Intel’s processors have been found to contain a serious security flaw that can be used to manipulate and hijack CPU activity. Unfortunately, the flaw is so big that fixing it involves modifying OS kernels, which will slow systems down by up to 30%.
A message posted on PostgreSQL revealed the vulnerability in the Linux kernel, pointing to a widespread CPU issue and a resulting fix that will impact performance.
While Intel is concealing the details of the flaw, it has circulated an update to the fast-ring beta testers in the Windows Insider program, and a subsequent patch for this loophole is expected to hit stable builds on the coming Tuesday, i.e. January 9, 2018.
Likewise, Apple will also have to update macOS to dodge the issue, and like in rival operating systems, the fix will slow Macs down.
The root of the security loophole lies in how the kernel allocates virtual memory spaces. These spaces are used by the CPU to run processes that interact with the hardware, and they are not visible to the user. Since the flaw gives malicious programs and rogue users access to these virtually allocated spaces, the last resort – in fact, the only one – is to isolate the kernel page table, the database of the virtual addresses.
Here’s a relatable analogy:
You’re at a supermarket and your objective is to buy a cake – this is a process initiated by the user. You pick the cake up and head over to the billing counter – or the CPU – where a billing executive (aka kernel) charges you for the cake by inputting the details in the billing system (microkernel) and the process is completed as you walk away with the cake.
The problem occurs when the billing executive uses the store’s billing system and another customer (i.e. a user or program) peeps into the system to steal some money from the register (i.e. use CPU resources) or snoop on your purchase (piggy-back to spy on your activities).
The solution is to create a kiosk where no customer – rogue or friendly – has knowledge of the available cash or inventory in the store. But now the store has to assign a dedicated manager (“Kernel Page Table Isolation”) to complete the billing tasks. While this watchful manager keeps the information secure, this adds an extra step to the billing process, so your cake is delayed a little bit.
Similarly, the addition of an isolation protocol will slow down user processes in order to fend off any malicious user or malware from snooping on the protected data within the kernel memory.
AMD Processors Unaffected by the Flaw:
AMD has claimed in an email to The Register that its processors automatically prioritize tasks without cataloging sensitive information about the processes in a virtual database. This makes them secure against attacks which Intel’s processors are susceptible to.
AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.
Meanwhile, companies using Intel’s hardware for online databases and cloud servers – including Amazon AWS – have informed users of a major incoming patch without detailing the issue, especially regarding the slow-downs.
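For administrators who need to confirm whether a Linux machine actually has the page table isolation described above switched on, the following is an added example and not part of the original article. It assumes the interfaces Linux kernels expose once the fix is merged: the sysfs file `/sys/devices/system/cpu/vulnerabilities/meltdown` (the kernel's own name for the report), the `pti` flag and `cpu_meltdown` bug entry in `/proc/cpuinfo`, and the `nopti`, `pti=off` and `mitigations=off` boot parameters; the function name and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Linux host's kernel page table isolation state.
# Arguments are the *text* of three kernel interfaces, so the check works on
# collected evidence as well as on the live host:
#   $1 /sys/devices/system/cpu/vulnerabilities/meltdown (empty if absent)
#   $2 /proc/cpuinfo
#   $3 /proc/cmdline
kpti_state() {
    sysfs=$1; cpuinfo=$2; cmdline=$3
    case $sysfs in
        "Not affected"*)    verdict=not-affected ;;  # CPU does not need the fix
        "Mitigation: PTI"*) verdict=isolated ;;
        Vulnerable*)        verdict=exposed ;;
        *)  # Kernel without the sysfs report: fall back to /proc/cpuinfo.
            if printf '%s\n' "$cpuinfo" |
                grep -Eq '^flags[[:space:]]*:.*[[:space:]]pti([[:space:]]|$)'; then
                verdict=isolated
            elif printf '%s\n' "$cpuinfo" |
                grep -Eq '^bugs[[:space:]]*:.*cpu_meltdown'; then
                verdict=exposed
            else
                verdict=unknown   # kernel predates the fix or gives no signal
            fi ;;
    esac
    # Boot parameters that turn the isolation off, usually to win back speed.
    if [ "$verdict" = exposed ]; then
        case " $cmdline " in
            *" nopti "*|*" pti=off "*|*" mitigations=off "*)
                verdict=exposed-disabled-at-boot ;;
        esac
    fi
    echo "$verdict"
}

# Constructed samples (not captured from real machines).
INTEL_PATCHED='flags : fpu vme de pse pti
bugs : cpu_meltdown'
INTEL_NOPTI='flags : fpu vme de pse
bugs : cpu_meltdown'
AMD_SAMPLE='flags : fpu vme de pse
bugs : sysret_ss_attrs'

kpti_state '' "$INTEL_PATCHED" 'BOOT_IMAGE=/vmlinuz ro quiet'   # isolated
kpti_state '' "$INTEL_NOPTI" 'BOOT_IMAGE=/vmlinuz ro nopti'     # exposed-disabled-at-boot
kpti_state 'Not affected' "$AMD_SAMPLE" 'BOOT_IMAGE=/vmlinuz ro quiet'  # not-affected
# Live host (prints "unknown" where these files do not exist):
kpti_state "$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null || true)" \
    "$(cat /proc/cpuinfo 2>/dev/null || true)" "$(cat /proc/cmdline 2>/dev/null || true)"
```

A result of `unknown` means the kernel gives no verdict either way, which on an Intel machine is a reason to update the kernel rather than to assume safety.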