Intel’s chips are still vulnerable, and the new Ice Lake won’t patch everything

Intel

(in)Secure is a monthly column that dives into the rapidly escalating topic of cybersecurity.

The Spectre and Meltdown processor vulnerabilities loomed over Intel’s 2018 like an incoming snowstorm. Though speculative in nature, they affected nearly every computer with an Intel chip inside. There was no escape.

In 2019, the company just wants to move on. It wants to focus on the exciting performance gains made by new generations of chips. But moving on won’t be that easy. With so many CPUs from the past decade relying on branch prediction to enhance performance each generation, many believe that only fundamental hardware changes inside the most popular CPUs from the likes of Intel will ward off these bugs forever.

With Intel so quiet about what’s coming with its next generation of Ice Lake CPUs though, it may be that we’re far from a permanent fix. In fact, these kinds of problems may never be truly thwarted.

Beyond microcode

The earliest fixes Intel implemented against Spectre and its variants were microcode tweaks which appeared throughout the first half of 2018. These changes weren’t particularly well received because of their impact on performance.

“The microcode patches that were put out had a fairly significant performance impact because they were disabling pieces of hardware and changing things in ways that weren’t the intent when the chip was designed,” Rambus senior technology advisor, Paul Kocher explained to Digital Trends. He went on to highlight that many manufacturers of commercial products, like his own Microsoft-made Surface Pro, specifically avoid implementing some of these fixes because of how impactful they are on performance.

Ice Lake CPUs were slated as the first to receive hardware mitigation for speculative execution vulnerabilities.

The first hardware fixes Intel implemented against Spectre and its ilk — including variant three, otherwise known as Meltdown — came with the launch of its eighth-generation Whiskey Lake “U-Series.” Those were low-power chips aimed squarely at the laptop market, but Intel followed up with the same hardware-level fixes in its desktop-targeted ninth-generation Coffee Lake R CPUs.

That launch also coincided with the release of software and microcode fixes for other variants of Spectre.

While far from exhaustive, these hardware fixes were a welcome announcement from Intel considering it had previously slated the 10nm Ice Lake CPU line as the first to receive hardware mitigation for speculative execution vulnerabilities.

Since then though, Intel has been rather quiet on what Ice Lake will have in place as far as hardware fixes go. Officially unveiled at CES 2019, Ice Lake has been talked up in terms of its die shrink to 10nm (leapfrogging the now seemingly defunct Cannon Lake entirely) as well as its native support for Wi-Fi 6 and Thunderbolt 3.

But no talk of Spectre fixes was in earshot.

What new defenses will Ice Lake have?

Intel is staying quiet on what kind of hardware protections we can expect out of Ice Lake.

“In 2019, we’ll of course continue to integrate hardware-based mitigation into future products, and we’re doing so in a way that maintains the associated software interfaces we introduced with the initial mitigations in 2018,” Intel’s senior director of Intel product assurance and security, Bryan Jorgensen told Digital Trends. “Existing processor security features like supervisor-mode execution protection (SMEP), supervisor-mode access prevention (SMAP), and execute disable bit can also increase the difficulty of launching a successful attack.”

He went on to highlight the work Intel was doing with its software and hardware partners to enable protective measures like encrypted memory to further enhance PC security.

Intel senior vice president in the Client Computing Group, Gregory Bryant, displays an Ice Lake system-on-chip at CES 2019 Walden Kirsch/Intel Corporation

Only those working with Intel really know what the chip giant has planned for Ice Lake, but Rambus’ Paul Kocher believes he has a pretty good insight from talking with engineers over the past year. It can get technical, but distinguishing these different strands of the vulnerability are important for knowing exactly what Intel can and can’t do with Ice Lake.

The most important improvement he thinks we’ll see with Ice Lake is a mitigation of Intel’s earlier mitigations. The model specific registers (MSR) like IBRS, which Intel offers to software developers as an optional fix for Spectre problems, will either be implemented in the hardware or modified so that the performance impact is negligible. That’s great news.

“They’ve created these MSRs but right now the performance you get from leaving the protections enabled and using them in the operating system is so large that people aren’t generally using them widely,” he said. “I suspect with the new processors they will fix that. They’ll make them run with high enough performance that it’s safe to leave them enabled all the time.”

That should mean Spectre variant two is taken care of — and without the performance cut. Spectre variant three, otherwise known as Meltdown, will also be shored up much more securely, he said. Fixing that issue is pretty straightforward, he said, so not seeing a pretty permanent fix for it in Ice Lake would be a surprise. Better yet, doing so should “reclaim the performance overhead that was introduced by those operating system changes.”

That’s good, right?

Spectre fixes, particularly at the hardware level or at least without performance overheads are indeed a good sign that Intel continues to take these exploits paths seriously. In early January, Wired profiled the “Elite team” within Intel, which is going after these problems and trying to find smart workarounds for them.

The problem is that these fixes don’t go far enough. As far as Kocher sees it, Intel has no concrete plan for fixing Spectre variant one. The only proposed solution that he’s caught wind of pushes the problem onto software developers and asks them to input what’s known as an “LFENCE” command within an application every time there’s an “if” statement within its coding.

