Stuclark

Updated: Patches required after major Intel chip bug found

Details emerged last night of a major security snafu in current and previous generation Intel x86 processors (CPUs), along with those of some other manufacturers. As a result Microsoft, the Linux kernel developers, Google and Apple have had to make kernel patches available immediately, and those patches are expected to cost between 5% and 30% in performance on most devices, depending on the workload.

To quote The Register's original article revealing this issue (available here: www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw)

Quote


A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug...

Similar operating systems, such as Apple's 64-bit macOS, will also need to be updated – the flaw is in the Intel x86-64 hardware, and it appears a microcode update can't address it. It has to be fixed in software at the OS level, or go buy a new processor without the design blunder.


AMD were quick to issue a statement, stirring the waters a touch with wording that is accurate as far as it goes (it only addresses the attack that the new kernel patches defend against, and says nothing about the second bug), while indulging in some Intel bashing along the way:

Quote

AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

... and there you go... it seems you should run out and buy an AMD processor and motherboard right now! But hang on a minute... it's not quite as simple as that - let's look at what the bugs actually are, and what they actually affect.

What's the big deal?
Details of the bugs are still being kept somewhat under wraps, but the major high-level details, including example exploits, have now been published (here: meltdownattack.com). There are in fact two separate but related bugs, which have been named Meltdown and Spectre (Spectre itself comes in two variants: bounds-check bypass, CVE-2017-5753, and branch-target injection, CVE-2017-5715; Meltdown is CVE-2017-5754). While related, they work in slightly different ways and use slightly different techniques to trick the affected CPU into leaking the contents of memory it should never have let the attacker read. Both bugs are significant and both have a high impact on anything and anyone running an affected CPU.

In essence, these bugs affect any CPU which features "speculative execution". Speculative execution is a feature designed into modern CPUs whereby, rather than stall while it waits for a slow memory load or an undecided branch, the processor "guesses" which way execution will go and runs the instructions down that path ahead of time (in combination with out-of-order execution, which lets it run instructions as soon as their inputs are ready rather than strictly in program order). If the guess was right the work is already done and the system is faster; if it was wrong, the results are thrown away. The bugs lie in what the CPU does during that window. The checks that would normally stop a forbidden access are not enforced until the speculative work is confirmed, and although the results of a wrong guess are discarded, their side effects are not: whatever memory the speculative instructions touched is now sitting in the CPU's cache, and an attacker can tell which addresses are cached by timing how long they take to load. That cache-timing side channel is how both Meltdown and Spectre turn a discarded, "never happened" memory access into a readable copy of the data.

Meltdown:
Meltdown is a bug which affects mostly Intel CPUs. It allows a "user mode" application to read "kernel mode" memory: the CPU does check the privilege level of a kernel address, but only after the speculative load has already executed and its value has been used to touch the cache, so a fault is raised but the data has already leaked. (User mode is the restricted view an ordinary application gets; kernel mode is the highly privileged, see-all-do-all view the operating system runs in, and on Linux the kernel's address space also maps all of physical memory.) A malicious application can therefore read the contents of kernel memory and reveal sensitive information such as passwords, encryption keys or the data belonging to other processes. Meltdown is so named because the bug "melts security boundaries which are normally enforced by the hardware".

Spectre:
Spectre is a bug which affects pretty much any CPU with speculative execution, which means pretty much any Intel CPU, pretty much any AMD CPU, most ARM CPUs and probably many others. It involves an application training the CPU's branch predictor so that the victim (another application, the kernel, or a web browser running the attacker's JavaScript) speculatively runs a piece of its own code that reads memory the attacker could not access directly, with the value again leaked through the cache. Unlike Meltdown it does not rely on one hardware check being skipped; it abuses code that is perfectly correct when executed architecturally, which is why there is no single kernel patch for it. Again, this has the potential to allow a malicious application to read the contents of another application's memory and reveal sensitive information such as passwords or other restricted data. Spectre is named after the root cause of the bug, speculative execution, and because, as its discoverers put it, it will haunt us for some time.
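To make the Spectre mechanism concrete, here is an added example (an illustration written for this article, not code from the researchers, the article's sources or any vendor) of the variant 1 "bounds-check bypass" gadget, together with the two ways it is being hardened in practice: a speculation barrier after the check, and the index-masking trick the Linux kernel adopted. The arrays, the secret string and the victim functions are all constructed for the example.

```c
/* Added example, not code from the article or the researchers: the classic
 * Spectre variant 1 (bounds-check bypass) gadget, with two hardened forms.
 * The arrays, the secret string and the victim functions are constructed here. */
#include <stdint.h>
#include <stddef.h>

#define ARRAY1_SIZE 16
#define STRIDE      512   /* each array2 slot sits on its own cache line(s) */

static uint8_t array1[ARRAY1_SIZE] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
static uint8_t array2[256 * STRIDE];
static const char secret[] = "The Magic Words are Squeamish Ossifrage.";

/* Constructed so that array2[v * STRIDE] == v, which lets a test see which
 * slot a victim function touched.  Returns the number of slots filled. */
int init_arrays(void) {
    for (int v = 0; v < 256; v++) array2[v * STRIDE] = (uint8_t)v;
    return 256;
}

/* VULNERABLE.  Architecturally the bounds check is correct.  But if an
 * attacker first trains the branch predictor with in-bounds x, then calls
 * with an out-of-bounds x while array1_size is not in the cache, the CPU
 * speculates into the body: it loads array1[x] (which the attacker has
 * aimed at `secret`), scales it by STRIDE and touches array2.  The result
 * is thrown away when the check finally resolves, but the array2 line it
 * pulled in stays cached; timing a load from each of the 256 slots reveals
 * which one, i.e. one byte of the secret. */
uint8_t victim_vulnerable(size_t x, size_t array1_size) {
    uint8_t y = 0;
    if (x < array1_size)
        y = array2[array1[x] * STRIDE];
    return y;
}

/* The attacker's index: how far `target` lies from array1, so that
 * array1[x] reads the target byte.  (Indexing outside the array is
 * undefined C; that is the attacker's doing, not a bug in the victim.) */
size_t malicious_index(const void *target) {
    return (size_t)((uintptr_t)target - (uintptr_t)array1);
}

/* Hardened (a): a serialising barrier after the check.  On x86, lfence
 * stops later loads issuing until every earlier instruction, including the
 * compare, has completed, so nothing is loaded down the wrong path.  On
 * other ISAs this placeholder only stops compiler reordering. */
#if defined(__x86_64__) || defined(__i386__)
#define SPECULATION_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
#define SPECULATION_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

uint8_t victim_barrier(size_t x, size_t array1_size) {
    uint8_t y = 0;
    if (x < array1_size) {
        SPECULATION_BARRIER();
        y = array2[array1[x] * STRIDE];
    }
    return y;
}

/* Hardened (b): index masking, the branch-free technique the Linux kernel
 * adopted as array_index_nospec().  Returns all ones when index < size and
 * zero otherwise, computed with arithmetic rather than a predicted branch,
 * so a mis-speculated path reads array1[0] instead of out-of-bounds memory.
 * Assumes index and size are below 2^63 and an arithmetic right shift. */
size_t array_index_mask_nospec(size_t index, size_t size) {
    return (size_t)(~(intptr_t)(index | (size - 1 - index)) >> (8 * sizeof(size_t) - 1));
}

uint8_t victim_masked(size_t x, size_t array1_size) {
    uint8_t y = 0;
    if (x < array1_size) {
        x &= array_index_mask_nospec(x, array1_size);   /* clamps to 0 if mis-speculated */
        y = array2[array1[x] * STRIDE];
    }
    return y;
}

int main(void) {
    init_arrays();
    size_t evil = malicious_index(secret);   /* what an attacker would pass as x */
    (void)evil;
    /* In-bounds calls behave identically in all three versions; only the
     * speculative, never-committed behaviour differs. */
    return victim_vulnerable(3, ARRAY1_SIZE) == victim_masked(3, ARRAY1_SIZE) ? 0 : 1;
}
```

Actually recovering the leaked byte needs the timing half of the attack: flush array2 from the cache, call the victim with the malicious index, then time a load from each of the 256 slots and pick the fast one. That part is hardware-specific and is left out here; what the example shows is why the bounds check alone is not enough, and what the fixed code looks like.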

What is affected?
Meltdown affects effectively every Intel CPU made since 1995 (the exceptions being Itanium and pre-2013 Atom parts, which do not execute out of order). This includes some tablets; most laptop computers; most desktop computers; most servers (physical and virtual) and most of the hardware behind Cloud services. In other words, all Apple Mac computers; most Windows computers; most Linux (or *nix) computers; most Windows servers; Google Cloud servers; Amazon AWS Cloud servers; Microsoft Azure Cloud servers; VMware servers; Xen servers; Hyper-V servers etc. It is not strictly Intel-only, either: ARM has confirmed that its Cortex-A75 core is affected, and Apple has said its iOS devices need the Meltdown fix as well as its Macs.

Spectre affects pretty much any device with a modern, speculating CPU in it. That is everything in the Intel list above, plus all Apple iPhones and iPads; most Android phones and tablets (ARM lists its out-of-order Cortex-A cores, from the Cortex-A8 up to the Cortex-A75, as affected, while in-order cores such as the Cortex-A53 found in many budget phones are not); Windows phones; all laptops, desktops, servers etc. running AMD processors; network switches; robot vacuums etc.

Mitigation:
Mitigation against these bugs is not easy. Spectre especially will be with us for some time, as the only way to fully "fix" it is to redesign the processor architectures so the issue cannot occur; in the meantime it is being worked around piecemeal, with microcode updates from Intel and AMD that add controls over branch prediction, compiler changes such as "retpoline" for the kernel, and browser updates that reduce timer precision to make the cache side channel harder to read. Meltdown can be mitigated by changing the kernel (or base level) code used by devices. The fix, known as Kernel Page Table Isolation (KPTI), gives user mode its own set of page tables in which the kernel's memory is simply not mapped, so there is nothing for the speculative load to read; the kernel's memory is not moved anywhere, it is just no longer visible while user code runs. Unfortunately every system call and interrupt now has to switch page tables (and, on CPUs without the PCID feature, flush the translation cache), which is where the performance hit comes from. This is currently being estimated as between 5% and 30%, depending on how system-call-heavy the task being undertaken is.

Microsoft, Apple, Google, Cisco and the Linux kernel developers have all now confirmed patches for their relevant systems, although in some cases actually getting those patches may not be as easy as it should be. Below is a breakdown of what is known about each company's patches at the moment:

Microsoft:
Microsoft have released patches for Windows 7, 8.1 and 10, along with all supported versions of Windows Server. However, the patch is only offered once any installed anti-virus product has confirmed it is compatible: Microsoft checks for a registry key (QualityCompat, under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion) that compatible AV products set when they update, and withholds the update until it is present. This is to guard against older anti-virus products that make unsupported calls into kernel memory; with the kernel's memory layout changed by the patch, those calls cause a blue-screen crash. Most AV software has now also been updated, but if you're not sure, uninstall your third-party AV and let Windows Defender do the work: it is up to date and sets the key, so the patch installs and works.

Apple:
Apple have stated that their latest iOS (iPhone and iPad) and macOS (MacBook, iMac etc.) releases, iOS 11.2 and macOS 10.13.2, already contain mitigations for Meltdown, and that Safari updates to help defend against Spectre are to follow.

Google:
Google say that if you are running the "latest security patches" for Android, then you are already protected from these bugs. However, due to the way Android updates are distributed, your device manufacturer (Motorola, Samsung, LG, OnePlus etc.) may not have released those patches yet. Indeed, even if the manufacturer has released the patches, your phone network provider (O2, Vodafone, EE, Three in the UK) may not yet have approved them.

Cisco:
Cisco have released patches for their networking equipment "just in case". To get these patches you'll need a device that is still in support, plus a valid support contract from Cisco.

Linux:
The latest Linux kernels contain the KPTI patches to mitigate Meltdown, with the Spectre work (retpoline and the related fixes) following behind. It is of course up to the individual Linux distributions to package those kernels, or to backport the patches into the kernels they ship.
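Since the distribution, not the upstream kernel, decides when you actually get the fix, it helps to ask the running kernel what it thinks. Kernels from 4.15 onwards (and the stable kernels that backported the patches) expose one file per issue under /sys/devices/system/cpu/vulnerabilities/, each holding a line such as "Not affected", "Vulnerable" or "Mitigation: PTI". The following is an added example written for this article, not a tool from the kernel project or any vendor: it reads those files and classifies each one by the prefixes the kernel prints.

```c
/* Added example, not code from the article or any vendor: report the Linux
 * kernel's own view of the Meltdown/Spectre mitigations.  Kernels from 4.15
 * (and the stable kernels that backported the patches) expose one file per
 * issue under /sys/devices/system/cpu/vulnerabilities/, each holding a line
 * such as "Not affected", "Vulnerable" or "Mitigation: PTI". */
#include <stdio.h>
#include <string.h>

#define SYSFS_VULN_DIR "/sys/devices/system/cpu/vulnerabilities/"

enum vuln_status {
    STATUS_NOT_AFFECTED,  /* this CPU does not have the bug */
    STATUS_MITIGATED,     /* kernel reports an active mitigation */
    STATUS_VULNERABLE,    /* bug present and nothing (or only a partial fix) in place */
    STATUS_UNKNOWN        /* file missing (kernel predates the interface) or odd text */
};

/* Classify one status line by the prefixes the kernel prints.  The order
 * matters: "Vulnerable: Minimal generic ASM retpoline" must still count as
 * vulnerable, and only a "Mitigation:" line counts as fixed. */
enum vuln_status classify_status(const char *line) {
    if (line == NULL) return STATUS_UNKNOWN;
    if (strncmp(line, "Not affected", 12) == 0) return STATUS_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0) return STATUS_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0) return STATUS_VULNERABLE;
    return STATUS_UNKNOWN;
}

/* Read the status of one issue ("meltdown", "spectre_v1", "spectre_v2").
 * buf receives the raw line (newline stripped) or an explanatory note. */
enum vuln_status read_vuln_status(const char *name, char *buf, size_t buflen) {
    char path[256];
    snprintf(path, sizeof path, SYSFS_VULN_DIR "%s", name);
    FILE *f = fopen(path, "r");
    if (f == NULL) {
        snprintf(buf, buflen, "(no %s entry: kernel too old to report it)", name);
        return STATUS_UNKNOWN;
    }
    if (fgets(buf, (int)buflen, f) == NULL) buf[0] = '\0';
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return classify_status(buf);
}

const char *status_word(enum vuln_status s) {
    switch (s) {
    case STATUS_NOT_AFFECTED: return "not-affected";
    case STATUS_MITIGATED:    return "mitigated";
    case STATUS_VULNERABLE:   return "VULNERABLE";
    default:                  return "unknown";
    }
}

int main(void) {
    static const char *issues[] = { "meltdown", "spectre_v1", "spectre_v2" };
    char line[256];
    int still_vulnerable = 0;
    for (size_t i = 0; i < sizeof issues / sizeof issues[0]; i++) {
        enum vuln_status s = read_vuln_status(issues[i], line, sizeof line);
        printf("%-11s %-13s %s\n", issues[i], status_word(s), line);
        if (s == STATUS_VULNERABLE) still_vulnerable = 1;
    }
    return still_vulnerable;   /* non-zero exit lets a script flag unpatched hosts */
}
```

On an older kernel the files will be missing and everything shows as "unknown"; there the fallbacks are the "pti" flag in /proc/cpuinfo and the "Kernel/User page tables isolation: enabled" line in dmesg. Either way this only reports what the kernel knows about itself; it says nothing about microcode or browser-level Spectre mitigations.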


...we'll keep updating this article as and when more information becomes available...

Edited by Stuclark



User Feedback


Quote

The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI. At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka F.U.C.K.W.I.T, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers.

I so wish the original name for the bug as quoted above from The Register article was used by the media...
