UPDATE: Intel statement.
It appears that all modern Intel processors contain a hardware-level security flaw. Details are being suppressed while patches are developed, but it appears that a user process can put a reference to a privileged address in speculative execution, and thereby bypass privilege restrictions.
Since simply marking certain areas of the virtual memory space as privileged is insecure, operating systems will have to completely isolate their kernels, i.e., remove them from the virtual memory space of user processes. This will make context switching more expensive. Presumably, every OS call will now require swapping out the virtual memory map and flushing the page tables cache in the processor. Twice: one to go to the kernel, and once to return to the user process. This will be a significant performance hit: depending on the application, up to 30%.
This is apparently an Intel-specific bug; processors by other manufacturers are not affected. However, they may still suffer the performance hit: The changes to the OS are substantial, and it seems unlikely that OS manufacturers will, in the long-term, maintain two completely different kernel-access strategies for different processors.
Previously: Major Hardware Bug Quietly Being Patched in the Open
A bug that affects Intel processors requires Kernel Page Table Isolation in order to be mitigated:
It is understood the bug is present in modern Intel processors produced in the past decade. It allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the layout or contents of protected kernel memory areas.
The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI. At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers.
The fix could dramatically lower performance for some workloads:
The Python Sweetness blog, which first reported on the bug, said the vulnerability was first identified by developers working on the Linux kernel, though it also affects Windows operating systems. It added that a number of major security patches for the Linux kernel have been pushed out over the Christmas and New Year holidays, which are likely to be an attempt to fix the new bug. These kernel updates have provided a workaround that can prevent attackers from exploiting the bug, but the problem is that doing so comes at a heavy cost. In technical terms, the fix involves using Kernel Page-Table Isolation or PTI to restrict processes so they can only access their own memory area. However, PTI also affects low-level features in the hardware, resulting in a performance hit of up to 35 percent for older Intel processors.
[...] "Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November," the Python Sweetness blog reported Monday. "In the worst case the software fix causes huge slowdowns in typical workloads." These slowdowns were highlighted by Brad Spengler, lead developer of grsecurity, which is a set of patches for the Linux kernel which emphasize security enhancements. According to HotHardWare, Spengler said an Intel Core i7-3770S GPU will take a 34 percent performance hit, while the new Intel Core i7-6700 will run 29 percent slower.
The Linux fix can be disabled, which you will likely want to do if you use an AMD processor.
December 19, 2017: Intel's CEO Just Sold a Lot of Stock
Did Krzanich use that money to buy AMD stock?
[See also: How-To Geek, Phoronix, and Security Week. --martyb]
An Anonymous Coward contributed Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR.
Spotted over on HN:
The mysterious case of the Linux Page Table Isolation patches (archive)
tl;dr: there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer.
Turns out 2018 might be more interesting than first thought. So grab some popcorn and keep those systems patched!
(Score: 0) by Anonymous Coward on Wednesday January 03, @05:05PM (16 children)
Cloud providers will get fixed VMs to better isolate customers' resources, and programs will be re-written to consolidate/batch syscalls, so as to avoid context switching.
Consumers who would notice the a performance hit will just get an "Optimize for Performance" setting that will disable the workaround when playing video games, etc.
(Score: 0) by Anonymous Coward on Wednesday January 03, @05:26PM (14 children)
I doubt the average Joe benefits in any way from this patch. Anything worth knowing about a system like that already resides in ring3 and is readily grabbable if the user allows random code to execute (which is a necessity to leverage this). Unless this allows code to be injected into ring0 I don't see how this is as severe as it is made out to be from the scant information that is available right now. There are trivial ways to defeat ASLR type defenses if code is allowed to execute and the offset of the code in the file is known, simple arithmetic, no exploit.