Not only does that have a major performance impact, Kocher said, but it’s required of new and legacy software. In theory, to protect against Spectre in this manner, every piece of software that runs on modern PCs, both Windows and MacOS would have to be rewritten with this fix in mind. It’s completely unrealistic.

“Spectre is an unmitigated risk that will be lingering for a long time.”

“From what I know of Intel’s roadmap for the next few years, there’s not a clear solution that’s been put forward,” Kocher said. “It’s an unmitigated risk that will be lingering for a long time.”

Worse still, Kocher believes that there is little in the future of CPU chip design at a variety of companies which will ward of these kind of speculative bugs. His view of the future sees many manufacturers using lots of speculative optimizations to further enhance performance, which leaves them vulnerable to these sorts of attacks.

Fortunately, it’s not a problem

The only silver lining to all this is that for the average person, Spectre and its fellow branch misdirection exploits are the least of our security worries. There are far easier ways for nefarious hackers to infiltrate systems. Malware and social engineering have been successful attack vectors for decades and that seems unlikely to change any time soon.

That’s not the case for everyone though. We asked Kocher if there was any point in upgrading to Intel’s Ice Lake purely for security purposes. His answer depends on who you are.

“If you’re a cloud provider and you’re mixing workloads between customers on the same processor or god forbid even using hyperthreading to run malicious workloads simultaneously within the same core,” he said. “Within those environments the security implications are very different and any upgrades put in may be extremely important.”

Spectre and its contemporaries will likely remain a looming apparition over the CPU industry for years to come, and it’s something that bears remembering it exists. But if you want to improve your chances of avoiding being hacked, there are are certainly more things to worry about than any potential fixes Ice Lake might bring to the table.

Product Review

Microsoft’s Surface Laptop 2 launched last year, but already feels old

Released in fall of 2018, the Surface Laptop 2 was competitive at the time but now must deal with new competitors that were announced at CES 2019. How does the popular Surface Laptop 2 hold up six months later?
Mobile

Mad U.K. retailer slashes 99% off Google Pixel 3a price for a few lucky buyers

The Google Pixel 3 and Pixel 3 XL are considered to be two of the best Android smartphones, but it looks like Google could be prepping a midrange line. Say hello to the Pixel 3a and Pixel 3a XL.
News

Kwikset’s second-generation deadbolts get smarter and safer

Kwikset introduced the second generation of its Signature Series Deadbolt with Home Connect locks, which feature a more compact design and an improved chipset that offers over-the-air security updates.
Computing

Zombieload forces a choice between performance and security. What will you do?

Intel has handled the recent discovery of a security vulnerability in its CPUs with confidence, a contrast to its reaction to Spectre and Meltdown. But with ZombieLoad, performance and security seem to be at odds, and you have to choose.
Computing

ZombieLoad is Meltdown resurrected. Here’s how to secure your PC right now

This year's follow up to Intel's Meltdown and Spectre chipocalypse is the new MDS attack. Four distinct attack methods have been uncovered that could leave your data exposed, but thankfully patches are already available.
Computing

Cybercrime gang that stole $100M busted in international effort

A major cybercrime gang that used powerful malware to steal an estimated $100 million from bank accounts has been dismantled following an international effort that spanned six countries.
Product Review

Looking for discrete graphics on the cheap? The Acer Swift 3 will do the trick

The Acer Swift 3 is a tweener laptop that’s not quite budget and not quite premium – and it feels and performs accordingly. It manages to hold its own, though, thanks to its discrete GPU.
Computing

G-Sync is a game-changer. These are the best monitors with Nvidia's display tech

Looking for a monitor that plays well with Nvidia GPUs? You need G-Sync and we have picked the best G-Sync monitors available. Take a look and find out which monitor works best for your PC upgrade.
Computing

Microsoft is discounting this Surface Laptop 2 by a sweet $300

Microsoft is offering a nearly 14-inch Surface Laptop 2 with 256GB of storage at a $300 discount until May 18, 2019. The laptop comes with a PixelSense display, and Intel Core i5 processor and a 720p HD camera.
Computing

The Razer Core X Chroma is the best external GPU you can buy

The third entry in Razer's lineup of external graphics card enclosures, the Core X Chroma, brings together the best of its previous options in a single package. With RGB lighting and extra USB ports, is this the best you can buy?
Computing

Google recalls Titan Security Key due to hijack risk

Google is offering a free replacement for the Bluetooth Low Energy version of the Titan Security Key. A misconfiguration was discovered in the device, though hackers looking to exploit the vulnerability will find it difficult to do so.
Computing

Whether you want to edit, sign, or append, PDFs, these are the best PDF editors

While there are plenty of PDF editor options online, finding a solution with the tools you need can be tough. Here are the best PDF editors for your editing needs, no matter your budget or operating system.
Computing

Give your PC a new lease on life by upgrading its core components

Older PCs can still be great tools for work and play, they just need a little upgrade now and then. Here are the best upgrades you can make to your PC to make it feel fresh and fast once again.
Emerging Tech

Awesome Tech You Can’t Buy Yet: Insect drones and kinetic sculpture robots

Check out our roundup of the best new crowdfunding projects and product announcements that hit the web this week. You may not be able to buy this stuff yet, but it's fun to gawk!