Intel processor security flaw requires OS kernel level fix

by Mark Tyson on 3 January 2018, 10:31

Tags: Intel (NASDAQ:INTC)


A significant redesign of the Windows, macOS, and Linux kernels is needed to patch an Intel processor security flaw. Modern Intel processors from the past decade are affected by the flaw. Exact details of the flaw are under wraps for now to give OS vendors time to patch; however, it is thought that the code changes will have a significant impact on processor performance. The kernel changes could slow computers by between 5 and 30 per cent, depending upon task and processor model, reports The Register.

According to the source report, the Intel x86-64 hardware flaw is such that affected kit cannot be fixed with a microcode update. "It has to be fixed in software at the OS level, or go buy a new processor without the design blunder," explains The Register. For Windows users, a patch is expected to be delivered on Patch Tuesday next week. Linux users have patches available, but comments in the source code have been redacted so hackers don't gain any insight into the issue.

Nature of the flaw

The flaw "allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the layout or contents of protected kernel memory areas," according to the source. If hackers had a good grasp of this flaw now they would be able to make malware to read the contents of kernel memory which may contain hidden keys, passwords, caches and so on.

To patch this behaviour, the kernel's memory will have to be completely separated from user processes using KPTI, or Kernel Page Table Isolation. The cost of this separation is the time taken to switch between two separate address spaces for every system call and hardware interrupt.
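
One way to check on a Linux host whether the page table isolation described above is active (an added example, not code from the article or from the kernel project). It assumes the interfaces Linux shipped with the fix: the `pti` flag and `cpu_meltdown` bug entry in /proc/cpuinfo, and the sysfs file /sys/devices/system/cpu/vulnerabilities/meltdown. The sample inputs are constructed.

```python
import re
from pathlib import Path

# Kernel interfaces assumed by this example (not named in the article).
SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/meltdown")
CPUINFO = Path("/proc/cpuinfo")

# Constructed sample inputs, not captured from real machines.
SAMPLE_PATCHED = "vendor_id\t: GenuineIntel\nflags\t\t: fpu vme pti\nbugs\t\t: cpu_meltdown\n"
SAMPLE_UNPATCHED = "vendor_id\t: GenuineIntel\nflags\t\t: fpu vme\nbugs\t\t: cpu_meltdown\n"
SAMPLE_NO_BUG = "vendor_id\t: AuthenticAMD\nflags\t\t: fpu vme\nbugs\t\t:\n"


def cpuinfo_field(text, field):
    """Tokens of the first '<field> : ...' line; empty set if absent or blank."""
    m = re.search(rf"^{re.escape(field)}[ \t]*:[ \t]*(.*)$", text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def kpti_status(cpuinfo_text, sysfs_text=None):
    """Return 'not-affected', 'mitigated', 'vulnerable' or 'unknown'."""
    if sysfs_text is not None:
        s = sysfs_text.strip().lower()
        for prefix, verdict in (("not affected", "not-affected"),
                                ("mitigation", "mitigated"),
                                ("vulnerable", "vulnerable")):
            if s.startswith(prefix):
                return verdict
    # No usable sysfs answer: fall back to the per-CPU lines in /proc/cpuinfo.
    if "pti" in cpuinfo_field(cpuinfo_text, "flags"):
        return "mitigated"
    if "cpu_meltdown" in cpuinfo_field(cpuinfo_text, "bugs"):
        return "vulnerable"
    # A kernel that predates the fix lists neither entry, so absence proves nothing.
    return "unknown"


if __name__ == "__main__":
    sysfs = SYSFS.read_text() if SYSFS.exists() else None
    cpuinfo = CPUINFO.read_text() if CPUINFO.exists() else ""
    print("KPTI status:", kpti_status(cpuinfo, sysfs))
```

An "unknown" result on an unpatched kernel means the kernel cannot report on the issue, not that the processor is safe.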

AMD processors don't have the KPTI flaw

"AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against," wrote Thomas Lendacky, a member of AMD's Linux OS group, over the Xmas period. "The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault."

It will be interesting to find out the impact of the OS-level patch for Windows / Intel systems on the tasks important to HEXUS readers. Hopefully any practical impacts will be in the lower percentage range.

Linux specialist tech site Phoronix has already done some comparison testing on a Core i7-8700K processor and you can leaf through their set of results here. Some tasks are significantly impacted (one example shown above). However, Linux gaming performance seems to remain unaffected by the patch.

Images from Phoronix.

UPDATE:

Intel has officially responded to today's security flaw reports in an email to HEXUS and via its official Newsroom Blog. In a nutshell it has issued a denial of sorts, saying that any exploits via flaws are not unique to Intel products. It then mentions how it is working closely with the likes of AMD, ARM Holdings and several operating system vendors to solve the issues discussed in the news above. Below is an excerpt of the statement for your convenience, or you can digest the full Intel blog post at the link above.

"Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.

Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

-Snip-

Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers".


HEXUS Forums :: 185 Comments

If I receive a serious performance hit due to their blunder then I will be rightly furious and I can see some compensation claims coming their way. Although with that being said, on the flip side, if only Intel performance gets hampered with these fixes, then AMD have just closed the gap for free and the competition is back on!

Bittersweet.
So which modern Intel CPUs don't suffer from this then if, as suggested in the article, I wanted to go out and buy a new processor to avoid the flaw?

As it seems to cover the i7 8700K which is a recent chip the answer may be none!? That's a bit of a shocker.
I am heavily interested in the performance impact of Hypervisor Clusters. This could cripple or poison Intel in this market.

Kanoe
So which modern Intel CPUs don't suffer from this then if, as suggested in the article, I wanted to go out and buy a new processor to avoid the flaw?

As it seems to cover the i7 8700K which is a recent chip the answer may be none!? That's a bit of a shocker.

They all do, just newer CPUs have less of a perf impact.
Up to 30 percent will kill some CPUs, my mum's Atom-based tablet is slow enough as it is lol…. maybe this is Intel's way to force upgrade old PCs, it's not like we have any other reason to upgrade these days.

They've seen how well it works for Apple by using the software to ‘slow down’ their older models for the benefit of its users of course so they're now having a go at it under the guise of a bug fix.
LSG501
Up to 30 percent will kill some CPUs, my mum's Atom-based tablet is slow enough as it is lol…. maybe this is Intel's way to force upgrade old PCs, it's not like we have any other reason to upgrade these days.

They've seen how well it works for Apple by using the software to ‘slow down’ their older models for the benefit of its users of course so they're now having a go at it under the guise of a bug fix.

Then they've hardly picked a good time with AMD at its highest point for well over a decade and generally offering better value for most mid-high end users (the likes who will have the most to lose from this), Ryzen 2 coming and presumably their APU lineup will be getting fleshed out too.

As advertisements go it would hardly be a great incentive to upgrade your Intel CPU for another Intel CPU.