Intel Announces Chip-Level Security Initiatives, iGPU-Based Malware Scanning
by Anton Shilov on April 17, 2018 7:00 PM EST

Taking place this week is the annual RSA conference, which has evolved to become a major trade show for security products and technologies. As one might expect, it's also frequently used as a springboard for security-related announcements, and this year is no exception.
Of particular interest here is Intel, who is making two announcements regarding silicon-level technologies designed to improve the security of modern computers. The first one is for what Intel is calling Threat Detection Technology (TDT), a package of capabilities that can be used by software for security screening and threat detection. The second one is the Security Essential framework that includes a consistent set of root-of-trust hardware security capabilities supported across Intel’s CPU product stack.
Intel's Threat Detection Technology comes in two parts: Accelerated Memory Scanning, and Intel Advanced Platform Telemetry. AMS, arguably the most interesting aspect of today's announcement, is a means to use the company's iGPUs to accelerate memory scanning for malware, with the goal of reducing the CPU performance impact and scanning in a more energy-efficient manner overall. Currently anti-virus/anti-malware programs use the CPU to scan memory and storage for malicious applications, and while multi-core CPU designs mitigate the worst system impacts of AV scanning, there's still a potential hit to responsiveness. So Intel is looking to address this by moving parts of AV scanning off of the CPU entirely and into their often underutilized integrated GPUs.
The focus of Intel's efforts here is on one specific aspect of AV scanning: in-memory (resident) malware, which doesn't get caught by transactional disk I/O checks and instead requires scanning a system's complete memory to find. The entire process is essentially little more than pattern matching - something GPUs are proving good at - so Intel believes that GPUs would be a good fit. Meanwhile the idea that this is also a more energy-efficient method is an interesting one, albeit one where it would be nice to see some data, but it's conceptually sound.
Intel’s AMS will be first supported by Microsoft’s enterprise-focused Windows Defender Advanced Threat Protection software, which will be rolling out support for the feature later this month. On the hardware side of matters AMS is supported on Intel's current-generation Gen 9/9.5 iGPUs, meaning that it will be available on 6th Gen Core (Skylake) and newer processors. Intel says that usage of AMS reduces CPU load during memory scan by an order of magnitude (from 20% to 2%) in Windows Defender ATP, which looks significant.
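To make the "little more than pattern matching" point concrete, here is an added example (not Intel's or Microsoft's code) of the core loop a CPU-side resident-malware scan performs: walking a memory image in fixed-size chunks and searching each chunk for a set of byte signatures. The one edge case worth showing is a signature that straddles a chunk boundary, which a naive chunked scan misses; the scanner below extends each chunk by an overlap of (longest signature - 1) bytes to cover it. The signatures, the chunk size and the memory image are all constructed for this example and are not real indicators.

```python
"""Chunked multi-signature scan of a memory image (added illustration, not vendor code)."""
from typing import Dict, List, Tuple

# Constructed signatures for the example: name -> byte pattern. Not real malware indicators.
SIGNATURES: Dict[str, bytes] = {
    "demo_sig_a": b"\xde\xad\xbe\xef\x00\x01",
    "demo_sig_b": b"EXAMPLE-PAYLOAD-MARKER",
}


def scan_chunk(chunk: bytes, base: int, sigs: Dict[str, bytes]) -> List[Tuple[str, int]]:
    """Return (signature name, absolute offset) for every match inside one chunk."""
    hits: List[Tuple[str, int]] = []
    for name, pat in sigs.items():
        pos = chunk.find(pat)
        while pos != -1:
            hits.append((name, base + pos))
            pos = chunk.find(pat, pos + 1)
    return hits


def scan_memory(image: bytes, chunk_size: int, sigs: Dict[str, bytes],
                overlap: int = None) -> List[Tuple[str, int]]:
    """Scan `image` in `chunk_size` pieces and return all signature hits sorted by offset.

    By default each chunk is extended by (longest signature - 1) bytes so a pattern
    that straddles a chunk boundary is still seen in full. A hit whose start lies in
    the overlap region belongs to the next chunk and is skipped here, so nothing is
    reported twice. Passing overlap=0 reproduces the naive scan that misses straddlers.
    """
    if overlap is None:
        overlap = max(len(p) for p in sigs.values()) - 1
    found: List[Tuple[str, int]] = []
    for base in range(0, len(image), chunk_size):
        window = image[base: base + chunk_size + overlap]
        for name, off in scan_chunk(window, base, sigs):
            if off < base + chunk_size:  # owned by this chunk, not the overlap
                found.append((name, off))
    return sorted(found, key=lambda h: h[1])


def build_demo_image() -> bytes:
    """Constructed 10,000-byte image: zero filler with two planted signatures,
    one of which starts 3 bytes before the 4096-byte chunk boundary."""
    img = bytearray(10000)
    sig_b = SIGNATURES["demo_sig_b"]
    img[100:100 + len(sig_b)] = sig_b
    sig_a = SIGNATURES["demo_sig_a"]
    start = 4096 - 3
    img[start:start + len(sig_a)] = sig_a
    return bytes(img)


if __name__ == "__main__":
    image = build_demo_image()
    print("with overlap:   ", scan_memory(image, 4096, SIGNATURES))
    print("without overlap:", scan_memory(image, 4096, SIGNATURES, overlap=0))
```

Running the block prints the straddling signature only in the overlap-aware pass; the same boundary issue applies whether the per-chunk matching runs on the CPU or is dispatched to a GPU, so a scanner's chunking logic needs this check regardless of where the pattern matching itself executes.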
Meanwhile, the second part of Intel's TDT is Intel Advanced Platform Telemetry (IAPT), which uses Intel's existing platform telemetry hardware capabilities combined with machine learning algorithms to speed up the detection of advanced threats that may not yet be documented. Specifically, Intel is using low-level performance counters and other telemetry as a canary for potential issues; a sudden, irregular change in the counters may indicate that malware is present, particularly exposing anything that's actively trying to use side-channel attacks (e.g. Spectre), which require constant prodding of the hardware to exploit.
As this isn't signature based it's instead triggered on the basis of broader behavior patterns, which is where machine learning comes in. Essentially the idea is for AV software vendors to compile telemetry from multiple machines, giving them an evolving baseline to work from and making unusual patterns and machines stick out. Intel isn't saying very much about this capability, but according to The Register Intel has said that "In general, data is anonymized and generalized." IAPT will initially be supported by the Cisco Tetration platform for datacenters that protects cloud workloads.
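Intel hasn't published how IAPT models its telemetry, so the following is an added example (not Intel's, Microsoft's or Cisco's code) of the simplest form the idea described above can take: pool counter samples from a fleet of machines into a per-metric baseline, then flag a machine whose current sample lies far outside that baseline. The counter names, all sample values and the z-score threshold are constructed assumptions for this illustration; the metrics are expressed as events per thousand instructions so that machines of different speeds are comparable.

```python
"""Fleet baseline and anomaly flagging over performance-counter telemetry
(added illustration with constructed data; not any vendor's detection logic)."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Sample = Dict[str, float]  # metric name -> events per 1k instructions

# Constructed fleet telemetry: one sample per machine under ordinary load.
FLEET: List[Sample] = [
    {"llc_misses_per_kinst": 1.9, "branch_mispred_per_kinst": 4.1, "tlb_misses_per_kinst": 0.5},
    {"llc_misses_per_kinst": 2.1, "branch_mispred_per_kinst": 3.9, "tlb_misses_per_kinst": 0.5},
    {"llc_misses_per_kinst": 2.0, "branch_mispred_per_kinst": 4.0, "tlb_misses_per_kinst": 0.6},
    {"llc_misses_per_kinst": 2.2, "branch_mispred_per_kinst": 4.2, "tlb_misses_per_kinst": 0.4},
    {"llc_misses_per_kinst": 1.8, "branch_mispred_per_kinst": 3.8, "tlb_misses_per_kinst": 0.5},
    {"llc_misses_per_kinst": 2.0, "branch_mispred_per_kinst": 4.0, "tlb_misses_per_kinst": 0.5},
    {"llc_misses_per_kinst": 2.1, "branch_mispred_per_kinst": 4.1, "tlb_misses_per_kinst": 0.6},
    {"llc_misses_per_kinst": 1.9, "branch_mispred_per_kinst": 3.9, "tlb_misses_per_kinst": 0.4},
]

# Constructed current samples from two machines to be scored against the baseline.
NORMAL_SAMPLE: Sample = {"llc_misses_per_kinst": 2.05, "branch_mispred_per_kinst": 4.05, "tlb_misses_per_kinst": 0.55}
SUSPECT_SAMPLE: Sample = {"llc_misses_per_kinst": 9.5, "branch_mispred_per_kinst": 7.5, "tlb_misses_per_kinst": 0.5}


def build_baseline(samples: List[Sample]) -> Dict[str, Tuple[float, float]]:
    """Per-metric (mean, population std-dev) across the fleet."""
    baseline: Dict[str, Tuple[float, float]] = {}
    for metric in samples[0]:
        values = [s[metric] for s in samples]
        baseline[metric] = (mean(values), pstdev(values))
    return baseline


def score(sample: Sample, baseline: Dict[str, Tuple[float, float]],
          floor: float = 0.05) -> Dict[str, float]:
    """z-score of each metric; `floor` stops a near-constant baseline from
    turning a tiny benign wobble into an enormous score."""
    return {m: (sample[m] - mu) / max(sd, floor) for m, (mu, sd) in baseline.items()}


def flag(sample: Sample, baseline: Dict[str, Tuple[float, float]],
         threshold: float = 4.0) -> List[str]:
    """Metrics sitting more than `threshold` standard deviations above baseline
    (one-sided: only elevated counters are interesting here). Empty means normal."""
    return sorted(m for m, z in score(sample, baseline).items() if z > threshold)


BASELINE = build_baseline(FLEET)

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(label, {m: round(z, 1) for m, z in score(sample, BASELINE).items()}, flag(sample, BASELINE))
```

Two things a practitioner would add before relying on this: a baseline keyed by workload class (a compiler or a game legitimately moves cache-miss and branch counters a long way from an idle-desktop baseline), and a requirement that the deviation persist across several sampling intervals, since a single spike is exactly the kind of "sudden, irregular change" that also shows up during ordinary bursts of work.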
Finally, Intel is also introducing Intel Security Essentials — a consistent set of security-related capabilities to be supported by the Atom-, Core- and Xeon-branded products. The feature set will encompass a number of Intel's existing security features under a single name, including secure boot, hardware protections (for data, keys, etc.), cryptography accelerators and trusted execution enclaves. Overall Intel is aiming to include all of its advanced security technologies across its entire product stack to improve the security of PCs in general, so combining these features into a single, common package helps to promote that change and clarify that the same base features are supported everywhere. The move makes great sense, as it means that software makers will be able to support a unified set of security capabilities, knowing that all of them will be supported by all PCs running Intel's up-to-date processors.
Related Reading:
- Intel Wraps Up Spectre Patching, Partially Cancels Plans For 1st Gen Core & Core 2 Processors
- Meltdown & Spectre: Analyzing Performance Impacts on Intel's NUC7i7BNH
- Intel Publishes Spectre & Meltdown Hardware Plans: Fixed Gear Later This Year
- Intel CEO Addresses the Industry on Meltdown and Spectre Issues in Open Letter
- Intel Forms Product Assurance and Security Group amid Meltdown and Spectre Fallout
- Understanding Meltdown & Spectre: What To Know About New Exploits That Affect Virtually All CPUs
Source: Intel
36 Comments
Manch - Thursday, April 19, 2018 - link
Oh OK, thanks. Didn't know that. Other than it's a notable oddity of an AMD GPU with an Intel proc, it's just not a product applicable to me. That solves the prob of leaving those procs out, and I guess reutilizing the iGPU for something else beats just letting silicon bake.
willis936 - Tuesday, April 17, 2018 - link
These all sound like bad solutions that at best just make me nervous.
HStewart - Wednesday, April 18, 2018 - link
I would wish some time someone would review a product or new idea and leave out the name of the manufacturer, and then once the comments are made review the name.
mode_13h - Wednesday, April 18, 2018 - link
Only because you care about the comments. If you don't like the comments, then just focus on the data (when this is reviewed) and ignore us.
willis936 - Friday, April 20, 2018 - link
It's almost like everyone forgot about Intel ME and is content to repeat history.
jordanclock - Wednesday, April 18, 2018 - link
Okay, so we have iGPU accelerated signature-based AV scanning, a system to collect data points to detect new malware outbreaks and a toolkit of local security options utilizing existing CPU/mobo features.

How are these bad solutions? And you're nervous because....? Intel will be collecting telemetry to help identify new threats. This is vital data. To expect better security without it is akin to telling the auto industry to get better gas mileage but they aren't allowed to see how drivers actually drive cars.
willis936 - Wednesday, April 18, 2018 - link
The first sounds like using resources without the user's consent or ability to disable it, and the second sounds like it exposes a huge swath of attack vectors that previously didn't exist.
mode_13h - Wednesday, April 18, 2018 - link
First, they didn't say they would activate it without consent.

Second, how does it expose the system to any new attack vectors? Are you aware that Intel has made the iGPU available for compute tasks since Sandy Bridge?
willis936 - Thursday, April 19, 2018 - link
You seem to think that the headline is "Intel to make generic software implementation" and not "Intel making more unauditable black boxes".
Hurr Durr - Wednesday, April 18, 2018 - link
It should be "Mossad Announces...".