After a painful lesson, Intel's next-generation chips will block the Spectre vulnerability at the hardware level
(Fortune China) Translator: 樸成奎
Ronak Singhal, a senior executive and 20-year veteran of chipmaker Intel, was trying to get to dinner at Helena, his favorite restaurant in Israel, a few weeks ago. But before he could join colleagues celebrating a promotion at the high-end eatery poised on the shores of the Mediterranean Sea south of Haifa, he had to explain to one of the company’s software partners what was going on with Intel’s patches for the notorious Spectre and Meltdown security problems.

The problem that night for Singhal, who oversees the development of the architecture for all of Intel’s processors, was that something was wrong with the patches. Among all the millions and millions of computers in use around the world running Intel CPUs, one of the patches for Spectre was causing some computers to freeze up or spontaneously reboot. Though only affecting a tiny proportion of the market, the problems were widespread enough to spook PC makers and prompt a temporary recall of the updated software. (And even stirred Linux creator Linus Torvalds to publicly proclaim Intel’s work was “pure garbage.”)

Relying on some techniques that Intel had never used previously in its software, “there were cases where the patches didn’t work as intended,” Singhal explained. It took more than an hour to assuage the contractor—Singhal’s co-workers started eating without him. “They thought I’d gotten lost or kidnapped or something,” he jokes recalling the incident. He did get to join the party and eat a dish of Helena’s famed calamari.

A few weeks later, Intel issued corrected patches and the fixes for one of the most serious security incidents in computing history have gone smoothly since then. On Thursday, Intel declared that it had fully deployed patches covering all of the chips it had made in the past five years.

Up next for Singhal are fixes that will be embedded directly in the silicon of upcoming products. The revamped chip designs will be ready for 8th generation Core processors released in the second half of the year and a line of Xeon server chips expected in the fourth quarter known by the code name “Cascade Lake.” Building the protections into the hardware eliminates a significant amount of the impact on performance seen with the software patches, Singhal says.

“We’ve made it through the first set of software mitigations,” Intel CEO Brian Krzanich tells Fortune. “We’ve got everything five years and newer completed and we’re now starting to implement hardware mitigations where it’s actually built into our silicon.”

Spectre and Meltdown Variants 1, 2, and 3

The whole mess that revealed such serious security vulnerabilities in nearly every chip made for the past few decades, by Intel and its competitors, started small last summer. Researchers at a special security vulnerability search team at Google reported to Intel’s security section in June that they’d uncovered a problem with a key part of CPU design.

Modern chips typically have so much idle processing power that it makes sense for programs to calculate several options to solve a problem even before earlier steps in the program have completed. Known as speculative execution, the performance enhancing strategy then throws out the answers that don’t match the results of the earlier steps.

But the Google researchers, followed by several teams in academia, had found ways to trick chips into revealing data like passwords and encryption keys as the secrets were used in the speculative execution calculations. The researchers dubbed two variants of the trick Spectre, after the fictitious evil organization that pursues James Bond, and a third variant was called Meltdown because it effectively melted security barriers. The danger was especially acute for cloud servers, where programs from multiple customers would be running on the same chip, and in web browsers, which can execute code from a web site unknowingly.

By early July, Intel and other chipmakers had realized the vast scope of the problem and convened groups to craft solutions. Singhal held a daily morning conference call, sometimes lasting for two hours, to coordinate Intel’s response across offices in Oregon, California, Texas, and Israel. With people in different time zones working on the problem, the effort could operate around the clock.

All along, the plan was to issue software fixes first and then build the protections into future chip designs. The software patches had a cost in reducing the performance of the affected CPUs. The hit varied widely depending on the type of Intel chip involved and the programs being run. One test on a PC with a Kaby Lake Core i7 processor found most apps slowed less than 10%, which would be barely noticeable in real life usage. But Microsoft warned that PCs running its older Windows 7 or 8 and Intel’s five-year-old Haswell processors would take a big hit.

Intel’s New Security Effort

As a result of the experience, Intel CEO Krzanich set up a new group, dubbed the IPAS or Intel Product Assurance and Security, to not only work on the Spectre and Meltdown fixes but to address future security problems more effectively. Longtime Intel executive Leslie Culbertson, who joined the company in 1979, heads the IPAS group.

“This was going to be a whole new area of research and a whole new area of security understanding that required a long-term investment by Intel,” Krzanich says. The focus will be on uncovering future vulnerabilities, but also thinking about how to make its chips more secure in general. “You’re going to see a constant progression–that’s what this team will be thinking about.”

“We know this isn’t the end of the story,” Singhal adds. “This is going to be an ongoing activity probably for many of us.”

When news of Spectre and Meltdown first leaked out in early January, Intel’s stock took a hit, as investors feared the security problems might slow chip sales. More recently, some analysts have argued that Intel’s new chips with built-in protection might spur more rapid sales from companies wanting to upgrade to safer hardware. Intel’s shares are up 12% so far this year, outpacing the 3% gain in the S&P 500 Index.

Krzanich is dismissive of both the positive and negative scenarios. “We’ve said since the beginning of this that we think the impact will be negligible, even on the positive side,” the CEO says. “The analyst community needs to realize that we’re constantly doing these kinds of improvements—improvements in security, improvements in performance, and adding new features to drive refresh cycles.”

(Update: This story was updated on March 15 to clarify that the impact on performance from Intel’s hardware fixes would be “a significant amount.”)