Intel Steps Up Further to Fix Spectre / Meltdown Vulnerabilities

The qualities required for business leadership, or leadership of any sort, aren’t exactly hard to come by.

Forthrightness, taking responsibility for your own and your organization’s actions, respect for fellow workers, partners and customers, recognizing others’ contributions and bringing out the best in them—are all values one learns early on. If not, there are virtual mountains of books, slide decks and Ted Talks extolling and offering various takes on these well-worn issues.

But in high tech today, these qualities are all too often recognized by their absence. The industry lionizes entrepreneurs and “innovators” even when they veer off the rails into sociopathic “bro culture” behavior. Then there are industry mainstays that love the spotlight so long as they themselves manage the controls.

Take, for example, Facebook’s ongoing run of bad news cycles concerning the company’s relationship with advertising partner, Strategic Communication Laboratories (SCL), and its political data analytics firm, Cambridge Analytica. That includes explosive reports published over the weekend by The Guardian and the New York Times profiling Christopher Wylie, a former executive at Cambridge Analytica.

Wylie detailed how his employer harvested data from 50+ million Facebook users in the U.S., then developed sophisticated individual psychological profiles to promote the 2016 election of Donald Trump via often dodgy news stories. On Monday morning, Facebook shares shed nearly 7 percent of their value, pulling down the rest of the tech sector.

Where has Founder/CEO Mark Zuckerberg been in all this? Mostly out of sight, though whether this qualifies as corporate damage control, “leading from behind” or a simple CYA exercise remains to be seen.

On the far opposite end of the responsibility scale is Intel’s handling of its recent problems with Spectre and Meltdown exploits. Intel CEO Brian Krzanich recently published another update of the company’s efforts to mitigate and fix the underlying issues related to the exploits, providing something of a master class of sorts in how corporate responsibility can and should work.

The specter of Spectre/Meltdown

If you haven’t been following the news about all this, Spectre and Meltdown are the monikers for three exploit variants that take advantage of the speculative execution features common in modern CPUs. The potential for this opening systems to “side channel” attacks was discovered by Google’s Project Zero bug-finding team in mid-2017 and made public in January after rumors about the exploits were reported in the media.

Since virtually all CPUs leverage speculative execution to some degree, Spectre and Meltdown vulnerabilities can potentially impact architectures, including Intel and AMD X86, IBM Power, Arm and Oracle Sparc. While NVIDIA initially claimed its GPUs were immune, the company later updated its driver software to address any potential vulnerabilities.

Intel steps up

By dint of its leadership position in markets ranging from individual personal computing endpoints to massive public cloud infrastructures and supercomputing installations, Intel, its technologies and its customers have the greatest exposure to the vulnerabilities. Though there have been no reports of systems being compromised, the company went all-in on publicly acknowledging the problem, clearly stating what it planned to do and delivering initial software fixes in short order, as well as plans for longer term hardware-based solutions.

Intel further detailed the process with a new blog covering the continuing mitigation process and its intention to “advance security at the silicon level.” Krzanich stated that Intel has released microcode updates for 100 percent of company products launched during the past five years. He also noted that while Variant 1 will continue to be addressed with software mitigations, Intel has redesigned parts of its processors to support partitions that will offer new levels of protections against Variants 2 and 3.

Those partition features will be available beginning with Intel’s next-gen Cascade Lake Xeon CPUs, along with the 8^th gen Intel Core processors expected to ship in the second half of 2018. Intel’s goal, Krzanich said, “Is to offer not only the best performance, but also the best secure performance.”

Final analysis

It should also be noted that along with the Spectre and Meltdown vulnerabilities affecting different chip architectures to different degrees, the impact of Intel’s software updates on system performance also varies widely from system to system and application to application. As detailed by Tim Prickett Morgan in The Next Platform, Intel found that, “The manner in which the application is written, what the application does, and how often it does certain things has a great effect on the performance hit” from the patches.

Further, the applications most affected by the mitigation patches “Have a larger number of user/kernel privilege changes; a high number of system calls, interrupt rates, or page faults; do a lot of transitioning between guest virtual machines and hypervisors; or spend a lot of time inside the hypervisor or running in privileged mode.”

However, certain approaches like Google’s Retpoline, a binary modification technique for mitigating branch target injection attacks, has a much lower impact on system performance. In other words, your mileage will vary significantly depending on a variety of factors. With these points in mind, it’s critical for system owners to carefully study, implement and manage benchmark tests and procedures.

These points aside, Intel deserves kudos for clearly and directly addressing the challenges of Spectre and Meltdown. The company and CEO Brian Krzanich are progressing transparently and actively engaging partners to help speed the process and benefit customers.

While it’s clear that the situation isn’t one the company and its partners and customers would choose, it’s difficult to envision how it could be better managed or imagine a better example of technology industry leadership.