Ongoing Product Security Assurance
Customer Spotlight: Dell Technologies
Lisa Bradley, PhD, Sr. Director, Product & Application Security, Dell Technologies
PSIRT
Intel PSIRT Mission: Minimizing Impact Through Vulnerability Mitigation and Disclosure
The Intel Product Security Incident Response Team (PSIRT) works to minimize customer impact through the mitigation and public disclosure of security vulnerabilities. Intel PSIRT supports and governs the policies, processes, and guidelines for addressing security vulnerabilities that may affect Intel shipped and supported products.
Intel PSIRT
Intel’s PSIRT helped define, and continues to model, industry-accepted methods for supporting product engineering in the identification, management, and disclosure of security vulnerabilities that may affect shipped and supported products. PSIRT is the central point for managing Intel’s response to product security vulnerabilities, including:
- Setting policy, process, and tooling to ensure consistent handling, disposition, and disclosure of product security vulnerabilities.
- Advising Intel businesses and engineering on product security vulnerability handling.
- Maintaining relationships with partner, customer, and government agency PSIRTs and with vulnerability handling organizations.
- Creating and actively participating in industry groups and standards to help influence the creation of best practices and standards.
Intel’s PSIRT holds deep industry expertise, with team members averaging 18 years of experience.
Intel Bug Bounty Program
Intel’s PSIRT manages the Intel Bug Bounty program. This program provides recognition to encourage external researchers to report security vulnerabilities on Intel products and collaborate on disclosure. Intel has worked with more than 250 external researchers through the Bug Bounty program since its inception.
Intel’s Bug Bounty includes both a continuous, public Vulnerability Disclosure Program and the Project Circuit Breaker program. The latter is a series of targeted events such as “Show and Tell” videos, live hacking, Capture the Flag, and immersive training to build proactive, positive engagement with the security research community.
Intel PSIRT Process
Intel PSIRT defines comprehensive and repeatable processes for addressing issues within the company. For example, potential security vulnerabilities are prioritized based on severity and impact and handled in three phases: Identify, Mitigate, and Disclose.
Coordinated Vulnerability Disclosure
Intel is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity, and mitigation. Intel PSIRT policies, processes, and guidelines are designed to support and encourage the principles and practices of Coordinated Vulnerability Disclosure.
Intel PSIRT: Industry Participation
Intel PSIRT is a member of FIRST (first.org) and participates in many industry special interest groups (SIGs) and working groups (WGs).
Intel's Josh Dembling on the role of PSIRT
Intel Platform Update
Intel's Zimo Ma and Carl Schmidt discuss the Intel Platform Update
Driving a Predictable Cadence of Product Updates
As part of our drive to deliver robust product and security assurance, we regularly release functional and security updates for supported products and services. Due to the highly integrated nature of hardware, firmware, and software, product updates often require additional validation and integration from Intel’s ecosystem of partners participating in the coordinated vulnerability handling process.
Ecosystem partners include operating system vendors, cloud service providers, independent firmware vendors, original equipment manufacturers, and systems integrators, who release validated updates through their own channels to their customers. The Intel Platform Update process coordinates this ecosystem vulnerability handling, leading to the release of validated updates.
Bug Bounty Program
The community of security researchers from around the world continues to contribute to improving the security of technology. Collaboration on security research yields improved identification and mitigation of potential vulnerabilities, and coordinated vulnerability disclosure allows all parties time to develop and deploy mitigations. We value these contributions and aim to reward researchers through our Bug Bounty program.
2022 Top Ten Researchers by Payout
edward, nbit, max_wang, HackingThings, Zwink, Falconcorruption, mmg, malcolmst, sheikhrishad, mohammed
Intel’s Katie Noble and Chris Holt on Intel Bug Bounty programs
Bug Bounty Submissions by Product Category and Severity
While software continues to be the primary category for Bug Bounty submissions, as we have implemented new bounty programs such as Project Circuit Breaker, we are beginning to see more external research at the firmware level, which is one of the goals of the program.
Bug Bounty Total Payout by Year
Since our public Bug Bounty program started in 2017, Intel has paid out $4,115,251 in bounties.
Unique Researchers Engaged by Year
Programs like Project Circuit Breaker (launched in 2022) are designed to engage researchers at an engineering level and draw more researchers down to the hardware layer.
Project Circuit Breaker
For the first time, security researchers can work directly with Intel’s product and security teams through live hacking events that may include bounty multipliers. Capture the flag contests and other training will help prepare researchers for challenges, which may include access to beta software and/or hardware and other unique opportunities.
Meet the researchers where they are!
Security Researcher, Seperdad, on participating in the Project Circuit Breaker Trusted Crossings event.
Technical Guidance from Intel
Microarchitectural security is a priority for Intel. Intel is committed to supporting the software development ecosystem through the following:
- Transparency: We do our best to inform customers of microarchitectural issues affecting our products.
- Software guidance: We help software partners make informed decisions and update software as needed to mitigate relevant issues – balancing concerns about software complexity and performance considerations.
- Hardware: Where feasible, mitigations are supported by hardware, and speculation features can be limited or disabled.
- Research and education: We invest in fostering academic research and educating customers about microarchitectural security.
Intel’s commitment to transparency involves documenting the architectural and microarchitectural origins of security issues, and then developing, describing, and deploying mitigations in software and/or hardware for affected processors. This transparency allows researchers, industry experts, developers, and customers to understand the root cause, whether and how the issue affects their computing environment, and what actions they need to take to address it. Researchers may use this information to focus their work better and build upon Intel’s mitigations. Customers also use our documentation to understand the potential tradeoffs and implications of mitigations on their environments and workloads.
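The question a customer asks after reading such documentation is "is my environment affected, and is a mitigation actually active?" On Linux the kernel answers this per issue through the sysfs directory `/sys/devices/system/cpu/vulnerabilities/`, where each file holds a one-line status beginning with `Not affected`, `Vulnerable` or `Mitigation:`. The script below is an added example, not code from the Intel report; it reads that directory when present and otherwise falls back to a constructed sample directory (the sample statuses are made up for illustration) so it can run anywhere.

```shell
#!/bin/sh
# Added example (not Intel's code): summarize the Linux kernel's per-issue
# microarchitectural vulnerability status from sysfs.
# Each file under /sys/devices/system/cpu/vulnerabilities/ holds one line:
#   "Not affected", "Vulnerable[: detail]" or "Mitigation: <detail>".

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "name<TAB>status" for every regular file in the given directory.
list_vuln_status() {
  dir="$1"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    printf '%s\t%s\n' "$(basename "$f")" "$(cat "$f")"
  done
}

# Count entries whose status starts with "Vulnerable", i.e. issues the kernel
# knows the CPU is exposed to but for which no mitigation is in effect.
count_unmitigated() {
  list_vuln_status "$1" | awk -F'\t' '$2 ~ /^Vulnerable/ { n++ } END { print n + 0 }'
}

# Constructed sample directory standing in for sysfs so the script runs offline.
# The file names match real kernel entries; the statuses are invented for the demo.
make_sample_dir() {
  d=$(mktemp -d)
  printf 'Not affected\n' > "$d/meltdown"
  printf 'Mitigation: Clear CPU buffers; SMT vulnerable\n' > "$d/mds"
  printf 'Vulnerable\n' > "$d/retbleed"
  printf 'Vulnerable: No microcode\n' > "$d/tsx_async_abort"
  printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
  echo "$d"
}

if [ -d "$VULN_DIR" ]; then
  list_vuln_status "$VULN_DIR"
  echo "unmitigated: $(count_unmitigated "$VULN_DIR")"
else
  sample=$(make_sample_dir)
  list_vuln_status "$sample"
  echo "unmitigated: $(count_unmitigated "$sample")"
fi
```

A non-zero `unmitigated` count is the starting point for action: it usually means a missing microcode update, a kernel boot parameter that disabled a mitigation, or a CPU for which the vendor has not shipped a fix, and the detail after the status keyword says which.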
In 2022, Intel published 16 technical papers related to side-channel issues.
Paper Category | Title
---|---
Technical guidance for Intel Security Advisories | Stale Data Read from Legacy xAPIC
Software Security Guidance | CPUID Enumeration and Architecture MSRs
Software Security Guidance | Frequency Throttling Side Channel Methods
Software Security Guidance | Refined Speculative Execution Terminology
Software Security Guidance | Securing Workloads Against Side Channel Methods
Hardware Features and Controls | Data Operand Independent Timing Guidance
Hardware Features and Controls | Fast Store Forwarding Predictor
Hardware Features and Controls | Data Dependent Prefetcher
Hardware Features and Controls | You Cannot Always Win the Race: Analyzing the LFENCE/JMP Mitigation for Branch Target
Hardware Features and Controls | Intel Research on Disclosure Gadgets at Indirect Branch Targets in the Linux Kernel
Annie Leong, Security Program Manager
Long-Term Retention Lab
Intel recognized a need to preserve platforms and their design collateral and to create a system for teams to track and identify what is being kept in various locations. By storing products along with information about their configurations, Intel scaled its engineers’ ability to analyze security and functional issues on supported products more efficiently, while better enabling proactive research for the continuous improvement of products.
When the lab started, the main goal was to create a centralized location for storing hardware; this later expanded to retaining thousands of live platforms along with design, software, and documentation collateral. These systems are available to Intel engineers around the globe 24x7 and can be made ready for testing in a matter of minutes.
Intel's Vivek Tiwari and Fawn Taylor about the implementation and operation of the Long-Term Retention Lab.
Over 5,500 boards covering 100 platform families
35,000 silicon items in inventory for product support
Oldest product: Bloomfield
Newest platforms: Catlow
2023 Intel Product Security Report
Now in its fifth year, the report reflects our ongoing industry leadership in product security assurance investments. This year, the report examines how those investments stack up competitively, and the numbers are telling.
AMD had over 3.5x as many vulnerabilities in its Chain of Trust/Secure Boot components and features as Intel. Read the report to learn more.