
Intel’s chips are still vulnerable, and the new Ice Lake won’t patch everything


(in)Secure is a monthly column that dives into the rapidly escalating topic of cybersecurity.

The Spectre and Meltdown processor vulnerabilities loomed over Intel’s 2018 like an incoming snowstorm. Though speculative in nature, they affected nearly every computer with an Intel chip inside. There was no escape.

In 2019, the company just wants to move on. It wants to focus on the exciting performance gains made by new generations of chips. But moving on won’t be that easy. With so many CPUs from the past decade relying on branch prediction to enhance performance each generation, many believe that only fundamental hardware changes inside the most popular CPUs from the likes of Intel will ward off these bugs forever.

With Intel so quiet about what’s coming with its next generation of Ice Lake CPUs though, it may be that we’re far from a permanent fix. In fact, these kinds of problems may never be truly thwarted.

Beyond microcode

The earliest fixes Intel implemented against Spectre and its variants were microcode tweaks which appeared throughout the first half of 2018. These changes weren’t particularly well received because of their impact on performance.

“The microcode patches that were put out had a fairly significant performance impact because they were disabling pieces of hardware and changing things in ways that weren’t the intent when the chip was designed,” Rambus senior technology advisor Paul Kocher explained to Digital Trends. He went on to highlight that many manufacturers of commercial products, including the maker of his own Microsoft Surface Pro, specifically avoid implementing some of these fixes because of their performance cost.

Ice Lake CPUs were slated as the first to receive hardware mitigation for speculative execution vulnerabilities.

The first hardware fixes Intel implemented against Spectre and its ilk — including variant three, otherwise known as Meltdown — came with the launch of its eighth-generation Whiskey Lake “U-Series.” Those were low-power chips aimed squarely at the laptop market, but Intel followed up with the same hardware-level fixes in its desktop-targeted ninth-generation Coffee Lake R CPUs.

That launch also coincided with the release of software and microcode fixes for other variants of Spectre.

While far from exhaustive, these hardware fixes were a welcome announcement from Intel considering it had previously slated the 10nm Ice Lake CPU line as the first to receive hardware mitigation for speculative execution vulnerabilities.

Since then though, Intel has been rather quiet on what Ice Lake will have in place as far as hardware fixes go. Officially unveiled at CES 2019, Ice Lake has been talked up in terms of its die shrink to 10nm (leapfrogging the now seemingly defunct Cannon Lake entirely) as well as its native support for Wi-Fi 6 and Thunderbolt 3.

But no talk of Spectre fixes was in earshot.

What new defenses will Ice Lake have?

Intel is staying quiet on what kind of hardware protections we can expect out of Ice Lake.

“In 2019, we’ll of course continue to integrate hardware-based mitigation into future products, and we’re doing so in a way that maintains the associated software interfaces we introduced with the initial mitigations in 2018,” Bryan Jorgensen, Intel’s senior director of Intel product assurance and security, told Digital Trends. “Existing processor security features like supervisor-mode execution protection (SMEP), supervisor-mode access prevention (SMAP), and execute disable bit can also increase the difficulty of launching a successful attack.”

He went on to highlight the work Intel was doing with its software and hardware partners to enable protective measures like encrypted memory to further enhance PC security.

Intel senior vice president in the Client Computing Group, Gregory Bryant, displays an Ice Lake system-on-chip at CES 2019. Photo: Walden Kirsch/Intel Corporation

Only those working with Intel really know what the chip giant has planned for Ice Lake, but Rambus’ Paul Kocher believes he has a pretty good insight from talking with engineers over the past year. It can get technical, but distinguishing these different strands of the vulnerability is important for knowing exactly what Intel can and can’t do with Ice Lake.

The most important improvement he thinks we’ll see with Ice Lake is a mitigation of Intel’s earlier mitigations. The model-specific registers (MSRs) such as IBRS, which Intel offers to software developers as an optional fix for Spectre problems, will either be implemented in the hardware or modified so that the performance impact is negligible. That’s great news.

“They’ve created these MSRs but right now the performance you get from leaving the protections enabled and using them in the operating system is so large that people aren’t generally using them widely,” he said. “I suspect with the new processors they will fix that. They’ll make them run with high enough performance that it’s safe to leave them enabled all the time.”

That should mean Spectre variant two is taken care of — and without the performance cut. Spectre variant three, otherwise known as Meltdown, will also be shored up much more securely, he said. Fixing that issue is relatively straightforward, so he would be surprised not to see a permanent fix for it in Ice Lake. Better yet, doing so should “reclaim the performance overhead that was introduced by those operating system changes.”
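Whether the IBRS-style mitigations discussed above are actually enabled on a given Linux host is something the kernel reports directly, one file per issue under /sys/devices/system/cpu/vulnerabilities/. The following audit program is an added example, not code from the article, Intel or Rambus; it classifies each entry as not affected, mitigated or vulnerable, reads the real files when they exist, and falls back to a constructed sample (assumed, modelled on the strings current kernels emit) so it can run offline:

```c
/* Added example: audit the kernel's reported speculative-execution
 * mitigation status on Linux. Each sysfs file begins with one of
 * "Not affected", "Vulnerable" or "Mitigation: <details>". */
#include <stdio.h>
#include <string.h>

typedef enum { MIT_NOT_AFFECTED, MIT_MITIGATED, MIT_VULNERABLE, MIT_UNKNOWN } mit_status;

/* Classify one status line by its leading keyword. The detail after
 * "Mitigation:" (IBRS, retpoline, barriers, ...) is reported but not parsed. */
mit_status classify_mitigation(const char *line) {
    if (strncmp(line, "Not affected", 12) == 0) return MIT_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return MIT_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return MIT_VULNERABLE;
    return MIT_UNKNOWN;
}

/* Read the real sysfs entry for `name` into buf. Returns MIT_UNKNOWN when the
 * file cannot be read (non-Linux host, old kernel, restricted container). */
mit_status read_sysfs_status(const char *name, char *buf, size_t buflen) {
    char path[256];
    snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", name);
    FILE *f = fopen(path, "r");
    if (!f) { snprintf(buf, buflen, "(unreadable)"); return MIT_UNKNOWN; }
    if (!fgets(buf, (int)buflen, f)) {
        fclose(f);
        snprintf(buf, buflen, "(empty)");
        return MIT_UNKNOWN;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';      /* drop trailing newline */
    return classify_mitigation(buf);
}

/* Constructed sample (assumption: shaped like a patched Intel host with the
 * L1TF mitigation switched off) so the example runs without sysfs. */
static const struct { const char *name; const char *content; } sample[] = {
    { "spectre_v1", "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" },
    { "spectre_v2", "Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling" },
    { "meltdown",   "Mitigation: PTI" },
    { "l1tf",       "Vulnerable" },
};
#define SAMPLE_LEN (sizeof sample / sizeof sample[0])

/* Number of sample entries the kernel would still flag as Vulnerable. */
int count_vulnerable_in_sample(void) {
    int n = 0;
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        if (classify_mitigation(sample[i].content) == MIT_VULNERABLE) n++;
    return n;
}

int main(void) {
    char buf[256];
    puts("live sysfs:");
    for (size_t i = 0; i < SAMPLE_LEN; i++) {
        mit_status s = read_sysfs_status(sample[i].name, buf, sizeof buf);
        printf("  %-12s %s %s\n", sample[i].name, s == MIT_VULNERABLE ? "[!]" : "[ ]", buf);
    }
    printf("constructed sample: %d entr%s still vulnerable\n",
           count_vulnerable_in_sample(), count_vulnerable_in_sample() == 1 ? "y" : "ies");
    return 0;
}
```

On a host where the files are readable, a `[!]` line is the signal to investigate; on a cloud guest, the hypervisor decides what the guest kernel can see, so an "Unknown" or "Vulnerable" entry there is a question for the provider as much as for the guest.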

That’s good, right?

Spectre fixes, particularly at the hardware level or at least without performance overheads, are indeed a good sign that Intel continues to take these exploit paths seriously. In early January, Wired profiled the “Elite team” within Intel, which is going after these problems and trying to find smart workarounds for them.

The problem is that these fixes don’t go far enough. As far as Kocher sees it, Intel has no concrete plan for fixing Spectre variant one. The only proposed solution he’s caught wind of pushes the problem onto software developers and asks them to insert what’s known as an LFENCE instruction into an application at every “if” statement in its code.

Not only does that have a major performance impact, Kocher said, but it’s required of new and legacy software alike. In theory, to protect against Spectre in this manner, every piece of software that runs on modern PCs, on both Windows and MacOS, would have to be rewritten with this fix in mind. It’s completely unrealistic.
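To make the variant-one fix concrete, here is the pattern Kocher is describing, written as an added example rather than code from the article, Intel or Rambus: a bounds-checked array read in its plain form, the same read with an LFENCE placed between the check and the load, and, going a step beyond the text, the branch-free index-masking alternative that the Linux kernel uses in array_index_nospec(). The array contents and the fallback barrier for non-x86 builds are assumptions of this example.

```c
/* Added example: the Spectre v1 bounds-check pattern and two defences.
 * All three readers return the same architectural result; the difference is
 * what the CPU may do speculatively after a mispredicted bounds check. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
/* LFENCE: later instructions are not dispatched until earlier ones have
 * completed, so the load below cannot run ahead of the bounds check. */
#define SPECULATION_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
/* Assumed fallback so the example compiles on other architectures. It is
 * only a compiler barrier and does not stop hardware speculation there. */
#define SPECULATION_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

/* Constructed sample data. */
static const uint8_t public_data[8] = {10, 20, 30, 40, 50, 60, 70, 80};
#define PUBLIC_LEN (sizeof public_data)

/* Unprotected: the compiler emits compare-and-branch, and the CPU may
 * execute the load with an out-of-range idx before the branch resolves. */
uint8_t read_unprotected(size_t idx) {
    if (idx < PUBLIC_LEN)
        return public_data[idx];
    return 0;
}

/* The fix the column describes: a serialising LFENCE after the "if". */
uint8_t read_with_lfence(size_t idx) {
    if (idx < PUBLIC_LEN) {
        SPECULATION_BARRIER();
        return public_data[idx];
    }
    return 0;
}

/* Branch-free mask: all ones when idx < len, all zeros otherwise, computed
 * without a branch so it holds even under misprediction. This is the generic
 * form used by Linux and assumes idx and len are both below INTPTR_MAX. */
size_t index_mask_nospec(size_t idx, size_t len) {
    return (size_t)((~(intptr_t)(idx | (len - idx - 1))) >> (8 * sizeof(intptr_t) - 1));
}

/* Alternative fix: clamp the index with the mask instead of serialising.
 * A speculatively out-of-range idx becomes 0, an in-bounds address. */
uint8_t read_with_mask(size_t idx) {
    if (idx < PUBLIC_LEN) {
        idx &= index_mask_nospec(idx, PUBLIC_LEN);
        return public_data[idx];
    }
    return 0;
}

int main(void) {
    size_t probes[] = {3, 7, 8, 1000};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%4zu  plain=%3u  lfence=%3u  mask=%3u\n", probes[i],
               read_unprotected(probes[i]), read_with_lfence(probes[i]),
               read_with_mask(probes[i]));
    return 0;
}
```

The masking variant is why "an LFENCE at every if" is not the only option: it costs a few ALU instructions rather than a pipeline drain, but it has to be applied by hand at each check that guards a secret-dependent access, which is the same auditing burden Kocher objects to.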

“Spectre is an unmitigated risk that will be lingering for a long time.”

“From what I know of Intel’s roadmap for the next few years, there’s not a clear solution that’s been put forward,” Kocher said. “It’s an unmitigated risk that will be lingering for a long time.”

Worse still, Kocher believes there is little in the future of CPU design at a variety of companies that will ward off these kinds of speculative bugs. His view of the future sees many manufacturers using ever more speculative optimizations to further enhance performance, which leaves them vulnerable to these sorts of attacks.

Fortunately, it’s not a problem

The only silver lining to all this is that for the average person, Spectre and its fellow branch misdirection exploits are the least of our security worries. There are far easier ways for nefarious hackers to infiltrate systems. Malware and social engineering have been successful attack vectors for decades and that seems unlikely to change any time soon.

That’s not the case for everyone though. We asked Kocher if there was any point in upgrading to Intel’s Ice Lake purely for security purposes. His answer depends on who you are.

“If you’re a cloud provider and you’re mixing workloads between customers on the same processor or god forbid even using hyperthreading to run malicious workloads simultaneously within the same core,” he said. “Within those environments the security implications are very different and any upgrades put in may be extremely important.”

Spectre and its contemporaries will likely remain a looming apparition over the CPU industry for years to come, and that is worth remembering. But if you want to improve your chances of avoiding being hacked, there are certainly more pressing things to worry about than any potential fixes Ice Lake might bring to the table.
