
While we were sleeping, Intel snuck more security into its chips

A strange thing happened last week while I paid a visit to Intel's campus in Santa Clara, CA. In the course of trying to ask some thought-provoking questions of two interviewees -- Intel's Abhi Talwalkar and Frank Spindler (podcast is on the way) -- and even trying to corner them on an item or two, it came to light that Intel, with no fanfare or announcements whatsoever, snuck a technology known as eXecute Disable (XD for short) into its chips.
Written by David Berlind
XD is a form of hardware-enforced buffer overflow protection that can stop certain malware dead in its tracks, but it needs an operating system to activate it. Though Linux hasn't suffered from the sort of attacks that Windows has, Red Hat Enterprise Linux can activate it. So too can Windows XP systems that have been updated with Service Pack 2 (SP2). After the feature, referred to by Microsoft as Data Execution Prevention (DEP), was introduced in SP2, I published a blog entry that recommended the cancellation of all non-DEP enabled systems. Given the extra measure of protection it offered, and knowing that Windows offered a way to disable it in the event of any software incompatibilities introduced by it, it made more sense to have the feature than not. Buyers who were already preparing to part with their money had nothing to lose.
But, as it turned out, any recommendation to cancel planned purchases of non-DEP capable chips also meant recommending the cancellation of any planned purchases of Intel-based x86 systems. At the time that Microsoft released SP2, the only microprocessors that came with support for its DEP feature were AMD's chips. My recommendation was to either seek out AMD-based desktops (of which there are very few for businesses) or wait until Intel came out with its support of DEP. At the time, Intel was discussing its DEP support under the name "XD," saying that the first chips to be DEP-ready were due in the Q404/Q105 timeframe. So, after hearing nothing since then, I thought I had Intel's Spindler in a gotcha when I asked him where the promised DEP support was. That's when I got the surprise.
Intel's XD is already out. The company just didn't tell anybody. So, now the hard part for those of you who want to make sure the latest in security technology is in the next system(s) you buy is figuring out which Intel-based systems have the XD technology and which do not. According to Intel spokesperson Bill Kircos, one way to figure out which processors have it and which ones don't is to look for processors with the letter "J" in their name on a recently published processor chart on Intel's Web site. The 600 family of Pentium processors also has it. Said Kircos via e-mail, "We introduced it first in Celeron at the end of September, specifically 9/22. It began shipping in Pentiums in mid October, and Xeons shortly after that....Centrino [support came] in late Q4."
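For readers who would rather ask the processor itself than consult a model-number chart, here is an added example (not from the article, Intel or Microsoft) that reads the XD/NX capability bit that both Intel and AMD report through CPUID leaf 0x80000001 (EDX bit 20), and cross-checks it against the "nx" token that Linux exposes in the flags line of /proc/cpuinfo. The sample flags lines are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 0x80000001, EDX bit 20: "Execute Disable Bit available"
 * (Intel's name for the NX/XD capability). Leaf 0x80000000 reports the
 * highest extended leaf; if it is below 0x80000001 the bit is absent. */
#define XD_LEAF    0x80000001u
#define XD_EDX_BIT 20

/* Decode the XD/NX bit from a raw EDX value returned for leaf 0x80000001. */
int xd_bit_from_edx(uint32_t edx) {
    return (int)((edx >> XD_EDX_BIT) & 1u);
}

/* Query the running processor. Returns 1 = XD present, 0 = absent,
 * -1 = not an x86 build, where the question does not apply. */
int cpu_has_xd(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid(0x80000000u, &eax, &ebx, &ecx, &edx) || eax < XD_LEAF)
        return 0;
    if (!__get_cpuid(XD_LEAF, &eax, &ebx, &ecx, &edx))
        return 0;
    return xd_bit_from_edx(edx);
#else
    return -1;
#endif
}

/* Cross-check against Linux: the kernel publishes the same CPUID bit as
 * the token "nx" in the "flags" line of /proc/cpuinfo. Whole-token match
 * only, so a longer flag that merely starts with "nx" is not mistaken. */
int flags_line_has_nx(const char *flags_line) {
    char buf[4096];
    strncpy(buf, flags_line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    char *colon = strchr(buf, ':');          /* skip the "flags\t\t:" label */
    char *p = colon ? colon + 1 : buf;
    for (char *tok = strtok(p, " \t\n"); tok; tok = strtok(NULL, " \t\n"))
        if (strcmp(tok, "nx") == 0) return 1;
    return 0;
}

int main(void) {
    printf("CPUID XD/NX bit on this machine: %d\n", cpu_has_xd());
    return 0;
}
```

The hardware bit only says the chip can enforce XD; whether the OS actually uses it is a separate setting (on Windows XP SP2 the `/noexecute=` switch in boot.ini, which is the disable path the article alludes to).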
So, did Intel forget to tell us, or did it have other motivations? Well, if Intel had announced that it was rolling out the XD feature in support of Microsoft's DEP and advised the industry that it shouldn't be without the feature, it's pretty clear what that would have done to all non-XD inventory that was still in the channel. In a heartbeat, thousands of chips and systems would need to be fire-saled, and the resulting losses would be in the millions of dollars. Intel would not acknowledge this as a motive. In response to my question about Intel's position on the matter, company spokesperson Bill Kircos offered me the following statement via e-mail:

"Intel was a pioneer in bringing this technology to servers via our Itanium line a few years ago. We are a strong advocate of the extra benefits XD-bit brings to certain types of viruses, and began delivering this late in the third quarter of 2004 and now include it across our Xeon, Pentium, Centrino and Celeron lines. However, we also stand by our initial recommendation that IT managers conduct thorough system testing and validation before deploying systems....There is no doubt XD-bit plays an important role in addressing certain types of viruses. In terms of marketing priorities, innovations such as Hyper-threading and ultimately multicores, greater home audio and video, sleeker and higher performing notebooks and technologies like DDR2 memory, PCI-Express and 64-bits are the key messages we're driving with our customers and developers."

As evidence that the company has engaged in some outbound communications regarding its XD technology, Kircos also provided a link to an Intel/Microsoft-authored Flash presentation that covers some of the more detailed aspects of XD. Intel also sees its forthcoming LaGrande and Vanderpool Technologies (known as LT and VT, respectively), neither of which will ship until the next version of Windows (Longhorn) is released, as the more strategic of the company's hardware-enforced security technologies. For more on that, stay tuned to this blog for my downloadable podcast audio interview with Intel's Spindler (should be up soon).