Intel’s chips are still vulnerable, and the new Ice Lake won’t patch everything


(in)Secure is a monthly column that dives into the rapidly escalating topic of cybersecurity.

The Spectre and Meltdown processor vulnerabilities loomed over Intel’s 2018 like an incoming snowstorm. Though speculative in nature, they affected nearly every computer with an Intel chip inside. There was no escape.

In 2019, the company just wants to move on. It wants to focus on the exciting performance gains made by new generations of chips. But moving on won’t be that easy. With so many CPUs from the past decade relying on branch prediction to enhance performance each generation, many believe that only fundamental hardware changes inside the most popular CPUs from the likes of Intel will ward off these bugs forever.

With Intel so quiet about what’s coming in its next-generation Ice Lake CPUs, though, it may be that we’re far from a permanent fix. In fact, these kinds of problems may never be truly thwarted.

Beyond microcode

The earliest fixes Intel implemented against Spectre and its variants were microcode tweaks which appeared throughout the first half of 2018. These changes weren’t particularly well received because of their impact on performance.

“The microcode patches that were put out had a fairly significant performance impact because they were disabling pieces of hardware and changing things in ways that weren’t the intent when the chip was designed,” Rambus senior technology advisor Paul Kocher explained to Digital Trends. He went on to highlight that many manufacturers of commercial products, like his own Microsoft-made Surface Pro, specifically avoid implementing some of these fixes because of how much they cost in performance.

Ice Lake CPUs were slated as the first to receive hardware mitigation for speculative execution vulnerabilities.

The first hardware fixes Intel implemented against Spectre and its ilk — including variant three, otherwise known as Meltdown — came with the launch of its eighth-generation Whiskey Lake “U-Series.” Those were low-power chips aimed squarely at the laptop market, but Intel followed up with the same hardware-level fixes in its desktop-targeted ninth-generation Coffee Lake R CPUs.

That launch also coincided with the release of software and microcode fixes for other variants of Spectre.

While far from exhaustive, these hardware fixes were a welcome announcement from Intel considering it had previously slated the 10nm Ice Lake CPU line as the first to receive hardware mitigation for speculative execution vulnerabilities.

Since then though, Intel has been rather quiet on what Ice Lake will have in place as far as hardware fixes go. Officially unveiled at CES 2019, Ice Lake has been talked up in terms of its die shrink to 10nm (leapfrogging the now seemingly defunct Cannon Lake entirely) as well as its native support for Wi-Fi 6 and Thunderbolt 3.

But no talk of Spectre fixes was in earshot.

What new defenses will Ice Lake have?

Intel is staying quiet on what kind of hardware protections we can expect out of Ice Lake.

“In 2019, we’ll of course continue to integrate hardware-based mitigation into future products, and we’re doing so in a way that maintains the associated software interfaces we introduced with the initial mitigations in 2018,” Bryan Jorgensen, Intel’s senior director of product assurance and security, told Digital Trends. “Existing processor security features like supervisor-mode execution protection (SMEP), supervisor-mode access prevention (SMAP), and execute disable bit can also increase the difficulty of launching a successful attack.”

He went on to highlight the work Intel was doing with its software and hardware partners to enable protective measures like encrypted memory to further enhance PC security.

Intel senior vice president in the Client Computing Group, Gregory Bryant, displays an Ice Lake system-on-chip at CES 2019. Walden Kirsch/Intel Corporation

Only those working with Intel really know what the chip giant has planned for Ice Lake, but Rambus’ Paul Kocher believes he has a pretty good insight from talking with engineers over the past year. It can get technical, but distinguishing the different variants of the vulnerability is important for knowing exactly what Intel can and can’t do with Ice Lake.

The most important improvement he thinks we’ll see with Ice Lake is a mitigation of Intel’s earlier mitigations. The model-specific registers (MSRs) such as IBRS, which Intel offers to software developers as an optional fix for Spectre problems, will either be implemented in hardware or modified so that the performance impact is negligible. That’s great news.

“They’ve created these MSRs but right now the performance you get from leaving the protections enabled and using them in the operating system is so large that people aren’t generally using them widely,” he said. “I suspect with the new processors they will fix that. They’ll make them run with high enough performance that it’s safe to leave them enabled all the time.”

That should mean Spectre variant two is taken care of — and without the performance cut. Spectre variant three, otherwise known as Meltdown, will also be shored up much more securely, he said. Fixing that issue is pretty straightforward, so not seeing a fairly permanent fix for it in Ice Lake would be a surprise. Better yet, doing so should “reclaim the performance overhead that was introduced by those operating system changes.”

That’s good, right?

Spectre fixes, particularly at the hardware level or at least without performance overheads, are indeed a good sign that Intel continues to take these exploit paths seriously. In early January, Wired profiled the “Elite team” within Intel, which is going after these problems and trying to find smart workarounds for them.

The problem is that these fixes don’t go far enough. As far as Kocher sees it, Intel has no concrete plan for fixing Spectre variant one. The only proposed solution that he’s caught wind of pushes the problem onto software developers and asks them to insert what’s known as an “LFENCE” instruction into an application every time there’s an “if” statement in its code.

Not only does that have a major performance impact, Kocher said, but it’s required of both new and legacy software. In theory, to protect against Spectre in this manner, every piece of software that runs on modern PCs, on both Windows and MacOS, would have to be rewritten with this fix in mind. It’s completely unrealistic.
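As an added illustration, not code from the article or from Intel, here is the fence placement Kocher is describing, in C: the ordinary bounds-checked lookup beside the same lookup with an LFENCE on the taken path of the “if”. The table contents are constructed, and the non-x86 fallback is an assumption made only so the file compiles elsewhere.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed sample table; in real code this is whatever the
 * application indexes with a value it does not fully control. */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 };

/* Speculation barrier: LFENCE on x86, which stops later instructions
 * from issuing until the branch before it has resolved. On other
 * architectures this degrades to a plain compiler barrier (assumption:
 * only x86 matters here, as in the article). */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

/* Bounds-checked lookup as normally written. Architecturally correct,
 * but the CPU may speculatively perform the load before the comparison
 * has resolved, which is the behaviour Spectre variant one relies on. */
uint8_t lookup_unfenced(size_t idx) {
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* Same lookup with the fence inserted after the branch: the load cannot
 * start until the bounds check has actually retired. */
uint8_t lookup_fenced(size_t idx) {
    if (idx < TABLE_LEN) {
        speculation_barrier();
        return table[idx];
    }
    return 0;
}
```

Both functions return identical results for every input; the difference is only in what the CPU is allowed to do speculatively, and the fence costs a pipeline stall at every protected branch, which is the performance hit the article refers to.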

“Spectre is an unmitigated risk that will be lingering for a long time.”

“From what I know of Intel’s roadmap for the next few years, there’s not a clear solution that’s been put forward,” Kocher said. “It’s an unmitigated risk that will be lingering for a long time.”

Worse still, Kocher believes that there is little in the future of CPU design at a variety of companies that will ward off these kinds of speculative bugs. His view of the future sees many manufacturers using more speculative optimizations to further enhance performance, which leaves them vulnerable to these sorts of attacks.

Fortunately, it’s not a problem

The only silver lining to all this is that for the average person, Spectre and its fellow branch misdirection exploits are the least of our security worries. There are far easier ways for nefarious hackers to infiltrate systems. Malware and social engineering have been successful attack vectors for decades and that seems unlikely to change any time soon.

That’s not the case for everyone though. We asked Kocher if there was any point in upgrading to Intel’s Ice Lake purely for security purposes. His answer depends on who you are.

“If you’re a cloud provider and you’re mixing workloads between customers on the same processor or god forbid even using hyperthreading to run malicious workloads simultaneously within the same core,” he said. “Within those environments the security implications are very different and any upgrades put in may be extremely important.”

Spectre and its contemporaries will likely remain a looming apparition over the CPU industry for years to come, and it’s worth remembering that they exist. But if you want to improve your chances of avoiding being hacked, there are certainly more pressing things to worry about than any potential fixes Ice Lake might bring to the table.
