Intel To Partners: Multiple Mitigation Methods, Tools Can Alleviate Spectre, Meltdown Exploits

Intel on Monday sent out a whitepaper to channel partners outlining the mitigation steps and security tools necessary to sidestep the Spectre and Meltdown exploits. 

"Intel has been working closely with the ecosystem, including other processor vendors and software developers, to identify mitigations for the three side channel methods … The mitigation strategy is focused on identifying techniques that can be applicable for both products currently in the market, as well as for future products in development," said the whitepaper.

The whitepaper, called "Intel Analysis of Speculative Execution Side Channels," comes in the week after the Meltdown and Spectre security flaws, discovered by security researchers last year, became highly publicized by media reports.

The exploits, which comprise three variants of a side-channel analysis security issue in server and PC processors, could potentially enable hackers to access protected data.

These security flaws, found in chips from multiple vendors, including Intel, revolve around a process called speculation, which allows processors to skip ahead in their execution of code to save time on computing processes – but which also potentially enables malicious code to access a portion of the memory on the chip.

The Santa Clara, Calif.-based company recommends a variety of steps for reducing the security risks of Spectre and Meltdown, including the bounds check bypass mitigation for software systems, the branch target injection mitigation for software, and the rogue data cache load mitigation method for operating system software.

However, on top of these mitigation methods, the company also recommends security features and technologies – which are present in existing Intel products or planned for future products – to reduce the effectiveness of the attacks.

One method of protection is enabling Intel OS Guard, the company's supervisor-mode execution prevention security tool. When OS Guard is enabled, the operating system cannot directly execute application code, making branch target attacks on the operating system more difficult for the attacker, said Intel. Intel said all major operating systems support Intel OS Guard.

Intel also said that its Execute Disable Bit tool can make it more difficult to carry out branch target injection attacks.

This hardware-based security feature allows the processor to classify areas in memory where the application code can or cannot execute, even speculatively – increasing the difficulty of attacks. Intel said that all major OS providers enable Execute Disable Bit by default.