Reply to This
(Score: 4, Insightful) by TheRaven on Wednesday January 03, @05:46PM (13 children)
It's still under embargo (and was meant to be until the 9th, but the Linux people were oh-so-clever and leaked it - I hope Intel won't give them embargoed security reports in the future), so this is speculation:
If this were just a KASLR bypass, it some of the people who are preparing patches wouldn't be involved, so it's almost certainly more than that. It's either kernel memory disclosure or kernel memory modification. In either case, normal users should care because they typically rely on the kernel for sandboxing. If you run Chrome, Edge, or Safari, the part of the program that deals with untrusted data is run in a de-privileged process with fairly narrow communication channels to the parent. Going from being able to inject code that can trigger, for example, a libpng or libavcodec vulnerability in the browser to being able to run code outside of this process usually requires chaining together a load of different vulnerabilities. With this, you have the possibility of writing an exploit that works reliably on any x86 operating system and browser and will let you jump out of the sandbox. That's very bad. Even if it's 'just' arbitrary kernel memory disclosure, there are often ways of turning that into privilege escalation.
sudo mod me up
(Score: 4, Insightful) by takyon on Wednesday January 03, @05:48PM (3 children)
I hope Intel loses market share and billions of dollars because of this.
[SIG] 10/28/2017: Soylent Upgrade v14
(Score: 0) by Anonymous Coward on Wednesday January 03, @06:01PM
Haven't you heard? The new business strategy is:
1. Get enough market share and label yourself "too big to fail"
2. Do whatever you can to get the most money
3. Cry when things go bad, get bailed out
It is a pretty foolproof plan, the hard part is getting the initial market share. After that you pay some idiots to push PR and you continue business as usual. Perhaps we'll get a miracle, I'm sure AMD will get a nice bump, but I'm not gonna hold my breath.
(Score: 0) by Anonymous Coward on Wednesday January 03, @07:56PM (1 child)
Intel will likely throw some money around behind the scenes to ensure that Microsoft, Apple and Red Hat do not make a conditional check in their kernels that lets AMD cpus run unfettered.
Of course it will be termed exactly that way - "too complicated to conditionally implement (for small minority of our customers)", along with some form of "you amd fanbois can choose a cup or a towel for your tears" conceit.
At least from Linux side it looks like a simple flag to bypass the problem for AMD, perhaps with a kernel recompile. But I'm sure Pottering and its minions are working on a way to "fix" things in systemd too.
(Score: 2) by Grishnakh on Wednesday January 03, @08:08PM
Intel will likely throw some money around behind the scenes to ensure that Microsoft, Apple and Red Hat do not make a conditional check in their kernels that lets AMD cpus run unfettered.... At least from Linux side it looks like a simple flag to bypass the problem for AMD, perhaps with a kernel recompile. But I'm sure Pottering and its minions are working on a way to "fix" things in systemd too.
Red Hat is only one of many, many Linux distros. Debian surely wouldn't adopt such a thing, since Debian isn't even a corporation, and all the Debian derivatives are unlikely to follow RH's lead too.
As for systemd, that seems like a silly accusation. systemd is many things, but it's not a kernel, and AFAICT here, this fix is something purely inside the kernel, not something that could somehow be baked into systemd to force all kernels on both Intel and AMD CPUs to work this way.
No, I think this is something that Intel isn't going to be able to hide from with any shenanigans. It's just too easy to use a different Linux distro, or compile your own kernel, esp. if the kernel team isn't complicit and makes it easy to enable or disable this fix depending on the CPU it's running on (they could perhaps even make it automatic--a simple runtime check at kernel boot-up could allow the kernel to see what it's running on and adopt the correct strategy). Then it'll be easy for anyone who can run some benchmarks on Linux to show just how awful performance is on Intel CPUs compared to AMD ones, and publish the results.
What sucks is that the selection of AMD CPUs just isn't very good: I can't easily purchase a business-grade laptop with an AMD processor. Lenovo doesn't use them, Dell doesn't use them (for the Latitudes), and HP doesn't use them (for their ugly business laptops, whatever they're called). You have to resort to some plastic-cased crappy-keyboard consumer laptop to get an AMD, as far as I can tell. Hopefully the business laptop makers will start offering AMDs now.
(Score: 1, Interesting) by Anonymous Coward on Wednesday January 03, @05:50PM
Leave non-Internetty things running as usual.
