9 Steps Intel Recommends To Sidestep Spectre And Meltdown
Intel: How To Prevent Spectre, Meltdown
Intel is rallying its channel partners against two exploits called Spectre and Meltdown, which became public last week and affect chips from multiple vendors.
The exploits, which account for three variants of a side-channel analysis security issue in server and PC processors, could potentially enable hackers to access protected data.
Intel, for its part, has organized all its recommended mitigation methods into a whitepaper, which the company sent to channel partners this week.
"This white paper may be the first round of information targeting the extremely technical [aspects] so hopefully [Intel] will release more high level information," said Kent Tibbils, vice president of marketing at ASI, Fremont, Calif.
Following are 9 steps the company recommends at the hardware, software and operating system level to help sidestep the Spectre and Meltdown exploits.
Bounds Check Bypass Mitigation
On the software front, Intel recommends inserting a barrier to stop the process of speculation. Speculation, at the heart of the Spectre and Meltdown exploits, allows processors to skip ahead in their execution of code to save time on computing processes, but it can also potentially enable malicious code to access a portion of the memory on the chip.
Intel recommends the LFENCE instruction as this barrier, saying it could prevent new operations from executing before they are supposed to. It is also possible to develop static analysis rules to find places in the software where a speculation barrier like LFENCE might be needed.
"Note that the insertion of LFENCE must be done judiciously; if it is used too liberally, performance may be significantly compromised," said the whitepaper.
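The following C sketch is an added illustration, not code from Intel's whitepaper or the original article. It shows the kind of bounds-checked lookup a static analysis rule would flag, next to the same lookup with an LFENCE placed directly after the bounds check. The function names, table sizes and sample data are assumptions, and the inline assembly assumes GCC or Clang.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Speculation barrier: LFENCE on x86. On other targets this falls back to a
 * compiler-only barrier so the example still builds; that fallback is NOT a
 * hardware speculation barrier. */
#if defined(__x86_64__) || defined(__i386__)
#define SPEC_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
#define SPEC_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

#define TABLE_LEN 16u
#define STRIDE    64u  /* assumed spacing between entries of the second table */

static uint8_t index_table[TABLE_LEN];       /* constructed sample data */
static uint8_t value_table[256 * STRIDE];    /* constructed sample data */

static void init_tables(void) {
    for (size_t i = 0; i < TABLE_LEN; i++) index_table[i] = (uint8_t)(i * 3);
    for (size_t i = 0; i < sizeof value_table; i++) value_table[i] = (uint8_t)(i / STRIDE);
}

/* Flagged pattern: an untrusted index is bounds-checked and then used in a
 * load whose result feeds a second, dependent load. The processor may run
 * both loads speculatively before the comparison resolves. */
int lookup_unfenced(size_t untrusted_idx) {
    if (untrusted_idx < TABLE_LEN) {
        return value_table[index_table[untrusted_idx] * STRIDE];
    }
    return -1;
}

/* Mitigated pattern: the barrier sits after the bounds check and before the
 * first dependent load, so the loads do not execute until the check is done.
 * Only this path pays the cost, which keeps the insertion "judicious". */
int lookup_fenced(size_t untrusted_idx) {
    if (untrusted_idx < TABLE_LEN) {
        SPEC_BARRIER();
        return value_table[index_table[untrusted_idx] * STRIDE];
    }
    return -1;
}

int main(void) {
    init_tables();
    printf("%d %d %d\n", lookup_unfenced(5), lookup_fenced(5), lookup_fenced(1000));
    return 0;
}
```

Both functions return identical results architecturally; the barrier changes only what the processor may do speculatively, which is why such sites have to be found by code review or analysis rules rather than by functional testing.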
Branch Target Injection – New Interface
Intel said that another mitigation method is to introduce a new interface between the processor and the system's software, which can help the software prevent an attacker from controlling indirect branch predictions.
"This mitigation strategy requires both updated system software as well as a microcode update to be loaded to support the new interface for many existing processors," said the whitepaper. "This new interface will also be supported on future Intel processors."
Branch Target Injection – "Return Trampoline" Method
Another mitigation method is the "return trampoline," said Intel. This method uses a code sequence to replace indirect branches with a Return instruction, causing the speculative execution to "bounce" so that select binary files are protected from Spectre-powered attacks.
"Intel has worked with the various open source compilers to ensure support for the return trampoline, and with the OS vendors to ensure support for these techniques," said the white paper.
Rogue Data Cache Load Mitigation
Intel said that operating system software can be tweaked so that privileged pages are not mapped when executing user code, which protects against user mode access to privileged pages. This rogue data cache load mitigation method will be supported by future Intel processors, the company said.
Intel OS Guard
Intel recommends that partners utilize Intel OS Guard, its supervisor-mode execution prevention security tool, to further sidestep the Spectre and Meltdown exploits. When OS Guard is enabled, the operating system cannot directly execute application code, making branch target attacks on the operating system more difficult for the attacker, said Intel. Intel said all major operating systems support Intel OS Guard.
Execute Disable Bit
Intel said that its Execute Disable Bit tool can also make it more difficult to carry out branch target injection attacks. This hardware-based security feature allows the processor to classify areas in memory where the application code can or cannot execute, even speculatively, which increases the difficulty of attacks. Intel said that all major OS providers enable Execute Disable Bit by default.
Control Flow Enforcement Technology
Intel said that its control flow enforcement technology enables processors to thwart exploit code using return and jump-oriented programming, reducing the speculation on non-ENDBRANCH instructions for indirect branches.
Protection Keys
Intel protection keys can limit the data that is accessible to a piece of software. This tool, available on future Intel processors that have hardware support for mitigating Rogue Data Cache Load and support for the protection keys, can be used to limit memory addresses that could be revealed by a branch target injection.
Supervisor-Mode Access Prevention
Intel's Supervisor-Mode Access Prevention feature can be used to limit certain memory addresses used for a cache-based side channel. This essentially makes it more difficult for an application to perform an attack on a kernel, because it is harder for the application to figure out whether a kernel line or application line is cached.