Are Intel Core 2 Chips a Security Threat?6:54 PM EST Fri. Jun. 29, 2007
Intel's Core 2 CPUs shipped through April contain an unprecedented number of potentially serious security flaws, and the chip giant isn't releasing enough information to allow developers to assess or work around them, according to OpenBSD founder Theo de Raadt.
De Raadt issued a blistering missive Wednesday on an OpenBSD listserv, writing: "These processors are buggy as hell, and some of these bugs don't just cause development/debugging problems, but will *ASSUREDLY* be exploitable from userland code."
"I don't think Intel has made a correct assessment of the impact that some of these flaws can have," he told CRN. "I think that some of them have really severe potential security impacts."
De Raadt based his comments on both an "errata list" Intel published in May and results from his own testing of the OpenBSD operating system on Core 2 chips. He said that most of the errors were most likely to cause system crashes, but that some might be exploited to create sophisticated attacks. He did not claim to be aware of any specific attacks that rely on these flaws.
An Intel spokesperson said the company had no specific comments to make about de Raadt's accusations.
"What I'll say is that we have an extremely rigorous validation and testing program inside Intel. And in turn, our OEMs and channel partners have their own testing programs and we look to investigate and address every single issue that we can help with," the spokesperson said. "We've been publishing errata since 1994 and I don't think any other semiconductor company can say that."
But according to de Raadt, Intel was keeping open source developers and small systems builders in the dark about details of the bugs on the errata list and the status of patches. AMD, he said, has been more transparent with the OS developer community regarding errata.
"The biggest change that Intel can make moving forward is to ensure that every microcode update discloses exactly which errata number was fixed. And perhaps help operating systems vendors have enough information so that they can probe each chip to see which errata apply. AMD does this," de Raadt said.
Margaret Lewis, AMD's director of commercial solutions, said that AMD makes a particular effort to work with open source developers on errata.
"AMD takes an approach with the market to provide information as needed. We publish errata because the open source community needs that information," she said.
Systems builders, researchers and even open source heavyweight Linus Torvalds were cautious in response to de Raadt's accusations.
"Pretty much all CPUs have always had errata, and the commodity CPUs usually have much fewer of them than the boutique ones," Torvalds wrote in an e-mail response to de Raadt that was published Wednesday on a Real World Technologies forum.
One university researcher who works closely with Intel and AMD suggested that de Raadt might be "completely overreacting" to the Intel errata in question.
"When they say that a particular erratum is 'fixed in the BIOS,' that's often code for 'fixed by a microcode update.' Intel and AMD don't like to admit how much the processor behavior can be changed with microcode," said the researcher, who preferred to remain anonymous.
"But some errata that seem serious really aren't as serious as they sound. I saw an erratum for a processor a while back that could result in a complete processor hang. There was no fix or workaround. But it had never been observed on a physical part. The bug was only discovered in simulating the chip with a particularly torturous set of inputs."
According de Raadt, however, all of the errata on Intel's list are present on every Core 2 chip shipped before the end of April. He claimed that this list was "scarier" than any he had previously seen, and that some of the flaws had already shown up in his own testing.
"AMD has never had a bug like this. I think Intel didn't do enough simulation of their hardware, and that's how they ended up with this situation. I've seen a lot of errata documents from other vendors before, even undisclosed ones. I haven't seen anything this bad," de Raadt said.
Systems builders said Intel's provision of BIOS patches on the Core 2 CPUs hadn't been an issue for them.
"When there's a problem, we ask Intel for help. So far, we've had no problem dealing with Intel. Whenever we've encountered a problem, we just go to their Web site and download the patch if it's needed," said Daniel Lo, owner of LCF Advanced Technology in Richmond, British Columbia.
Dylan Fraser, production supervisor at Columbus Micro Systems in Columbus, Ohio, said a patch for what he believed was a Microsoft problem was the only major issue with the Core 2 chips of which he was aware.
"If you have an updated BIOS from April or on, it'll solve the Microsoft fix. I receive an e-mail notification when updates for software or BIOS are released. I believe I'm receiving specific notification from Intel and it's not a big concern to me," Fraser said.
Advantage Computers president J.R. Guthrie said he and his engineers had been working with Intel on fixing a flaw involving the Ubuntu operating system, but had not heard about any problems with the Core 2 Duos.
"One of my engineers was talking to Intel and they admitted they had a flaw in the 965 BIOS, but I'm unaware of this other situation. But then I don't think we've ever done OpenBSD on Core 2 Duos," said Guthrie, whose company is based in Tuscon, Ariz.