Hardware 17.09.2007

Intel unveils Vpro 2007

"The Vpro 2007 spec does several interesting things, the first is to prevent rootkitting via hypervisor, basically preventing a malware hypervisor from getting under the hypervisor you want to have running," says Diane Bryant, vice-president of Intel’s digital enterprise group.

Bryant says the Trusted Platform Module (TPM) allows the user to do a ‘secure boot’: basically, when he/she loads a machine, he/she can checksum vital parts of it. "If those parts do not checksum the same when you boot, it can set a flag, or better stop the boot. In other words it cryptographically ensures what you have running is what you want running," she notes.

She says the nice thing the Vpro 2007 variant does is to turn off the modes necessary for a hardware-based VM (Virtual Machine) to function until there is a clean secure boot. "If you try and slide a rogue hypervisor into the system, it will sense the non-secure boot, and keep instructions necessary for the malware to operate locked down," adds Bryant.

Bryant says related to this is a closing down of DMA (Direct Memory Access), preventing the user from putting things all over the place in memory.

She says VMs that can write outside their allotted memory are a big potential risk, and they are now shut down in two ways. "DMAs can be remapped with an offset to direct it to a specific VM, making it ‘start off’ in the correct spot in memory," says Bryant.

Bryant says the Vpro 2007 can also constrain DMAs to an upper bound, forcing any DMA from a specific VM to go only to the places it should be allowed to go. She says if you figure out a way to spoof a DMA request, this will hopefully shut it down.

"The Network Information Centre (NIC) keeps a few seconds of traffic data in memory, performing two calculations. The first is to count the number of Internet Protocol (IP) addresses per port over a period of 10ms to 1s, and from 8 to 64 IPs. Basically if your machine decides to open 50 sockets on port 31337 in 25 seconds, this can flag the behaviour," says Bryant.

She says another area of concern is that the newest management technologies, like 802.1x and Cisco NAC, all need an Operating System to give some tokens or certificates in order to secure the connection. "This is not a problem if the OS in question has the security token, but if the OS is not running you cannot make a secure connection," she notes.

"What the Vpro 2007 does is store some of those tokens on the NIC itself so the connection can be secured before the OS comes up. You can also image a machine remotely in a secure way, whereas before you could not ‘up the shields’ until everything was booting correctly," says Bryant.

 
