Upcoming Intel SGX Features Explained: Improved Virtualization, Configuration Management, and Key Sharing

Upcoming Intel® SGX Features Explained: Improved Virtualization, Configuration Management, and Key Sharing
Jethro Beekman
February 22nd, 2018
In an update to the Intel Software Developer’s Manual (SDM), Intel detailed upcoming changes to the Intel® SGX instruction set. The new features improve Enclave Page Cache management in virtualized environments and allow the addition of additional information to sealing key derivation and attestation reports. The improvements allow for better multi-tenancy with EPC oversubscription and easier configuration and software update management. I will go into detail on each of these in this post.[…]

https://www.fortanix.com/blog/2018/02/upcoming-intel-sgx-features-explained/

Intel announces firmware updates for multiple processors (and Retpoline document)

February 20, 2018

Latest Intel Security News: Updated Firmware Available for 6th, 7th and 8th Generation Intel Core Processors, Intel Xeon Scalable Processors and More

Over the past several weeks, we’ve been developing and validating updated microcode solutions to protect Intel customers against the security exploits disclosed by Google Project Zero. This effort has included extensive testing by customers and industry partners to ensure the updated versions are ready for production. On behalf of all of Intel, I thank each and every one of our customers and partners for their hard work and partnership throughout this process. Based on these efforts, we have now released production microcode updates to our OEM customers and partners for Kaby Lake- and Coffee Lake-based platforms, plus additional Skylake-based platforms. This represents our 6th, 7th and 8th Generation Intel® Core™ product lines as well as our latest Intel® Core™ X-series processor family. It also includes our recently announced Intel® Xeon® Scalable and Intel® Xeon® D processors for data center systems. The new microcode will be made available in most cases through OEM firmware updates. I continue to encourage people to always keep their systems up-to-date. There is also a comprehensive schedule and current status for planned microcode updates available online.[…]

https://newsroom.intel.com/news/latest-intel-security-news-updated-firmware-available/

[…]We are mindful of the fact that, in some cases, there are multiple mitigation techniques available that may provide protection against these exploits. This includes “Retpoline,” a Google-developed mitigation technique for Variant 2. For those interested in more information on Retpoline and how it works, we recently published a new white paper. Google has also posted information about Retpoline.[…]

https://support.google.com/faqs/answer/7625886

https://software.intel.com/sites/default/files/managed/1d/46/Retpoline-A-Branch-Target-Injection-Mitigation.pdf

EnclaveDB: A Secure Database using SGX

https://www.computer.org/csdl/proceedings/sp/2018/4353/00/index.html

EnclaveDB: A Secure Database using SGX
Christian Priebe , Imperial College London
Kapil Vaswani , Microsoft Research
Manuel Costa , Microsoft Research
We propose EnclaveDB, a database engine that guarantees confidentiality, integrity, and freshness for data and queries. EnclaveDB guarantees these properties even when the database administrator is malicious, when an attacker has compromised the operating system or the hypervisor, and when the database runs in an untrusted host in the cloud. EnclaveDB achieves this by placing sensitive data (tables, indexes and other metadata) in enclaves protected by trusted hardware (such as Intel SGX). EnclaveDB has a small trusted computing base, which includes an in-memory storage and query engine, a transaction manager and pre-compiled stored procedures. A key component of EnclaveDB is an efficient protocol for checking integrity and freshness of the database log. The protocol supports concurrent, asynchronous appends and truncation, and requires minimal synchronization between threads. Our experiments using standard database benchmarks and a performance model that simulates large enclaves show that EnclaveDB achieves strong security with low overhead (up to 40% for TPC-C) compared to an industry strength in-memory database engine.

https://www.computer.org/csdl/proceedings/sp/2018/4353/00/435301a405-abs.html

https://www.microsoft.com/en-us/research/publication/enclavedb-a-secure-database-using-sgx/

https://www.microsoft.com/en-us/research/uploads/prod/2018/02/enclavedb.pdf

Intel updates bug bounty program

Updates to our program include

+ Shifting from an invitation-only program to a program that is open to all security researchers, significantly expanding the pool of eligible researchers.
+ Offering a new program focused specifically on side channel vulnerabilities through Dec. 31, 2018. The award for disclosures under this program is up to $250,000.
+ Raising bounty awards across the board, with awards of up to $100,000 for other areas.

https://newsroom.intel.com/news/expanding-intels-bug-bounty-program/

Lenovo: Intel AMT MEBx Access Control Bypass

Intel Active Management Technology MEBx Access Control Bypass
2018-02-08
Initial Release

Scope of Impact: Industry-wide
Lenovo Security Advisory: LEN-19568

Potential Impact: Remote access and control
Severity: Critical

Intel has issued an advisory for Intel vPro Active Management Technology (AMT) to all system manufacturers. The Intel AMT default configuration has weak security around the Management Engine BIOS Extension (MEBx) password.[…]

ThinkPad – Updates coming soon
ThinkServer – Researching

https://support.lenovo.com/us/en/solutions/LEN-19568

https://sintonen.fi/advisories/intel-active-management-technology-mebx-bypass.txt

https://www.intel.com/content/www/us/en/support/articles/000020917/software/manageability-products.html

https://www.intel.com/content/dam/support/us/en/documents/technologies/Intel_AMT_Security_Best_Practices_QA.pdf

http://thinkdeploy.blogspot.com/2016/08/the-think-bios-config-tool.html