While the public discussion on Spectre and Meltdown and daily stories have died down, for now, I wanted to pull back the lens and talk about some broader perspectives I have been thinking about. The reason I think it is important to analyze some of the broader areas is that Spectre and Meltdown are only the first of what I predict to be many architecture-based exploits that the industry will face in the future. This isn’t a “one and done” situation. Now is a good time to look back at how it was handled industry-wide, see what was done well, not so well and what can be learned from, repeated or improved upon for next time.
One thing that has been bugging me is the lack of understanding around the tremendous coordination that was required across the industry to understand the issues and work towards mitigations. It appears to me that Intel played a critical role in this space, and I wanted to explore that. Going forward I think we should be applauding companies for their detailed disclosures, not going after them and punishing them for it.
From my vantage point, the silicon disclosures started off with Arm, Advanced Micro Devices, and Intel, but the press very quickly took its ire out on Intel as if the security issues had been created by Intel. At the time I was not surprised, given that all of Intel’s products use speculative architecture and that it has 90% PC share and 98% server share. The irony is that I believe Intel ended up being the de-facto industry leader, with the highest level of transparency and industry alignment I have ever seen on a security exploit.
Big companies like Intel ordinarily want to “control the message” and give out the least amount of information needed to get their point of view across. This is natural, to be expected, and what communications and PR teams are trained to do. We recently saw a very bad example of this with Facebook, with press reports saying Mark Zuckerberg was hiding from all the fanfare and not saying anything publicly on its very critical privacy and data issue. Zuckerberg and Facebook got roasted for the lack of communication.
On the other hand, we saw Intel CEO Brian Krzanich getting on CNBC, publishing blogs, and getting on the CES stage to talk Spectre and Meltdown. Blogs seemingly appeared from Intel weekly, and after a while, I was thinking that Intel just kept firing up the news cycle like someone pouring gasoline onto a smoldering fire. The news would seem to die down, Intel would publish a blog, and a new set of stories would emerge, so Intel was keeping the story alive by providing more information rather than dribbling out only enough when it had to.
I was also surprised at how detailed some of the performance analysis was, and that it did not always show Intel in a positive light. Let me be very clear: I do not ever, in 30 years, remember Intel doing this. The Intel benchmark bars are always longer or shorter to show the Intel advantage, not to show disadvantages.
Intel even set up a special page documenting every move on Intel’s own website. Net-net, Intel prioritized transparency over and above taking shots, and should be commended.
As the Spectre and Meltdown situation unfolded, I remember attending an Intel-hosted call with companies I never thought I would be on a call with at the same time: Arm, Advanced Micro Devices, and Intel. The companies took me through the exploits, the mitigations, and a rough timeline of what would happen when. It was nice to see three competitors laying down their swords to come together to fix this very large problem.
Since that first call, I have come to realize that Intel was not just working with Arm and AMD; it was working very closely with software companies, system vendors, cloud service providers, and security researchers in parallel. Aside from updates from the processor companies, I personally received status emails within a few weeks from Microsoft Azure and Windows, Amazon.com AWS, Red Hat, RSA, and VMware.
By January 4, Intel reported it had already issued software and firmware patches for the majority of processors released in the past five years, and that by the end of that week it expected to release updates for 90% of processors introduced over that time period. While the firmware did cause some reboot issues, I cannot tell you how monumental the 90% number was. I worked nearly ten years at system OEMs and over ten years at a processor manufacturer, and I cannot imagine just how much work this must have been.
On that same day, Intel summarized reports from Apple, Microsoft Azure, Amazon.com AWS, and Google, who had indicated they were not seeing major performance hits after applying the patches. Here again, Intel was speaking up for the industry and not just for its own products, as Apple commented on its iOS performance, which is driven by a custom, Arm-based chip. Getting these companies to agree to be mentioned together in the same post must have been a monumental task and had PR groups hand-wringing from Seattle to Silicon Valley.
Five days later, on the 9th, Intel reported new information on Red Hat, Microsoft Windows, and Google’s Retpoline solution. While I would have liked the Microsoft Windows messaging to have been more consistent between Microsoft and Intel, a day later, based on that feedback, Intel provided a tremendous amount of very specific Windows client computing performance data. Eight days later, on the 17th, Intel provided benchmarks for its datacenter products. While I believe it would have been better if more benchmarks had been shown, benchmarking servers is monumentally more difficult and time-consuming than benchmarking client systems.
The next few Intel security disclosures were about updates to the firmware updates, the root cause of the reboot issue, the reboot fixes, and updates on the Skylake patches. While it would have been optimal for Intel not to have had reboot issues at all, processor companies and OEMs normally test firmware updates for months in a wide-area test. I was shocked there weren’t more issues seen with the firmware, and I give Intel a lot of credit for the lack of issues. Those updates needed to work not only on Intel development systems but across hundreds if not thousands of system makers on tens of thousands of different platforms. Once you crack open firmware, it’s very easy to break something while trying to fix something else.
It is lazy to attack Intel over Spectre and Meltdown. Sure, everything wasn’t perfect, but when you consider that the exploit targeted an architectural feature instituted 20 years ago and that the issue spanned Arm, Advanced Micro Devices, and Intel architectures, this exploit was hard to see coming. Also, consider that the industry wasn't talking about the damage an exploit did to a business, as we normally do, nor were we talking about a specific exploit transport: we were talking about an architectural exploit with no known transport and no known damage done to any business or consumer.
I believe that, based on how transparent and collaborative Intel was, the company deserves kudos, not scorn, for how it handled everything. Intel very easily could have limited the amount of information or talked only about itself, but it chose to keep providing details that kept the story alive, even when the updates were not all flattering.
Spectre and Meltdown are just the beginning of a new crop of sophisticated, architectural exploits, and we will again need a coordinated, industry-wide approach with very transparent communications. Based on Intel’s “Security First Pledge,” I hope, and expect, to see the company continue to step up and bring everyone together to find a solution. And when this happens again, it should be commended, not criticized.