Thread: Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and Macs

  1. #1
    Teh One Who Knocks

    Notice Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and Macs

    By Brad Chacos and Michael Simon - PCWorld




    A massive, mysterious security flaw in Intel CPUs is forcing a redesign of the kernel software at the heart of all major operating systems, The Register is reporting. Since the issue lies directly in Intel’s x86-64 hardware, Windows, Linux, and Mac all need to protect against it. Processors from other companies may also be affected. And worse, it appears that plugging the hole will negatively affect your PC’s performance.

    It’s hard to dive too technically into the issue, as major hardware and software vendors are working together quietly to fix the kernel issue before making the vulnerability public. But The Register’s reporting and comments on patch code coming in hot to the Linux kernel—with details redacted to obscure the exact nature of the vulnerability—give us insight into the issue.

    Here’s a high-level look at what we know so far about the Intel CPU kernel bug affecting Linux, Windows, and presumably Macs. Expect it to be updated repeatedly as the problem becomes more clear.

    Intel processor kernel bug FAQ

    Editor’s note: This article was most recently updated to include comments from an Intel statement about the kernel exploit and its performance concerns throughout.

    Give it to me straight—what’s the issue here?

    The bug in play here is extremely technical, but in a nutshell, the chip’s kernel is leaking memory, which could lead to extremely sensitive data being exposed to apps and hackers, or make it easier for attackers to inject malware into your PC.

    Intel says that “these exploits do not have the potential to corrupt, modify or delete data,” though simply being able to read the contents of protected kernel memory could give attackers access to your passwords, login keys, and much more.

    What’s a kernel?

    The kernel inside a chip is basically an invisible process that facilitates the way apps and functions work on your computer. It has complete control over your operating system. Your PC needs to switch between user mode and kernel mode thousands of times a day, making sure instructions and data flow seamlessly and instantaneously. Here’s how The Register puts it: “Think of the kernel as God sitting on a cloud, looking down on Earth. It’s there, and no normal being can see it, yet they can pray to it.”

    How do I know if my PC is at risk?

    Short answer: It is. There isn’t any concrete data yet, but speculation is that the bug affects all Intel x86 CPUs produced over the past 10 years, regardless of the OS you’re running or whether you have a desktop or laptop. There are some reports that say newer Intel CPUs are less impacted than older ones, but the full extent is unclear.

    A Linux kernel patch is also being prepared for 64-bit ARM processors. Details are murky, though a statement from Intel says that “many types of computing devices—with many different vendors’ processors and operating systems—are susceptible to these exploits.”


    Intel’s Core i7-8700K “Coffee Lake” CPU.

    So if it’s a chip problem, then Intel needs to fix it?

    Yes and no. While Intel (and any other affected CPU manufacturers) will surely address the problem in future chips, the fix for PCs in the wild needs to come from the OS manufacturer, as a microcode update won’t be able to properly repair it.

    Linux developers are working furiously to address the flaw in a new kernel update. Microsoft is expected to patch the problem during its Patch Tuesday updates on January 9, after testing it on recently released Windows Insider preview builds. That timeline appears to have been corroborated by Intel’s statement, which says, “Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available.”

    I use a Mac, so I’m OK, right?

    Not this time. The vulnerability here affects all Intel x86 chips, so that means Macs are at risk too. However, Apple quietly protected against the exploit in macOS 10.13.2, which was released on December 6, according to developer Alex Ionescu. Additional safeguards will be found in macOS 10.13.3, he says.

    So, what can I do?

    Not much besides updating your PC when a fix becomes available. Since the issue is such a deeply technical one there isn’t anything users can do to mitigate the potential issue other than wait for a fix to arrive. Definitely make sure you’re running security software in the meantime—advice that Intel also stresses.

    Do you know when a fix will come?

    Linux developers are working furiously to address the flaw in a new kernel update. Expect it soon.

    Microsoft is expected to patch the problem during its Patch Tuesday updates on January 9, after testing it on recently released Windows Insider preview builds. That timeline appears to have been corroborated by Intel’s statement, which says, “Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available.”

    With macOS High Sierra, it seems as though Apple is already working on the issue. As noted above, a developer discovered a patch already exists in macOS 10.13.2.

    So once the fix arrives then I’m good?

    Well, the patch will plug the risk, but you might not like the side effects. While the fix will prevent the chip’s kernel from leaking memory, it brings some unfortunate changes to the way the OS interacts with the processor. And that could lead to slowdowns.

    How much slower will my Intel PC become?

    It’s complicated.

    More recent Intel processors from the Haswell (4th-gen) era onward have a technology called PCID (Process-Context Identifiers) enabled and are said to suffer less of a performance hit. Plus, some applications—most notably virtualization tasks and data center/cloud workloads—are affected more than others. The Register says “we’re looking at a ballpark figure of five to 30 percent slow down, depending on the task and the processor model.” Intel confirmed that the performance loss will be dependent on workload, and “should not be significant” for average home computer users.

    “Obviously it depends on just exactly what you do,” Linux creator Linus Torvalds wrote in the Linux Kernel Mailing List. “Some loads will hardly be affected at all, if they just spend all their time in user space. And if you do a lot of small system calls, you might see double-digit slowdown.

    “It will depend heavily on the hardware too,” he continued. “Older CPUs without PCID will be impacted more by the isolation. And I think some of the back-ports won’t take advantage of PCID even on newer hardware.”



    Michael Larabel, the open-source guru behind the Linux-centric Phoronix website, has run a gauntlet of benchmarks using Linux 4.15-rc6, an early release candidate build of the upcoming Linux 4.15 kernel. It includes the new KPTI protections for the Intel CPU kernel flaw. The Core i7-8700K saw a massive performance decrease in FS-Mark 3.3 and Compile Bench, a pair of synthetic I/O benchmarks. PostgreSQL and Redis suffered a loss, but to a far lesser degree. Finally, H.264 video encoding, timed Linux kernel compilation, and FFmpeg video conversion tasks didn’t lose anything.

    Your mileage will indeed vary, it seems. Keep in mind that Phoronix’s testing was conducted on a non-final release, and that the Linux and Windows kernels are two very different beasts, so don’t treat these as a locked-in look at what to expect from the eventual fixes for the Intel x86 kernel bug. We won’t know the full extent of the slowdown on Windows and macOS machines until a patch lands.

    Will my games get slower?

    Maybe not. Phoronix also tested Dota 2, Counter-Strike: Global Offensive, Deus Ex: Mankind Divided, Dawn of War III, F1 2017, and The Talos Principle on a Linux 4.15-rc6 machine with a Core i7-8700K and Radeon Vega 64. None saw a frame rate change outside the margin of error range.

    None of those run on Microsoft’s DirectX technology though, which integrates deeply with the Windows operating system. It remains to be seen how DX games perform in the wake of the forthcoming patches.

    Are AMD processors affected?



    It doesn’t appear so. In a message to the Linux Kernel Mailing List, AMD’s Tom Lendacky asked for Linux’s “Kernel Page Table Isolation” (KPTI) fix to not apply to Team Red’s processors.

    “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against,” he wrote. “The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.”

    AMD CPUs could potentially wind up suffering a performance hit as collateral damage, though. It depends on how the final patches for the Intel CPU kernel bug vulnerability are implemented. Operating system makers could code in exceptions for AMD processors to keep them at full speed, as Lendacky requested for the Linux kernel. But operating system vendors may also take a salted earth approach and force the fix onto all x86 processors just to be safe.

    Again, we won’t know which approaches are taken until the patches are made public. The performance war between Intel’s chips and AMD’s new Ryzen CPUs may get even tighter, though.

    That sucks! There’s nothing I can do!?

    We feel your pain. But security trumps performance, so we’d rather our PCs be a little slower than exposed to hackers.
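
As an added example (not part of the article or the original post), this C program relates to the PCID passage above: it reads the `flags` line of `/proc/cpuinfo` on x86 Linux and reports whether KPTI is active and whether PCID is available. It assumes the running kernel reports KPTI as the `pti` flag; `SAMPLE` is constructed and `kpti_cost_class` is a name made up for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/cpuinfo format (not from a real machine). */
static const char SAMPLE[] =
    "model name\t: Example CPU\n"
    "flags\t\t: fpu vme sse2 invpcid pti\n";

/* 1 if `flag` is a whole word on a "flags" line. A substring search is
 * wrong here: looking for "pcid" would also match "invpcid". */
int has_cpu_flag(const char *cpuinfo, const char *flag)
{
    size_t flen = strlen(flag);
    for (const char *line = cpuinfo; line && *line; ) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *p = memchr(line, ':', (size_t)(end - line));
        if (p && strncmp(line, "flags", 5) == 0) {
            for (p++; p < end; ) {
                while (p < end && (*p == ' ' || *p == '\t')) p++;
                const char *tok = p;
                while (p < end && *p != ' ' && *p != '\t') p++;
                if ((size_t)(p - tok) == flen && !memcmp(tok, flag, flen))
                    return 1;
            }
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* 0: KPTI not active; 1: KPTI active, PCID present; 2: KPTI active, no PCID */
int kpti_cost_class(const char *cpuinfo)
{
    if (!has_cpu_flag(cpuinfo, "pti"))
        return 0;
    return has_cpu_flag(cpuinfo, "pcid") ? 1 : 2;
}

int main(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/cpuinfo", "r");   /* x86 Linux only */
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("this machine: %d, sample: %d\n",
           kpti_cost_class(n ? buf : SAMPLE), kpti_cost_class(SAMPLE));
    return 0;
}
```

Class 2 is the case Torvalds describes as hit hardest: isolation is on and the CPU has no PCID to soften the page-table switches.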

  2. #2
    DemonGeminiX


    Warning: The posts of this forum member may contain trigger language which may be considered offensive to some.

    Music was better when ugly people were allowed to make it.

  3. The Following User Says Thank You to DemonGeminiX For This Useful Post:

    Teh One Who Knocks (01-05-2018)

  4. #3
    Teh One Who Knocks

    Update Major Linux redesign in the works to deal with Intel security flaw

    By Steven J. Vaughan-Nichols for Linux and Open Source


    Long ago, Intel made a design mistake in its 64-bit chips -- and now, all Intel-based operating systems and their users must pay the price.

    Linux's developers saw this coming early on and patched Linux to deal with it. That's the good news. The bad news is it will cause at least a 5-percent performance drop. Applications may see far more serious performance hits. The popular PostgreSQL database is estimated to see at least a 17-percent slowdown.

    How bad will it really be? I asked Linux's creator Linus Torvalds, who said: "There's no one number. It will depend on your hardware and on your load. I think 5 percent for a load with a noticeable kernel component (e.g. a database) is roughly in the right ballpark. But if you do micro-benchmarks that really try to stress it, you might see double-digit performance degradation."

    Some applications won't see much of a hit. Torvalds said, "A number of loads will spend almost all their time in user space, and not see much of an impact at all." But to really know what's going on, Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, said you'll need to benchmark your particular machine and load to see what you can expect.

    Windows, macOS, and other Intel-based operating systems face similar performance problems. Microsoft has patched the problem as well, but some users are having trouble getting the patch thanks to anti-virus software. Apple has also repaired it in macOS 10.13.2.

    If you use AMD processors, you may be safe. In a Linux Kernel Mailing List (LKML) post, AMD stated that its "processors are not subject to [these] types of attacks."

    ARM CPUs, however, also have this hole, and the fix will give these systems similar performance problems.

    Intel's blunder was to allow user programs to be able to gather hints about how the kernel address space is laid out. As discovered by Austria's university researchers this summer, "Modern operating system kernels employ address space layout randomization (ASLR) to prevent control-flow hijacking attacks and code-injection attacks. While kernel security relies fundamentally on preventing access to address information, recent attacks have shown that the hardware directly leaks this information."

    ASLR is vital to today's operating systems' defense against malware. The Intel vulnerability isn't so much a new hole as it is a way of making all those many existing attack methods against ASLR-defended operating systems much stronger.

    The researchers' solution was KAISER, a system for Linux kernel address isolation. In November, these patches were proposed for the Linux kernel. Realizing just how dangerous these attacks could be, the Linux kernel developers quickly started revising these patches.

    Their solution, which amounts to more than 51 patches to date, separates the Linux kernel page tables from the user space tables. Going forward, Linux will have two sets of memory page tables.

    Besides making memory management more complicated, this also means many program instructions must keep switching between the two address spaces for every system call and for every hardware interrupt. This is what will slow down many, but not all, operating system functions and applications.

    As LWN.net editor and Linux kernel developer Jonathan Corbet explained, "This is a fundamental change to how the kernel's memory management works and is the sort of thing that one would ordinarily expect to see debated for years, especially given its associated performance impact."

    To say Linux developers were unhappy about this would be a massive understatement. When the set of fixes' name was changed from KAISER to Kernel Page Table Isolation (KPTI), some of the suggested names were User Address Space Separation, prefix uass_ and Forcefully Unmap Complete Kernel With Interrupt Trampolines, prefix fuckwit_.

    Angry they may be, but Linux had to be secured. Torvalds already merged in some early KPTI patches. The fixed code is in 4.14.11, which was released on January 3. Torvalds has also already placed the patched code in Linux 4.15. This new Linux release will be out in a few weeks. All these fixes will be backported to long-term support Linux kernels.

    Linux users, especially those who run enterprise software on servers and the cloud, should ready themselves to do performance testing on the new release as soon as possible. Whether you run your application in a server room or any of the clouds -- Amazon Web Services (AWS), Google Engine, Azure, and so on -- you must adjust the number of server or container instances to maintain the speed and performance you demand from your programs and services.
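
As an added example (not part of the article or the original post), this C micro-benchmark measures what the article says the page-table split makes more expensive: the cost of one kernel entry and exit, next to a pure user-space loop as a control. It assumes Linux; the function names and iteration count are choices made for this sketch.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

static double now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1e9 + ts.tv_nsec;
}

/* Average cost in ns of one real kernel entry/exit. syscall(SYS_getpid)
 * bypasses any libc caching, so every iteration crosses into the kernel. */
double syscall_ns(long iters)
{
    double t0 = now_ns();
    for (long i = 0; i < iters; i++)
        syscall(SYS_getpid);
    return (now_ns() - t0) / iters;
}

/* Average cost in ns of one iteration of pure user-space arithmetic,
 * the kind of load that should see almost no change from KPTI. */
double userspace_ns(long iters)
{
    volatile unsigned long long acc = 0;
    double t0 = now_ns();
    for (long i = 0; i < iters; i++)
        acc = acc * 6364136223846793005ULL + 1442695040888963407ULL;
    return (now_ns() - t0) / iters;
}

int main(void)
{
    const long iters = 2000000;   /* arbitrary; large enough to average out noise */
    double s = syscall_ns(iters), u = userspace_ns(iters);
    printf("syscall: %.1f ns/call, user-space loop: %.2f ns/iter\n", s, u);
    return 0;
}
```

Run it on the same machine under the old and the patched kernel: the syscall figure is the one expected to move, and the user-space figure shows how much of any difference is just measurement noise.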

  5. #4
    Hal-9000
    keep a happy thought eh?

  6. #5
    Teh One Who Knocks
    Can't wait for the patch to come out next week and see how much slower the PC will be.

  7. #6
    Hal-9000
    From what I've read above, it's a total hardware build screw up. So Intel should replace every processor for free, at the point of sale on Intel's dime.


    And no PC shall be out of service for more than 24 hours


    Sounds like the software patch will create more problems and that's just not right for us consumers.

  8. The Following User Says Thank You to Hal-9000 For This Useful Post:

    Godfather (01-06-2018)
