Crimeware Protection White Paper
Intel® Core™ vPro™ processors
The Root-kit of All Evil and Other Malware
Today’s sophisticated criminals use root-kits, knowledge of zero-day vulnerabilities, and injection of viruses into application memory to hide their malicious code out of sight and reach of anti-virus software. Undetected, it can be executed by the OS, embedded in a virtual environment, or unknowingly called during normal application processes.
Intel threat management technologies guard against such attacks, with the following capabilities embedded in the silicon:
- Protection against malware using escalation of privilege attacks.
- Providing a secure root of trust for virtual environments.
- Monitoring memory against malware invasions.
- Device isolation for protection against direct memory access (DMA) attacks.
Protection Below the OS
Intel® Execute Disable Bit, implemented many Intel® processor generations ago, has helped protect thousands of business clients from buffer overflow attacks, by preventing malicious code executions from data memory. However, threats are inserting themselves in application memory space and executing under a privilege level assumed for the application.
Intel® OS Guard[d:1351], the next generation of Intel Execute Disable Bit, protects against such escalation of privilege attacks, by preventing malicious code from executing out of application memory space, in addition to data memory. This protection below the OS guards against more sophisticated viruses and the damage they can do.
Protecting Virtual Realms
New service delivery models, such as cloud-based computing and virtual desktops, introduce new challenges for IT personnel. Undetected code that manages to inject itself into a virtual machine (VM) as it is launched, compromises an entire environment for the users attaching to it, whether it is a single-use virtual desktop or an entire service. Intel® embedded security technologies, including new applications for Intel® Virtualization Technology[d:1295] (Intel® VT), help protect physical and virtual environments, both at the service delivery level and for single virtualized clients.
Intel® Trusted Execution Technology[d:1296] (Intel® TXT) establishes a hardware-based root of trust for VMs being launched on a host. Intel TXT measures a known-good hosting environment and stores its conditions and states as a trusted baseline. Whenever the host system boots, Intel TXT validates the behaviors of key components against the known-good measurements, and will boot VMs only if the environment is trusted. Once launched, Intel TXT isolates assigned memory partitions from other software in the system, keeping out potential attacks from the host or other VM environments. When an application or the VM shuts down, Intel TXT closes software without exposing its data to other applications or environments by wiping the memory space clean. Since Intel TXT is based on hardware-enabled technology, it protects virtual and physical environments from malware and root-kits attempting to corrupt the client software.
Intel Virtualization Technology has been a trusted resource for several generations of Intel processors, enhancing virtual environment robustness and performance. Intel VT also provides specific security protection from two aspects of Intel VT: Intel VT-x and Intel VT-d.
- Intel VT-x isolates each VM execution environment and monitors memory, so malware existing in or attempting to invade one VM environment cannot affect another VM on the same host.
- Intel VT-d isolates virtual devices, their memory spaces, and virtual addresses. Attacks using DMA accesses are thwarted, because the threat does not have direct access to the device’s memory.