PROTECTIONS

AMD XD / INTEL NX

Both Intel and AMD have taken steps to provide better protection against exploits with the Intel Execute Disable (XD) and AMD Enhanced Virus Protection (NX-bit) options.

These technologies allow the operating system to mark pages of memory as non-executable. This blocks the exploitation of certain buffer overflows: code that an attacker manages to write into a marked page (a stack or heap buffer, for example) cannot be executed from there.

Although it does not provide complete protection against malware, it is an additional layer of security.

Therefore, it is recommended to:

  • Activate this option as soon as possible.

INTEL SGX

SGX enclaves are protected, encrypted memory regions that allow applications to run code in a secure mode isolated from the rest of the system, including the operating system. SGX enclaves can be used to run mission-critical operations such as password storage, financial transactions, artificial intelligence and machine learning, or other tasks that require a high level of security.

Therefore, it is recommended to:

  • Activate this option as soon as possible,

  • Increase the memory allocated to this space (max 128 MB),

  • Make sure that your developers take this capability into account as soon as possible.

TPM

The Trusted Computing Group defines the TPM as a computer chip that can securely store the artifacts used to authenticate the platform.

If an organization is considering advanced boot integrity measures or full disk encryption, the TPM and the implications of its use should be studied in detail. The Trusted Computing Group website provides a wealth of information on the applications supported by TPM.

Documentation: https://trustedcomputinggroup.org/work-groups/trusted-platform-module/

Therefore, it is recommended to:

  • Activate the TPM,

    • Enable TPM 2.0

  • Check that your security software actually uses the chip (e.g. BitLocker, NAC)

TPM 2.0

The TPM 2.0 setting makes the TPM chip visible to the operating system.

There are several possible options for this configuration:

  • Clear: This setting clears the owner information from the TPM module; the TPM module remains enabled after clearing.

  • PPI Bypass for Enable Commands: This feature allows the operating system to issue TPM enable commands without the physical-presence confirmation prompt in the BIOS user interface. It can be useful to automate security processes without human intervention.

  • PPI Bypass for Disable Commands: This feature allows the operating system to issue TPM disable commands without the physical-presence confirmation prompt in the BIOS user interface. Leaving it disabled keeps that prompt, which helps prevent malicious users or software from disabling the TPM chip.

  • Key Storage Enable: This feature allows encryption keys to be stored in the TPM chip for added security. The keys can be used to protect sensitive data, such as passwords, encrypted files, etc.

  • Attestation Enable: This feature verifies the integrity of the system using the TPM chip. It can be used to ensure that the system has not been compromised or altered in any way.

  • SHA-256: This option enables the SHA-256 hash algorithm on the TPM. SHA-256 is a cryptographic hash function that secures data by creating a unique digital fingerprint of each file or document; it is used in security processes such as digital signatures, file integrity verification and the TPM's boot measurements.

  • PPI Bypass for Clear Commands: This feature allows the operating system to clear the data stored in the TPM chip without the physical-presence confirmation prompt in the BIOS user interface. It can be used to erase sensitive data in case of system compromise or loss.

Knowing this, it is recommended to:

  • Disable all bypass options,

  • Enable SHA-256 (or a stronger algorithm if available).

PERFORMANCE

The BIOS of Intel-based machines provides several options in its performance section.

  • MultiCore support: this field indicates whether only one core of the processor should be activated or all of them.

  • Intel SpeedStep: this field indicates whether Intel SpeedStep mode should be active for the processor.

    • Intel SpeedStep is a technology from Intel that reduces the power consumption of processors by dynamically adjusting their clock frequency according to the workload. This allows processors to run more efficiently by saving power and reducing heat generation.

  • C-states: This option enables or disables additional processor sleep states.

    • C-states are a feature of modern processors that reduce power consumption by putting parts of the processor to sleep when not in use.

  • Intel Turbo Boost: This field indicates whether or not Intel Turbo Boost mode should be enabled on the processor.

    • Turbo Boost is an Intel technology that increases the clock speed of processors when they are operating below their maximum capacity. This allows processors to deliver extra performance when it is needed, while saving power when it is not.

  • HyperThread Control: This field indicates whether or not Hyper-Threading mode should be enabled.

    • Instead of giving a large workload to a single core, threaded programs divide the work into several software tasks (threads). These tasks are processed in parallel by different processor cores, or by the two hardware threads of one core, to save time.

Knowing this, it is recommended to:

  • Activate multicore,

  • Enable SpeedStep, C-States and Turbo Boost.

    • The latter can, however, be abused by attack techniques such as measuring the chip's power consumption to extract sensitive information, such as encryption keys. Nevertheless, these attacks are very sophisticated and require physical access to the computer.

  • Enabling or disabling Hyper-Threading will depend on your risk appetite. Many vulnerabilities have been discovered in it, the patches reduce the performance benefit of this technology, and for a large part of users its deactivation will be transparent.
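To check, from the operating system, whether a Linux host actually reflects the settings recommended in the NX/XD, SGX, TPM and Hyper-Threading sections above, here is an added audit script (example code, not part of the original guide). It assumes the standard /proc and /sys interfaces, the tpm2-tools command tpm2_getcap and its "selected-pcrs" output format; the cpuinfo sample at the bottom is constructed.

```shell
#!/bin/bash
# Added example (not from the original guide): audit a Linux host for the
# firmware settings recommended above (NX/XD, SGX, TPM 2.0, SHA-256 PCR bank,
# SMT/Hyper-Threading). Each check takes its input as text, so it also runs
# offline against captured files or the constructed sample below.

# Print 1 if the first "flags" line of /proc/cpuinfo text $1 lists flag $2, else 0.
cpu_flag() {
    printf '%s\n' "$1" | grep -m1 '^flags' | tr ' ' '\n' | grep -qx "$2" \
        && echo 1 || echo 0
}

# Print the TPM major version ("1" or "2") from the text of
# /sys/class/tpm/tpm0/tpm_version_major, or "unknown" if no TPM is exposed.
tpm_major() {
    printf '%s\n' "$1" | grep -m1 -o '^[0-9]' || echo unknown
}

# Print 1 if "tpm2_getcap pcrs" output lists a populated sha256 bank, else 0.
# Assumed format: "  - sha256: [ 0, 1, ... ]"; an inactive bank shows "[ ]".
sha256_bank_active() {
    printf '%s\n' "$1" \
        | grep -Eq '^[[:space:]]*-[[:space:]]*sha256:[[:space:]]*\[.*[0-9].*\]' \
        && echo 1 || echo 0
}

# Print the SMT state ("on", "off", "forceoff", "notsupported") from the text of
# /sys/devices/system/cpu/smt/control; "off" means Hyper-Threading is disabled.
smt_state() {
    printf '%s\n' "$1" | head -n 1 | grep . || echo unknown
}

# Live audit of this host; every read tolerates a missing file or tool.
audit_host() {
    cpuinfo=$(cat /proc/cpuinfo 2>/dev/null || true)
    echo "NX/XD flag present : $(cpu_flag "$cpuinfo" nx)"
    echo "SGX flag present   : $(cpu_flag "$cpuinfo" sgx)"
    echo "TPM major version  : $(tpm_major "$(cat /sys/class/tpm/tpm0/tpm_version_major 2>/dev/null || true)")"
    if command -v tpm2_getcap >/dev/null 2>&1; then
        echo "SHA-256 PCR bank   : $(sha256_bank_active "$(tpm2_getcap pcrs 2>/dev/null || true)")"
    fi
    echo "SMT (HT) state     : $(smt_state "$(cat /sys/devices/system/cpu/smt/control 2>/dev/null || true)")"
}

# Constructed sample of a cpuinfo "flags" line (not from a real machine).
SAMPLE_CPUINFO='flags : fpu vme de pse tsc msr pae mce cx8 apic sep nx lm sgx'
echo "sample NX=$(cpu_flag "$SAMPLE_CPUINFO" nx) SGX=$(cpu_flag "$SAMPLE_CPUINFO" sgx)"
audit_host
```

A value of 0 for the NX/XD flag, "unknown" for the TPM version or 0 for the SHA-256 bank means the corresponding BIOS option is off or hidden from the OS and should be revisited in the firmware setup.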
