Intel To Partners: Multiple Mitigation Methods, Tools Can Alleviate Spectre, Meltdown Exploits

Intel on Monday sent out a whitepaper to channel partners outlining the mitigation steps and security tools necessary to sidestep the Spectre and Meltdown exploits. 

"Intel has been working closely with the ecosystem, including other processor vendors and software developers, to identify mitigations for the three side channel methods … The mitigation strategy is focused on identifying techniques that can be applicable for both products currently in the market, as well as for future products in development," said the whitepaper.

The whitepaper, called "Intel Analysis of Speculative Execution Side Channels," comes in the week after the Meltdown and Spectre security flaws, discovered by security researchers last year, became highly publicized by media reports.

[Related: 9 Steps Intel Recommends To Sidestep Spectre And Meltdown]

The exploits, which account for three variants of a side-channel analysis security issue in server and PC processors, could potentially enable hackers to access protected data.

These security flaws, found in chips from multiple vendors, including Intel, revolve around a process called speculation, which allows processors to skip ahead in their execution of code to save time on computing processes – but also potentially enabling malicious code to access a portion of the memory on the chip.

The Santa Clara, Calif.-based company recommends a variety of steps for downplaying the security risks of Spectre and Meltdown, including the bounds check bypass mitigation for software systems, the branch target injection mitigation for software, and the rogue data cache load mitigation method for operating system software.

However, on top of these mitigation methods, the company also recommends security features and technologies – which are present in existing Intel products or planned for future products – to reduce the effectiveness of the attacks.

One method of protection is enabling Intel OS Guard, the company's supervisor-mode execution prevention security tool. When OS Guard is enabled, the operating system cannot directly execute application code, making branch target attacks on the operating system more difficult for the attacker, said Intel.  Intel said all major operating systems support Intel OS Guard.

Intel also said that its Execute Disable Bit tool can make it more difficult to install branch target injection attacks. 

This hardware-based security feature allows the processor to classify areas in memory where the application code can or cannot execute, even speculatively – increasing the difficulty of attacks. Intel said that all major OS providers enable Execute Disable Bit by default.

"For malware to compromise security using these methods, it must be running locally on a system. Intel strongly recommends following good security practices that protect against malware in general," said the whitepaper. "Doing so will also help protect against possible exploitation of these analysis methods."

Partners see the channel as critical in helping customers navigate what they can do to understand and act on the security exploits moving forward.

"This would be an area where the VAR could help the end client and build an effective recurring revenue model for their business," said Kent Tibbils, vice president of marketing at ASI, Fremont, Calif. "They could recommend and install programs, they could help the end client understand what the programs are doing, what they will find, how often they should run, and what other habits should be practiced. Many VARs will do this but to create an effective recurring revenue model they need to be proactive and have an internal process in place that helps them identify when to follow up with a client to be sure they renew their licenses before they expire."

Intel is moving forward with a "comprehensive" threat mitigation plan that includes operating system and firmware updates that will be made available in the next "few weeks." By the end of this week, Intel says it expects to have issued updates for more than 90 percent of processor products introduced within the past five years.

Read more articles on: