痛定思痛，下一代英特尔芯片将从硬件层面堵死“幽灵”漏洞

罗纳克·辛格尔是芯片制造商英特尔公司的一名高管，他在英特尔已经干了20多年。几周前，他和同事们相聚在以色列的海法，在地中海边他最喜欢的海伦娜餐厅定了位子，打算在这家高档餐厅里庆祝自己升职。但是还没开席，他就接到了公司的软件合伙人打来的电话，让他解释英特尔针对“幽灵”和“熔断”两大漏洞开发的补丁到底出了什么问题。

辛格尔负责英特尔所有处理器架构的研发工作。当天晚上的问题出在补丁上。全世界有数以亿计的电脑使用英特尔的CPU，但英特尔针对“幽灵”漏洞开发的一个补丁却导致了部分电脑出现死机和重启。虽然受影响的电脑只占市场的一小部分，但却足以引起PC生产商的恐慌，微软也只得紧急召回了这个补丁。（Linux的发明者林纳斯·托瓦兹基至称英特尔开发的这个补丁是“纯粹的垃圾”。）

辛格尔解释道，由于英特尔在该补丁中使用了一些以前从没用过的技术，因而“或许有补丁未按预期方式运行的情况”。他花了一个多小时才平息了这位合伙人的怒气，辛格尔的同事见他迟迟未到，只得先行开席。辛格尔回忆道：“他们还以为我迷路了，或者是被绑架了。”直到快散席，他才匆匆赶到，吃了一碟海伦娜餐厅最著名的炸鱿鱼。

这次补丁事件堪称计算机史上最严重的安全事故之一。几周后，英特尔发布了修正补丁，才算修复了这个问题。不久前，英特尔公司宣布，它的修正补丁已经覆盖了过去五年它所生产的所有芯片。

辛格尔表示，下一步，针对相关漏洞的修正程序将直接嵌入到芯片硬件中。今年下半年即将推出的第8代酷睿处理器以及即将于四季度推出的代号“Cascade Lake”的新一代至强服务器芯片都将采取这种全新设计。直接在硬件上写入保护程序，能有效避免软件补丁对性能的影响。

英特尔公司CEO布莱恩·科再奇对《财富》表示：“我们已经攻克了第一层的软件修正问题。我们已经把五年内生产的所有芯片的问题都解决了，现在我们正在部署硬件修正，它将直接嵌入在我们的芯片硬件上。”

“幽灵”和“熔断”漏洞的变体

过去几十年间，包括英特尔在内的几乎所有芯片生产商都存在这两个严重的安全漏洞，然而这个问题直到去年夏天才露出端倪。去年6月，谷歌的一支系统安全研究团队报称，英特尔芯片的一个关键部分在设计上存在重大安全隐患。

现在的芯片通常拥有相当程度的空闲处理能力，因此当系统监测到一个程序出现问题时，它可以根据当前掌握的信息预测某个条件判断的结果，然后选择对应的分支提前执行。这种执行方法又叫“预测执行”，是一种能够有效提升性能的策略。

然而谷歌的研究人员以及学术界的多支团队已经发现了几种利用预测执行机制，欺骗芯片使其暴露密码和加密密钥等重要信息的方法。研究人员将该漏洞的两种变体命名为“幽灵”（灵感来自与“007”作对的神秘组织“幽灵党”），将第三种变体命名为“熔断”，因为它能有效熔断安全屏障。该漏洞对于云服务器的威胁尤其严重，因为多个客户的程序往往会在同一块芯片上运行。其次是网页游览器，因为它可能会在不知情的情况下执行来自网站的代码。

到去年的7月初，英特尔等芯片制造商已经意识到这个问题的影响范畴之大，并组成了专门团队制定解决方案。辛格尔每天早上都会主持电话会议，有时会议一开就是两个小时，以协调俄勒冈、加州、德州和以色列等地的技术部门拿出方案。来自几个不同时区的员工同时扑在这个项目上，可以说他们是在24小时马不停蹄地解决问题。

