A fundamental design and security flaw has been discovered in Intel chips which would require a redesign of the Linux, macOS and Windows kernel to patch it. The workaround, however, will lead to a performance hit of anywhere between 5 to 30 percent.
On recent Intel chips with PCID, the performance impact would be smaller but still noticeable. The bug is present in all Intel processors released in the last decade and cannot be fixed through a microcode update. The bug allows normal applications like web browsers and database apps to recognize at least some part of the content stored in the protected kernel memory area. In the wrong hands, this exploit can be used by hackers and malware to read your sensitive information which is usually stored in the kernel memory space.
The fix will require separating the kernel’s memory area from the user processes through Kernel Page Table Isolation.
Whenever a running program needs to do anything useful – such as write to a file or open a network connection – it has to temporarily hand control of the processor to the kernel to carry out the job. To make the transition from user mode to kernel mode and back to user mode as fast and efficient as possible, the kernel is present in all processes’ virtual memory address spaces, although it is invisible to these programs. When the kernel is needed, the program makes a system call, the processor switches to kernel mode and enters the kernel. When it is done, the CPU is told to switch back to user mode, and reenter the process. While in user mode, the kernel’s code and data remains out of sight but present in the process’s page tables.
The KPTI patches will move the kernel into a separate address space which means it won’t be present at all in a running process. Switching between two different address space is not efficient as it would require dumping of cache data and reloading information from the memory. This would lead to an increase in kernel overhead and have an impact on the overall performance of the PC.
An AMD engineer has already confirmed that AMD processors are not vulnerable to this security flaw.
Microsoft has been testing patches for this security flaw via its Insider Ring since November-December and is expected to make the patch public in an upcoming Patch Tuesday. Linux developers are also scrambling to fix this low-level bug with updates to the kernel. While there is no word from Apple, the company is also expected to soon make a patch available for macOS. Major cloud platforms will also undergo maintenance and reboots to apply this fix. Microsoft’s Azure is scheduled to undergo maintenance on January 10, while Amazon has already informed customers that AWS will get a major security update this Friday.
You can read all about this major design flaw in Intel CPUs over at the source link below.
[Via The Register]Like this post? Share it!