Intel Announces Chip-Level Security Initiatives, iGPU-Based Malware Scanning

Taking place this week is the annual RSA conference, which has evolved to become a major trade show for security products and technologies. As one might expect, it's also frequently used as a springboard for security-related announcements, and this year is no exception.

Of particular interest here is Intel, who is making two announcements regarding silicon-level technologies designed to improve the security of modern computers. The first one is for what Intel is calling Threat Detection Technology (TDT), a package of capabilities that can be used by software for security screening and threat detection. The second one is the Security Essential framework that includes a consistent set of root-of-trust hardware security capabilities supported across Intel’s CPU product stack.

Intel's Threat Detection Technology comes in two parts: Accelerated Memory Scanning, and Intel Advanced Platform Telemetry. AMS, arguably the most interesting aspect of today's announcement, is a means to use the company’s iGPUs to accelerate memory scanning for malware, with the goal of reducing the CPU performance impact and scanning in a more energy-efficient manner overall. Currently anti-virus/anti-malware programs use the CPU to scan memory and storage for malicious applications, and while multi-core CPU designs mitigate the worst system impacts of AV scanning, there's still a potential hit to responsiveness. So Intel is looking to address this by moving parts of AV scanning off of the CPU entirely and in to their often underutilized integrated GPUs.

The focus of Intel's efforts here is on one specific aspect of AV scanning: in-memory (resident) malware, which doesn't get caught in transnational disk I/O checks and instead requires scanning a system's complete memory to check for. The entire process is essentially little more than pattern matching - something GPUs are proving good at - so Intel believes that GPUs would be a good fit. Meanwhile the idea that this is also a more energy-efficient method is an interesting one, albeit one where it would be nice to see some data, but it's conceptually sound.

Intel’s AMS will be first supported by Microsoft’s enterprise-focused Windows Defender Advanced Threat Protection software, which will be rolling out support for the feature later this month. On the hardware side of matters AMS is supported on Intel's current-generation Gen 9/9.5 iGPUs, meaning that it will be available on 6th Gen Core (Skylake) and newer processors. Intel says that usage of AMS reduces CPU load during memory scan by an order of magnitude (from 20% to 2%) in Windows Defender ATP, which looks significant.

Meanwhile, the second part of Intel's TDT is Intel Advanced Platform Telemetry (IAPT), which uses Intel's existing platform telemetry hardware capabilities combined with machine learning algorithms to speed up the detection of advanced threats that may not be documented. Specifically, Intel is using low-level performance counters and other telemetry as a canary for potential issues; a sudden, irregular change in the counters may indicate that malware is present, particularly exposing anything that's actively trying to use side-channel attacks (e.g. Spectre) and which take constant prodding to utilize.

As this isn't signature based it's instead triggered on the basis of broader behavior patterns, which is where machine learning comes in. Essentially the idea is for AV software vendors to compile telemetry from multiple machines, giving them an evolving baseline to work from and making unusual patterns and machines stick out. Intel isn't saying very much about this capability, but according to The Register Intel has said that "In general, data is anonymized and generalized." IAPT will initially be supported by the Cisco Tetration platform for datacenters that protects cloud workloads.

Finally, Intel is also introducing Intel Security Essentials — a consistent set of security-related capabilities to be supported by the Atom-, Core- and Xeon-branded products. The feature set will encompass a number of Intel's existing security features under a single name, including secure boot, hardware protections (for data, keys, etc.), cryptography accelerators and trusted execution enclaves. Overall Intel is aiming to include all of its advanced security technologies across its entire product stack to improve security of PCs in general, so combining these features into a single, common package helps to promote that change and clarify that the same base features are supported everywhere. The move makes a great sense as it means that software makers will be able to support a unified set of security capabilities, knowing that all of them will be supported by all PCs running Intel’s up-to-date processors.

Related Reading:

• Intel Wraps Up Spectre Patching, Partially Cancels Plans For 1st Gen Core & Core 2 Processors
• Meltdown & Spectre: Analyzing Performance Impacts on Intel's NUC7i7BNH
• Intel Publishes Spectre & Meltdown Hardware Plans: Fixed Gear Later This Year
• Intel CEO Addresses the Industry on Meltdown and Spectre Issues in Open Letter
• Intel Forms Product Assurance and Security Group amid Meltdown and Spectre Fallout
• Understanding Meltdown & Spectre: What To Know About New Exploits That Affect Virtually All CPUs