IMPORTANT INCS INFORMATIONAL NOTICE – PLEASE READ
To all our INCS clients, friends and family, and acquaintances: Widely used CPU chips have a critical design flaw that presents a possible security risk. Fixing it is a high-priority activity, and the fix may slow performance slightly. The fastest way to fix this will be through patching the operating system.
The faulty design has been present in chips for years and it will force a modification of the Windows, Mac and Linux operating system kernels – the software code that forms the foundation of an operating system. There are two similar flaws that have just been made public, known as Meltdown and Spectre.
Here are the key points:
- Intel processors going back 10-15 years all share a design flaw that could allow a program to read memory it should not be able to access, including data belonging to other programs or to the operating system. So far, there’s no evidence this has been exploited maliciously.
- Fixing the problem will cause some extra overhead with a possible slowdown in the real world of 5-10%. This will depend highly on how a system is used day-to-day.
- INCS is ready to push out these patches as soon as they are proven and available, which we anticipate starting any day (written on 1/6/18). Patching activity could therefore begin immediately as the patches come out. It’s important these flaws get fixed as quickly as possible.
- We are available to answer your questions, 704-362-1682, Monday-Friday 8:00 to 5:00.
See our website at www.incsnow.com for more details.
Thank you for your continued trust in us as we partner with you on secure and effective modern IT.
The INCS Team
Intel makes the CPU chips in the vast majority of desktops, laptops and servers. This design defect is a side effect of making the chips run as fast as possible: the CPU works ahead on instructions before it has finished checking whether the running program is allowed to execute them, and in doing so it leaves traces that can be observed. The risk is most acute when the CPU is asked to switch between a user’s program and the operating system, which happens continuously under normal use. While Intel has the vast majority of market share in these areas, its competitors use some of the same techniques that create the vulnerability.
Since the flaw is built into the silicon itself, the fastest fix is going to require urgent updates to Windows, Mac, iOS, Linux and any other operating system running on affected processors, which today means almost all computers and many other computerized devices.
The flaw was discovered months ago and disclosed quietly to the companies that make the affected products. They are now scrambling to release updates to protect against Meltdown and Spectre after news of the vulnerabilities started slipping out ahead of a planned coordinated announcement.
In short, Linux, Microsoft, Apple, and others will have to make serious changes to their OS kernels to separate what’s called the user-side page tables from the kernel page tables. Users won’t see any changes to their interface – the changes don’t affect what’s displayed – but there may be a discernible performance impact.
Any machine running on an Intel chip made in the past 10-15 years could be affected, and that includes cloud virtualization platforms such as Amazon EC2 (AWS), Microsoft Azure, and Google Compute Engine.
Intel CEO says no chip recall after Meltdown and Spectre, sells most of his stock (from CNET)
CEO Brian Krzanich says the new security vulnerabilities may be deep but they’re also being fixed with software updates. Intel CEO Brian Krzanich said the new problems are much more easily fixed — and indeed are already well on their way to being fixed, at least in the case of Intel-powered PCs and servers. Intel said Thursday (1/4/18) that 90 percent of computers released in the last 5 years will have fixes available by the end of next week, which is 1/12/18.
The vulnerabilities, announced Wednesday by Google and other researchers, open a new avenue of attack on PCs, phones, and servers — computing devices using chips designed by Intel, Arm and, to a lesser degree, AMD. If an attacker manages to place malicious software on your device, it could use Meltdown or Spectre to listen in on other software whose data is supposed to be secure from eavesdropping within the system. That could mean an attacker could get access to passwords, encryption keys and other extremely sensitive data.
The attacks involve a modern chip feature called speculative execution. Patches to fix the problem affect operating systems, web browsers and the operation of the processors themselves. Tech companies are scrambling to release updates to protect against Spectre and Meltdown after news of the vulnerabilities started slipping out ahead of a planned coordinated announcement.
One concern has been that the fixes for Meltdown and Spectre will degrade performance. Krzanich flatly denied it. “For the real-world applications… it’s minimal impact,” he said.
Intel also is fixing the problem in future chips, starting with products that will arrive later this year, Smith said. Intel is effectively taking the software fixes being released now and building them directly into hardware, he said. “We’re putting those mitigations in our designs, we’re not turning off the benefits of speculation.”
The problems occur only when the chip is switching from one level of privilege to another, for example the change from running a computer user’s software like Photoshop to the computer’s operating system, which gets deeper access to the processor. The fixes will address those cases where the programs are moving from one level of protection to another.
The issue is a particular concern for data centers run by companies like Google, Amazon and Microsoft, where many computing processes run side by side in different compartments on the same hardware. Google, Amazon and Microsoft all say they’ve updated their systems to protect against Spectre and Meltdown.
Intel chips from the last 15 years are affected, the company said. That’s an awful lot of computers, though Intel declined to say how many chips it’s shipped since then, and in any event it’s impossible to know how many are still in use.
“You don’t know, if somebody went out and bought a PC five years ago, whether someone owns that PC, whether it’s operational or whether they’ve turned it into a paperweight,” Krzanich said. “The mitigations we’re providing — the ones that will roll out by next week from the [computer makers] and the ones cloud service providers have already put in place — solve both problems.”
Krzanich sold hundreds of thousands of Intel shares in November, based on a plan filed in October, both months after Google told the company of the vulnerabilities in June 2017. But the stock sale was unrelated, Intel said.
“It wasn’t something where I had information that allowed me to trade,” Krzanich said. “Intel has a very rigorous process for how I manage my stock. I have a stock trading plan that is defined over time, so when stocks sell it’s defined up front and I have no control over that. Those [plans] are reviewed by the company.”
And though he sold lots of stock, Krzanich still has 250,000 shares, the minimum required by his employment contract. “To me, 250,000 shares is still quite a bit of stock to be owning,” he said. “I’m a strong believer in Intel’s stock. That’s a large amount of my net worth, and I’m passionate about Intel’s future.”
(INCS comment: It should be noted that his statement above leaves out the fact that this controlled process for company officers to sell their shares starts with a request from the officer, as they are not required to sell if they don’t want to.)
What we know about the flaw: details
Spectre includes a bounds check bypass covered in CVE-2017-5753 and branch target injection covered in CVE-2017-5715. Meltdown is a rogue data cache load, which is covered in CVE-2017-5754. These vulnerabilities allow attackers to read system memory that would not otherwise be accessible to a program. Of the two, Meltdown is faster (about 120 KB per second), while Spectre has been demonstrated only at 1500-2000 bytes per second. Meltdown and the Spectre bounds check bypass are exploitable immediately after boot, though the branch target injection vulnerability requires 10-30 minutes of initialization on a system with 64 GB RAM, which is anticipated to scale “roughly linearly” with host RAM size.
Statements have been released by AMD, ARM, Mozilla, and Red Hat (which issued two separate statements).
In the wake of the Meltdown and Spectre architectural flaws, cloud firms are scrambling to apply patches to these vulnerabilities. Both AMD and Intel processors are affected by the pair, but only Intel processors are vulnerable to all the attack variants. While these architectural flaws are possible to partially mitigate using software patches, the core issue—an oversight in design that requires revised hardware—still remains.
The first patch, Kernel Page Table Isolation (KPTI), has been the subject of much speculation as early reports estimated a performance regression of 30%. As it is, real-world impact has been lower than that figure bandied about thus far. Naturally, all performance is workload-dependent. While synthetic tests can be used as a good indicator of the speed of certain operations, they often exaggerate highs and lows compared to real world workloads.
Demystifying claims of KPTI slowdown
KPTI corrects part of the vulnerability (the Meltdown variant) by separating user-space and kernel-space page tables. This necessarily introduces a performance penalty: every system call or interrupt now switches page tables on the way into and out of the kernel, and without further hardware help that switch flushes the translation lookaside buffer (TLB). Workloads that make heavy use of system calls and interrupts are therefore impacted the most after patching. However, process-context identifiers (PCIDs) reduce that overhead: each TLB entry is tagged with the address space it belongs to, so the CPU only lets a process hit entries for its own context and the kernel no longer has to flush and repopulate the TLB on every switch.
Hardware support for PCIDs was introduced with the Westmere generation of processors, though the Linux kernel only began using the feature in version 4.14. While KPTI has been backported to the 4.4 and 4.9 kernels, PCID support has not been. Comparing results between the three kernels with KPTI enabled and disabled is perhaps the best currently available indicator of the performance regression. A few benchmarks have been run via Open Benchmarking.
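Whether a given Linux machine actually has KPTI active, and whether its CPU offers PCID so the cheaper TLB handling applies, can be read from the kernel’s sysfs vulnerability files and from /proc/cpuinfo. The following C program is an added example written for this page, not code from the original article or from any vendor’s patch. It classifies the status strings the kernel writes to /sys/devices/system/cpu/vulnerabilities/ (the “Not affected”, “Mitigation:” and “Vulnerable” forms), does whole-word matching on the cpuinfo flags line so that “invpcid” is not mistaken for “pcid”, and reports “unknown” rather than guessing where the sysfs entries are absent. The sample lines it classifies before reading the live system are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

enum vuln_status { VS_NOT_AFFECTED, VS_MITIGATED, VS_VULNERABLE, VS_UNKNOWN };

/* Classify one status line as the kernel writes it to
 * /sys/devices/system/cpu/vulnerabilities/<name>. The kernel emits
 * "Not affected", "Mitigation: <what>", or "Vulnerable[: <detail>]". */
enum vuln_status classify_vuln_status(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0) return VS_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return VS_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return VS_VULNERABLE;
    return VS_UNKNOWN;
}

static const char *status_name(enum vuln_status s)
{
    switch (s) {
    case VS_NOT_AFFECTED: return "not affected";
    case VS_MITIGATED:    return "mitigated";
    case VS_VULNERABLE:   return "VULNERABLE";
    default:              return "unknown";
    }
}

/* Return 1 if a single cpuinfo "flags" line contains `want` as a whole word.
 * Whole-word matching matters: "pcid" is a substring of "invpcid", which is
 * a different feature. */
int has_cpu_flag(const char *flags, const char *want)
{
    size_t n = strlen(want);
    const char *p = flags;
    if (n == 0) return 0;
    while ((p = strstr(p, want)) != NULL) {
        int start_ok = (p == flags) || strchr(" \t:", p[-1]) != NULL;
        int end_ok   = strchr(" \t\n", p[n]) != NULL;   /* also true at '\0' */
        if (start_ok && end_ok) return 1;
        p += n;
    }
    return 0;
}

/* Locate the value of the first "flags" line in /proc/cpuinfo text. Returns
 * NULL when there is none (e.g. ARM, which uses "Features" instead). */
const char *cpuinfo_flags_value(const char *cpuinfo)
{
    const char *line = cpuinfo;
    while (line && *line) {
        if (strncmp(line, "flags", 5) == 0) {
            const char *colon = strchr(line, ':');
            return colon ? colon + 1 : NULL;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return NULL;
}

/* First line of a file, or 0 if it cannot be read (old kernel, not Linux). */
static int read_first_line(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    int ok;
    if (!f) return 0;
    ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    if (ok) buf[strcspn(buf, "\n")] = '\0';
    return ok;
}

int main(void)
{
    /* Constructed sample lines, so the classification is visible even on a
     * machine whose kernel has no vulnerabilities directory. */
    static const char *samples[] = { "Mitigation: PTI", "Not affected",
                                     "Vulnerable: Minimal generic ASM retpoline" };
    static const char *names[] = { "meltdown", "spectre_v1", "spectre_v2" };
    static char cpuinfo[65536];
    char line[256], path[128];
    FILE *f;
    size_t i;

    for (i = 0; i < 3; i++)
        printf("sample      %-13s <- \"%s\"\n",
               status_name(classify_vuln_status(samples[i])), samples[i]);

    for (i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", names[i]);
        if (read_first_line(path, line, sizeof line))
            printf("%-11s %-13s (%s)\n", names[i], status_name(classify_vuln_status(line)), line);
        else
            printf("%-11s unknown       (no sysfs entry: kernel predates the interface, or not Linux)\n", names[i]);
    }

    f = fopen("/proc/cpuinfo", "r");
    if (f) {
        size_t n = fread(cpuinfo, 1, sizeof cpuinfo - 1, f);
        const char *flags;
        fclose(f);
        cpuinfo[n] = '\0';
        flags = cpuinfo_flags_value(cpuinfo);
        if (flags) {
            char flagline[8192];
            snprintf(flagline, sizeof flagline, "%.*s", (int)strcspn(flags, "\n"), flags);
            printf("pcid        %s\n", has_cpu_flag(flagline, "pcid")
                   ? "supported: a PCID-aware kernel (4.14+) avoids the full TLB flush on each entry/exit"
                   : "not supported: every kernel entry/exit under KPTI flushes the TLB");
        } else {
            printf("pcid        unknown (no \"flags\" line in /proc/cpuinfo)\n");
        }
    }
    return 0;
}
```

On a patched kernel the meltdown entry reads “Mitigation: PTI”. The sysfs directory only exists on kernels that carry the fix, so “unknown” from this program means the kernel should be treated as unpatched until proven otherwise; a PCID-capable CPU combined with a 4.4 or 4.9 backport still pays the full TLB flush, which is the configuration the benchmarks below measure.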
The most interesting comparison to make here is the performance of PostgreSQL, as developer Andres Freund posted benchmarks on January 2nd indicating regressions of 7-17% with PCID, and 16-23% without it. While the systems tested and the exact configuration of pgbench differ slightly, the Open Benchmarking test bears out the 23% figure in the worst case. However, three different tests comparing the 4.4 kernel with KPTI disabled and no PCID support against the 4.14 kernel with KPTI and PCID show a performance increase of 9.9% under normal load, 6.0% single-threaded, and 17.95% under heavy contention. While the benchmarks absolutely indicate a performance regression for lateral kernel upgrades (enabling KPTI on the same kernel version), upgrading to the newest kernel more than offsets the penalty in this situation.
This effect is not limited to PostgreSQL. Similar comparisons for Redis show a 30% performance increase for GET and 33.5% performance increase for SET benchmarks.
However, not all use cases see a performance increase when moving from an unpatched 4.4 to a patched 4.14 kernel. Rendering in Blender, as well as compiling Apache or the Linux kernel, show only marginal differences, while static page serving in Apache is roughly 20% slower, though enabling KPTI by itself accounts for only a 5% penalty – so the newer kernels seemingly have a performance regression for other reasons. With PostgreSQL, Linux 4.14 overall is the fastest in this database benchmark, and this is one of the I/O-heavy workloads where Kernel Page Table Isolation does cause a measurable performance hit. But the relative performance across the three tested kernels with KPTI on versus off was about the same, with no significantly different result from the older kernels lacking PCID optimizations.
As an overall view, Linus Torvalds, the creator of the Linux kernel, suggested that performance penalties should be around 5%.
New measures against Meltdown and Spectre
To combat the chip flaws, Google has announced its homegrown solution Retpoline, which requires recompiling the operating system and applications that may execute untrusted code. This fix, along with a microcode update from Intel that introduces indirect branch restricted speculation (IBRS) for Skylake and newer series processors, defends against the branch target injection variant of Spectre (CVE-2017-5715); the bounds check bypass variant (CVE-2017-5753) has to be fixed in the source of each affected program. Retpoline has already been deployed on Google Cloud Platform.
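Retpoline and the IBRS microcode address branch target injection; the bounds check bypass variant (CVE-2017-5753, listed in the details above) cannot be patched centrally and has to be fixed in the source of every program that indexes memory with untrusted input. The following C program is an added example for this page, not code from the original article, from Google or from the Linux kernel: it shows the vulnerable pattern beside the hardened one, using the branch-free index-masking technique that the Linux kernel adopted under the name array_index_nospec(). The 16-byte buffer, its public/secret split and the probe indices are constructed for the demonstration, and the program models which index a mispredicting CPU would load from, since the speculative path itself is not observable from C.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed demonstration memory: the first PUBLIC_LEN bytes are a table a
 * program legitimately indexes; the bytes after it stand in for a secret the
 * program must never hand to its caller. */
#define PUBLIC_LEN 8
static const uint8_t buffer[16] = {
    10, 11, 12, 13, 14, 15, 16, 17,             /* public table */
    'S', 'E', 'C', 'R', 'E', 'T', '!', '!'      /* secret, directly after it */
};

/* Branch-free mask: SIZE_MAX (all ones) when index < size, 0 otherwise.
 * It is derived arithmetically from index and size rather than from a
 * conditional branch, so it holds on a speculative path where the CPU has
 * predicted the bounds check the wrong way. Same derivation as the Linux
 * kernel's generic array_index_mask_nospec(); assumes size < SIZE_MAX / 2. */
static inline size_t array_index_mask_nospec(size_t index, size_t size)
{
    /* size - 1 - index wraps to a value with its top bit set exactly when
     * index >= size; OR-ing in index keeps that bit set if index itself is huge. */
    size_t top = (index | (size - 1 - index)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return top - 1;   /* top == 1 (out of bounds) -> 0; top == 0 -> SIZE_MAX */
}

/* Clamp an out-of-bounds index to 0 without a branch. */
static inline size_t array_index_nospec(size_t index, size_t size)
{
    size_t mask = array_index_mask_nospec(index, size);
#if defined(__GNUC__)
    /* Stop the optimizer from proving the mask redundant with the enclosing
     * `if` and deleting it; the CPU's branch predictor does not honor that proof. */
    __asm__("" : "+r"(mask));
#endif
    return index & mask;
}

/* Vulnerable pattern (Spectre variant 1, CVE-2017-5753): the bounds check is
 * a branch. If the predictor guesses "in range", the load runs speculatively
 * with an attacker-chosen index and pulls buffer[index] into the cache, where
 * a timing side channel can recover it even though the architectural result
 * is discarded. */
uint8_t lookup_vulnerable(size_t index)
{
    if (index < PUBLIC_LEN)
        return buffer[index];
    return 0;
}

/* Hardened form: the index is clamped before the load, so a mispredicted
 * path can only ever touch buffer[0..PUBLIC_LEN-1]. */
uint8_t lookup_hardened(size_t index)
{
    if (index < PUBLIC_LEN) {
        index = array_index_nospec(index, PUBLIC_LEN);
        return buffer[index];
    }
    return 0;
}

/* The index the load would use if execution continued past the bounds check
 * regardless of its outcome, i.e. what a mispredicting CPU sees. */
size_t effective_index_on_mispredict(size_t index, int hardened)
{
    return hardened ? array_index_nospec(index, PUBLIC_LEN) : index;
}

int main(void)
{
    /* Probe indices constructed for the demo: two in range, two out of range. */
    size_t probes[] = { 3, 7, 12, SIZE_MAX };
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t idx = probes[i];
        size_t v = effective_index_on_mispredict(idx, 0);
        size_t h = effective_index_on_mispredict(idx, 1);
        printf("index %zu: mask=%s; speculative load vulnerable=buffer[%zu] (%s), hardened=buffer[%zu] (public)\n",
               idx, array_index_mask_nospec(idx, PUBLIC_LEN) ? "all-ones" : "zero",
               v, v < PUBLIC_LEN ? "public" : v < sizeof buffer ? "SECRET" : "outside the demo buffer",
               h);
    }
    return 0;
}
```

Both lookups return identical architectural results, so a functional test cannot tell them apart; the difference is only in what the out-of-range speculative load is able to touch. The alternative used in some compilers and kernels is a speculation barrier (lfence on x86) right after the bounds check, which is simpler but costs more than the mask on hot paths, which is why the kernel reserves the barrier for places where the index cannot be masked.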
Customer machines will need to be updated continually as more techniques are found that exploit the flaws, such as the ones found this week, or any future bugs in the modern computing stack.
Patching software is the fundamental solution to staying secure – software bugs are never going away. Cloud provider hypervisors are getting increasingly customized and stripped down to suit each provider’s needs and reduce the attack surface area.
Vendor Patch Information (see table below):
| Vendor | Date Added |
|---|---|
| Amazon | January 4, 2018 |
| AMD | January 4, 2018 |
| Android | January 4, 2018 |
| ARM | January 4, 2018 |
| Citrix | January 4, 2018 |
|  | January 4, 2018 |
| IBM | January 4, 2018 |
| Intel | January 4, 2018 |
| Lenovo | January 4, 2018 |
| Linux | January 4, 2018 |
| Microsoft / Azure | January 4, 2018 |
| Microsoft Windows | January 4, 2018 |
| Red Hat | January 4, 2018 |
| VMware | January 4, 2018 |