Hell, you could even run certain trusted website code without the new protections. It just won't matter in the end; all of the headache will belong to the programmers, not the users.
(Score: 4, Informative) by Anonymous Coward on Wednesday January 03, @05:55PM (5 children)
The key detail was leaked on the linux-kernel mailing list, but not by some random Linux developer. It was leaked by an AMD employee who was providing a patch to exclude AMD processors from the bug work-around.
(Score: 0) by Anonymous Coward on Wednesday January 03, @05:56PM
Might be FUD in that case. The bug is certainly real, but if all the speculation is based on that it's pretty suspect.
(Score: -1, Offtopic) by Anonymous Coward on Wednesday January 03, @06:19PM (1 child)
(Score: -1, Offtopic) by Anonymous Coward on Wednesday January 03, @06:27PM
Is this rabid praise or feral bleating?
(Score: 2) by MrGuy on Wednesday January 03, @07:28PM (1 child)
Wait - what??? Citation needed.
If I read your comment correctly, the flaw was identified, and a fix was identified, on the linux-kernel mailing list. That's a public forum. [lkml.org]
You're saying an AMD employee making a patch ON TOP OF the patch to fix the Intel issue to exclude unaffected AMD processors is the point where the issue was "leaked" to the public?
How does THAT work? How could the AMD patch to exclude AMD processors precede a discussion/patch to fix the issue on Intel processors? There was zero discussion on the linux-kernel list of the issue before the AMD patch-to-a-patch was suggested?
(Score: 0) by Anonymous Coward on Wednesday January 03, @08:09PM
https://lkml.org/lkml/2017/12/27/2 [lkml.org]
His second sentence gives away the key info.
Prior to that, the description of the bug was still pretty vague. Now we have some excellent guesses. We can be almost certain that this is a timing-related attack on the kernel address space.
(Score: 2) by takyon on Wednesday January 03, @06:12PM (1 child)
Maybe we should give Intel's CEO a jail cell for selling as much stock as possible during the embargo.
[SIG] 10/28/2017: Soylent Upgrade v14
(Score: 2) by frojack on Wednesday January 03, @07:05PM
Since they sell stock as a matter of pre-programmed trades (outside of their personal control), any change of pattern during the embargo would constitute insider trading.
No, you are mistaken. I've always had this sig.
(Score: 2) by DannyB on Wednesday January 03, @05:46PM
Non Cloud users can get a new sticker from Intel to affix to their computer.
(Score: 0) by Anonymous Coward on Wednesday January 03, @05:07PM (2 children)
My understanding (I've not read the patch set) is that the kernel will still maintain the trampoline stack to preserve KASLR?
(Score: 5, Informative) by takyon on Wednesday January 03, @05:12PM (1 child)
[SIG] 10/28/2017: Soylent Upgrade v14
(Score: 0) by Anonymous Coward on Wednesday January 03, @05:26PM
https://mobile.twitter.com/grsecurity/status/948325691078082560?p=p [twitter.com]
(Score: 5, Funny) by fyngyrz on Wednesday January 03, @05:09PM (5 children)
Apple: We might see some backlash for making people's phones run slower.
Intel: Hold my beer…
The eyes are the windows to the soul.
Sunglasses are the window shades.
(Score: 1, Insightful) by Anonymous Coward on Wednesday January 03, @05:36PM
Intel is actually seeing a backlash for making people's computers run faster.
It turns out that Intel's cleverness isn't secure.
(Score: 2, Informative) by Anonymous Coward on Wednesday January 03, @05:57PM (3 children)
The bug is in some 64-bit ARM processors as well. Apple makes those for the iPhone.
(Score: 2) by bob_super on Wednesday January 03, @06:46PM
Apple also sells a lot of Intel-based machines ...
(Score: 2) by Azuma Hazuki on Wednesday January 03, @08:21PM (1 child)
I don't know who modded you down but you get a +1 Informative from me. How in the hell could what you posted be considered Flamebait anyway?
