Intel today announced the rollout of the fourth generation of its Xeon family of server chipsets, detailing a number of new features under the company’s confidential computing umbrella of security features. Enhancements to Intel’s trusted execution environment and a new method for combating jump- and return-oriented programming attacks were the most notable upgrades.
The fourth generation of Xeon introduces a variety of new features across the board, including marked improvements to energy efficiency, AI processing, and edge workload handling, but the security side’s highlights are virtual machine (VM) isolation technology and control flow enforcement. The former offers hardware-level VM isolation without the need for hypervisor oversight: instead of a single app living inside a trusted environment, an entire VM can reside there.
There are plenty of options for trusted execution environments in other areas of the stack, but Intel fellow Amy Santoni, the company’s chief Xeon security architect, said that not all of them offer the same capabilities or meet the same standards.
Intel aims to secure virtual environments
“It depends on your goals for a trusted environment,” she said. “If you look at the cloud today, you can have multiple tenants running on the same hardware with virtualization technology, but in just a regular cloud environment, the hypervisor still has access to all those VMs’ data if you allow it to — there’s nothing at a hardware level to prevent a VM from accessing data.”
That isolation is provided through Intel’s Trust Domain Extensions framework, which already works with Azure, Google Cloud, Alibaba and IBM; no timeline was provided for AWS integration at the time of this writing.
Control flow enforcement is a feature that Intel has already implemented in its endpoint-focused Core line of processors but is new to the Xeon family, aimed at stamping out a family of cyberattack techniques known as return-oriented and jump-oriented programming. The idea with such attacks is to rearrange the order in which pieces of code are presented back to the application, for malicious purposes.
“So I can take snippets of real, released code, but I’m able to manipulate their order,” explained Santoni.
Control flow enforcement, however, adds a secondary or “shadow stack” to the normal stack used to order the execution of instructions. It is completely inaccessible to programmers, so, the idea goes, it can’t be manipulated by a bad actor. The order of instructions is compared to the “shadow stack,” which throws an error if they’re not in the correct sequence.
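To make the shadow-stack comparison concrete, here is an added example in C that simulates the mechanism described above. It is not Intel’s implementation and does not use the real hardware feature: the `sim_cpu` structure, the `sim_call`/`sim_ret` functions and the addresses used are all constructed for illustration. The ordinary data stack can be overwritten by program code (modelling a memory-safety bug), while the shadow copy can only be written by the simulated CALL and RET logic, so a return whose two copies disagree is refused instead of being followed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a toy simulation of a shadow stack, not Intel's CET
 * implementation. The simulated CPU keeps two stacks. The ordinary data
 * stack holds return addresses where program writes can reach them; the
 * shadow stack holds a second copy that ordinary code cannot write.
 * On return, both copies are compared. */

#define STACK_DEPTH 64

typedef struct {
    uintptr_t data_stack[STACK_DEPTH];   /* regular stack, reachable by program writes */
    uintptr_t shadow_stack[STACK_DEPTH]; /* shadow stack, written only by CALL/RET logic */
    int sp;                              /* data stack entry count */
    int ssp;                             /* shadow stack entry count */
} sim_cpu;

/* Result codes returned by the simulated RET */
enum { RET_OK = 0, RET_CONTROL_PROTECTION_FAULT = 1, RET_STACK_ERROR = -1 };

void sim_init(sim_cpu *cpu) { memset(cpu, 0, sizeof *cpu); }

/* Simulated CALL: the return address is pushed on both stacks. */
int sim_call(sim_cpu *cpu, uintptr_t return_addr) {
    if (cpu->sp >= STACK_DEPTH || cpu->ssp >= STACK_DEPTH)
        return RET_STACK_ERROR;
    cpu->data_stack[cpu->sp++] = return_addr;
    cpu->shadow_stack[cpu->ssp++] = return_addr;
    return RET_OK;
}

/* Simulated RET: pop both copies; if they disagree, raise a fault
 * instead of transferring control to the (possibly tampered) address. */
int sim_ret(sim_cpu *cpu, uintptr_t *target) {
    if (cpu->sp == 0 || cpu->ssp == 0)
        return RET_STACK_ERROR;
    uintptr_t from_data = cpu->data_stack[--cpu->sp];
    uintptr_t from_shadow = cpu->shadow_stack[--cpu->ssp];
    if (from_data != from_shadow)
        return RET_CONTROL_PROTECTION_FAULT;
    *target = from_shadow;
    return RET_OK;
}

/* Models the effect of a memory-safety bug in the program: the saved
 * return address on the data stack is overwritten. The shadow copy is
 * untouched because program writes cannot reach it. */
void sim_overwrite_saved_return(sim_cpu *cpu, uintptr_t value) {
    if (cpu->sp > 0)
        cpu->data_stack[cpu->sp - 1] = value;
}

/* Scenario 1: a well-behaved nested call sequence (constructed addresses).
 * Returns RET_OK only if both returns succeed and land where they should. */
int run_benign_sequence(void) {
    sim_cpu cpu;
    uintptr_t t = 0;
    sim_init(&cpu);
    sim_call(&cpu, 0x401000); /* main calls f; f will return to 0x401000 */
    sim_call(&cpu, 0x402000); /* f calls g; g will return to 0x402000 */
    if (sim_ret(&cpu, &t) != RET_OK || t != 0x402000)
        return RET_STACK_ERROR;
    if (sim_ret(&cpu, &t) != RET_OK || t != 0x401000)
        return RET_STACK_ERROR;
    return RET_OK;
}

/* Scenario 2: the saved return address is corrupted before the return
 * executes. The two copies no longer match, so RET faults. */
int run_corrupted_sequence(void) {
    sim_cpu cpu;
    uintptr_t t = 0;
    sim_init(&cpu);
    sim_call(&cpu, 0x401000);
    sim_overwrite_saved_return(&cpu, 0x7fff0000); /* constructed bogus address */
    return sim_ret(&cpu, &t);
}

int main(void) {
    printf("benign sequence: rc=%d (0 = ok)\n", run_benign_sequence());
    printf("corrupted sequence: rc=%d (1 = control-protection fault)\n",
           run_corrupted_sequence());
    return 0;
}
```

The point of the comparison is that the check does not need to know anything about the program’s intended control flow; it only needs a copy of each return address that the program itself cannot modify, which is why the shadow stack being inaccessible to ordinary code is the property the whole scheme rests on.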
Finally, Intel’s already-announced Project Amber is present in Xeon’s fourth generation. This is what the company describes as an out-of-station capability for its trusted execution environment, allowing customers to validate that their workloads are running on Intel hardware, independently of information provided by cloud service providers.
“The idea is to provide customers the ability to validate the configuration of the environment they’re running in,” said Santoni. “It doesn’t mean that the CSPs don’t provide that, it’s an additional option — when you buy a used car from a dealer, you [still] might want to take it to an independent mechanic.”
The nearly 50 different SKUs in the fourth-generation Xeon family are available for preorder from February 15.
Copyright © 2023 IDG Communications, Inc.