Intel Details CPU ‘Virtual Fences’ Fix As Safeguard Against Spectre, Meltdown Flaws

Intel introduced hardware-based protections to its new chips to protect against the Spectre and Meltdown flaws that rocked the silicon industry when the vulnerabilities were made public in early 2018.

Spectre and Meltdown, which account for three variants of a side-channel analysis security issue in server and desktop processors, could potentially allow hackers to access users’ protected data. The security flaws, which were first disclosed by Google Project Zero in early January, impact processors including those from Intel, ARM and AMD.

In order to protect against these flaws, Intel said Thursday said it has designed a new set of CPU design features that work with the operating system to install “virtual fences” protecting the system from speculative execution attacks that could exploit a variant of the Spectre flaw.

“We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3,” Brian Krzanich, CEO of Intel, said in a blog post. “Think of this partitioning as additional “protective walls” between applications and user privilege levels to create an obstacle for bad actors.”

Krzanich said the new safeguards will be built into Intel’s next-generation Xeon Scalable processors, code-named Cascade Lake, as well as Intel’s eighth-gen Core processors that are expected to ship in the second half of 2018.

“As we bring these new products to market, ensuring that they deliver the performance improvements people expect from us is critical. Our goal is to offer not only the best performance, but also the best secure performance,” said Krzanich in a statement.

On the heels of Intel’s announcement of hardware fixes, many in the industry are still waiting for more in-depth details on these upcoming chips, including specifics around performance and how the security features operate at a technical level.

> Promise has been given, but we know only a few details abut the HW solution…<https://t.co/WmThNMIlKh&gt;[#Intel](&lt;https://twitter.com/hashtag/Intel?src=hash&ref_src=twsrc^tfw&gt;) #Meltdown #Spectre #vulnerability #hardware #Solution #CyberSecurity
>
> — Peter Santavy (@PSantavy) March 16, 2018

> Intel has announced that their next-gen Xeons (Cascade Lake) and 8th Gen Core that will ship in H2 have been redesigned in order to protect against Spectre (Var 2, #CVE-2017-5715) and Meltdown (Var 3, CVE-2017-5754) through partitioning. Exact details were not disclosed.
>
> — WikiChip (@WikiChip) March 16, 2018

In addition to Intel’s new hardware, Krzanich said that the company has now also released microcode updates for all the Intel products launched in the past five years requiring protection against Spectre and Meltdown.

That includes the company’s newer Skylake, Kaby Lake and Cannon Lake platforms, as well as its Broadwell and Haswell platforms, which were patched in February.

Intel has been looking to step up its security game on the heels of Google Project Zero’s discovery of Meltdown and Spectre. Earlier this year the company launched a new bug bounty program focused specifically on side channel vulnerabilities similar to Spectre and Meltdown, with potential awards for disclosures totaling up to $250,000. In February, Intel released a new whitepaper detailing Google’s software fix for Spectre, called Retpoline.

There are three variants of the side-channel issue that impact both the hardware and software of Intel chips; while Meltdown breaks down the mechanism keeping applications from accessing arbitrary system memory, Spectre tricks other applications into accessing arbitrary locations in their memory. Intel said that its hardware security technology will protect against the Spectre variant 2 and Meltdown variant 3 flaws, however software fixes are still required to protect against Spectre variant 1 vulnerabilities.