(Score: 2) by takyon on Wednesday January 03, @08:55PM
Here's some sauce from El Reg:
Ars [arstechnica.com]:
[SIG] 10/28/2017: Soylent Upgrade v14
(Score: 0) by Anonymous Coward on Wednesday January 03, @05:23PM (4 children)
There chips have been suspect since the original pentium, and are suspiciously defective by design, I haven't bought one that wasn't a laptop since my XT which admittedly had the best and easiest to access case I ever had
(Score: 3, Informative) by Anonymous Coward on Wednesday January 03, @05:55PM
It just so happens that the best stuff is still mediocre.
People want x86 processors.
People want drivers that work; Intel's Linux support has been pretty strong, while AMD GPUs not so much.
Alternative architecures suck.
POWER stuff is built for high-end servers.
ARM stuff is built for OEM secrecy. Seriously; that shit is not FOSS friendly.
RISC-V is vaporware.
Other processors are for low-end and embedded stuff.
(Score: 1) by Crash on Wednesday January 03, @08:10PM
Claiming haven't done X, except for Y... Doesn't count.
I actually have never purchased an Intel CPU, and it was a complete PITA trying to find a laptop in 2015.
This AMD version of the Lenovo IdeaPad Y700 [newegg.com] wasn't even listed on Lenovo's own damned website!
(Score: 2) by Grishnakh on Wednesday January 03, @08:11PM (1 child)
since my XT which admittedly had the best and easiest to access case I ever had
Huh? You must have been buying a lot of crappy cases then. There've been tons of cases since the XT days which were better and easier to access. If you have to use a screwdriver to open the case, it's really not that easy to access. If you have to use a screwdriver to remove any of the drives, it's really not easy to access.
Reply to This
Parent
(Score: 0) by Anonymous Coward on Wednesday January 03, @10:01PM
Granted, mine was an XT clone, but...
It was a full-size case that lay flat. You'd put a monitor on top probably. The sides had hinges at the rear and release buttons at the front. Put one hand on each side near the front, press the buttons, and lift. The top half of the case, excluding the front panel (drive bays and speaker) and rear panel (card slot openings and power cord) would lift up. It even had something to keep it from falling down.
I like the screws better, at least if they go into something solid that won't strip. Screws are light weight and won't open by accident.
(Score: 2) by Justin Case on Wednesday January 03, @05:26PM (6 children)
From what we know so far, this sounds like a privilege escalation and/or cross-VM flaw.
Will Joe Sixpack or Grandma care? Especially when they either run as admin already, or whack-a-mole click OK on everything that pops up.
Timmy played Nintendo all night then slept till 2PM. Johnny earned $20 mowing lawns. How much is Timmy entitled to take?
(Score: 2) by takyon on Wednesday January 03, @05:34PM (1 child)
Let's see what happens to Windows computers on Patch Tuesday. If almost all personal computers worldwide slow down, will Grandma Sixpack notice?
[SIG] 10/28/2017: Soylent Upgrade v14
(Score: 1, Interesting) by Anonymous Coward on Wednesday January 03, @05:36PM
The bright side is that the already barely useable crapware that modern software has devolved into should become completely unuseable if the performance hit on windows is as severe as the one in implied for linux. Maybe brogrammers will be forced to optimize their warez again.
(Score: 0) by Anonymous Coward on Wednesday January 03, @05:38PM (2 children)
Yes, they'll care. Javascript on any web page being able to access kernel memory is a Really Bad Thing.
They probably WON'T care about a 33% CPU slowdown.
(Score: 0) by Anonymous Coward on Wednesday January 03, @05:40PM (1 child)
"access" and "guess/deduct things about" are not the same thing.
(Score: 0) by Anonymous Coward on Wednesday January 03, @05:47PM
Meaning you can inject code into privileged pages, but not read out the contents of them, by inferring the timing of the page walks for where an address is in relation to your code.
(Score: 4, Interesting) by TheRaven on Wednesday January 03, @05:48PM
Yes, because even when they run as admin, programs such as web browsers and mail clients (and dchp clients and so on) that expect to deal with untrusted data will drop privileges from child processes that are exposed to an attacker. That normally gives you a lot of protection, but it amounts to nothing when the CPU lets you bypass any kernel security mechanism and go from code running in an unprivileged process to code running in ring 0.
sudo mod me up
(Score: 5, Interesting) by takyon on Wednesday January 03, @05:43PM (1 child)
Search for "Brian Krzanich stock". [google.com]
No results for the Dec. 19th Motley Fool story.
