Side Channel Analysis Security issue ANALYST CONSULTATION JANUARY

Side Channel Analysis Security issue ANALYST CONSULTATION JANUARY 3 2018

Briefing objectives
- Provide information on a new class of security issue & mitigation
- Provide context on how this issue has brought the industry together

Background & summary
- Security researcher notified Intel, AMD, and ARM of a new side-channel analysis exploit
- A method for an attacker to observe contents of privileged memory, circumventing expected privilege levels
- Exploits speculative execution techniques common in modern processors
- NOT unique to any one architecture or processor implementation
- NOT a result of product errata; processors are operating to specification
- Mitigations include updates to system software, firmware and future hardware
- Industry-wide collaboration to facilitate responsible disclosure with mitigation options

What it is, what it is NOT

IS
- A method for an attacker to observe contents of privileged memory, circumventing expected privilege levels
- Malware using this method and running locally could expose sensitive data such as passwords and encryption keys

IS NOT
- A denial of service attack
- A network attack
- A means to inject malicious code or corrupt memory

We have not observed active deployment of this exploit

Our approach to mitigation
- We are taking a comprehensive approach to provide the most secure platforms
- Combination of operating system and firmware updates, developed in collaboration with industry partners, operating system vendors, and OEMs
- Expect mitigation will be available to users beginning over the next few days and continuing over several weeks

Security issue variants

Bounds Check Bypass
- Description: Use existing code with access to secrets by making it speculatively execute memory operations
- Mitigation options: OS & VMM updates

Branch Target Injection
- Description: Malicious code usurps properties of CPU branch prediction features to speculatively run code
- Mitigation options: OS & VMM updates; firmware updates

Rogue Data Load
- Description: Access memory controlled by the OS while running a malicious application
- Mitigation options: OS updates

All variants are locally executed side-channel cache timing attacks
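A defender-side check for the three variants listed above, added here as an example and not part of the Intel briefing: it assumes a Linux host, reads the kernel's status files under /sys/devices/system/cpu/vulnerabilities, and reports which variants still need the updates the slide lists. The mapping from slide names to sysfs file names and all function names are this example's own.

```python
from pathlib import Path

# Linux sysfs directory where the kernel reports per-issue status (assumption:
# a Linux host; the slides do not name an operating system).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Slide variant name -> (Linux sysfs file name, mitigation options from the slide)
VARIANTS = {
    "Bounds Check Bypass": ("spectre_v1", "OS & VMM updates"),
    "Branch Target Injection": ("spectre_v2", "OS & VMM updates, firmware updates"),
    "Rogue Data Load": ("meltdown", "OS updates"),
}


def classify(raw):
    """Map the kernel's status string to one of four states."""
    if raw is None:
        return "unknown"  # file missing: this kernel does not report the issue
    text = raw.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(sysfs_dir=SYSFS_DIR):
    """Return {variant: (state, raw status, slide mitigation options)}."""
    report = {}
    for variant, (fname, options) in VARIANTS.items():
        try:
            raw = (Path(sysfs_dir) / fname).read_text()
        except OSError:
            raw = None
        report[variant] = (classify(raw), (raw or "").strip(), options)
    return report


def needs_action(report):
    """Variants reported vulnerable, or not reported at all (treated as unpatched)."""
    return sorted(v for v, (state, _, _) in report.items()
                  if state in ("vulnerable", "unknown"))


if __name__ == "__main__":
    result = audit()
    for variant, (state, raw, options) in result.items():
        print(f"{variant:24} {state:13} {raw or '(not reported)'}")
    for variant in needs_action(result):
        print(f"ACTION: {variant}: apply {result[variant][2]}")
```
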

Q & A

Risk Factors

This presentation occurs during Intel's Quiet Period, before Intel announces its financial and operating results for the fourth quarter of 2017. Therefore, presenters will not be addressing fourth quarter results during this presentation. Statements in this presentation that refer to forecasts, future plans and expectations are forward-looking statements that involve a number of risks and uncertainties. Words such as "anticipates," "expects," "intends," "goals," "plans," "believes," "seeks," "estimates," "continues," "may," "will," "would," "should," "could," and variations of such words and similar expressions are intended to identify such forward-looking statements. Statements that refer to or are based on projections, uncertain events or assumptions also identify forward-looking statements. Such statements are based on management's current expectations and involve many risks and uncertainties that could cause actual results to differ materially from those expressed or implied in these forward-looking statements. Important factors that could cause actual results to differ materially from the company's expectations are set forth in Intel's earnings release dated October 26, 2017, which is included as an exhibit to Intel's Form 8-K furnished to the SEC on such date. Additional information regarding these and other factors that could affect Intel's results is included in Intel's SEC filings, including the company's most recent reports on Forms 10-K and 10-Q. Copies of Intel's Form 10-K, 10-Q and 8-K reports may be obtained by visiting our Investor Relations website at www.intc.com or the SEC's website at www.sec.gov.