If the reports are accurate, it appears that Intel might have a pretty severe chip-level security bug on its hands that cannot be simply swatted away with a microcode update. The bug affects all modern Intel processors dating back at least a decade.
We should note that squashing the bug requires a patch at the OS level. Linux patches have already been distributed (with redacted comments), and Microsoft is expected to address the bug in its monthly Patch Tuesday update. The circumstances surrounding the exploit are currently under embargo, but some details are starting to make their way to the public spotlight, thanks to reporting over at Python Sweetness and The Register.
In a nutshell, the bug allows everyday programs to “illegally” access certain contents in protected kernel memory. The “fix”, so to speak, is to implement Kernel Page Table Isolation (PTI), which, for all intents and purposes, makes the kernel invisible to running processes. In a perfect world, such training wheels shouldn’t be needed to isolate the kernel, but software patches that are nearing release for Windows, Linux and macOS systems will address the exploit head-on.
There’s one big problem, however. Fixing this vulnerability in software also comes with a big hit on performance. Additional overhead is introduced to maintain a barrier between memory address spaces, which can result in a performance handicap of 30 percent or more. However, recent Intel processors with PCID (Process-Context Identifiers) enabled could have the performance impact lessened somewhat.
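As an added illustration (not code from the original article), here is a small Python check of the two things the paragraphs above hinge on: whether the running Linux kernel reports page-table isolation as active, and whether the CPU advertises PCID/INVPCID so the kernel can soften the cost. It assumes a kernel that exposes the `pti` cpuinfo flag and the `/sys/devices/system/cpu/vulnerabilities/meltdown` file, both introduced with the KPTI work; the sample cpuinfo text is constructed.

```python
"""Report KPTI / PCID state from /proc/cpuinfo and the sysfs meltdown entry."""
from pathlib import Path
from typing import Optional

CPUINFO = Path("/proc/cpuinfo")
# Exported by kernels carrying the KPTI work (4.15+ and distro backports).
MELTDOWN_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/meltdown")

# Constructed sample: a two-core Intel box whose kernel has KPTI enabled.
SAMPLE_CPUINFO = (
    "vendor_id\t: GenuineIntel\nflags\t\t: fpu sse pcid invpcid pti\n\n"
    "vendor_id\t: GenuineIntel\nflags\t\t: fpu sse pcid invpcid pti\n"
)


def parse_cpuinfo(text: str) -> dict:
    """Collect vendor_id and the union of 'flags' across all cores."""
    info = {"vendor": "unknown", "flags": set()}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "vendor_id":
            info["vendor"] = value.strip()
        elif key.strip() == "flags":
            info["flags"].update(value.split())
    return info


def assess(cpuinfo_text: str, meltdown_status: Optional[str]) -> dict:
    """Summarise isolation state; meltdown_status is None when sysfs lacks it."""
    info = parse_cpuinfo(cpuinfo_text)
    flags = info["flags"]
    result = {
        "vendor": info["vendor"],
        # The kernel adds a synthetic 'pti' flag once page-table isolation is on.
        "kpti_active": "pti" in flags,
        # PCID avoids a full TLB flush on every kernel/user switch; INVPCID
        # makes the remaining selective flushes cheaper still.
        "pcid": "pcid" in flags,
        "invpcid": "invpcid" in flags,
        "meltdown_status": (meltdown_status or "unknown (no sysfs entry)").strip(),
    }
    # Per the article, the bug concerns Intel parts; flag Intel hosts without KPTI.
    result["needs_attention"] = result["vendor"] == "GenuineIntel" and not result["kpti_active"]
    return result


def assess_host() -> dict:
    """Run the assessment against the live host (Linux only)."""
    status = MELTDOWN_SYSFS.read_text() if MELTDOWN_SYSFS.exists() else None
    return assess(CPUINFO.read_text(), status)


if __name__ == "__main__":
    print(assess(SAMPLE_CPUINFO, "Mitigation: PTI\n"))
```

Running `assess_host()` on a real machine prints the same dictionary for the live kernel; an Intel host with `kpti_active` false and no sysfs entry is one that has not yet received the patch.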
The hardware bug is apparently severe enough to make it ripe for exploitation, with some of the biggest targets being companies that use virtualized environments.
“Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November,” wrote the Python Sweetness blog on Monday. “In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine.”
In addition, both Microsoft Azure and Amazon Web Services have apparently scheduled maintenance over the next week, although there is no detailed explanation for the downtime. Rampant speculation suggests that the maintenance could be to put the software fixes in place for this specific Intel CPU hardware bug. In some cases, it appears operating systems will literally need to be overhauled to deal with the issue.
You may have noticed that we haven’t mentioned AMD once in this article up to this point. Well, AMD processors aren’t affected by the bug due to security protections that the company has in place. This also means that AMD processors shouldn’t be affected by any performance hits.
Thomas Lendacky, a member of the Linux OS group at AMD, posted the following over at LKML:
AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.
Further, AMD’s latest EPYC data center server chips and Ryzen Pro enterprise desktop CPUs have Secure Memory Encryption technology on board, for additional protection against just these sorts of threat vectors.
Regardless, given that the patches are currently under embargo and that Intel is understandably staying tight-lipped, it may still be a few days before we are made privy to all pertinent details surrounding the bug and how damaging it will be to existing computing platforms. However, all of this is looking very real at this point. The Linux update detailing its patch has been posted here by Linus Torvalds himself.
Update, 10:02 PM – 1/2/18 – Initial performance results on Linux platforms are beginning to surface now on the web. Early numbers are showing IO-intensive workloads are especially sensitive to the Kernel Page Table Isolation patch.
Linux performance enthusiast site Phoronix has posted some early benchmark numbers, post-patch. Some results are coming in with a 17 – 18 percent degradation overall.
Update, 10:56 PM – 1/2/18 – As it turns out, apparently the Linux patch that is being rolled out is for ALL x86 processors including AMD, and the Linux mainline kernel will treat AMD processors as insecure as well. As a result, AMD CPUs will feel a performance hit as well, though the bug only technically affects Intel CPUs and AMD recommends specifically not to enable the patch for Linux. How Microsoft specifically will address the issue with the Windows operating system remains unclear until the company’s formal Patch Tuesday update is made known, hopefully soon.