A search for "Motley Fool" [google.com] brings up the news source repeatedly, so the news source is not delisted from Google News.
Tom's Hardware says [tomshardware.com]:
However, the Dec. 19th Motley Fool story says:
[SIG] 10/28/2017: Soylent Upgrade v14
(Score: 2, Interesting) by frojack on Wednesday January 03, @07:56PM
Never trust Motley Fool. Any random joe can post there and you have to read a mountain of replies to see if he even knows what he is talking about.
All Krzanich's trades [yahoo.com] have been programmed trades and automatic sales. He has no involvement in these. He's following best practices to avoid holding too much intc stock such that every daily decision he has to makes would be tainted by charges of feathering his own nest.
A CEO is a hired manager. He's supposed to look out for the company, not his own holdings. You want to look for insider trading you won't find it among the day to day operators. Check out the institutional holders [yahoo.com]. Those guys have huge exposures, any one of which exceeds ALL of the insiders, and those institutions do that sort of stuff all the time.
In fact all Krzanich's large Automatic sales are concurrent with Open market Options Executions (programmed) for very large amounts.
He's pretty much hands off on intc holdings, as required by law. Its all pre-programmed formula driven trades [investopedia.com] and not handled by him.
Yet there is always someone who jumps up and claims insider trading on automated trades dictated by the Rule 10b-5 plan. And most of the time you find them posting on Motley Fool.
There's no there there.
No, you are mistaken. I've always had this sig.
(Score: 4, Interesting) by Anonymous Coward on Wednesday January 03, @06:09PM
The currently proposed fix still leaves a little bit of kernel code mapped. The assembly code for entry and exit is still mapped in. It is this code that updates CR3, which points at the page table tree, to do the memory mapping isolation.
An x86 processor has a built-in capability to do that.
The GDT, IDT, and TSS are all in virtual memory. If a normal fault, such as an IRQ or system call, is unable to be handled then you get a doublefault. (if that can't be handled then you get a triplefault which resets the CPU) Any fault can be make to do a task switch. Hardware task switching loads a new CR3 value, which changes all of virtual memory. That means it changes the GDT, IDT, and TSS.
So you don't need any kernel code mapped at all. You don't need even one byte mapped.
Historically, the task switch mechanism has been avoided due to slowness. Much of that comes from loading CR3... which we're now doing anyway. We might as well let the hardware do that, letting us gain the advantage of having no code mapped.
Reply to This
(Score: 0) by Anonymous Coward on Wednesday January 03, @06:53PM (1 child)
Attorney files massive class action lawsuit for trillion$.
(Score: 2) by takyon on Wednesday January 03, @07:06PM
I hope I can get a 0.05 cent coupon for my Celeron N2840.
[SIG] 10/28/2017: Soylent Upgrade v14
(Score: 2) by looorg on Wednesday January 03, @07:25PM (8 children)
Considering there will be billions of unpatched machines with an Intel CPU at its core I do wonder how screwed they'll be or how high the risk will be to run unpatched machines at home. I doubt a lot of people would want to take a 30% performance hit. Gamers and people that run a lot of computations would want that.
(Score: 0) by Anonymous Coward on Wednesday January 03, @07:33PM
As long as nothing can execute (so no web scripting or running untrusted code) and thus leverage the attack (whatever it turns out to be) it shouldn't matter. Both of these things are already unadviseable to do and can be avoided.
(Score: 0) by Anonymous Coward on Wednesday January 03, @07:35PM (6 children)
The figures are 0.28 - 5%. The worst case figures are for unrealistic syscall, heavy synthetic benchmarks where the ~20% figure is for database servers (additional context switch overhead). The performance hit will not be as severe on more modern processors with PCID.
