|Page (1) of 1 - 04/13/06||email article||print page|
Security in SiliconThe next generation of CPUs may include virtualization and other security capabilities.
Weber was keynoting the first "International Swarm Intelligence & Other Forms of Malware Workshop," held in conjunction with the IEEE International Performance Computing and Communications Conference, held this week in Mesa, Arizona. In his presentation, he covered the efforts of the Trusted Computing Group and its efforts to improve the security of CPUs -- and thus of the applications you build and run. He's optimistic... mostly.
The Trusted Computing Group is a nonprofit organization which has the active participation of most of the hardware and software companies you know, including AMD, Hewlett-Packard, IBM, Infineon, IBM, Microsoft, and Sun. You might scoff: Microsoft? Weber insists that Microsoft has spent the last few years truly pushing on security matters; according to Weber, the company has made it a major focus and commitment, and security was a major hurdle in Microsoft's development of a 64-bit operating system.
All the stars are aligning for virtualization, says Weber, which can bring many good things to enterprises. Virtualization lets a single computer run many operating systems or many versions of a single operating system. Its major business appeal is server consolidation, since it's common to have several single-application servers, each running at 20% efficiency; yet, those applications can't all be installed on a single computer because of the application's OS or version requirements or even accounting needs. Plus, pointed out Weber, too much software runs at the most privileged protection level -- often because the software developer needs more than basic permissions, even if the application shouldn't be run at the most trusted levels.
Currently, virtualization is done in software, using tools like VMWare, Xen, or Microsoft Virtual Server, but you'll soon see that functionality built into the chip set. A new protection level will be provided below Ring 0, and instruction intercepts will be provided, along with machine-specific registers and ten protection vectors. The new chip-sets will have another level of virtual memory, says Weber, with security features that include shadow page tables and recursive page table walks.
Security-specific hardware is coming along very quickly, In the next few years you'll see silicon that includes the "read/no-execute" capability (which Weber says was "a small but important fix" that killed a lot of attacks). Multi-factor authentication, such as fingerprint IDs and Fobs, are becoming commonplace, but Weber says, "it's one of the smallest problems in security these days." Though, of course, you have to plug all holes. Additional coming-soon hardware support will include protected input (i.e. encryption) to prevent keystroke-grabbing attacks, and protected output (relevant more for movies and digital rights management than for password gathering).
Will that be enough? All the hardware community can do is create solutions, said Weber, and "hope the software community doesn't misuse them." Even when the CPUs support advanced security features, software is a problem, Weber says, "Because tens and hundreds of millions of lines of code don't change quickly." Secure input needs drivers and connections to applications. Realistically, claims Weber, the security capabilities have to be exploited from the operating system up, with a "trusted hypervisor" -- and it will be the end of the decade before that happens.
Among the biggest problems in adding these features, admits Weber, is that "Security is a performance disaster." For example, three months of work went into designing how an automatic memory clear should work in hardware, a longed-for capability in the security community... but the downside is that computer boot time is slowed down significantly.
Overall, however, building security into the hardware is a good thing, Weber jested, "Because we [designers] are running out of things to do. After all, how much faster can a spreadsheet go?"
Esther Schindler has been writing about technology professionally since 1992, and her byline has appeared in dozens of IT publications. She's optimized compilers, owned a computer store, taught corporate training classes, moderated online communities, run computer user groups, and, in her spare time, written a few books. You can reach her at firstname.lastname@example.org.
Related Keywords:hardware, chip, cpu, fred weber, trusted computing, semiconductor, malware
Source:Digital Media Online. All Rights Reserved