Inside the Intel Ivy Bridge Microarchitecture

Security Improvements

As previously mentioned, there are two new security features in the Ivy Bridge microarchitecture. The first one is the implementation of a digital random number generator (DRNG), which can be used through a new instruction called RDRAND.

Traditionally, when a program asks the CPU to generate a random number, the CPU uses the real-time clock of the system to do that. In other words, the exact time of day at which the number was generated is fed into an algorithm that produces the number. A hacker who knows that exact time can therefore replicate the algorithm and work out what the number is. This means that random numbers traditionally generated by the CPU aren't truly random; the correct name for them is pseudo-random. A random number generator (RNG) solves this issue by creating a random number that isn't based on the time of day it was generated.

In Figure 4, you can see a summary of the new digital random number generator.

Figure 4: Digital random number generator (DRNG)

The second new security feature added to the Ivy Bridge microarchitecture is called Supervisory Mode Execution Protection (SMEP), which prevents a security attack called Escalation of Privilege (EoP). This kind of attack works by gaining access to more privileged software (e.g., the operating system) and making it run a piece of software (the malicious software) that is installed in a memory area that is only used by applications.

This new security mechanism works by blocking any attempt to execute code located in the user memory space while the CPU is running at a privileged level (i.e., while it is running instructions of the operating system). So, even if a hacker is able to hijack the operating system, the malicious code won't be able to run from the user memory space.

Figure 5: Supervisory Mode Execution Protection (SMEP)
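
Software can confirm that a CPU offers both features described above by reading the CPUID feature bits, and should do so before executing RDRAND. The C program below is an added example, not code from the original article: the function names are hypothetical, the 10-attempt retry limit is a choice made for this example, and it assumes a GCC- or Clang-compatible compiler.

```c
#include <stdint.h>
#include <stdio.h>

#define CPUID1_ECX_RDRAND (1u << 30) /* CPUID.01H:ECX bit 30 */
#define CPUID7_EBX_SMEP   (1u << 7)  /* CPUID.(EAX=07H,ECX=0):EBX bit 7 */

/* Pure decoders over raw CPUID register values. */
int has_rdrand(uint32_t leaf1_ecx) { return (leaf1_ecx & CPUID1_ECX_RDRAND) != 0; }
int has_smep(uint32_t leaf7_ebx)   { return (leaf7_ebx & CPUID7_EBX_SMEP) != 0; }

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
static void read_features(uint32_t *l1_ecx, uint32_t *l7_ebx) {
    unsigned a, b, c, d;
    *l1_ecx = *l7_ebx = 0;
    if (__get_cpuid(1, &a, &b, &c, &d)) *l1_ecx = c;
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d)) *l7_ebx = b;
}
/* One RDRAND attempt: the carry flag is 1 only when a value was delivered. */
static int rdrand_step(uint32_t *out) {
    unsigned char ok;
    __asm__ volatile("rdrand %0; setc %1" : "=r"(*out), "=qm"(ok) : : "cc");
    return ok;
}
#else /* not x86: report no features and never execute RDRAND */
static void read_features(uint32_t *l1_ecx, uint32_t *l7_ebx) { *l1_ecx = *l7_ebx = 0; }
static int rdrand_step(uint32_t *out) { (void)out; return 0; }
#endif

/* Returns 1 and fills *out on success; 0 if RDRAND is absent or keeps failing. */
int hw_random32(uint32_t *out) {
    uint32_t ecx, ebx;
    read_features(&ecx, &ebx);
    if (!has_rdrand(ecx)) return 0;  /* executing RDRAND here would fault */
    for (int i = 0; i < 10; i++)     /* bounded retry while CF stays 0 */
        if (rdrand_step(out)) return 1;
    return 0;
}

int main(void) {
    uint32_t ecx, ebx, v;
    read_features(&ecx, &ebx);
    printf("RDRAND supported: %d\n", has_rdrand(ecx));
    /* CPUID shows capability only; the OS enables SMEP by setting CR4.SMEP. */
    printf("SMEP supported:   %d\n", has_smep(ebx));
    if (hw_random32(&v)) printf("RDRAND value: 0x%08x\n", v);
    else puts("no hardware random value; fall back to the OS generator");
    return 0;
}
```

A return value of 0 from `hw_random32` must be treated as "no random data", never as a usable value, since the output variable is not guaranteed to hold fresh randomness in that case.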
