Intel Core i7's microcode sparks discussion
Computer experts enjoy talking about processor bugs. Newly-introduced products are a welcome opportunity to air stories about the flaws that AMD and Intel euphemistically call "errata". Unlike other microprocessor manufacturers, AMD and Intel publish the details of discovered flaws; AMD writes about them in what is called a Revision Guide, while Intel uses its Specification Updates. Both the Revision Guide for AMD Family 10h Processors and the Specification Update for the Core i7 describe dozens of bugs. The CPU vendors rate some of the bugs as critical enough to fix them with a revised mask set for the next production batch, which results in a new CPU stepping. Other bugs are fixed via microcode updates. These special updates are written to the processor by the mainboard's BIOS during initialisation, or loaded into the processor's respective memory areas via special drivers by operating systems like Windows and Linux. Some bugs are considered extremely rare or only occur in very particular conditions, and are not worth correcting. Yet another type of bug is disclosed particularly to software developers so that they can allow for these bugs and 'program around them' when developing operating systems or applications.
Some CPU bugs are rated as critical by security experts; they could, for example, potentially be exploited to execute malicious code. In mid-2007, OpenBSD and OpenSSH founder Theo de Raadt kicked off a discussion about some particular bugs in Intel Core 2 processors. He criticised Intel for specifying ways in which operating systems are to handle TLB invalidation. This issue involves discarding certain buffers called Translation Lookaside Buffers (TLB) and is pointed out in the Specification Updates for all of Intel's Core 2 processors as well as an application note published by Intel. The vendor also recommends that programmers strictly adhere to the specified TLB invalidation process with Core i7 processors; Volume 3A of the Intel 64 and IA-32 Architectures Software Developer's Manual explains the details of how to handle the cache structures of current Intel processors.
The potential danger of CPU bugs is difficult to assess. More of these bugs appear as the range of processors' features increases. Some of them are, for example, related to the virtualisation features that – together with protected operating modes and with main memory areas protected by memory controllers (AMD: Secure Virtual Machine, SVM; Intel: Trusted Execution Technology, TXT) – are actually designed to provide increased security. However, this is the very area targeted by the Blue Pill attack already demonstrated two years ago; a rootkit has now become freely available. Another potential attack via the System Management Mode included in all current x86 processors has also been described, and Kris Kaspersky of Endeavor Security, who was also present a the most recent Intel developer forum, discussed the potential risks of numerous further CPU bugs at the "Hack in the Box" security conference. However, his presentation – which he has now published – did not include the promised proof of concept. He did say that the chip makers are making an effort to reduce bugs and the number of CPU bugs are falling with each new processor release.