Threat Modeling
Addressing Potential Threats Before They Happen
Product security is an ongoing priority, not a one-time event. The heart of this discipline is our comprehensive threat modeling process. Threat modeling analyzes each of our products to determine the array of potential security threats to those products, then creates a plan to protect against those threats.
Threat modeling starts at product planning and continues through deployment. Security architects compile a comprehensive list of threats, and extensively monitor the landscape of emerging threats throughout the lifespan of the product. Threat models are archived and reviewed regularly against known and emerging attacks.
Once a threat model is complete, it’s presented in our security architecture review forum. A team of security experts reviews the threat model and the associated product architecture for consistency. The threat model is examined for completeness, and the security architecture is analyzed to determine its effectiveness in protecting against the specified threats.
Commonly Used Adversaries
To understand the threat landscape better, Intel has developed nine Adversary Models:
Adversary | Description |
---|---|
Unprivileged Software Adversary | Typically known as a “user-space” adversary; capabilities are limited by the instruction set architecture (ISA) or hardware platform (x86/x64, or IA-32/Intel 64) to the capabilities granted by the system software. |
System Software Adversary | Full control over the operating system, or virtual machine monitor. This adversary can manipulate x86/x64 in any manner allowed by the instruction set architecture specification. |
Startup code and SMM Adversary | All capabilities of the System Software Adversary, as well as control over initial boot code and system management mode. This adversary can manipulate x86/x64 in any manner allowed by the instruction set architecture specification. This adversary also has the ability to compromise system and platform firmware. |
Network Adversary | Access to, and possibly control over, various network fabrics that are used to connect the platform to other platforms, intranet, or extranet resources. This adversary can also interact with remote systems through predefined APIs. |
Software Side Channel Adversary | Able to gather statistics from the CPU regarding execution and may be able to use them to extract secrets from software being executed. This adversary can also observe hardware resource usage to infer information and secrets from software being executed. This adversary can often directly influence resource usage, e.g., by causing contention or by modulating an input to a victim program. |
Simple Hardware Adversary | Physical access to the system; typically doesn’t require expensive equipment or extraordinary training/specialty. |
Skilled Hardware Adversary | Physical access to the system and additional equipment and/or training that isn’t accessible to the average individual consumer. |
Hardware Reverse Engineer Adversary | Physical access to the system, specialized tooling (which can be rented), and highly specialized expertise. |
Authorized Adversary | Intel- or partner-granted authority with capabilities not available to unauthorized entities. This may include access to manufacturing facilities and systems, access to design facilities and design systems, or access to devices that haven’t completed all manufacturing steps. |
Security Products and Features
Learn more about specific Intel security technologies designed to help protect against these adversaries: