Stop System Hijackers with Intel OS Guard

Stop System Hijackers with Intel OS Guard

If an attacker can make your system do whatever he wants, you can be in deep trouble. Escalation-of-privilege attacks use vulnerabilities in your operating system to place the processor in supervisor mode which is meant to be reserved for highly trusted kernel code. When in supervisor mode, the processor may perform any operation allowed by its architecture. Any instruction may be executed, any I/O operation initiated, any area of memory accessed—unless your system is protected by Intel Device Protection Technology with OS Guard (Intel OS Guard).

Malware typically enters a system through application memory by compromising a user application or tricking a user into installing the malware. Intel OS Guard, built in to certain Intel Core processors, Intel Atom processors, and Intel Xeon processors and automatically enabled on supported systems, offers two types of protection against escalation-of-privilege attacks:

• Malware execution protection. Prevents malware from executing code in application memory space by instructing the processor to not execute any code that comes from application memory while the processor is in supervisor mode.
• User data access protection. Prevents malware from accessing data in user pages by instructing the processor to block access to application memory while the processor is in supervisor mode.

 

There should be no legitimate reason for the processor to be in supervisor mode when it runs code from application memory, and with Intel OS Guard, the processor can block the execution of any code that resides in application memory while the processor is in supervisor mode. Because malware resides in application memory, Intel OS Guard can keep it from running code in supervisor mode which can prevent malware from performing operations reserved for the kernel.

Likewise, there are rarely valid reasons for the processor to be in supervisor mode while data in application memory is being read or written, and with Intel OS Guard, the processor blocks access to data in application memory. For unusual cases where accessing user data in application memory needs to be done in supervisor mode, this Intel OS Guard protection can be carefully and temporarily turned off.