Intel’s TDX framework gains a new capability, and a “shadow stack” in Xeon’s fourth generation aims to knock out a dangerous cyberattack method. Credit: Martyn Williams Intel today announced the rollout of the fourth generation of its Xeon family of server chipsets, detailing several new features under the company’s confidential computing umbrella of security features. Improvements to Intel’s trusted execution environment and a new technique for combatting jump- and return-oriented programming attacks were the most notable upgrades.Xeon’s fourth generation introduces a number of new features across the board, including marked improvements to energy efficiency, AI processing, and edge workload handling, but the security side’s highlights are virtual machine (VM) isolation technology and control flow enforcement. The former technique provides hardware-level VM isolation, without the need for hypervisor oversight — instead of a single app living inside of a trusted environment, a whole VM can live there.There are plenty of options for trusted execution environments in other areas of the stack, but Intel fellow Amy Santoni, the company’s chief Xeon security architect, said that not all of them offer the same capabilities or meet the same standards.Intel aims to secure virtual environments“It depends on your goals for a trusted environment,” she said. “If you look at the cloud today, you can have multiple tenants running on the same hardware with virtualization technology, but in just a regular cloud environment, the hypervisor still has access to all those VM’s data if you allow them to —there’s nothing at a hardware level to prevent a VM from accessing data.” That isolation is provided via Intel’s Trust Domain Extensions framework, which already works with Azure, Google Cloud, Alibaba and IBM — no timeline was provided for AWS integration at the time of this writing.Control flow enforcement is a feature that Intel has already implemented in its endpoint-focused Core line of processors, but is new to the Xeon family, aimed at stamping out a family of cyberattack techniques called return-oriented and jump-oriented programming. The idea with such attacks is to rearrange the order in which pieces of code are provided back to the application, for malicious purposes. “So I can take snippets of real, released code but I’m able to manipulate their order,” explained Santoni.Control flow enforcement, however, adds a secondary or “shadow stack” to the normal stack used to order the execution of instructions. It’s completely inaccessible to programmers, so, the idea goes, it can’t be manipulated by a bad actor. The order of instructions is compared to the “shadow stack,” which throws an error if they’re not in the correct sequence.Finally, Intel’s already-announced Project Amber is present in Xeon’s fourth generation. This is what the company describes as an out-of-station capability for its trusted execution environment, allowing users to validate that their workloads are running on Intel hardware, regardless of information provided by cloud service provbiders.“The idea is to provide customers the ability to validate the configuration of the environment they’re running in,” said Santoni. “It doesn’t mean that the CSP’s don’t provide that, it’s an additional option — when you buy a used car from a dealer, you [still] might want to take it to an independent mechanic.”The nearly 50 different SKUs in the fourth-generation Xeon family are available for preorder from February 15. Related content news UK government plans 2,500 new tech recruits by 2025 with focus on cybersecurity New apprenticeships and talent programmes will support recruitment for in-demand roles such as cybersecurity technologists and software developers By Michael Hill Sep 29, 2023 4 mins Education Industry Education Industry Education Industry news UK data regulator orders end to spreadsheet FOI requests after serious data breaches The Information Commissioner’s Office says alternative approaches should be used to publish freedom of information data to mitigate risks to personal information By Michael Hill Sep 29, 2023 3 mins Government Cybercrime Data and Information Security feature Cybersecurity startups to watch for in 2023 These startups are jumping in where most established security vendors have yet to go. By CSO Staff Sep 29, 2023 19 mins CSO and CISO Security news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe