Intel's security light bulb moment: Chips to recruit GPUs to scan memory for software nasties

Having weathered revelations in January that its chips can be attacked through a novel class of side-channel vulnerabilities – mostly addressed through microcode fixes – Intel is adding broader silicon-level security improvements to its processors. In conjunction with the RSA Security conference in San Francisco this week, …

  1. Anonymous Coward
    Terminator

    Threat detection enhancement algorithms

    "The second silicon-level security mitigation is Intel Advanced Platform Telemetry, a way to make hardware diagnostic data available"

    Does this work like the Intel Management Engine (ME), as well as uploading your data to someone else's server farm, except it can't be disabled by the end user?

    "Malware is one of the fastest evolving workloads we're dealing with ... It's evolving to evade threat detection"

    Only until they design a computer that can tell the difference between data and executable code and don't execute code downloaded through a browsing session. Maybe we should go back to the Harvard architecture.

    1. Peter2 Silver badge

      Re: Threat detection enhancement algorithms

      Only until they design a computer that can tell the difference between data and executable code and don't execute code downloaded through a browsing session.

      You can do that at the moment through group policy; the out-of-the-box settings for Windows are pure insanity from a security point of view. Simply set a software restriction policy blocking any executable file from running outside of %program files% or %AuthorisedNetworkShare% and about 90% of threats vanish immediately.

      You can trim down another ~9.9% of threats by doing some additional hardening: download the GPO add-ins for Flash etc., and configure those not to allow Flash files to upload information, download information or access the file system, and force it to always run in protected mode. Then get the Office GPOs, and set each application to refuse to run unsigned macros, disable file downloads and scripting etc.

      A decently paranoid job with GPOs can make it virtually impossible to run trojans either accidentally or deliberately, essentially reducing your attack surface to local exploits launched against you by machines on the network that you don't control. And you can actually control that threat by locking down what's on your network to MAC addresses.

      Which just leaves the 0.1% of attacks that might come out of the blue from somewhere that you don't expect. But you can deal with most predictable attack methods with tools that are provided out of the box on a standard installation, free of charge.
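      As an added example (not part of Peter2's post or of anything from The Register), a read-only PowerShell audit of the Software Restriction Policy state the comment describes, read from the documented SRP registry location under Safer\CodeIdentifiers. It reports whether the default rule is deny-by-default and lists the configured path rules, so an admin can verify that "block everything outside Program Files" actually applied on a given host; it assumes it is run with read access to HKLM on the Windows machine being checked, and the value meanings follow the SRP documentation.

```powershell
# Added example: read-only audit of Software Restriction Policy (SRP) state.
# Registry layout is the documented SRP location under Safer\CodeIdentifiers;
# level subkeys are named by SAFER level id (0 = Disallowed, 262144 = Unrestricted).
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

$LevelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

function Get-SrpAudit {
    if (-not (Test-Path $SrpRoot)) {
        return [pscustomobject]@{ Configured = $false; Findings = @('No SRP policy present: executables run from anywhere by default.') }
    }
    $cfg = Get-ItemProperty -Path $SrpRoot
    $findings = @()

    # DefaultLevel decides what happens to files matched by no rule. Deny-by-default needs 0.
    $default = if ($null -eq $cfg.DefaultLevel) { 'not set (Unrestricted)' } else { $LevelNames[[int]$cfg.DefaultLevel] }
    if ($cfg.DefaultLevel -ne 0) {
        $findings += "DefaultLevel is '$default': allow-by-default, only explicit block rules apply."
    }
    # TransparentEnabled: 1 = check executables but skip DLLs, 2 = check all software files.
    if ($cfg.TransparentEnabled -lt 2) {
        $findings += "TransparentEnabled=$($cfg.TransparentEnabled): DLLs are not subject to the policy."
    }
    # PolicyScope: 0 = all users, 1 = all users except local administrators.
    if ($cfg.PolicyScope -eq 1) {
        $findings += 'PolicyScope=1: local administrators are exempt from the policy.'
    }

    # Path rules live under <levelId>\Paths\<GUID>; ItemData holds the path pattern.
    $rules = foreach ($level in Get-ChildItem $SrpRoot -ErrorAction SilentlyContinue) {
        if ($level.PSChildName -notmatch '^\d+$') { continue }
        $levelName = $LevelNames[[int]$level.PSChildName]
        foreach ($rule in Get-ChildItem "$($level.PSPath)\Paths" -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty $rule.PSPath
            [pscustomobject]@{ Level = $levelName; Path = $p.ItemData; Description = $p.Description }
        }
    }
    [pscustomobject]@{ Configured = $true; DefaultLevel = $default; Rules = $rules; Findings = $findings }
}

$audit = Get-SrpAudit
$audit | Format-List Configured, DefaultLevel, Findings
$audit.Rules | Format-Table -AutoSize
```

      A host matching the posture in the comment shows DefaultLevel 'Disallowed' with Unrestricted path rules only for the Program Files locations and the authorised share.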

      1. Anonymous Coward

        Re: Threat detection enhancement algorithms

        "Which just leaves the 0.1% of attacks that might come out of the blue from somewhere that you don't expect. But you can deal with most predictable attack methods with tools that are provided out of the box on a standard installation, free of charge."

        Resulting in a system which is cripplingly inflexible and frustrating in most applications more challenging than running a POS system, taking reservations or filling in spreadsheets, and thus unacceptable for almost all personal (non-business) computers and many business deployments.

        'One size' does not and cannot fit all.

    2. find users who cut cat tail

      Re: Threat detection enhancement algorithms

      Ah, Harvard architecture. It separates CPU instructions and data and so prevents things overwriting native code in memory, etc. However, even pure Harvard architecture (which is IMO unsuitable for a general-purpose computer) does not really separate code and data if any kind of command interpreter (shell, scripting language, Excel formulas, TeX, ...) exists. So you can still instruct users to run stupid things.

  2. Joe Dietz

    Really looking forward to the papers about how the GPU side-channel can be used to blow past whatever Meltdown/Spectre microcode fixes they just put in.

    1. tfewster
      Facepalm

      "So, we're going to rely on a GPU, that wasn't designed with security in mind, to exploit CPU flaws. And build in a channel to exfiltrate data"

      What could possibly go wrong?

      1. Pascal Monett Silver badge
        Flame

        And on top of that, we're going to crow about how that will diminish power usage of the CPU.

        Please.

        You're adding a new process to an already non-trivial workload. Don't try and find advantages that don't exist. I don't give a flying one that the CPU is burning less hot if my GPU suddenly has an entirely new workload that it wasn't designed for and I never expected it to have.

        What's next? Is Intel going to tout a new architecture which just offloads everything to the GPU? And then cry victory over having permanently lowered CPU consumption by 90%?

        Bollocks, I say.

      2. Flakk

        What could possibly go wrong?

        Exactly. This may be the absolute worst example of "If all you have is a hammer, every problem begins to resemble a nail" that I have ever seen.

        If Intel was truly serious about security, they'd be seeking to simplify their silicon instead of making it more complex (and expensive).

        1. DCFusor

          No, no - when all Intel has is a hammer, every problem becomes your thumb...

  3. Anonymous Coward

    Cynical? Moi?

    Windows Defender will be able to control this scanning right out the gate; other antivirus tools will follow, as Intel chats to their engineers about implementing the automated inspection.

    ... no doubt pretty soon followed by the intelligence agencies and, via their leaks, the malware authors.

    Things are bad enough as they are: adding more capabilities to co-opt GPUs and poke around under the hood just seems likely to increase the ways in which a system can be owned.

    Oh, and gathering Telemetry? Whenever someone says something like "Privacy is an important design point in anything we do", my Bullshitometer goes 'urrrrk' and displays an Out Of Range Error.

  4. Anonymous Coward

    Dumbing it down here!!

    So if we offload the security elsewhere our chip will run faster .....

    .....and people are ok with this ?

    Am I taking crazy pills !!!

  5. Nimby
    Joke

    On the other hand...

    While I fully agree with all of the above, there is one important point being missed: for the first time ever, Intel onboard graphics might finally be useful for something!

    1. Ben1892
      Coat

      Re: On the other hand...

      That's what I was thinking in response to the comment "...my GPU suddenly has an entirely new workload that it wasn't designed for and I never expected it to have." What workload was it designed for exactly? It certainly wasn't graphics acceleration.

      1. Korev Silver badge
        Terminator

        Re: On the other hand...

        Mine's been sitting around for years twiddling its thumbs looking jealously at the Nvidia card that gets to do all the fun stuff. It'd be nice for it to be less bored...

  6. Doctor Syntax Silver badge

    Weasel words alert

    In general, data is anonymized and generalized.

    1. Czrly

      Re: Weasel words alert

      No worries, though, because there's a hardware switch to disable this new telemetry channel, permanently: don't install an Intel processor.

  7. Anonymous Coward

    Ah but you need to buy an Intel CPU with added GPU....

    It's a non-subtle way to encourage the purchase of Intel combined CPU/GPU chips. Intel are no longer the number 1 chip manufacturer, having been overtaken by Samsung. Intel are trying to convince the IT community to forget about the security issues with their designs of the last 20+ years. "Look, honest, we take security seriously, but will not provide fixes for older CPUs as AMD has done. Just buy our new CPUs and everything will be okay for us."

    1. Richard 12 Silver badge

      Re: Ah but you need to buy an Intel CPU with added GPU....

      Tough one really.

      All Intel CPUs now have a GPU cluster that's either completely unused because there's a discrete GPU fitted, or fairly overloaded because there isn't.

  8. Fading

    Isn't it....

    Only the consumer grade Intel CPUs that have integrated GPUs?

  9. Francis Fish

    That slide!

    That slide on the tweet. It's not death by PowerPoint, it's massacre by PowerPoint.

  10. Christian Berger

    Yet another iteration of the "anti-virus" concept

    They'd gain more security if they'd remove their management engine and blocked the start of any office product.

  11. JWLong

    How much.......

    profit have the shareholders made this year.

  12. Chairman of the Bored

    Oh, FFS!

    Why, just why, did the PHB have to call the tool 'Intel Security Essentials'? That reminds everyone of MS Security Essentials and, um, perhaps does not help one's credibility...

    1. Anonymous Coward

      Better yet, there's an APT on your system

      And it's sending data about your system to someone else's server.

  13. Gideon 1

    Intel Graphics is a security risk

    ...because it can access the entire memory.

  14. Anonymous Coward

    Intel transistor budget is much like XML, or violence

    If you have some kind of problem, you are just not using enough of it.

  15. onefang

    "Most companies, said Rick Echevarria, VP of Intel's software and services group, during a media call last week, are focused on four outcomes: preventing, detecting, and recovering from threats, and using technology like machine learning to predict where new ones will emerge."

    Some of the new ones will emerge from Intel. That was easy, didn't need any machine learning.

    1. Anonymous Coward

      "Most companies, said Rick Echevarria, VP of Intel's software and services group, during a media call last week, are focused on four outcomes: preventing, detecting, and recovering from threats, and using technology like machine learning to predict where new ones will emerge."

      Most companies are focussed on producing and selling their primary product, be it goods or services, if they intend to stay in business.

      Computers are at best an aid and at worst a hindrance to that primary purpose that usually costs more while not living up to the hype that sold them.

      Computer security is a tertiary necessary evil, that always seems to create work and delays that adversely affect performance in important business functions.

  16. wownwow

    "RSA 2018 security conference"

    The 1st session should be presented by Intel:

    Why didn't our design engineers follow the privilege levels we defined ourselves?

  17. Ken Hagan Gold badge

    "Finally, it appears this is all controlled at the kernel level. [...]"

    You say that as if it were a problem, but at *any* level it is the case that once the malware is running *at that level* it is game over for the defenders. AFAIK, Intel have added no less than three rings below kernel level and each one has been targeted and overcome by malware.

    1. Anonymous Coward

      "Intel have added no less than three rings below kernel level and each one has been targeted and overcome by malware."

      And it seems that each level farther down becomes harder to monitor, audit, and validate for security.

  18. Borg.King
    Facepalm

    [C|G|F|S]PU Silicon shuffle

    "Hey Boss, we've got a batch of these quad core CPUs but half of the integrated GPUs have failed testing."

    "Can they still access all the memory and run pattern matching?"

    "Sure."

    "Great, then we're going to call them Security Processing Units, add yet another $100 to the unit price and ship all that silicon anyways."

    1. Christian Berger

      Re: [C|G|F|S]PU Silicon shuffle

      "Great, then we're going to call them Security Processing Units, add yet another $100 to the unit price and ship all that silicon anyways."

      Seriously nobody would complain if they'd do it like that and sell that as an optional feature. It's shoving that "feature" down our throats that's the actual problem.

  19. Lord_Beavis
    Pirate

    What if it's disabled in the BIOS?

    Something tells me that it truly isn't.

    "This can be regulated or scheduled depending on how busy the GPU is – for example, if it's rendering a video game, "

    Solitaire counts as a video game? Just barely, I would guess.

    I'll stick with AMD and the Linux hating Nvidia for video games.

  20. Bela Lubkin

    I think most currently shipping Intel CPUs have integrated GPUs, even if they are sold as a GPU-less model. The silicon is there, disabled for some combination of marketing & manufacture-time test failure reasons.

    Even the GPUs which failed as full marketable GPUs probably work well enough to be used as background security lurkers.

    ... I wonder if they'll roll out a set of microcode updates which partially enable those GPUs to be used as security sidecars.

  21. PNGuinn
    Mushroom

    Remind me ...

    "FYI Intel is gonna let Windows Defender and other antivirus tools use integrated Intel GPUs to scan physical memory for #malware. "

    "FYI Intel is gonna let Windows Defender and other malware use integrated Intel GPUs to scan physical memory for Anything They Can Bloody Well Snaffle. "

    There, FIFY, Chipzilla.

    Remind me, someone: How many Intel engineers does it take to change a lightbulb?

  22. Rajesh Kanungo

    Graphics co-processors are written for speed

    Traditionally, software (and the microcode) written for GPUs is optimized for blindingly fast performance. Don't check for nulls, ranges, types, etc. Just make it run fast. That makes them nice targets for hackers.

    Would security experts who have graphics chip knowledge have any insights into the feasibility of what is being proposed? Would a hacker not target the GPU and take advantage of it?