最终，英特尔的方案是先采取软件修正，然后在以后的芯片设计中嵌入保护措施。软件补丁的代价是对CPU的性能有影响，影响的程度则有轻有重，具体要看使用的是哪个型号的芯片，以及芯片上运行的是什么程序。经过在一台搭载了Kaby Lake酪睿i7处理器的电脑上实测，大多数应用程序的减速在10%以内，在现实生活中的使用场景中几乎不会被察觉。不过微软公司也警告道，运行Windows 7、Windows 8系统或搭载五年前生产的英特尔Haswell第四代处理器的电脑可能受影响较大。

英特尔的最新安全举措

补丁风波告一段落后，英特尔CEIO科再奇成立了一个名叫英特尔产品保障与安全部（IPAS）的新部门。该部门不仅致力于修复“幽灵”和“熔断”漏洞，同时也致力于更有效地解决未来有可能出现的各种安全问题。IPAS的负责人是早在1979年便已加盟英特尔的老将莱斯利·卡伯特森。

“这是一个全新的研究领域，同时也是一个全新的安全知识领域，需要英特尔的长期投资。”卡伯特森表示，IPAS的重点是发现未来有可能出现的漏洞，同时也要考虑如何让芯片总体上更加安全。“我们将在这一领域持续进步——这就是这支团队将要思考的事情。”

辛格尔表示：“我们知道，故事到这里还没结束。对于我们中的很多人来说，这将是一场持久战。”

1月初关于“幽灵”和“熔断”漏洞的消息首次泄露时，由于投资者担心英特尔的芯片销量被拖缓，英特尔的股价因此遭到了不小的打击。不过最近有些分析师表示，随着英特尔的新一代芯片将采取嵌入式保护程序，一些希望升级到更安全的硬件的企业或将纷纷采购新一代英特尔芯片，从而刺激该公司的销量更快增长。年初至今，英特尔的股价已经上涨了12%，大幅超过了标普500指数3%的涨幅。

科再奇对各种积极和消极的推测都不太在意，他表示：“一开始我们就说过，我们认为它的影响是可以忽略的，哪怕是从积极的方面。分析师界应该意识到，我们其实一直在做安全性和性能方面的改进，并且不断添加新功能以促进更新周期。”（财富中文网）

（更新：本文3月15日有更新，澄清了英特尔的硬件修正对性能的影响是“重大”的。）

译者：朴成奎

Ronak Singhal, a senior executive and 20-year veteran of chipmaker Intel, was trying to get to dinner at Helena, his favorite restaurant in Israel, a few weeks ago. But before he could join colleagues celebrating a promotion at the high-end eatery poised on the shores of the Mediterranean Sea south of Haifa, he had to explain to one of the company’s software partners what was going on with Intel’s patches for the notorious Spectre and Meltdown security problems.

The problem that night for Singhal, who oversees the development of the architecture for all of Intel’s processors, was that something was wrong with the patches. Among all the millions and millions of computers in use around the world running Intel CPUs, one of the patches for Spectre was causing some computers to freeze up or spontaneously reboot. Though only affecting a tiny proportion of the market, the problems were widespread enough to spook PC makers and prompt a temporary recall of the updated software. (And even stirred Linux creator Linus Torvalds to publicly proclaim Intel’s work was “pure garbage.”)

Relying on some techniques that Intel had never used previously in its software, “there were cases where the patches didn’t work as intended,” Singhal explained. It took more than an hour to assuage the contractor—Singhal’s co-workers started eating without him. “They thought I’d gotten lost or kidnapped or something,” he jokes recalling the incident. He did get to join the party and eat a dish of Helena’s famed calamari.

A few weeks later, Intel issued corrected patches and the fixes for one of the most serious security incidents in computing history have gone smoothly since then. On Thursday, Intel declared that it had fully deployed patches covering all of the chips it had made in the past five years.

