'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign

Discussion in 'other security issues & news' started by Minimalist, Jan 2, 2018.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
     
  2. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    Well **** me.

    "....Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features – specifically, PCID – to reduce the performance hit...."
     
  3. DOSawaits

    DOSawaits Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    469
    Location:
    Belgium
    This is huge!
     
  4. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Great way to ensure the market for new computer sales. Create a "flaw" that can only be fixed by us slowing down your PC or by you buying a new one. It's almost funny.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Yes, they are learning from Apple :)
     
  6. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    But AMD does not share this vulnerability ;)
    There are patches for ARMv8 (aka ARM64), so it suggests that at least one microarchitecture implementation of ARMv8 is vulnerable.
     
  7. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    Or maybe Volkswagen!
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  9. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
  10. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Last edited: Jan 3, 2018
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  12. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
  13. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    Is this a hardware problem that's fixed by software updates? If I don't update, how, in layman's terms, does this affect my system's security?

    Or is this a hardware problem that's fixed by flashing the hardware?

    I'd appreciate it if somebody would explain this simply.

    Edit: This seems to be a local hands on exploit & not a remote one. Correct?
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    As I understand it, it's some kind of hardware design flaw that can be fixed by either replacing hardware (in this case the CPU) or mitigating it at the software level (in this case the OS). There's not much info out there yet. I guess we'll know more in the coming weeks.
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
  16. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "...The bug is a hardware bug, so there's no easy fix except to wait for Intel to implement a fix in its next generation of CPUs. The flaw affects multiple generations of Intel CPUs.

    The expected short term solution will come from OSes: operating systems can apply what's called a kernel Page Table Isolation (PTI) that cloaks kernel memory addresses. The caveat is that the fix will force the CPU to constantly flush its caches that hold its TLBs, or translation look-aside buffers, which are essentially caches that allow the CPU to quickly access user memory..."

    http://www.pcgamer.com/serious-inte...-but-probably-wont-affect-gaming-performance/
     
  17. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "Intel says ‘design flaw’ report is inaccurate, ...

    'Recent reports that these exploits are caused by a ‘bug’ or a ‘flaw’ and are unique to Intel products are incorrect,' Intel said in a statement. 'Based on the analysis to date, many types of computing devices—with many different vendors’ processors and operating systems—are susceptible to these exploits.'

    The company continued: 'Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industrywide approach to resolve this issue promptly and constructively.'...”

    Published: Jan 3, 2018 3:21 p.m. ET

    https://www.marketwatch.com/story/i...n-chip-design-flaw-report-2018-01-03?mod=bnbh
     
  18. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Here is Intel's full statement:

    "Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.

    Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors' processors and operating systems — are susceptible to these exploits.

    Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

    Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.

    Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.

    Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers."

    https://www.axios.com/massive-chip-flaw-not-limited-to-intel-2522178225.html?utm_source=sidebar
     
  19. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    Notice Intel throws AMD & ARM under the bus.
     
  20. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    AMD is not affected by this vulnerability, as far as we know. AMD is only a victim of performance regression by some not fine-grained patches needed to mitigate Intel vulnerability.

    So why are they working so hard with so many vendors including AMD, ARM, Microsoft, Amazon, Apple, RedHat and others to mitigate this?
    Maybe they mean direct modification is not possible. Only read-only access ;) In several steps this read-only access can be exploited to obtain credentials, private keys, but it is not direct write, so as Intel suggests it's nothing.

    Some claims that games (or other resource-consuming program John Doe can use) will have a drop to 70% or even 50% of current frame-rate are not valid, so this is a justified statement.

    So do these exploits have the potential to corrupt, modify or delete data? I get it: not directly.
     
    Last edited: Jan 3, 2018
  21. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I'm so glad I had my desktop built with an AMD processor.
     
  22. NICK ADSL UK

    NICK ADSL UK Administrator

    Joined:
    May 13, 2003
    Posts:
    9,502
    Location:
    UK
    Intel-SA-00086 Detection Tool
    Detailed Description
    Purpose
    The INTEL-SA-00086 Detection Tool will assist with detection of the security vulnerability described in INTEL-SA-00086. Read below for more information.
    https://downloadcenter.intel.com/download/27150
     
  23. NICK ADSL UK

    NICK ADSL UK Administrator

    Joined:
    May 13, 2003
    Posts:
    9,502
    Location:
    UK
  24. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    No, it is not that vulnerability.

    Phoronix provided initial benchmarks and GNU/Linux games (Steam) are negligibly affected by KPTI patches:
    https://www.phoronix.com/scan.php?page=news_item&px=x86-PTI-Initial-Gaming-Tests

    Here are some details from Google:
    https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
    Actually Google Project Zero team says that some AMD CPUs can be affected...
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    It looks like there are 2 new vulnerabilities/security flaws.
    1 is "Meltdown", described in this thread. Can only be fixed by new hardware but can be mitigated against through software updates, though there is a performance penalty.
    2 is "Spectre", also affecting ARM and AMD, can only be fixed by new hardware and cannot be mitigated with software updates, though it is harder to exploit than "Meltdown."
    https://twitter.com/nicoleperlroth/status/948684376249962496?p=v
    https://www.nytimes.com/2018/01/03/business/computer-flaws.html
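
An added example, not part of any post in this thread: one way to check, on a patched Linux host, whether the kernel Page Table Isolation described in post 16 is active and whether the CPU offers the PCID feature that the article quoted in post 2 says reduces its cost. It assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities/meltdown`; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a Linux host's Meltdown/KPTI state.
# Assumes the kernel exposes /sys/devices/system/cpu/vulnerabilities/meltdown.
# Every function takes a root prefix so it can run on a constructed tree.

meltdown_status() {                      # $1 = root prefix ("" = live system)
    f="$1/sys/devices/system/cpu/vulnerabilities/meltdown"
    if [ -r "$f" ]; then cat "$f"; else echo "unknown"; fi
}

has_cpu_flag() {                         # $1 = root prefix, $2 = flag name
    # One token per line, then exact match, so "pcid" never matches "invpcid".
    grep '^flags' "$1/proc/cpuinfo" 2>/dev/null | head -n 1 |
        tr ' \t' '\n\n' | grep -qx "$2"
}

kpti_assessment() {                      # $1 = root prefix
    status=$(meltdown_status "$1")
    case "$status" in
        "Not affected"*)    echo "not-affected" ;;
        "Mitigation: PTI"*) # page tables are split; PCID decides the TLB cost
            if has_cpu_flag "$1" pcid; then echo "kpti-with-pcid"
            else echo "kpti-without-pcid"; fi ;;
        Vulnerable*)        echo "vulnerable" ;;
        *)                  echo "unknown" ;;
    esac
}

build_sample() {   # constructed input: $1 = dir, $2 = sysfs text, $3 = CPU flags
    mkdir -p "$1/sys/devices/system/cpu/vulnerabilities" "$1/proc"
    printf '%s\n' "$2" > "$1/sys/devices/system/cpu/vulnerabilities/meltdown"
    printf 'flags\t\t: %s\n' "$3" > "$1/proc/cpuinfo"
}

tmp=$(mktemp -d)
build_sample "$tmp" "Mitigation: PTI" "fpu vme pcid invpcid pti"
echo "constructed sample: $(kpti_assessment "$tmp")"
echo "this host:          $(kpti_assessment "")"
rm -rf "$tmp"
```

A result of `vulnerable` means the kernel knows the CPU is affected and has no page table isolation in effect; `unknown` means the kernel does not provide the sysfs file, so the host needs a different check.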
     