(in)Secure is a monthly column that dives into the rapidly escalating topic of cybersecurity.
The Spectre and Meltdown processor vulnerabilities loomed over Intel’s 2018 like an incoming snowstorm. Though speculative in nature, they affected nearly every computer with an Intel chip inside. There was no escape.
In 2019, the company just wants to move on. It wants to focus on the exciting performance gains made by new generations of chips. But moving on won’t be that easy. With so many CPUs from the past decade relying on branch prediction to enhance performance each generation, many believe that only fundamental hardware changes inside the most popular CPUs from the likes of Intel will ward off these bugs forever.
With Intel so quiet about what’s coming with its next generation of Ice Lake CPUs though, it may be that we’re far from a permanent fix. In fact, these kinds of problems may never be truly thwarted.
Beyond microcode
The earliest fixes Intel implemented against Spectre and its variants were microcode tweaks which appeared throughout the first half of 2018. These changes weren’t particularly well received because of their impact on performance.
“The microcode patches that were put out had a fairly significant performance impact because they were disabling pieces of hardware and changing things in ways that weren’t the intent when the chip was designed,” Rambus senior technology advisor, Paul Kocher explained to Digital Trends. He went on to highlight that many manufacturers of commercial products, like his own Microsoft-made Surface Pro, specifically avoid implementing some of these fixes because of how impactful they are on performance.
Ice Lake CPUs were slated as the first to receive hardware mitigation for speculative execution vulnerabilities.
The first hardware fixes Intel implemented against Spectre and its ilk — including variant three, otherwise known as Meltdown — came with the launch of its eighth-generation Whiskey Lake “U-Series.” Those were low-power chips aimed squarely at the laptop market, but Intel followed up with the same hardware-level fixes in its desktop-targeted ninth-generation Coffee Lake R CPUs.
That launch also coincided with the release of software and microcode fixes for other variants of Spectre.
While far from exhaustive, these hardware fixes were a welcome announcement from Intel considering it had previously slated the 10nm Ice Lake CPU line as the first to receive hardware mitigation for speculative execution vulnerabilities.
Since then though, Intel has been rather quiet on what Ice Lake will have in place as far as hardware fixes go. Officially unveiled at CES 2019, Ice Lake has been talked up in terms of its die shrink to 10nm (leapfrogging the now seemingly defunct Cannon Lake entirely) as well as its native support for Wi-Fi 6 and Thunderbolt 3.
But no talk of Spectre fixes was in earshot.
What new defenses will Ice Lake have?
Intel is staying quiet on what kind of hardware protections we can expect out of Ice Lake.
“In 2019, we’ll of course continue to integrate hardware-based mitigation into future products, and we’re doing so in a way that maintains the associated software interfaces we introduced with the initial mitigations in 2018,” Intel’s senior director of Intel product assurance and security, Bryan Jorgensen told Digital Trends. “Existing processor security features like supervisor-mode execution protection (SMEP), supervisor-mode access prevention (SMAP), and execute disable bit can also increase the difficulty of launching a successful attack.”
He went on to highlight the work Intel was doing with its software and hardware partners to enable protective measures like encrypted memory to further enhance PC security.
Only those working with Intel really know what the chip giant has planned for Ice Lake, but Rambus’ Paul Kocher believes he has a pretty good insight from talking with engineers over the past year. It can get technical, but distinguishing these different strands of the vulnerability are important for knowing exactly what Intel can and can’t do with Ice Lake.
The most important improvement he thinks we’ll see with Ice Lake is a mitigation of Intel’s earlier mitigations. The model specific registers (MSR) like IBRS, which Intel offers to software developers as an optional fix for Spectre problems, will either be implemented in the hardware or modified so that the performance impact is negligible. That’s great news.
“They’ve created these MSRs but right now the performance you get from leaving the protections enabled and using them in the operating system is so large that people aren’t generally using them widely,” he said. “I suspect with the new processors they will fix that. They’ll make them run with high enough performance that it’s safe to leave them enabled all the time.”
That should mean Spectre variant two is taken care of — and without the performance cut. Spectre variant three, otherwise known as Meltdown, will also be shored up much more securely, he said. Fixing that issue is pretty straightforward, he said, so not seeing a pretty permanent fix for it in Ice Lake would be a surprise. Better yet, doing so should “reclaim the performance overhead that was introduced by those operating system changes.”
That’s good, right?
Spectre fixes, particularly at the hardware level or at least without performance overheads are indeed a good sign that Intel continues to take these exploits paths seriously. In early January, Wired profiled the “Elite team” within Intel, which is going after these problems and trying to find smart workarounds for them.
The problem is that these fixes don’t go far enough. As far as Kocher sees it, Intel has no concrete plan for fixing Spectre variant one. The only proposed solution that he’s caught wind of pushes the problem onto software developers and asks them to input what’s known as an “LFENCE” command within an application every time there’s an “if” statement within its coding.
Not only does that have a major performance impact, Kocher said, but it’s required of new and legacy software. In theory, to protect against Spectre in this manner, every piece of software that runs on modern PCs, both Windows and MacOS would have to be rewritten with this fix in mind. It’s completely unrealistic.
“Spectre is an unmitigated risk that will be lingering for a long time.”
“From what I know of Intel’s roadmap for the next few years, there’s not a clear solution that’s been put forward,” Kocher said. “It’s an unmitigated risk that will be lingering for a long time.”
Worse still, Kocher believes that there is little in the future of CPU chip design at a variety of companies which will ward of these kind of speculative bugs. His view of the future sees many manufacturers using lots of speculative optimizations to further enhance performance, which leaves them vulnerable to these sorts of attacks.
Fortunately, it’s not a problem
The only silver lining to all this is that for the average person, Spectre and its fellow branch misdirection exploits are the least of our security worries. There are far easier ways for nefarious hackers to infiltrate systems. Malware and social engineering have been successful attack vectors for decades and that seems unlikely to change any time soon.
That’s not the case for everyone though. We asked Kocher if there was any point in upgrading to Intel’s Ice Lake purely for security purposes. His answer depends on who you are.
“If you’re a cloud provider and you’re mixing workloads between customers on the same processor or god forbid even using hyperthreading to run malicious workloads simultaneously within the same core,” he said. “Within those environments the security implications are very different and any upgrades put in may be extremely important.”
Spectre and its contemporaries will likely remain a looming apparition over the CPU industry for years to come, and it’s something that bears remembering it exists. But if you want to improve your chances of avoiding being hacked, there are are certainly more things to worry about than any potential fixes Ice Lake might bring to the table.