No, Intel can’t eliminate zero-day threats

A prominent security analyst has expressed skepticism over recent reports suggesting that technology developed by Intel will eliminate zero-day threats once and for all. 

“[Yes], you’d [certainly] be forgiven for thinking that we’re at the ‘Beginning of the End’ of vulnerabilities and exploits,” Sophos security analyst Paul Ducklin wrote in a recent blog post.

“[Of course], one might also think that all pigs are fueled and cleared for take-off.”

According to Ducklin, the concept of applying in-chip solutions to security problems is hardly new.

To be sure, Intel’s own 80286 processor was the corporation’s first mass-produced desktop PC chip which provided strong memory protection.

“Back in 1982, the 80286 supported byte-granularity memory management based on segments, descriptor tables and selectors. In 1985, the 80386 brought memory paging as well as the selector system, making both page-granularity – usually 4KByte – and byte-granularity memory overruns automatically detectable and preventable,” he explained.

“By 2004, Intel had followed AMD’s lead and added a no-execute bit (called XD, for Execute Disable, in Intel’s terminology) to its paging system so that memory pages – but not individual bytes – could be marked as ‘data only,’ preventing memory overruns from executing untrusted code injected into data buffers.”

Ducklin emphasized that while the above-mentioned initiatives helped OS vendors to significantly improve security, they did not “perfect” it.

“So is it likely that Intel will be able to do what has eluded it so far, and to eliminate zero-day exploits entirely through hardware? No.

 I’m sure Intel’s recently-promoted innovation is going to give one more headache – hopefully a very serious headache – to the Bad Guys. 

“But stories about eliminating attacks altogether just sound too good to be true, especially when they are shrouded in such secrecy – as in this case – that no details are revealed of how they might work.”