A few months ago Intel promised that it would start shipping processors with hardware-based protections against the Meltdown and Spectre vulnerabilities in the second half of 2018. That will include upcoming 8th-gen Intel Core processors and Intel Xeon chips based on the new “Cascade Lake” architecture.

But while those chips will offer hardware-based protections against Spectre Variants 2 and 3, Threatpost reports that Intel’s upcoming chips will not include hardware to protect users from Spectre Variant 4-based attacks.

In other words, even if you buy a computer with a state-of-the-art processor this year, you'll still need a software or microcode update to protect yourself from the latest vulnerabilities.

Spectre Variant 4 (Speculative Store Bypass, CVE-2018-3639) is a speculative execution side channel vulnerability similar to the other Spectre variants. It was disclosed this week by Google's Project Zero and Microsoft's Security Response Center, and Intel notes that web browser updates designed to help protect users against Variant 4-based attacks are already available.

That's a good thing, because this sort of attack is most likely to be carried out from runtimes that execute untrusted code, such as the JavaScript engines in web browsers.

In fact, while Intel says it has already started making microcode updates available to partners to help mitigate the risk of Spectre Variant 4, the company says the mitigation will be set to off by default, since this vulnerability isn't considered quite as critical as some of the others.

Computer makers and software vendors will be able to turn the mitigation on if they want extra protection, but Intel says that with the feature enabled, computer users may see a 2 to 8 percent drop in performance in benchmarks (and maybe in real-world performance).

Update: Intel says it has added a control bit to its microcode, called Speculative Store Bypass Disable (SSBD) and exposed through the IA32_SPEC_CTRL model-specific register, that operating systems can set to help offer protection against this and future vulnerabilities of the same kind.
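What that opt-in looks like from the operating system's side, as an added example that is not from the article or from Intel: on Linux 4.17 and later the kernel reports the system-wide state of this mitigation under /sys/devices/system/cpu/vulnerabilities/spec_store_bypass and lets an individual process turn SSBD on for itself through prctl(PR_SET_SPECULATION_CTRL), which is how a browser or other sandbox host can pay the slowdown only in the process that runs untrusted code. The constants come from linux/prctl.h; the status strings and the helper names are ours.

```c
/* Added example, not from the article: query and opt in to the Linux kernel's
 * per-task Speculative Store Bypass mitigation (SSBD, Spectre Variant 4).
 * Assumes Linux >= 4.17 on x86; on older kernels the prctl fails with
 * EINVAL/ENODEV and the helpers report that instead of crashing. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Values from linux/prctl.h, repeated so this also builds against older
 * kernel headers that predate the speculation-control prctl. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC  (1UL << 4)
#endif

#define SSB_SYSFS "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"

/* System-wide summary the kernel prints for Spectre V4 (e.g. "Vulnerable" or
 * "Mitigation: Speculative Store Bypass disabled via prctl"). Returns the
 * string length or -errno. */
int ssb_sysfs_status(char *buf, size_t len)
{
    FILE *f = fopen(SSB_SYSFS, "r");
    if (!f)
        return -errno;
    if (!fgets(buf, (int)len, f)) {
        fclose(f);
        return -EIO;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return (int)strlen(buf);
}

/* Per-task state: the PR_GET_SPECULATION_CTRL flag word, or -errno. */
long ssb_query(void)
{
#ifdef __linux__
    int r = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    return r < 0 ? -errno : r;
#else
    return -ENOSYS;
#endif
}

/* Turn SSBD on for the calling task (inherited by its children). A sandbox
 * host such as a browser would do this only in the process that runs
 * untrusted code. Returns 0 or -errno (ENXIO: no per-task control available). */
int ssb_opt_in(void)
{
#ifdef __linux__
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0) < 0)
        return -errno;
    return 0;
#else
    return -ENOSYS;
#endif
}

/* Decode a flag word from ssb_query() as documented in the kernel's
 * Documentation/userspace-api/spec_ctrl.rst; the wording is ours. */
const char *ssb_describe(long status)
{
    if (status == -EINVAL || status == -ENODEV || status == -ENOSYS)
        return "kernel has no speculation control for SSB";
    if (status < 0)
        return "query failed";
    if (status == PR_SPEC_NOT_AFFECTED)
        return "not affected";
    if (status & PR_SPEC_FORCE_DISABLE)
        return "mitigated: SSBD forced on for this task";
    if (status & PR_SPEC_DISABLE_NOEXEC)
        return "mitigated: SSBD on for this task until execve()";
    if (status & PR_SPEC_DISABLE)
        return (status & PR_SPEC_PRCTL) ? "mitigated: SSBD on for this task"
                                        : "mitigated: SSBD on system-wide";
    if (status & PR_SPEC_PRCTL)
        return "vulnerable: SSBD off, per-task opt-in available";
    return "vulnerable: SSBD off, no per-task control";
}

int main(void)
{
    char sysfs[128];
    int n = ssb_sysfs_status(sysfs, sizeof sysfs);
    printf("system-wide:  %s\n", n >= 0 ? sysfs : strerror(-n));
    printf("this task:    %s\n", ssb_describe(ssb_query()));

    int rc = ssb_opt_in();
    if (rc < 0)
        printf("opt-in failed: %s\n", strerror(-rc));
    printf("after opt-in: %s\n", ssb_describe(ssb_query()));
    return 0;
}
```

Build with `cc -o ssb ssb.c` and run it once before and once after applying the microcode update to see the sysfs line change. The per-task path only works when the kernel was booted with `spec_store_bypass_disable=prctl` (or `seccomp`, the default, which additionally applies SSBD to any seccomp-filtered process unless the filter is loaded with SECCOMP_FILTER_FLAG_SPEC_ALLOW); `spec_store_bypass_disable=on` forces it for every process and takes the full performance hit the article describes.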

So what’s next?

I wouldn’t be surprised to see Intel incorporate hardware fixes for Spectre Variant 4 in the next chips it develops, likely to be released in late 2018 or early 2019. That would offer more protection without taking the same toll on performance.

But any new vulnerabilities discovered after those chip designs are finalized will likely have to be addressed by microcode and software updates.

And the same cycle will probably continue for a while. The Spectre and Meltdown vulnerabilities disclosed this year represent an entirely new class of flaw in modern processor architecture, and it's likely that security researchers will continue to discover and disclose new variants in the months and years to come. Chip makers like Intel will most likely have to keep playing catch-up with each new processor generation unless they disable speculative execution altogether. But that would probably result in an even bigger drop in performance than the microcode updates.

Intel isn’t the only company affected by Spectre Variant 4: Microsoft notes that some AMD and ARM chips are also affected “to varying degrees.”




5 replies on “Intel’s hardware-based Spectre mitigations won’t protect against variant 4 (or later)”

  1. Time to include some FPGA in new CPUs so they can be patched at the HW level. After variant 4 will come 5, 6, … We can't update CPUs year after year. Migrate the speculative execution logic to FPGA so it can be patched afterwards.

    1. Intel has already been investing in FPGA technology, though not for that reason. At this point, we have no idea whether such a thing is feasible for fixing bugs like these in a general CPU design, and even if it was, there’s no guarantee it would impact performance any less than fixes to the microcode.

  2. IIUC the Red Hat blog post, then the mitigation for variant 4 will not be enabled by default. It only affects a limited number of applications, as you cannot leak memory from a different address space (so you can only leak memory from your own address space). This affects applications that run trusted and untrusted code (i.e. in a sandbox). So on Linux an application (i.e. a browser) can query whether such a vulnerability exists and then enable the mitigation only for that particular process. Well, it's more complicated than that, but that's the short version.

  3. Time for businesses to take less risk and buy AMD desktops and servers. Don't rely on software patches; avoid the risky hardware. There have to be consequences for sacrificing security for performance.

    1. You forget that AMD silicon chips are also affected by some Spectre vulnerabilities. It does seem to be less than Intel, but it still is.
