Protecting Against Speculation Vulnerabilities

How Intel is mitigating transient execution vulnerabilities before they become more than interesting research.

By Martin Dixon
I recently provided an overview of Intel’s security strategy, and today I want to focus specifically on our long-term strategy to help protect against transient execution attack methods. Solving some of the industry’s biggest challenges is often what attracts people to a career in security, and we are fortunate to have many of the world’s greatest security experts on our team.

The nature of security threats continues to evolve, and we are evolving with it. Mitigations for known vulnerabilities are available today through a combination of software, hardware and microcode updates.

What We are Setting Out to Solve
Transient execution vulnerabilities are a class of vulnerabilities that can allow an attacker to infer information that would otherwise be prohibited by architectural access control schemes.

Improvements in CPU architecture have powered the internet and everything we do. To deliver the performance that powers modern life, processors execute instructions speculatively. Processors may “speculate” that a control flow path (i.e., a branch) can use a value before the processor confirms the branch is resolved correctly, so execution may proceed using temporary values. Think of it like a weather prediction. You are probably correct most of the time, but occasionally you are caught out in the rain. When the prediction is wrong, there is a remnant left of those incorrect path operations, like soggy clothes.

The potential for a transient execution to extract data being carried across a branch or a load is still a new field of research. Even though transient execution attacks are highly complex and difficult to carry out successfully outside of a lab, we expect it to remain a persistent focus area for researchers and the computer industry. This research is something we support through academic programs, including the Side Channel Academic Program. We believe ongoing research is not only good for Intel, but it also helps move the industry forward.

Improved Protection
At Intel, one key element to our product strategy is to design hardware, firmware and software that collaborate across all elements of the stack. Our holistic approach to product security starts with foundational platform security, providing a stable base for software reliability and workload protection. This full stack approach is key to protecting against speculation vulnerabilities.

While nowhere near as draconian as “don’t speculate,” the mitigations that the industry put in place to respond in 2018 were cautious and not yet fully optimized. Over time, our collective understanding of the space has evolved, and we have been able to implement mitigations that allow for safer and more efficient execution.

Mitigations are available today for known vulnerabilities. Security is a system property. This means that mitigations and defenses can be applied at varying levels of the system from application to hardware. For example, defensive coding practices are a best practice that decrease exposure to a variety of weaknesses. Many mitigations are appropriate at the operating system and virtual machine monitor layer, and some mitigations are best implemented in the underlying hardware.

Meanwhile, we have not been sitting still on enhancing our future products. Not only have we built additional capabilities into the microarchitectures, but we are also adding new instruction set architecture (ISA) extensions. We believe the software-hardware contract needs to evolve to indicate more intent to the hardware. Perhaps to misappropriate Robert Frost, “Good fences make good neighbors.” In a similar sense, we are working with our ecosystem partners to enhance the instruction set to indicate where security boundaries might exist.

Under this new paradigm, software uses security-augmented ISA extensions to convey security intent. For example, Hypervisor-managed linear address translation (HLAT) is an efficient solution to help protect the kernel. While there are fencing operations available today in our architectures, we are adding a new serialization instruction that allows a graceful pause of speculation. These new operations will be available shortly in our product line.

To accelerate the development of new ISA extensions, Intel invests in programming languages, compilers and tools to understand how software security properties can be captured by the ISA. At the same time, we are hardening hardware below the ISA boundary to provide mitigations at the CPU level.

Broadening the software-hardware interface will require greater software ecosystem engagement to enable. Yet, the inherent tunability of these features would allow each developer to optimize performance and security to meet their specific needs.

From the introduction of 80286 protected mode to revolutionary technologies like Intel^® Control-Flow Enforcement Technology, Intel^® Software Guard Extensions, Intel^® Threat Detection Technology and Intel^® Crypto Acceleration, Intel has established itself as a leader in hardware-enabled security.

With our unparalleled scope of hardware, firmware and software expertise, Intel is uniquely positioned to deliver protective technologies that continue to support our customers’ success.

Martin Dixon is an Intel fellow and vice president in the Intel Security Architecture and Engineering Group at Intel Corporation.

www.intel.com

  Ask For More Information…