A design flaw in existing Intel x86 CPUs seems to have serious implications for all operating systems running on these CPUs. The Linux kernel has already been patched. But what about Windows and other operating systems running on these CPUs?
First details …
There is still some speculation – but two days ago I read the report The mysterious case of the Linux Page Table Isolation patches containing the following details:
there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer.
While Linux kernels seem to be patched, other operating systems are still vulnerable. In order to mitigate the security problem, it is necessary to patch the operating system software. A patch has recently landed in the Linux kernel, and a similar fix was introduced in the Windows NT kernel in November 2017. The latter information comes from this tweet.
Windows 17035 Kernel ASLR/VA Isolation In Practice (like Linux KAISER). First screenshot shows how NtCreateFile is not mapped in the kernel region of the user CR3. Second screenshot shows how a ‘shadow’ kernel trap handler, is (has to be). pic.twitter.com/7PriLIJHe1
— Alex Ionescu (@aionescu) 14 November 2017
As far as I know, the NT kernel patch is now in test within Windows 10 Insider Preview. However, these software fixes lead to massive slowdowns of typical workloads. There is evidence that the attack has an impact on popular virtualization environments such as Amazon EC2 and Google Compute Engine, and additional evidence that the exact attack includes a new variant of Rowhammer.
Linux developers have fixed the kernel
Around the Christmas holidays of 2017, Linux kernel developers were unusually busy. In the last few weeks, parts of the virtual memory subsystem have been heavily patched. Specifically, Kernel Page-Table Isolation (KPTI) ensures that the kernel's memory area is no longer mapped into the address space of user processes.
The changes are not limited to Linux kernel 4.15, which is currently being released. The patches have also been applied to the older Linux kernel versions 4.9 and 4.14. This time it happened without much discussion and controversy, so there must be a good reason for the rework.
Rowhammer attack possible in Intel CPUs
Rowhammer is a hardware-based vulnerability that was first detected on Android devices. Memory cells in RAM can be manipulated using a technique called Flip Feng Shui (FFS).
On Intel CPUs, memory areas can be speculatively loaded due to a flawed implementation of virtual memory management: the memory is accessed without first checking whether the process has the required privileges. This puts systems at risk, because it allows any unprivileged process to read at least sensitive data from the kernel's memory.
Besides Linux, there are other operating systems available for Intel CPUs based on the x86 architecture. As I explained above, Microsoft already started shipping kernel updates in November 2017 to mitigate this security issue in Windows clients. But there are even more vulnerable operating systems. What about the cloud? It also runs on computers that use Intel CPUs.
Cloud providers such as Amazon (AWS) and Google are likely to be just as affected as Microsoft with its Azure. Apple will presumably also have to make changes to macOS. The Register reports here that effectively all operating systems have to be reworked. The article contains some details about the attack scenarios.
Furthermore, there is speculation that the kernel's Address Space Layout Randomization (KASLR), a security technique used as "defense in depth", could be bypassed.
Patch for Azure VMs on January 10, 2018
Microsoft plans to patch its Azure virtual machines on the January 10, 2018 patchday, according to a Microsoft Azure forum post:
Your Azure Virtual Machines (VMs) require an important security and maintenance update. The vast majority of Azure updates are performed without impact but, for this specific update, a reboot of your VMs is necessary.
Workaround slows down systems
At the end of the year, there was a rather strange tweet from grsecurity, in which performance losses on an AMD system were reported as a result of (K)PTI.
— grsecurity (@grsecurity) 31 December 2017
However, this is strange, because AMD CPUs are supposed not to be affected by the issue PTI mitigates. There is a very interesting discussion thread on this topic at reddit.com. Some users are reporting performance losses of 30% (with a range from 5% up to 50%). First benchmarks have been published here (and within this tweet). A user of a PostgreSQL database has published a benchmark showing how PTI affects the performance of the database.
AMD CPUs not affected
The AMD CPU family is not affected, according to this statement by AMD.
AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against. The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault.
Disable page table isolation by default on AMD processors by not setting
the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
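As an added example (not from the original post or from the kernel patch quoted above), the following shell script reports how the two flags named in the AMD patch description show up on a running Linux system. It assumes the kernel exports X86_FEATURE_PTI as "pti" in the flags line of /proc/cpuinfo and X86_BUG_CPU_INSECURE as "cpu_insecure" (later renamed "cpu_meltdown") in the bugs line, and that the sysfs verdict file and the nopti/pti= boot parameters exist on kernels that carry the patch.

```shell
#!/bin/sh
# Added example (not from the original post): report whether Kernel Page-Table
# Isolation is active on a Linux host, based on the flags the patched kernel
# exports in /proc/cpuinfo ("pti" for X86_FEATURE_PTI, "cpu_insecure" or
# "cpu_meltdown" for X86_BUG_CPU_INSECURE).

# pti_status CPUINFO_TEXT -> one word on stdout:
#   mitigated     bug flag present and PTI enabled
#   unmitigated   bug flag present, PTI not enabled (nopti / pti=off)
#   pti-forced    no bug flag, PTI enabled anyway (pti=on)
#   no-bug-flag   neither flag: AMD per the statement above, OR a kernel that
#                 predates the patch and simply does not know about the bug
pti_status() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1)
    bugs=$(printf '%s\n' "$1" | sed -n 's/^bugs[[:space:]]*:[[:space:]]*//p' | head -n 1)
    has_pti=0; has_bug=0
    case " $flags " in *" pti "*) has_pti=1 ;; esac
    case " $bugs " in *" cpu_insecure "*|*" cpu_meltdown "*) has_bug=1 ;; esac
    if [ "$has_bug" -eq 1 ] && [ "$has_pti" -eq 1 ]; then echo mitigated
    elif [ "$has_bug" -eq 1 ]; then echo unmitigated
    elif [ "$has_pti" -eq 1 ]; then echo pti-forced
    else echo no-bug-flag
    fi
}

# check_host: same check against the live system, plus the kernel's own verdict
# (sysfs file added in 4.15 and backported to stable) and the boot command line.
check_host() {
    v=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$v" ]; then printf 'kernel verdict : %s\n' "$(cat "$v")"; fi
    case " $(cat /proc/cmdline 2>/dev/null) " in
        *" nopti "*|*" pti=off "*) echo 'boot cmdline   : PTI disabled by parameter' ;;
    esac
    printf 'cpuinfo status : %s\n' "$(pti_status "$(cat /proc/cpuinfo)")"
}

# Constructed cpuinfo fragments (abridged; real files carry many more flags).
SAMPLE_INTEL_PATCHED='vendor_id : GenuineIntel
flags : fpu vme sse2 pti
bugs : cpu_insecure'
SAMPLE_INTEL_NOPTI='vendor_id : GenuineIntel
flags : fpu vme sse2
bugs : cpu_meltdown'
SAMPLE_AMD='vendor_id : AuthenticAMD
flags : fpu vme sse2
bugs :'

if [ -r /proc/cpuinfo ]; then check_host; fi
```

A host that reports "no-bug-flag" is only safe if its kernel is new enough to know about the bug; on a pre-patch kernel the same output means the check is meaningless.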
Intel hasn’t released a statement yet (afaik). Update: Intel has released a (lame) statement about this major design flaw here.