NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY
SI-7(13) — Code Execution in Protected Environments
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Execute critical code in protected environments where it cannot be tampered with by other processes or users.
Example 1: Use Windows Virtualization-Based Security (VBS) to run code integrity enforcement in a protected environment. Even if an attacker gains kernel-level access, they cannot disable code integrity enforcement, because it runs in the isolated environment that VBS provides, outside the reach of the normal kernel.
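A practitioner assessing this example wants evidence that VBS and hypervisor-protected code integrity (HVCI) are actually running, not merely configured. The following PowerShell check is an added example, not text from the NIST control or from Microsoft; it assumes a supported Windows 10/11 or Windows Server host where the documented Win32_DeviceGuard WMI class is present, and it is run from an elevated prompt. The function name Get-VbsCodeIntegrityState and the MeetsSI7_13Intent field are names chosen here for illustration.

```powershell
# Added example (not from the NIST control text): report whether VBS and
# HVCI are running, using the documented Win32_DeviceGuard WMI class.
# Assumption: supported Windows 10/11 or Server build, elevated session.

function Get-VbsCodeIntegrityState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled,
    # 1 = enabled but not running, 2 = enabled and running.
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled but not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # SecurityServicesConfigured / SecurityServicesRunning are arrays of
    # service IDs; 1 = Credential Guard, 2 = HVCI (memory integrity).
    $hvciConfigured = $dg.SecurityServicesConfigured -contains 2
    $hvciRunning    = $dg.SecurityServicesRunning    -contains 2

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        VbsState          = $vbsState
        HvciConfigured    = $hvciConfigured
        HvciRunning       = $hvciRunning
        # Hypothetical field name: true only when code integrity enforcement
        # is executing inside the VBS-protected environment right now.
        MeetsSI7_13Intent = ($dg.VirtualizationBasedSecurityStatus -eq 2) -and $hvciRunning
    }
}

Get-VbsCodeIntegrityState | Format-List
```

A state of "Enabled but not running" with HvciConfigured true and HvciRunning false is the case assessors most often misread as compliant: the policy is set, but enforcement has not started (typically a pending reboot or an unmet hardware prerequisite), so the protected environment the control describes does not yet exist on that host.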
Example 2: Use Intel SGX or AMD SEV to execute sensitive algorithms (encryption, authentication) in hardware-protected enclaves. The enclave's code and data are encrypted in memory and inaccessible to all other software, including the operating system.