What is it?
A fundamental design flaw in Intel’s processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.
Programmers have been scrambling to overhaul the open-source Linux kernel’s virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming patch on 9th February 2018. These changes were seeded to beta testers running fast-ring Windows Insider builds in November and December 2018.
Who is affected?
This affects any system running Intel chips released in the last decade. However, on recent Intel processors with PCID (Process-Context Identifiers) enabled, the performance impact could be lessened somewhat.
The alleged bug is so severe that it cannot be corrected with a microcode update. Instead, manufacturers are attempting to fix the bug with software patches, which in some instances require a redesign of the core system kernel. However, early benchmark stats confirm it can slow down systems by between 5-30%. This amount will vary based on the workloads running on the system.
The Proposed Fix for the Kernel
The fix is to separate the kernel’s memory completely from user processes, using what’s called Kernel Page Table Isolation, or KPTI.
Whenever a running program needs to do anything useful, such as write to a file or open a network connection, it has to temporarily hand control of the processor to the kernel to carry out the job. In order to transition quickly and efficiently from user mode to kernel mode and back, the kernel is present in every process’s virtual memory address space, although it is invisible to these programs. When the kernel is needed, the program makes a system call, the processor switches to kernel mode and enters the kernel. When it is done, the CPU is told to switch back to user mode and re-enter the process. While in user mode, the kernel’s code and data remain out of sight, but present in the process’s page tables.
These KPTI patches move the kernel into a completely separate address space, so it’s not just invisible to a running process, it’s not even there at all. Ideally, this shouldn’t be needed, but clearly there is a flaw in Intel’s silicon that allows kernel access protections to be bypassed in some way.
Intel acknowledges that the exploit has “the potential to improperly gather sensitive data from computing devices that are operating as designed.” The company goes on to state that “these exploits do not have the potential to corrupt, modify or delete data.” To help quiet hysteria among the general populace, Intel says that the “average computer user” will be negligibly affected by any software fixes, and that any negative performance outcomes “will be mitigated over time.”
Microsoft Have Their Say
“We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.”
What Frontier Technology Have to Say About It
As a responsible service provider, it is our responsibility to keep our customers up to date with the latest trends in technology and help them adopt relevant changes seamlessly. In relation to this issue, our advice would be to:
- Review your systems. If your average CPU usage is over 70%, you need to monitor the performance impact closely after a patch update.
- Patch the system with a plan. First apply it to a non-production environment and review the performance impact closely.
- Check whether your Intel chips are running with PCID (Process-Context Identifiers); it will help to reduce the impact.
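On a Linux host, the PCID check from the last point and the question of whether the KPTI mitigation is actually active can both be answered from files the kernel already exposes. The script below is an added example, not part of this post or of any vendor tooling. It reads the CPU flags from `/proc/cpuinfo` (the `pcid` and `invpcid` flags) and the Meltdown status that kernels from 4.15 onwards report under `/sys/devices/system/cpu/vulnerabilities/meltdown` (where `Mitigation: PTI` means KPTI is enabled). The function names and the sample inputs are constructed for this example; the file paths are the standard Linux ones.

```shell
#!/bin/sh
# Added example (not from the original post): report PCID support and the
# kernel's Meltdown/KPTI mitigation status on a Linux host.

# has_flag FLAGS_LINE NAME -> succeeds if NAME is present as a whole word.
has_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# classify_pcid FLAGS_LINE -> prints "pcid+invpcid", "pcid" or "none".
# PCID lets the kernel avoid a full TLB flush on each user/kernel switch,
# which is what softens the KPTI performance cost the post mentions.
classify_pcid() {
    if has_flag "$1" pcid; then
        if has_flag "$1" invpcid; then
            echo "pcid+invpcid"
        else
            echo "pcid"
        fi
    else
        echo "none"
    fi
}

# classify_meltdown STATUS_LINE -> prints a one-word summary of the text the
# kernel writes to /sys/devices/system/cpu/vulnerabilities/meltdown.
classify_meltdown() {
    case "$1" in
        Mitigation:*)   echo "mitigated" ;;
        Vulnerable*)    echo "vulnerable" ;;
        "Not affected") echo "not-affected" ;;
        *)              echo "unknown" ;;
    esac
}

# Constructed sample inputs (not captured from a real host) so the
# classification logic can be exercised without access to /proc or /sys.
SAMPLE_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep pge cmov pcid sse4_2 x2apic invpcid"
SAMPLE_STATUS="Mitigation: PTI"

# live_report -> reads the real kernel files when they exist and prints
# the two answers an administrator wants before and after patching.
live_report() {
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2-)
    status=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null)
    echo "PCID support:    $(classify_pcid "$flags")"
    echo "Meltdown status: $(classify_meltdown "${status:-unknown}")"
}

if [ -r /proc/cpuinfo ]; then
    live_report
else
    echo "Not a Linux host; sample classification: $(classify_pcid "$SAMPLE_FLAGS"), $(classify_meltdown "$SAMPLE_STATUS")"
fi
```

A host that prints `pcid+invpcid` and `mitigated` is in the best position: KPTI is on and the CPU can use PCID to limit the TLB cost. A host that prints `none` and `mitigated` is still protected but should be benchmarked under its real workload, in line with the first two points above. An older kernel that has no `meltdown` file reports `unknown`, which is itself a signal that the patch has not been applied.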
If you are a cloud customer, you are in safe hands: we will manage our underlying infrastructure to keep your environment safe.