cancel
Showing results for 
Search instead for 
Did you mean: 
Views: 816

Alongside the 8th generation of Intel Processors are many features designed to enhance the management and security of machines for end users.

 

Here is a brief introduction of some of those features. All source links are included below the article for further learning.

 

NOTE: I tried to make the introduction of the features as brief and non-technical as I could, but these security features are quite technical. 

 

 Intel vPro and Trusted Execution

 

 Trusted Execution is the name of a security feature included as one of many features under the vPro umbrella. Trusted Execution Technology (TXT), according to the Trusted Execution Whitepaper (source 1 link below), is a CPU level feature to protect system security. TXT provides a verification of trust for the operating system and all loaded components. Software can check the TXT environment status and detect if the environment is not in a verified state. One example of software that can use TXT is virtualization software. the virtualization software can check to see if the environment has had malicious modifications to protect guests and hosts from having protected memory altered or captured. Other technologies included in vPro include active management technology (AMT) (sources 2, 3 and 4. links below) and Intel Anti Theft  (sources 2, 3 and 4.), Intel AMT allows remote management of a laptop by a company IT organization. some examples of remote management include booting a machine into BIOS and changing settings, viewing video output remotely, and booting a remote machine off of a disk image (.iso). While these above technologies are extremely useful, and come on many of the 8th generation processor offerings from Intel, unfortunately they are not available on the Legion Y530. The i5-8300H and i7-8750H that the Y530 can be equipped with are not vPro compatible. 

 

However, there are other security features that the 8th Generation CPUs in the Y530 are equipped with. Three of these technologies are Intel OS Guard, Intel Memory Protection Extensions (MPX), and Intel Secure Guard Extensions (SGX).  

 

Intel OS Guard

 

OS Guard (source 5 and 6) is a technology designed to prevent malicious code from executing outside of application memory space. In layman’s terms, it prevents malicious code from running in protected memory or outside of the operating system. It also prevents code from running in application space while the processor is running in supervisor mode. Supervisor mode (source 7) is a protection ring that allows privileged command execution. This is an evolution of Intel’s Execute Disable Bit (source 5), a similar technology for preventing user mode applications from accessing privileged execution.

 

 

Intel Software Guard Extensions (SGX)

 

Intel SGX (Sources 8, 9, 10, 11, and 12) is a set of security extensions to the Intel CPU that allow a developer to ensure that code cannot be modified for malicious intent, even in the event of compromised system (including Virtual Machine/Hypervisor attacks). SGX provides what intel calls the “Secure Enclave” a protected portion of memory where an application can store data that needs to be kept safe from attack. The enclave stores the data securely, and the application and SGX platform can determine whether or not something malicious is attempting to compromise the security of the system. Through the use of the SGX SDK, the system can verify that the attempt to access the data is legitimate and not from a malicious actor. Sources 10 and 11 show how to integrate SGX security into an application.

 

There is an SGX Section in the BIOS on the Legion Y530, This allows turning the SGX platform on and off, and switching it from Enabled to Software Controlled (See Pictures Below). See the following for an explanation of the settings. (source 12)

 

[Disabled]

SGX Platform is completely off

[Enabled]
SGX Platform is on and ready for use

 

[Software Controlled]
SGX Is ready for use but disabled until an application performs the Opt-In Procedure

 

There is an additional option called "EPOCH Change" This resets the random data for the SGX Feature. It also clears any user data that was stored using SGX.

 

20180905_222035.jpgBIOS Security Tab Showing SGX Section (Hilighted)20180905_222046.jpgSGX Section of BIOS20180905_222056.jpgState Options for SGX

 

 

Intel Memory Protection Extensions (MPX)

 

The final new security feature available on the Y530 is MPX. MPX is a CPU extension that provides compiler time support for software to enable detection of various software flaws that could potentially leak user data or other secret data. (sources 13, 14, and 15) Using MPX during compile time adds an instruction to the application that detects the flaw before the code is executed. For example, it can detect when the code is about to go outside the bounds of an array (array has 5 elements and the program tries to access the 6th). Instead of the default behavior of the application, which is to crash which can cause other issues, MPX allows the developer to cleanly handle these cases and continue running the application, or gracefully handle the exception and clean up data. While this instruction may have been useful if developers adopted it, It was recently removed from the Linux Kernel by Intel developers (source 15), and it was also hinted that the instruction may be removed from future processors.

 

 

 

Final Thoughts

 

Using various security features on the Intel 8th Generation Core Processors (some of which automatically protect the end user without any extra intervention), Developers can enhance the security of the end users and applications to prevent compromised systems from extracting secure data from protected memory.

 

Sources:

Was this information helpful?

Contributors