Enabling Secure Development with Disclosure and Feature Guidance

Published: 11/04/2022  

Last Updated: 11/10/2022

While Intel has focused on secure computing for decades, hardware security gained a new dimension with the disclosure of a novel class of security vulnerabilities in 2018, commonly known as Spectre and Meltdown. These vulnerabilities, initially called speculative execution side channels caused an industry wide shift in how to approach hardware security. 

This class of attacks was discovered by leveraging characteristics inherent to microarchitectural optimizations and features developed by microprocessor vendors over many years to deliver the modern processing experience. 

Intel's Response

As an industry leader, Intel played an outsized role in coordinating the industry response to these vulnerabilities and has worked closely with the ecosystem to discover additional issues and release mitigations for them aligned to hardware development and microcode update processes.

Many of the issues addressed here relate to speculative execution. It’s important to note that speculative execution itself is not the problem. In fact, it’s a necessary characteristic of modern computers and critical to performance. Eliminating all speculative execution is not possible and even if it were, the tradeoffs would be considerable. 

Rather, speculative execution becomes a potential risk when it can be used to infer secret information. To help distinguish these types of vulnerabilities from other classes of vulnerabilities, and provide a more precise terminology, Intel uses the term transient execution attacks to refer to this class of vulnerabilities, in line with researcher terminology.

Since the initial disclosure of these novel vulnerabilities, Intel has invested tremendous time and resources to better understand them, working with our experts in microarchitecture, firmware, and software and in coordination with industry partners, researchers, and academics. We’ve learned a great deal about potential attack vectors and ways to help customers mitigate possible threats. 

Intel’s investment in understanding these issues results in new security feature development and optimizations to benefit our customers. We have greatly expanded the security analysis we perform to evaluate the potential for new types of attacks. Intel has implemented automated security analysis, greatly expanded fuzzing, and has provided feature controls to allow software to fine tune when it wants to use or enable these new features, according to developer needs and the security threat model. 

Intel actively seeks ecosystem feedback as we continue to improve the performance of our products because we know no single solution can be absolutely secure. We are working diligently to ensure that enhancements and optimizations are designed with security in mind.  

Software Security Guidance Site Overview

This site is the result of Intel’s sustained investment in security and ongoing collaboration with the security community. It provides in-depth analysis and guidance related to security vulnerabilities and Intel technologies and identified best practices used to mitigate those vulnerabilities. 

The guidance falls into four categories: 

  • Advisory Guidance: Additional guidance related to security issues that have been assigned CVEs and which are described in Intel Security Advisories.
  • Disclosure Documentation: In-depth articles related to publicly disclosed security vulnerabilities and the tools and techniques used to mitigate those vulnerabilities on affected systems.
  • Feature Documentation: Articles related to Intel security features that may be used to mitigate or avoid certain types of security issues.
  • Best Practices: Guidance articles describing principles and techniques that Intel recommends software developers adopt in order to write more secure code for particular environments and workloads.

Developers and system administrators can use these resources to better understand specific vulnerabilities, features and recommendations. For a more comprehensive view, the consolidated matrix of Intel processors shows the impact of the security vulnerabilities covered on this site across platforms.

If you are new to transient execution attacks or want to better understand software development in the context of the evolving security environment, the section called Fundamentals of Side Channel Security guides you through key topics and Intel recommendations. 

When applying this guidance to your systems, use the mitigations and techniques appropriate to your environment and real-world risk profile. These resources address a wide variety of environments and workloads, and they describe powerful tools and techniques whose impact can vary depending on how they are used.

More Security Resources

For more on how Intel manages vulnerabilities, refer to the following links:

Security-First Pledge
Intel Security Overview
Product Security Center
Intel PSIRT Mission
Vulnerability Handling Processes
 

Software Security Guidance Home | Advisory Guidance | Technical Documentation | Best Practices | Resources

Product and Performance Information

1

Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex.