March 16, 2018 // 11:22 a.m.
Intel head Brian Krzanich has announced how the company plans to address the Meltdown and Spectre security vulnerabilities in its upcoming processor releases, promising that the first immune-by-design chips will roll out before the end of the year.
Initially leaked as an Intel exclusive design flaw compromising system security before being officially unveiled as a family of vulnerabilities affecting most modern processors, the Meltdown and Spectre vulnerabilities have caused no end of heartache for microprocessor companies. Intel has been particularly hard-hit: Initially thought to be the only company affected by Meltdown, before a secondary variant was discovered to affect selected Arm processors as well, Intel has been slowly forced to admit that its fixes for the flaws cause significant performance degradation for selected workloads particularly on systems from 2015 and prior - to the point, in fact, where Intel advises its data centre customers to think long and hard about whether security or performance is their key consideration - before having to withdraw the fix altogether to address random reboot issues across its entire product range.
With those embarrassments, and the news that Intel's Brian Krzanich sold the maximum number of company shares legally permissible after the company knew of the flaws but before they were made public, Intel is keen to get things back on track. Earlier this year the company pledged to release chips using a Meltdown- and Spectre-immune design which does not rely on software or microcode mitigations for security, and now Krzanich has released the first details of said redesign.
'We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3,' Krzanich writes in a blog post published late yesterday. 'Think of this partitioning as additional "protective walls" between applications and user privilege levels to create an obstacle for bad actors.
'These changes will begin with our next-generation Intel Xeon Scalable processors (code-named Cascade Lake) as well as 8th Generation Intel Core processors expected to ship in the second half of 2018. As we bring these new products to market, ensuring that they deliver the performance improvements people expect from us is critical. Our goal is to offer not only the best performance, but also the best secure performance.'
Interestingly, however, these parts will not be completely immune to exploitation: Krzanich has confirmed that Variant 1, the bounds check bypass aspect of the Spectre vulnerability, will continue to rely on software mitigation being present in the host operating system; hardware protection will only be available for Spectre Variant 2, branch target injection, and Meltdown, also known as Variant 3 rogue data cache loading.
In the same post, Krzanich confirmed that the re-released and now hopefully-less-crashy microcode mitigation patches have been released for all vulnerable Intel products from the last five years, but did not discuss when or if the company plans to release patches for older products.