
Intel CPUs reportedly have a security flaw, and the patch could cause a huge performance hit

By Koh Wanzi - on 3 Jan 2018, 9:13pm


Image Source: Intel

Updated on 4 January 2018: Google's Project Zero has revealed more details of the vulnerability, and says AMD chips are not immune. In response, AMD released another statement saying that it still believes there is "near zero risk" to AMD chips at this time.

Originally published on 3 January 2018: 

Reports have surfaced of a hardware bug in modern Intel CPUs that potentially allows an attacker to access low-level kernel memory, which is normally shielded from access by user programs.

At a minimum, this means that an attacker can learn where the kernel sits in memory, which defeats kernel address space layout randomisation and makes other security bugs easier to exploit. The more worrying scenario is that the vulnerability lets ordinary programs and logged-in users read the contents of the kernel's memory outright.

This memory space may contain sensitive information, such as passwords and files cached from the disk.

All Intel processors produced in the past decade are thought to be affected, and the bug requires OS kernel patches to fix, spanning major platforms like Windows, OS X, and Linux. That's because the flaw is in Intel's x86-64 hardware and, according to the reports, can't be addressed with a microcode update.

A true solution would be new processors without the design flaw, so the OS patches are only a short-term measure. They work by completely separating the kernel's memory from user processes using something called Kernel Page Table Isolation (KPTI).

Image Source: python sweetness

When a running program needs the operating system to do something on its behalf (a system call), or when a hardware interrupt arrives, the processor temporarily hands control to the kernel. This is a transition from user mode to kernel mode and back again. To make that switch as quick as possible, the kernel is mapped into the virtual address space of every process, so no page-table change is needed on the way in or out.

However, the kernel's pages are marked supervisor-only, so although its code and data are technically present in the process's address space, a user-mode access to them faults and the kernel stays invisible to the program.

What the KPTI patches do is give the kernel its own, separate set of page tables, so while user code runs the kernel is not merely invisible, it is (apart from a minimal stub needed to perform the switch) not mapped at all. Unfortunately, the fix comes with a performance penalty, because the processor now has to switch between two different address spaces on every system call and every hardware interrupt.

Furthermore, switching page tables is not free: on x86 it invalidates the translation lookaside buffer (TLB), so the cached virtual-to-physical translations are lost and have to be rebuilt by walking the page tables in slower system memory.

Ultimately, this increases the kernel's overhead and leads to a slower machine. That said, newer Intel chips have a feature called Process-Context Identifiers (PCID), which tags TLB entries with the address space they belong to so they can survive the switch, and this reduces the performance penalty, which is said to be anywhere from five to 30 per cent, depending on the task and your hardware.
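As an added example (not code from the article or from any of the vendors it quotes), the following C program lets a practitioner observe the three things described above on a Linux/x86-64 machine: that a kernel address is unreadable from user mode, whether the running kernel reports PTI as its Meltdown mitigation and whether the CPU advertises PCID, and what a bare user-to-kernel-and-back round trip costs, which is the cost KPTI inflates. It assumes the sysfs file `/sys/devices/system/cpu/vulnerabilities/meltdown` (present in kernels from 4.15 onward, which shipped after this article) and the `flags` line of `/proc/cpuinfo`; the kernel address `0xffffffff81000000` is just a representative address in the kernel half of the x86-64 address space.

```c
/* Added example, not from the original article. Assumes Linux on x86-64. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

static sigjmp_buf fault_env;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);   /* unwind out of the faulting load */
}

/* Returns 1 if a user-mode read of 'addr' raises SIGSEGV/SIGBUS, 0 if it succeeds.
   For a kernel-half address the supervisor-only page-table bit makes the CPU fault
   even though the kernel is mapped into this process (pre-KPTI) or not (KPTI). */
int read_faults(unsigned long addr) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int faulted = 1;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile unsigned char *p = (volatile unsigned char *)addr;
        unsigned char v = *p;   /* the CPU faults here for a kernel address */
        (void)v;
        faulted = 0;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Classifies one status line in the format of
   /sys/devices/system/cpu/vulnerabilities/meltdown:
   1 = "Mitigation: PTI" (KPTI active), 0 = "Vulnerable",
   2 = "Not affected", -1 = anything else. */
int classify_meltdown_status(const char *line) {
    if (strncmp(line, "Mitigation: PTI", 15) == 0) return 1;
    if (strncmp(line, "Not affected", 12) == 0) return 2;
    if (strncmp(line, "Vulnerable", 10) == 0) return 0;
    return -1;
}

/* Reads the live sysfs file; -1 if it does not exist (kernel older than 4.15). */
int meltdown_status(void) {
    char buf[128] = {0};
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/meltdown", "r");
    if (!f) return -1;
    if (!fgets(buf, sizeof buf, f)) { fclose(f); return -1; }
    fclose(f);
    return classify_meltdown_status(buf);
}

/* Returns 1 if 'flag' appears as a whole word in a /proc/cpuinfo "flags" line
   (so "pcid" does not match a flag that merely starts with "pcid"). */
int flags_line_has(const char *flags_line, const char *flag) {
    const char *colon = strchr(flags_line, ':');
    const char *p = colon ? colon + 1 : flags_line;
    size_t n = strlen(flag);
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == '\n') p++;
        if (!*p) break;
        const char *end = p;
        while (*end && *end != ' ' && *end != '\t' && *end != '\n') end++;
        if ((size_t)(end - p) == n && memcmp(p, flag, n) == 0) return 1;
        p = end;
    }
    return 0;
}

/* 1 if the CPU advertises PCID (TLB entries tagged per address space),
   0 if not, -1 if /proc/cpuinfo cannot be read. */
int cpu_has_pcid(void) {
    char line[8192];
    FILE *f = fopen("/proc/cpuinfo", "r");
    if (!f) return -1;
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "flags", 5) == 0) { found = flags_line_has(line, "pcid"); break; }
    }
    fclose(f);
    return found;
}

/* Average nanoseconds for one user->kernel->user round trip, using a syscall
   that does almost no work. syscall(SYS_getpid) is issued directly so neither
   the vDSO nor a libc cache can short-circuit it. */
double ns_per_syscall(long iterations) {
    struct timespec t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (long i = 0; i < iterations; i++)
        syscall(SYS_getpid);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    double ns = (double)(t1.tv_sec - t0.tv_sec) * 1e9 + (double)(t1.tv_nsec - t0.tv_nsec);
    return ns / (double)iterations;
}

int main(void) {
    int st = meltdown_status();
    printf("user-mode read of 0xffffffff81000000: %s\n",
           read_faults(0xffffffff81000000UL) ? "faults (as expected)" : "succeeded (!)");
    printf("meltdown sysfs status: %s\n",
           st == 1 ? "Mitigation: PTI" : st == 0 ? "Vulnerable" :
           st == 2 ? "Not affected" : "unknown / kernel too old");
    printf("cpu advertises pcid: %d\n", cpu_has_pcid());
    printf("approx %.0f ns per getpid syscall\n", ns_per_syscall(200000));
    return 0;
}
```

Build with `cc -O2 kpti_check.c -o kpti_check`. Running it once with KPTI enabled and once after booting with the kernel's `pti=off` (or `nopti`) parameter shows the per-syscall penalty directly; the gap is largest on CPUs where `cpu_has_pcid()` returns 0, since the kernel then has to flush the whole TLB on every switch.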

But don’t panic yet, because it seems like it’s the big-name cloud services that run large-scale applications, and not single users, that are the most affected. Early numbers on Linux platforms also show that I/O-intensive workloads are particularly sensitive to the KPTI changes.

Image Source: Phoronix

Gaming performance doesn't seem to be affected at the moment, although we may not know how Microsoft intends to address this on Windows until its regular Tuesday patch.

In the meantime, AMD has put out a statement asserting that its chips are not affected.

Source: Hot Hardware