Intel's 'Virtual Fences' technology, to be implemented in as-yet unreleased processors as a protection against the Spectre family of speculative execution vulnerabilities, may not cover the most recently-discovered Variant 4, it has been claimed - leaving them reliant on software- and microcode-based workarounds which impact system performance.
First announced earlier this year, the Spectre family of speculative execution vulnerabilities are serious business: Exploitable from a web browser, until software workarounds were released, Spectre allows unprivileged code to access supposedly-secure memory and read everything up to and including passwords and other account details. Affecting almost every x86 processor released in the last decade or so, the software workarounds to protect against the flaws have a measurable impact on system performance - bad enough, in fact, that Intel advises its data centre customers to think hard about enabling them - which will not improve until a true hardware fix is implemented in future silicon, something Intel has promised will be the case by the end of the year.
Unfortunately, those fixes are reportedly not enough to protect against the Spectre Variant 4 vulnerability disclosed earlier this week. Security news site Threatpost cites unnamed 'sources familiar with the situation' as stating that the protections Intel has planned for its future silicon, known as 'Virtual Fences,' will only protect against Variant 2 and Variant 3 and have no impact on Variant 4.
That doesn't mean that systems will be left entirely unprotected, however: The microcode update Intel has developed for Spectre Variant 4 will continue to work on future hardware, though with the same up-to-eight-percent performance impact as on current silicon - an impact high enough that Intel has made the controversial choice to offer the protection but leave it disabled by default, giving its customers the choice as to whether to enable the protection and suffer the slowdown or continue running at full speed yet with the risk of exploitation.
While Intel has commented on the Spectre Variant 4 vulnerability, it has neither confirmed nor denied that its planned Spectre-proof products will include hardware protections against it. The company has been contacted for comment on Threatpost's claims, and this article will be updated accordingly if and when a response is provided.
Intel has confirmed that its in-silicon hardware protection does not extend to Variant 4, and that it will be relying on the microcode mitigation - which, it must be remembered, is disabled by default - on both current-gen and next-gen processors. 'As we shared in our announcement on March 15, those design changes provide protection against Variant 2 and 3,' an Intel spokesperson tells us. 'For Variant 4 – in addition to the browser-based mitigations that are already available -- we’ve added functionality into our microcode called the Speculative Store Bypass Disable (SSBD) bit. This functionality will continue to be utilised on future hardware platforms ensuring customers can stay protected.'
March 12 2019 | 19:11