Up next for Singhal are fixes that will be embedded directly in the silicon of upcoming products. The revamped chip designs will be ready for 8th generation Core processors released in the second half of the year and a line of Xeon server chips expected in the fourth quarter known by the code name “Cascade Lake.” Building the protections into the hardware eliminates a significant amount of the impact on performance seen with the software patches, Singhal says.

“We’ve made it through the first set of software mitigations,” Intel CEO Brian Krzanich tells Fortune. “We’ve got everything five years and newer completed and we’re now starting to implement hardware mitigations where it’s actually built into our silicon.”

Spectre and Meltdown Variants 1, 2, and 3

The whole mess that revealed such serious security vulnerabilities in nearly every chip made for the past few decades, by Intel and its competitors, started small last summer. Researchers at a special security vulnerability search team at Google reported to Intel’s security section in June that they’d uncovered a problem with a key part of CPU design.

Modern chips typically have so much idle processing power that it makes sense for programs to calculate several options to solve a problem even before earlier steps in the program have completed. Known as speculative execution, the performance enhancing strategy then throws out the answers that don’t match the results of the earlier steps.

But the Google researchers, followed by several teams in academia, had found ways to trick chips into revealing data like passwords and encryption keys as the secrets were used in the speculative execution calculations. The researchers dubbed two variants of the trick Spectre, after the fictitious evil organization that pursues James Bond, and a third variant was called Meltdown because it effectively melted security barriers. The danger was especially acute for cloud servers, where programs from multiple customers would be running on the same chip, and in web browsers, which can execute code from a web site unknowingly.

By early July, Intel and other chipmakers had realized the vast scope of the problem and convened groups to craft solutions. Singhal held a daily morning conference call, sometimes lasting for two hours, to coordinate Intel’s response across offices in Oregon, California, Texas, and Israel. With people in different time zones working on the problem, the effort could operate around the clock.

All along, the plan was to issue software fixes first and then build the protections into future chip designs. The software patches had a cost in reducing the performance of the affected CPUs. The hit varied widely depending on the type of Intel chip involved and the programs being run. One test on a PC with a Kaby Lake Core i7 processor found most apps slowed less than 10%, which would be barely noticeable in real life usage. But Microsoft warned that PCs running its older Windows 7 or 8 and Intel’s five-year-old Haswell processors would take a big hit.

Intel’s New Security Effort

As a result of the experience, Intel CEO Krzanich set up a new group, dubbed the IPAS or Intel Product Assurance and Security, to not only work on the Spectre and Meltdown fixes but to address future security problems more effectively. Longtime Intel executive Leslie Culbertson, who joined the company in 1979, heads the IPAS group.

“This was going to be a whole new area of research and a whole new area of security understanding that required a long-term investment by Intel,” Krzanich says. The focus will be on uncovering future vulnerabilities, but also thinking about how to make its chips more secure in general. “You’re going to see a constant progression–that’s what this team will be thinking about.”

“We know this isn’t the end of the story,” Singhal adds. “This is going to be an ongoing activity probably for many of us.”

When news of Spectre and Meltdown first leaked out in early January, Intel’s stock took a hit, as investors feared the security problems might slow chip sales. More recently, some analysts have argued that Intel’s new chips with built-in protection might spur more rapid sales from companies wanting to upgrade to safer hardware. Intel’s shares are up 12% so far this year, outpacing the 3% gain in the S&P 500 Index.

Krzanich is dismissive of both the positive and negative scenarios. “We’ve said since the beginning of this that we think the impact will be negligible, even on the positive side,” the CEO says. “The analyst community needs to realize that we’re constantly doing these kinds of improvements—improvements in security, improvements in performance, and adding new features to drive refresh cycles.”

(Update: This story was updated on March 15 to clarify that the impact on performance from Intel’s hardware fixes would be “a significant amount.”)