
Intel let Google Cloud hack its new secure chips and found 10 bugs


Google Cloud and Intel published results today of a nine-month audit of Intel’s new hardware security product: Trust Domain Extensions (TDX). The analysis revealed 10 confirmed vulnerabilities, including two that researchers from both companies flagged as important, as well as five findings that led to proactive changes to further strengthen TDX’s defenses. The review and corrections were completed prior to the production of the fourth generation of Intel Xeon processors, known as “Sapphire Rapids”, incorporating TDX.

Security researchers from Google Cloud Security and Google’s Project Zero bug-hunting team collaborated with Intel engineers on the assessment, which initially returned 81 potential security issues that the group investigated further. The project is part of Google Cloud’s Confidential Computing initiative, a set of technical capabilities for keeping customer data encrypted at all times and making sure they have full access controls.

The security risks are incredibly high for the massive cloud providers that run much of the world’s digital infrastructure. And while they can refine the systems they build, cloud companies still rely on proprietary hardware from chipmakers for their underlying computing power. To get a deeper insight into the processors they depend on, Google Cloud worked with AMD in a similar audit last year and built on the long-standing relationship of trust between Intel and Google to launch the TDX initiative. The goal is to help chipmakers find and fix vulnerabilities before they lead to potential exposure for Google Cloud customers or anyone else.

“It is not trivial because the companies, we all have our own intellectual property. And, in particular, Intel had a lot of intellectual property in the technologies that they brought to this,” says Nelly Porter, group product manager for Google Cloud. “For us, being able to be incredibly open and trust each other is valuable. The research we’re doing will help everyone because Intel Trusted Domain Extension technology will be used not only at Google, but everywhere else.”

Researchers and hackers can always work to attack hardware and online systems from the outside, and these exercises are valuable because they simulate conditions in which attackers would typically look for weaknesses to exploit. But collaborations like the one between Google Cloud and Intel have the advantage of allowing outside researchers to run black-box tests and then collaborate with engineers who have a deep understanding of how a product is designed, potentially discovering even more about how the product could be better protected.

After years of struggling to remedy the security consequences of design flaws in a processor feature known as “speculative execution,” chipmakers have invested more in advanced security testing. For TDX, Intel’s internal hackers conducted their own audits, and the company also put TDX through its paces by inviting researchers to examine the hardware as part of Intel’s bug bounty program.

Anil Rao, Intel’s vice president and general manager of systems architecture and engineering, says the opportunity for engineers from Intel and Google to work together was particularly fruitful. The group had regular meetings, collaborated to jointly track the findings, and developed a camaraderie that motivated them to dig even deeper into TDX.

