In the construction industry, it’s vital to any building’s structural integrity and the protection of everyone inside that its foundation is as solid as possible. Without a solid foundation on which the rest of it is built, that building will eventually – and inevitably – collapse.
The same can be said of cyber security. Since reports of cyber-attacks are only increasing, and cyber criminals are becoming more advanced, it’s imperative that IT security measures are in place at a hardware level, baked right into the foundation: the underlying architecture.
It’s especially important for servers, as these machines make up the datacentres on which many of the world’s largest companies operate, and they are thus on the front line of the war between criminals after valuable data and the IT administrators who must stop them.
Fortunately, the companies responsible for creating computer architecture are aware of this, and are actively baking security measures right into their silicon, at the hardware level. This moves security down the stack, which has proven far more effective than only having it present at the software and application layers.
While this technique has not led to a complete elimination of cyberattacks, it has made successful system compromise far more difficult.
Intel, the world’s largest developer of computer hardware architecture, has created several hardware-based security technologies to harden systems against cyberattacks.
Trusted Execution Technology
These hardware extensions, found on Intel processors and chipsets, provide measured-launch and protected-execution functions. They allow applications to run in an isolated environment, kept separate from all other software running on the system. This is especially important for maintaining isolation between virtual machines in business-critical systems, and for managing the increasingly multi-tenant nature of the modern datacentre.
Intel Platform Protection Technology
This hardware-based security technology consists of three features: OS Guard, Intel Device Protection with Boot Guard, and Execute Disable Bit.
OS Guard prevents the processor from executing code located in untrusted application memory while it is running at a higher privilege level than that application. This helps to prevent “escalation of privilege” attacks.
Intel Device Protection with Boot Guard protects the system’s boot process, a window in which software-based security measures are not yet running, against malware attempting to take control of the system. It does this by verifying that a trusted BIOS is in control of the boot process.
Execute Disable Bit allows the processor to mark areas of memory in which code may or may not execute. For example, if a worm inserted code into a memory buffer, the processor could refuse to execute code from that area of memory, preventing the payload from causing damage or propagating itself.
Control-flow Enforcement Technology
Control-flow Enforcement Technology undermines malicious code that relies on return-oriented and jump-oriented programming. It does this by introducing a “shadow stack” that is used to verify that return instructions are legitimate: only when the return address stored on the thread stack matches the copy stored on the shadow stack will the CPU execute the return.
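The shadow-stack check described above, as an added example that is not Intel’s code or part of the original article: a constructed software model of a CET-enabled CPU in which CALL pushes the return address onto both stacks and RET only proceeds when the two copies agree. The sample addresses, the `cet_cpu` structure and the `simulate_return` helper are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a CET-enabled CPU: ordinary thread stack plus shadow stack. */
#define STACK_DEPTH 16
enum { RET_OK = 0, RET_CONTROL_PROTECTION_FAULT = 1 };

typedef struct {
    uintptr_t data_stack[STACK_DEPTH];   /* thread stack: return addresses live next to buffers */
    uintptr_t shadow_stack[STACK_DEPTH]; /* shadow stack: return addresses only, not writable by ordinary stores */
    int depth;
} cet_cpu;

/* CALL: the CPU pushes the return address onto both stacks. */
static void cet_call(cet_cpu *cpu, uintptr_t return_address) {
    cpu->data_stack[cpu->depth] = return_address;
    cpu->shadow_stack[cpu->depth] = return_address;
    cpu->depth++;
}

/* RET: pop both copies; only a matching pair may become the next instruction pointer. */
static int cet_ret(cet_cpu *cpu, uintptr_t *next_ip) {
    cpu->depth--;
    uintptr_t from_data = cpu->data_stack[cpu->depth];
    uintptr_t from_shadow = cpu->shadow_stack[cpu->depth];
    if (from_data != from_shadow) {
        *next_ip = 0;
        return RET_CONTROL_PROTECTION_FAULT; /* hardware raises a control-protection fault instead of returning */
    }
    *next_ip = from_data;
    return RET_OK;
}

/* One CALL/RET pair. If corrupt is set, a simulated buffer overflow has overwritten
 * the return slot on the data stack; the shadow stack is out of reach and stays intact. */
int simulate_return(int corrupt, uintptr_t *next_ip) {
    cet_cpu cpu = { .depth = 0 };
    const uintptr_t legit_return = 0x401234; /* constructed sample address */
    cet_call(&cpu, legit_return);
    if (corrupt)
        cpu.data_stack[cpu.depth - 1] = 0x41414141; /* constructed corrupted value */
    return cet_ret(&cpu, next_ip);
}

int main(void) {
    uintptr_t ip;
    int clean = simulate_return(0, &ip);
    printf("clean return:     %s (next ip 0x%lx)\n", clean == RET_OK ? "allowed" : "fault", (unsigned long)ip);
    int bad = simulate_return(1, &ip);
    printf("corrupted return: %s\n", bad == RET_OK ? "allowed" : "control-protection fault");
    return 0;
}
```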
If you’re looking into securing your organisation’s IT hardware using Intel solutions, a chat with your Tarsus account manager is a great place to start.