Security Tools
The Right Tools for Secure Development
As part of our Security Development Lifecycle (SDL), we use best-in-class security tools to identify vulnerabilities at scale and help ensure third-party/open source software meets the highest security standards. We maintain a dedicated team for assessing and implementing security tools. Where the right tools don’t exist, we develop custom tools for Intel and share many for academic, industry, and customer use to enhance security industry-wide.
Following are some of the key tools that we use in secure development:
KF/x
The Kernel Fuzzer for Xen is an open source resource designed to fuzz some of the most complex projects: kernel internals and drivers. While other fuzzers focus on APIs and system calls, KF/x targets challenging aspects of the hardware/software interaction. For example, using threat models and tracking where software uses Direct Memory Access (DMA) data, KF/x becomes an extremely valuable tool to find potential security issues in software that malicious devices could exploit.
The following gives an overview of the tool and a set of use cases where Intel has already used KF/x to find and mitigate security vulnerabilities.
Linux Kernel
The Linux kernel is key to computing environments from edge computing, to data centers, to laptops and Internet of Things devices. Intel has long been one of the biggest contributors to Linux kernel development and participates in security roles, enhancing the quality of the kernel and adding new security features.
Intel also contributes to kernel modifications to mitigate hardware vulnerabilities. We collaborate with the open source community to make sure that software patches are developed, validated, and ready for deployment by the public disclosure date. The Linux kernel community has defined processes to address hardware vulnerabilities in software as well as software vulnerabilities. Specifically, the community has defined how hardware mitigations can be reported and configured by privileged users, giving users control over deployment.
Spectre and Meltdown Checker
The Spectre and Meltdown Checker is an open source tool used by many end users and companies to scan their systems for transient execution side channel vulnerabilities. While Intel contributes to the Linux kernel and regularly creates reporting mechanisms for end users to check the status of known issues, this tool provides more detailed information about those issues.
The checker determines whether the microcode is up-to-date, if the kernel is updated, and if the kernel configuration is set up properly to mitigate those issues. Intel contributes to this tool to ensure that the information reported by the tool is accurate for any Intel platform and that, in the event of a new transient execution side channel vulnerability, the tool is updated on the disclosure date. Check out this presentation about the history of the tool, its characteristics, and how Intel contributes to it.
CVE Binary Tool
The CVE Binary Tool helps users improve their supply chain security by listing known vulnerabilities associated with third-party components. Users can specify a known bill of materials in several formats or use the binary scanner, which has rules to find popular components of interest such as OpenSSL and libxml2.
The tool scans for these common components and lets a user know if a given software artifact (a folder or binary file) includes libraries with known Common Vulnerabilities and Exposures (CVEs). It performs this scan by looking at the strings found in those artifacts. These strings specify the versions of libraries and tools that the software uses. Then the tool checks if those strings match known vulnerable versions of common libraries and tools. Anyone can add support for more libraries and tools or request support for new ones in the public code repository.
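The string-matching approach described above, as an added example (not code from the CVE Binary Tool or from Intel): it pulls printable strings out of an artifact, matches them against version signatures, and checks each version against affected ranges. The signatures, advisory IDs, version ranges and sample bytes are all constructed for illustration.

```python
import re

# Hypothetical signatures (component -> version-capturing pattern), constructed
# for this example; they are not the CVE Binary Tool's own checker rules.
SIGNATURES = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)\b"),
    "libxml2": re.compile(rb"libxml2-(\d+\.\d+\.\d+)\b"),
}

# Constructed advisories with placeholder IDs: (id, component, introduced, fixed).
# A version v is affected when introduced <= v < fixed.
ADVISORIES = [
    ("EXAMPLE-0001", "openssl", "1.0.1", "1.0.1g"),
    ("EXAMPLE-0002", "libxml2", "2.9.0", "2.9.5"),
]

def version_key(text):
    """Turn '1.0.1f' into (1, 0, 1, 'f') so letter suffixes order correctly."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if m is None:
        raise ValueError(f"unsupported version format: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def printable_strings(blob, min_len=4):
    """Return runs of printable ASCII, as the `strings` utility would."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def detect_components(blob):
    """Return {component: version} for every signature found in the blob."""
    found = {}
    for s in printable_strings(blob):
        for name, pattern in SIGNATURES.items():
            m = pattern.search(s)
            if m:
                found[name] = m.group(1).decode("ascii")
    return found

def scan(blob):
    """Return sorted (advisory_id, component, version) for affected components."""
    hits = []
    for name, version in detect_components(blob).items():
        v = version_key(version)
        for adv_id, component, introduced, fixed in ADVISORIES:
            if component == name and version_key(introduced) <= v < version_key(fixed):
                hits.append((adv_id, name, version))
    return sorted(hits)

# Constructed sample "binary": non-printable bytes around embedded version strings.
SAMPLE = b"\x7fELF\x00\x01OpenSSL 1.0.1f 6 Jan 2014\x00\xff\xfelibxml2-2.9.5\x00"
print(scan(SAMPLE))
```

A version string can survive in an artifact that no longer links the library, and a stripped or patched build may carry no recognizable string at all, so results from this kind of scan are a starting point for triage.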
End users can also benefit from this tool by including it within continuous integration systems to help ensure that any security risks are addressed in a timely manner. For more information, check this presentation about the tool and its functionality.
Pen Testing
Intel engineers continually test our products, both pre- and post-release, to find and address potential vulnerabilities. Security testing becomes an even more critical mode of defense as attacks increase in sophistication along with the exponential growth of computing platforms and environments. That’s why security validation along with penetration testing are cornerstones of the Intel Security Development Lifecycle (SDL).
Penetration testing is akin to “ethical hacking” where engineers are organized into a “red team” with the purpose of attacking or breaking a product. This process uses tools and methods similar to those of real-world malicious hackers to identify and then help fix vulnerabilities and weaknesses in the product before it’s shipped to customers.
Trusted Platform Module (TPM)
Intel maintains the TPM2 (Trusted Platform Module 2.0) software stack for Linux, working with the hardware, software, and security ecosystems to support this technology. TPM is a standard for a dedicated cryptoprocessor designed to provide support for secure hardware through cryptographic keys. The TPM2 software repository hosts source code implementing the Trusted Computing Group's (TCG) TPM2 Software Stack (TSS), auxiliary tools, Python bindings, and a project to make TPM 2.0 accessible via the OpenSSL API and command-line tools.
Gramine
This library OS allows unmodified applications to run in a Trusted Execution Environment (TEE), such as Intel® Software Guard Extensions (Intel® SGX). Gramine works on Linux.