Processor Security Issue: Intel Says Processors Working As Designed


Intel said the processor side-channel analysis security issues known as Spectre and Meltdown are not a result of flaws in processors, which are performing as designed.

The issues, which many in the industry have blamed on Intel's processor design, instead stem from side-channel analysis, which Intel said impacts most modern processors.

Steve Smith, Intel's corporate vice president and general manager for data center engineering, late Wednesday told financial analysts that the security issues lie in the approach researchers used to compromise a system, and not in the processors themselves.

[Related: 7 Things You Need To Know About Spectre And Meltdown Security Exploits]

Sponsored post

"The processor is, in fact, operating as it is designed," Smith said. "And in every case, it's been this side-channel approach that the researchers used to gain information even while the processor is executing normally its intended functions."

Side-channel analysis, as defined by Intel, is "some observable aspect of a computer system’s physical operation, such as timing, power consumption or even sound" which can be analyzed to potentially expose sensitive data on computer systems that are operating as designed.

According to a blog post from the Google Project Zero team, one of the first research teams to notice the potential impact of the side-channel analysis issue in processors from Intel, AMD, and ARM Holdings, there are three possible ways it could be exploited, based on proofs-of-concept tests it developed.

Two of those variants are known as Spectre and include one that under certain circumstances be used to leak Linux kernel memory and another that could change how an application works based on the contents of memory.

The third, known as Meltdown, could let an application read kernel memory from userspace without misdirecting the control flow of kernel code, the Google Project Zero team wrote.

"Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01," the Project Zero team wrote.

Processors tested by the Project Zero team include the "Haswell" Intel Xeon CPU E5-1650 v4 at 3.5-GHz, the AMD FX-8320 eight-core processor, and the ARM Cortex "A57 from a Google Nexus 5x phone.

Potential attacks using side-channel analysis might allow an attacker to use the exploit to observe the contents of privileged memory, and thereby circumventing the privileged level, Smith said.

These exploits do not have the potential to corrupt, modify, or delete data, he said.

"Malware that's using this method and running on the computer locally can expose sensitive data that attackers might be interesting in finding on the system," he said.

However, he said, this would be a very complex type of attack. "One can read the content of the memory at a given address," he said. "And that address may or may not have information that's actually relevant or useful to the attacker."

During the financial analyst call, when asked by an investment analyst about comments from AMD that the issue does not impact that company's processors, Smith responded that the researchers had demonstrated some of the exploits running across a variety of product implementations, both in hardware and software.

"It's an industry issue," he said. "And you'll have to ask each participant what their specific mitigation implementations are."

AMD earlier told CRN in a statement that there is currently "near-zero risk" to its processors from Spectre and Meltdown, and that the company does not need to any type of firmware or OS updates to address the Spectre and Meltdown issues.

ARM Holdings stated that Spectre and Meltdown do not impact the majority of ARM processors.

Apple on Thursday said via a support blog post that its Mac and iOS devices, many of which run using Intel and ARM-based processors, could be impacted by Spectre and Meltdown, and that the company is in the process of mitigating the issues.

When asked by an investor analyst about how mitigations to the security issue might impact cloud and data center infrastructures vs. PCs, Smith replied, "It depends on the workload specifically in use, and a little bit less on where the workload is."

Ronak Singhal, Intel Fellow and director of CPU compute architecture at Intel, said that Intel does not differentiate the performance impact on a PC vs. in a data center, but instead any implications are really dependent on the attributes of the workload.

Using industry benchmark testing, Intel has seen the average impact of the mitigations on performance to be between 0 percent and 2 percent, Singhal said. That impact could rise to 30 percent or more for workloads that spend a lot of time going back and forth between the operating system and the application, he said.

Customers are already starting to ask about the processor security issues, said Dominic Daninger, vice president of engineering at Nor-Tech, a Burnsville, Minn.-based custom system builder with a focus on the high-performance computing market.

In a way, the industry knew something like this was coming, Daninger told CRN.

"We follow Linux closely," he said. "Even during the holidays, people were looking at things being done in the Linux Kernel and could tell something big was coming up."

The processor-related security issues will likely impact cloud providers and those heavily into virtualization the most, Daninger said. High-performance computing, on the other hand, is typically not connected to the Internet, and so will be less likely to be impacted.

"Most of our high-performance computing systems have a firewall and/or an air gap between the system and the Internet," he said. "One of our customers, the Federal Aviation Administration, never connects to the internet."

As of late Thursday afternoon, Nor-Tech had yet to receive promised information about the side-channel analysis security issue from Intel, Daninger said.

"Our Intel rep promised to get us information from Intel, but as of late today we hadn't gotten it yet," he said. "The situation probably is like the one when Intel had those floating point issues, only worse because this is impacting 10 years of processors."