Reply to This
Parent
(Score: 1, Funny) by Anonymous Coward on Wednesday January 03, @07:38PM
Should have been "syscall-heavy" but readers are welcome to read it in your best Shatner voice for dramatic effect.
(Score: 0) by Anonymous Coward on Wednesday January 03, @08:03PM (3 children)
I've seen the figure given as:
5-35% (the title of the summary here)
"upwards of 30%" (aka 30% is the minimum performance hit, not the maximum) elsewhere
and not 0.28-5% in your comment.
Which of these is real?
(Score: 2) by takyon on Wednesday January 03, @08:11PM
Synthetic benchmarks seem to be impacted, gamers might not be impacted at all.
http://www.legitreviews.com/intel-cpu-bug-bring-massive-performance-hit-applications_201307 [legitreviews.com]
https://www.phoronix.com/scan.php?page=article&item=linux-415-x86pti [phoronix.com]
https://www.phoronix.com/scan.php?page=news_item&px=x86-PTI-Initial-Gaming-Tests [phoronix.com]
Things will be more clear in a week or two.
[SIG] 10/28/2017: Soylent Upgrade v14
(Score: 0) by Anonymous Coward on Wednesday January 03, @09:42PM (1 child)
The 2.8% was from one of the KEISER papers, the 5% figure from a kernel dev, reproduced here: https://en.wikipedia.org/wiki/Kernel_page-table_isolation#Implementation [wikipedia.org]
(Score: 0) by Anonymous Coward on Wednesday January 03, @09:47PM
0.28% damn, I got it right from memory but not copying direct from a source. Too much time following this, I'm off to drink, heavily.
(Score: 0) by Anonymous Coward on Wednesday January 03, @09:10PM
The problem is that PCID support was only added to the Linux kernel in 2017, so no LTS kernel has that support.
(Score: 3, Informative) by takyon on Wednesday January 03, @08:57PM (2 children)
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/ [intel.com]
https://www.barrons.com/articles/intel-refutes-chip-bug-inaccurate-media-reports-1515010736 [barrons.com]
https://www.bloomberg.com/news/articles/2018-01-03/intel-says-research-showed-design-element-created-vulnerability [bloomberg.com]
[SIG] 10/28/2017: Soylent Upgrade v14
(Score: 3, Funny) by Justin Case on Wednesday January 03, @09:32PM
Wow the spin is heavy in that one!
See? It's not just us! Other companies have been... made aware. Oh. Nevermind.
Nothing to see here. We designed this flaw, so everything's OK.
In other news, it is utterly false that Martians landed on the White House lawn this morning. Oh, wait -- that wasn't ever claimed? But, you have to admit, it is still utterly false that Martians landed on the White House lawn this morning.
No, the exploit (maybe) lets the attacker discover secrets. Then the attacker can do other badness using those secrets. What badness? Who knows? Maybe even land on the White House lawn!
This is an "if" statement with two parts separated by an "and". One part may be false, so the compound condition is false. But they want you to assume both parts are false.
Yeah, so committed we allowed this to happen and never discovered, reported, or fixed it for $MANY years. The "we are committed" is standard language whenever someone gets caught with their pants down. It is non-measurable and meaningless.
I am committed to world peace. Now, where did I leave my red button that is bigger than Trump's or North Korea's?
Timmy played Nintendo all night then slept till 2PM. Johnny earned $20 mowing lawns. How much is Timmy entitled to take?
(Score: 0) by Anonymous Coward on Wednesday January 03, @10:15PM
To be fair to Intel, it is informed speculation at this point. First we have the Gruss paper: [gruss.cc]
A good assumption here is that they're talking about the x86 ISA. Then we have Tom Lendacky's patch: [lkml.org]
That says this specific issue is not the ISA and not limited to the ISA prefetch instruction which (presumably) could be patched via microcode but is limited to Intel chips. This leaves automatic prefetch as a result of branch prediction and speculative execution with the (assumed) bug being that information is available in cache despite a page table fault. It is not an unreasonable assumption for people to have made based on the available evidence. The KASLR issue is separate from this specific bug although it comes from the same batch of papers. [gruss.cc]
