Intel releases Vpro 2007

INTEL ANNOUNCED the new Vpro Processor Technology for 2007, formerly named Weybridge, and even more formally known as AMT3.0. It brings Le Grande (LT) to Vpro, and adds a bunch of security features to the mix.

vPro 2007 has three necessary components, any -50 series CPUs, basically the E6550, 6750 and 6850, a Q35 chipset with an ICH9-DO south bridge and an 82566DM NIC. Rest assured that the CPU names will change before another one is released, so it would be pretty safe to say that any non-Celeron CPU made from this point on would qualify. You also need a v1.2 TPM to support the LT side of things.

The Vpro 2007 spec does several interesting things, the first is to prevent rootkitting via hypervisor, basically preventing a malware hypervisor from getting under the hypervisor you want to have running. This one is a little tricky, but how it does it makes a lot of sense.

The TPM allows you to do what is called a 'secure boot', basically when you load a machine, you can checksum vital parts of it. If those parts do not checksum the same when you boot, it can set a flag, or better yet, stop the boot. In other words, it cryptographically ensures what you have running is what you want running.

One nice thing the 2007 variant does is turn off the modes necessary for a hardware based VM to function until there is a clean secure boot. If you try and slide a rogue hypervisor into the system, it will sense the non-secure boot, and keep the instructions necessary for the malware to operate locked down.

Related to this is a closing down of DMAs, preventing you from putting things all over the place in memory. Since DMA by design bypasses the CPU, this is more related to the NIC and chipset side of things.

VMs that can write outside their alloted memory are a big potential risk, and they are now shut down in two ways. First DMAs can be remapped with an offset to direct it to a specific VM, making it 'start off' in the correct spot in memory.

2007 can also constrain DMAs to an upper bound, forcing any DMA from a specific VM to go only to the places it should be allowed to go. If you figure out a way to spoof a DMA request, this will hopefully shut it down. You can also map out holes in addition to the upper and lower bounds should you have a reason to.

The next interesting part is in the filters on the NIC itself. Vpro the elder had programmable filters directly on the NIC itself, but they were pretty dumb, simply rules following. The newer tech allows a little buffering of traffic to allow for time based heuristics.

The NIC more or less keeps a few seconds of traffic data in memory, performing two calculations. The first is to count the number of IP addresses per port over a period of 10ms to 1s, and from 8 to 64 IPs. Basically if your machine decides to open 50 sockets on port 31337 in .25 seconds, this can flag the behaviour. The old way would just chug along and do it.

The other heuristic is a little slower but does more or less the same thing. It keeps the same port data with the same number of sockets, but does it over a longer time, 1-50 seconds. This accomplishes the same goal but for slower spreading malware. I wonder how it would deal with a torrent with thousands of seeds, the newest Ubuntu build for example.

Another area of concern is the newest management technologies like 802.1.x and Cisco NAC all need an OS to give some tokens or certificates in order to secure the connection. This is not a problem if the OS in question has the security token, but if the OS is not running or broken, you can't make a secure connection.

What 2007 does is store some of those tokens on the NIC itself so the connection can be secured before the OS comes up. You can also image a machine remotely in a secure way where as before you could not 'up the shields' until everything was booting correctly.

Last comes the sexily named Intel TXT or Trusted Execution Technology, the same stuff that brought you secure booting, formerly named LT. The final trick it can pull is to scrub memory areas upon shutdown to prevent snooping. This is fully programmable it is not anything that will happen unless explicitly told to do something.

The point is that if you shut down a VM, process, or whatever, its traces get wiped. Alternately, you can have it scrub areas inhabited by things that don't shut down cleanly, probably the more insecure of the two scenarios. It could prove useful to the paranoid.

Some of these features were rolled out with Santa Rosa last May, and the rest are now available on desktops with the current platform, Weybridge. On the laptop side, the gaps will be filled in with Montevina in 1H/08, and at that point all security risks for the enterprise will go away. OK, not really, but I am sure some salesman somewhere will say so.

In the end, Vpro 2007 adds a few more features to the Intel management stuff. It uses small enhancements in the hardware to make potentially large leaps in security. The specifics of it all will be up to the vendors and how they implement the tools Intel gave them. µ