Brian Krzanich on Thursday published an open letter addressing Intel's partners and customers regarding the aftermath of the publication of the Meltdown and Spectre exploits. The chief executive of Intel reiterated the company’s plans to release security updates for its recent CPUs by early next week and stressed the importance of collaborative, industry-wide security assurance and responsible disclosure of security vulnerabilities going forward.

Intel intends to release software and firmware patches for 90% of its CPUs launched in the past five years by January 15. By the end of the month, Intel plans to issue software updates for the remaining 10% of processors introduced in the same period. After that, Intel will focus on releasing updates for older products based on the requests and priorities of its customers. The company confirms that the patches have an impact on performance and says that the impact varies widely depending on the workload and mitigation technique.

Going forward, the world’s largest maker of microprocessors plans to share hardware innovations with the industry to fast-track the development of protections against side-channel attacks. In addition, the company intends to increase funding for academic and independent research into security threats. Brian Krzanich expects other industry players to follow similar practices: share security-related hardware innovations and help researchers of security vulnerabilities.

The original letter reads as follows:

An Open Letter from Brian Krzanich, CEO of Intel Corporation, to Technology Industry Leaders

Following announcements of the Google Project Zero security exploits last week, Intel has continued to work closely with our partners with the shared goal of restoring confidence in the security of our customers’ data as quickly as possible. As I noted in my CES comments this week, the degree of collaboration across the industry has been remarkable. I am very proud of how our industry has pulled together and want to thank everyone for their extraordinary collaboration. In particular, we want to thank the Google Project Zero team for practicing responsible disclosure, creating the opportunity for the industry to address these new issues in a coordinated fashion.

As this process unfolds, I want to be clear about Intel’s commitments to our customers. This is our pledge:

1. Customer-First Urgency: By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers.

2. Transparent and Timely Communications: As we roll out software and firmware patches, we are learning a great deal. We know that impact on performance varies widely, based on the specific workload, platform configuration and mitigation technique. We commit to provide frequent progress reports of patch progress, performance data and other information. These can be found at the Intel.com website.

3. Ongoing Security Assurance: Our customers’ security is an ongoing priority, not a one-time event. To accelerate the security of the entire industry, we commit to publicly identify significant security vulnerabilities following rules of responsible disclosure and, further, we commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks. We also commit to adding incremental funding for academic and independent research into potential security threats.

We encourage our industry partners to continue to support these practices. There are important roles for everyone: Timely adoption of software and firmware patches by consumers and system manufacturers is critical. Transparent and timely sharing of performance data by hardware and software developers is essential to rapid progress.

The bottom line is that continued collaboration will create the fastest and most effective approaches to restoring customer confidence in the security of their data. This is what we all want and are striving to achieve.

— Brian Krzanich

Source: Intel


  • darckhart - Friday, January 12, 2018

    Where's the outcry of Intel doing sloppy design such that threats like Meltdown and Spectre can even exist? Sure it's great that they pledge to fix things, but how about not dicking it up in the first place? Cutting corners to increase performance? That's like VW and futzing the emission system when they know they can't actually perform if constrained. "Our branch prediction improves performance because it can predict correctly 99% of time." Uh no, that sounds like just executing Step A-1 and Step A-2 at the same time as A so that you can have both ready as soon as A finishes so you can go to either one with no penalty. That's not prediction.
  • surt - Friday, January 12, 2018

    That is indeed not prediction. The feature you are describing is called speculative execution. Both speculative execution and branch prediction are used in modern processors, and they are different features.

    Branch prediction is very much up to the task of getting branches predicted correctly 99% of the time. In fact that's relatively trivial: if you assume a branch will go the same direction it did last time, you'll be right 99% of the time in loops, and getting it right in other contexts is only a little bit more complicated than that.
  • HStewart - Monday, January 15, 2018

    Do you realize that this threat is not just Intel - it is also other products and not just CPUs, ARM and AMD and also GPUs. It just seems people pick on Intel more.

    The real concern is people that create these things - are they doing a good thing letting out technical information that could lead to viruses and such? It should be done in confidence so hackers will not use the information.
  • Sliderazer - Wednesday, January 17, 2018

    Very good
  • digitaldoug - Friday, August 31, 2018

    I am a developer. I worked on a project called "Judy arrays" for the last 18 years. Performance is a goal that has a very high priority. My last release to the public was about a dozen years ago. In 2014, we made some very significant progress due to the release of Ubuntu 14.xx and the Haswell processor. My latest test system is an i7-6800k CPU, running at 4GHz, and 128GB of RAM running at 3200MHz/CAS=14. It has been using Ubuntu 16.04 OS, with BIOS updated to July 2017 (not current). I decided to update the OS to Ubuntu 18.04. The performance of Judy went down by one HALF! All mitigations to the mitigations in 18.04 (pti, Spectre_V2) did very little to help. The a.out's built in the 16.04 OS were even faster than when built in the 18.04 system. I have learned the hard way that any software or BIOS released after 2017 is "infected" with meltdown/spectre mitigations. The "immoral" part is there seems to be no way to turn OFF these mitigations on any software or firmware published after 2017. I am really looking forward to a system that runs anywhere near as fast as the NOT upgraded 16.04 system. I believe that any comparisons of a system that tried to turn off the spectre/meltdown mitigations will be very wrong. The Internet is rife with these types of comparisons. This leaves me to not trust ANY update to my system that measures performance. So Intel, are you being transparent and honest with your customers? A recipe for disaster? If you want, I would be happy to work with you to demonstrate/verify my findings; dougbaskins -at- yahoo.com
