Research: 04/13/06

Security in Silicon

The next generation of CPUs may include virtualization and other security capabilities. By Esther Schindler
"For the first time," said Fred Weber, former CTO of AMD and widely considered the father of the Opteron processor, "security is a major focus in the computer industry -- and not just in a niche community." More importantly, Weber added, the major players in the computer industry are now cooperating on how to bring security into the computer itself -- not just into the network.

Weber was keynoting the first "International Swarm Intelligence & Other Forms of Malware Workshop," held in conjunction with the IEEE International Performance, Computing, and Communications Conference (IPCCC) this week in Mesa, Arizona. In his presentation, he covered the Trusted Computing Group's efforts to improve the security of CPUs -- and thus of the applications you build and run. He's optimistic... mostly.

The Trusted Computing Group is a nonprofit organization that has the active participation of most of the hardware and software companies you know, including AMD, Hewlett-Packard, IBM, Infineon, Microsoft, and Sun. You might scoff: Microsoft? Weber insists that Microsoft has spent the last few years truly pushing on security matters; according to Weber, the company has made security a major focus and commitment, and it was a major hurdle in Microsoft's development of a 64-bit operating system.

All the stars are aligning for virtualization, says Weber, and it can bring many good things to enterprises. Virtualization lets a single computer run many operating systems, or many versions of a single operating system, side by side. Its major business appeal is server consolidation: it's common to have several single-application servers, each at roughly 20% utilization, yet those applications can't all be installed on one computer because of differing OS or version requirements, or even because of accounting needs. There is a security angle as well, Weber pointed out: far too much software runs at the most privileged protection level, often because the developer needed something beyond ordinary user permissions for one task and took the highest privilege for the whole application, even though the application has no business running at the most trusted level.

Currently, virtualization is done in software, using tools like VMware, Xen, or Microsoft Virtual Server, but you'll soon see that functionality built into the processor itself (AMD's and Intel's hardware virtualization extensions). A new protection level will sit below Ring 0, so the hypervisor runs with more privilege than even the guest operating system's kernel; the hardware will intercept the instructions a guest should not execute directly, along with accesses to model-specific registers (MSRs), and Weber described ten protection vectors. The new processors will also add another level of address translation, says Weber, so that the shadow page tables and recursive (nested) page-table walks that today's hypervisors maintain in software can be handled by the memory-management hardware.

Security-specific hardware is arriving quickly, and some of it is already here. The "no-execute" (NX) page permission, which lets the operating system mark data pages so the CPU refuses to execute code from them, was in Weber's words "a small but important fix" that killed a lot of attacks -- in particular, the classic buffer overflow that injects code onto the stack or heap and jumps to it. Multi-factor authentication, such as fingerprint readers and key fobs, is becoming commonplace, but Weber says, "it's one of the smallest problems in security these days." Though, of course, you have to plug all the holes. Additional coming-soon hardware support will include protected input (an encrypted path from the keyboard to the application) to defeat keystroke loggers, and protected output (a protected path to the display, relevant more to movies and digital rights management than to stopping password theft).
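What the no-execute permission actually buys you, shown as an added example that is not from the article, from Weber's talk, or from AMD: the bytes of a tiny function are written into an anonymous page, and the program jumps into them twice. With the page mapped read/write only, the CPU faults on the instruction fetch (caught here as SIGSEGV via sigsetjmp/siglongjmp); after mprotect() adds PROT_EXEC, the same bytes run and return 42. It assumes a POSIX system with GCC or clang on x86-64, i386, or AArch64; the function name run_from_page and the machine-code constants are mine.

```c
/* Added example (not from the article): demonstrating the NX page permission.
 * Assumes POSIX (Linux or macOS), GCC/clang, x86-64/i386 or AArch64. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine code for a function that returns 42, hand-assembled for each ISA:
 *   x86:     mov eax, 42 ; ret
 *   AArch64: mov w0, #42 ; ret                                              */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RETURN_42[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
#elif defined(__aarch64__)
static const unsigned char RETURN_42[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 };
#else
#error "no machine code for this architecture"
#endif

static sigjmp_buf fault_env;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);   /* unwind out of the faulting instruction fetch */
}

/* Copies RETURN_42 into a fresh page and calls it.
 * Returns 42 if the bytes executed, 0 if the CPU refused (NX fault caught),
 * -1 if the mapping or permission change failed. */
int run_from_page(int executable) {
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, RETURN_42, sizeof RETURN_42);

    if (executable) {
        /* W^X: drop write before adding execute, as a hardened JIT would. */
        if (mprotect(page, (size_t)pagesz, PROT_READ | PROT_EXEC) != 0) {
            munmap(page, (size_t)pagesz);
            return -1;
        }
        __builtin___clear_cache((char *)page, (char *)page + sizeof RETURN_42);
    }

    /* An exec fault is SIGSEGV on Linux; macOS reports some as SIGBUS. */
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* data pointer -> function pointer */
        result = fn();
    } else {
        result = 0;                       /* the fetch from the RW page faulted */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, (size_t)pagesz);
    return result;
}

int main(void) {
    printf("RW page: %d (0 means the CPU refused to execute it)\n", run_from_page(0));
    printf("RX page: %d (42 means the same bytes ran)\n", run_from_page(1));
    return 0;
}
```

The first call is exactly the situation an injected payload finds itself in on an NX-enabled machine: the bytes are there, the pointer is right, and the fetch still faults. The second call shows why NX alone is not the end of the story: anything that can obtain an executable mapping, or reuse code that is already executable, is untouched by it.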

Will that be enough? All the hardware community can do is create solutions, said Weber, and "hope the software community doesn't misuse them." Even when the CPUs support advanced security features, software is a problem, Weber says, "because tens and hundreds of millions of lines of code don't change quickly." Secure input, for instance, needs drivers and a path all the way up to the applications. Realistically, Weber claims, the new capabilities have to be used from the operating system up, starting with a "trusted hypervisor" -- and it will be the end of the decade before that happens.

Among the biggest problems in adding these features, admits Weber, is that "security is a performance disaster." For example, three months of work went into designing how an automatic memory clear at reset should work in hardware, a longed-for capability in the security community because whatever was left in RAM otherwise survives a reboot... but the downside is that boot time slows down significantly.

Overall, however, building security into the hardware is a good thing, Weber jested, "Because we [designers] are running out of things to do. After all, how much faster can a spreadsheet go?"


Esther Schindler has been writing about technology professionally since 1992, and her byline has appeared in dozens of IT publications. She's optimized compilers, owned a computer store, taught corporate training classes, moderated online communities, run computer user groups, and, in her spare time, written a few books. You can reach her at
Related Keywords:hardware, chip, cpu, fred weber, trusted computing, semiconductor, malware


Copyright 2015 Digital Media Online, All Rights Reserved