Intel, AMD, Google Respond To US Government Meltdown/Spectre Inquiry

In a response to a U.S. government inquiry on the Meltdown/Spectre incident, Intel and other companies agreed that embargoing the disclosure of the vulnerabilities was the correct choice.

The Meltdown/Spectre incident brought the tech industry’s disclosure process for security issues to the public’s attention. As we reported before, the vulnerabilities were discovered by Google’s Project Zero research team. A multi-company initiative to fix them began in June 2017. To ensure there was enough time to develop fixes, the companies agreed to a non-disclosure policy that set the official reveal of the vulnerabilities on January 9. However, the story was leaked earlier, which ultimately forced the reveal to occur on January 3.

The U.S. government was not among those with advance knowledge of the vulnerabilities; it learned of them when the public did. Congress began an inquiry into the incident and sent letters to companies such as Intel, Amazon, Apple, Google, Microsoft, AMD, and Arm. The letter is published here and contains nine questions. The ones of particular interest are why the companies chose to embargo information about the vulnerabilities and whether the companies analyzed the risk of the vulnerabilities to U.S. infrastructure or the risk of delaying disclosure.

The response letters from the companies have been published, and they give an interesting view into the lead-up to the Meltdown/Spectre incident. They make it clear that Google began the initiative by disclosing the vulnerabilities to the other companies, all of which agreed to Google's standard disclosure policy, which provides a 90-day window for fixes to be developed before Google makes a public disclosure. Due to the extent of the problem, the companies and Google agreed to extend the period to reach the originally intended disclosure date of January 9.

The focus will of course be on Intel’s letter. The company said it believes it acted correctly by maintaining, and later extending, the embargo. Its reasoning was that limited disclosure would allow for fixes to be developed, while public disclosure would only have increased the speed with which attackers could develop exploits, potentially outpacing the companies as they scrambled to patch the vulnerabilities.

Intel also didn’t believe that Meltdown/Spectre was a risk to the U.S. infrastructure. The company said there was no evidence that the vulnerabilities had been exploited and that any exploit code would have to be run locally. Because Intel understood that most U.S. infrastructure uses embedded systems that run embedded code, have no access to the internet, and cannot run multiple programs simultaneously, it did not see Meltdown/Spectre as a threat in that area.

Intel did not say why it chose not to disclose the vulnerabilities to the U.S. government, but it did admit to disclosing the issues to some partners. In late January, rumors circulated that Intel had discussed the vulnerabilities during the embargo with Chinese firms that are closely connected to the Chinese government, but Intel did not name any specific firms in its letter.

The response from Google is also interesting. The company sees its real responsibility as that of a neutral player that finds vulnerabilities and notifies the affected companies of them. The 90-day window is a policy that other companies can choose whether or not to follow. The decision on whether or not to disclose to the U.S. government, or to any other parties, is left to them. Google is straightforward in its response: it does not analyze the risk posed by vulnerabilities in others' products. This response differs somewhat from those of the other software companies, which effectively point fingers at the chipmakers.

AMD's and Arm’s responses are predictable. AMD agreed to Google’s deadlines and did not disclose the vulnerabilities to any parties. Its letter makes few references to the Spectre vulnerabilities, which AMD has admitted it is vulnerable to. Arm points out that its business model includes direct IP licensing and architecture IP licensing, but not chipmaking. Hence, the company has partial responsibility for chips that license its designs, but it has no ability to fix them. Arm said it worked with its customers on the issue.

Clearly, Intel continues to be the center of attention in the ongoing Meltdown/Spectre issue. Why it chose not to disclose to the U.S. government is open to question. Perhaps the company thought it was pointless to do so without having a fix in place. It is easy to place blame on Intel, but let's not forget that AMD and Arm CPUs are both partially involved in this incident too, and neither of those companies chose to disclose the vulnerabilities either.

  • Snipergod87
    Why would they need to disclose it to them? It is not like there were fixes in place yet. Maybe the NSA wanted to exploit them?
  • Brian_R170
    Exactly SniperGod87
  • Kennyy Evony
    Because the USA wants to control the world. It's very greedy, and they think everything, no matter what it is or whether it is located even in another galaxy, the USA has the right to put its name on it.
  • derekullo
    20736335 said:
    Because the USA wants to control the world. It's very greedy, and they think everything, no matter what it is or whether it is located even in another galaxy, the USA has the right to put its name on it.

    It's not like they traveled to another celestial object and placed a US flag on its surface .... Oh wait, nvm.

    To be fair, the people who actually name stars, the International Astronomical Union, are based in France.

    Although a name like J05552+0724AP hardly sounds French or American.

    https://www.google.com/search?q=J05552%2B0724AP

    And yes I do see the irony in the first letter being J and the last 2 being AP ...

  • anthonywadie
    My thoughts exactly!
  • USAFRet
    Intel did not say why it chose not to disclose the vulnerabilities to the U.S. government, but it did admit to disclosing the issues to some partners. In late January, rumors circulated that Intel had discussed the vulnerabilities during the embargo with Chinese firms that are closely connected to the Chinese government, but Intel did not name any specific firms in its letter.

    This is the problem.
    They disclosed to some 'partners', and the Chinese govt., but not the US or any other govt.

    If you're going to tell 'some', other entities WILL be pissed off.
  • hannibal
    It was a good choice!
    The attackers got their exploitation tools ready very quickly after some madman leaked the information.
    If there had not been a leak, there would have been more time to make the patch right in the first place!
    After this incident I would avoid giving any information to any Linux developers, because they seem to leak everything out without caring about the consequences... And that is a pity! Because most Linux programmers are pros and very reliable, but there are some not so wise among them...
  • redgarl
    AMD at that time was thinking they were almost immune. Why would they issue a statement if they thought their architecture had almost zero risk?

    Ohhh, that's right, because on TH AMD is evil... I get it now.
  • rroot
    Enough time has been wasted on this alleged Google-discovered CPU "bug" crap. These are not necessarily bugs. They are business and home users' decisions that can be explained, and both CPU and Operating System design should be allowed to go separate ways, with most likely more expensive CPUs and Operating Systems for users that depend on things like unprivileged users for security, and not slowing down progress for environments that do not depend on unprivileged users in implementing security.

    Again, it is not necessarily a bug for a kernel process to share memory space with a user process. Both CPUs and Operating Systems can change, and will be slower, to accommodate the need to not have that happen, but that is not something that those organizations and home users that do not need to depend on unprivileged-user-type security as anything but a convenience should have forced upon us, slowing down our computers and costing us more money.
  • rroot
    Enough time has been wasted on this alleged Google-discovered CPU "bug" crap. These are not necessarily bugs. They are business and home users' decisions that can be explained, and both CPU and Operating System design should be allowed to go separate ways, with most likely more expensive CPUs and Operating Systems for users that depend on things like unprivileged users for security, and not slowing down progress for environments that do not depend on unprivileged users in implementing security.

    Again, it is not necessarily a bug for a kernel process to share memory space with a user process. Both CPUs and Operating Systems can change, and will be slower, to accommodate the need to not have that happen, but that is not something that those organizations and home users that do not need to depend on unprivileged-user-type security as anything but a convenience should have forced upon them.

    Google has had enough publicity over this. They are simply wrong. These were not and are not necessarily bugs. AMD and Intel and most other CPU manufacturers, unless they clearly told people to depend on unprivileged methods for security in operating systems and hypervisors, etc., are simply not at fault.