Intel Says 'Partitions' in New Chips Will Correct the Design Flaw that Created Spectre and Meltdown

Intel said on Thursday it is introducing hardware protections against the Spectre CPU flaw that was discovered last year. From a report: Starting with the Cascade Lake version of its Xeon server processors later this year, Intel will incorporate "protective walls" in its hardware that prevent malicious hackers from using speculative execution techniques to steal private information from the secure part of the processor. These fixes will also ship with the PC version of the Cascade Lake chips, but the tech industry has been much more concerned about the effect of these design flaws on server processors running in data centers and cloud vendors.

The new fixes allow Intel to still benefit from the performance advantages of speculative execution -- in which a processor guesses which upcoming instructions it will need to execute in order to speed things up -- without the security risks. The hardware changes address Variants 2 and 3 of the Spectre and Meltdown issues first disclosed in early January, and software fixes should continue to address Variant 1, Intel said.

How about more than protective walls?

[ctilsie242]

AMD has its bugs, but one new feature that they have implemented is RAM encryption. This way, one VM has no way of obtaining content from another VM's RAM space, should a leak be possible. Why not be proactive in dealing with virtualization and keeping stuff separate, perhaps adding some pipeline randomization to foil side channel attacks?

Intel knows what they are doing. Might as well be ahead of the curve and add some useful security features.

Won't fix your 'AMD' problem

[Khyber]

While you went about paying a company to diss AMD, I checked CTS' report, found out one of my intel systems uses one of the mentioned vulnerable chipsets, the ASM1142, for its USB 3.1 controller.

I bet that the PoC exploit would work on the intel platform right out of the box, if the CTS code isn't full of shit.

Gimme a copy so I can test it out.

We did this in the mainframe days

[davecb]

We called it "mandatory security levels and categories" (eg, Dockmaster.mil), and then reinvented them for minis (eg, Trusted Solaris) and micros (eg, SELinux), and now Intel is doing the category part in hardware, just like Multics. Methinks they're a tiny bit behind the times...