if a specific analysis requires these privileges. Avoid staying in elevated mode for viewing collected results.
Controlling Sampling Driver Access (Linux* OS)
By default, on Linux OS, VTune Profiler installer creates a vtune user group, which is given access to the Sampling Driver through the Linux* I/O Control. It is recommended to not alter the default settings, for example, by creating a broad user group. Since the driver runs on the kernel level, exposing the driver to a large group of users can make your system vulnerable. Additionally, any user that has access to the driver can potentially obtain sensitive information by collecting performance metrics from the system.
Though VTune Profiler takes preemptive measures by validating all user input, it is recommended that you follow the principle of least required privilege when allowing access to the sampling driver.
Security Implications of Setting perf_event_paranoid (Linux* OS)
On Linux OS, the perf_event_paranoid setting controls the access levels for unprivileged users of perf. VTune Profiler may recommend that you set this value to 0 to perform a specific analysis. At this level, the collected data includes per-process and system-wide performance monitoring data, including CPU and system events both from the user space and the kernel. This may create a potential for sensitive data leaks.
For more information on the usage of perf with VTune Profiler and possible limitations, see the Profiling Hardware Without Intel Sampling Drivers Cookbook recipe.
VTune Profiler Server Authentication Security
Though all network traffic of VTune Profiler Server is encrypted, it is important to select the appropriate authentication scheme when installing VTune Profiler Server. While passphrase authentication is a viable option for some use cases, such as personal use, it is recommended to use other authentication schemes offered when using VTune Profiler Server in broader environments. Detailed information on configuring secure user access channels is available in the Install VTune Profiler Server section of the User Guide.