Intel recently published its 2024 Intel Product Security Report, which provides a transparent analysis of the security vulnerabilities Intel disclosed in 2024. This blog post provides background on some of the numbers in the report, focusing on hardware-related issues. Security at Intel is a collective responsibility, involving not just security researchers but the entire company.
Watch the Chips & Salsa video interview with Anders Fogh
In 2024, we addressed 21 CVEs related to hardware, primarily affecting our SoC products. Due to our ongoing investment in proactive product security assurance, all of these issues were identified internally, contributing to an overall increase in hardware findings over 2023. The reasons behind this increase are noteworthy.
One factor has been our investment in formal methods for security, which help demonstrate (using formal-proof methods) that a system complies with prescribed security properties. This pre-silicon approach contributes to the identification of issues before production, reducing the likelihood of escapes. Leveraging existing infrastructure for functional validation, we conduct variant analysis on existing parts when issues are revealed in next-generation products. This analysis of existing parts accounted for a significant number of the hardware CVEs in 2024.
In addition, we take a pre-silicon approach based on taint tracking and architectural hardening of interface definitions. These efforts have largely eliminated stale data issues in our products over the last two years. We build security into fabrics and interfaces to help prevent stale data propagation across boundaries or non-privileged reads, while enhancing the security policies associated with these interfaces. We will cover this in more detail in future blog posts.
Manual security research remains a steady contributor to the CVE count as well, though its role has evolved since the Spectre and Meltdown days. Security research has been deeply integrated into the development process, providing shorter feedback loops for researchers and developers, fostering relationships, and increasing productivity. This integration has also led to more findings by product development teams.
The nature of the hardware bugs described in the 2024 Intel Product Security Report represents a change from previous years. Five years ago, research focused heavily on speculative execution and stale data issues. Our efforts in these areas have yielded results, to the point where we are no longer seeing certain classes of issues in the product development phase. Systematic improvements driven by past learnings and enhanced security validation efforts have facilitated these advancements and are one of the reasons Intel ranks number one¹ for product security assurance in the silicon industry.
Cheers,
Anders Fogh
Intel Fellow, Offensive Security Research
About Anders
Anders Fogh is technical lead for offensive security research at Intel and is an Intel Fellow. He is a renowned expert on microarchitecture and memory security. He has more than 20 years of experience with security and low-level topics, and his work on security has been published at both industry and academic conferences such as Black Hat USA and IEEE S&P. He has twice been recognized by the National Security Agency for excellence in research. Before joining Intel, he was a principal security researcher working on incident response and malware analysis. He spent 15 years of his career going from junior software developer to company founder and lead engineer. Anders holds a master’s degree in economics.
¹ As measured by ABI Research