Huge Intel CPU Bug Allegedly Causes Kernel Memory Vulnerability With Up To 30% Performance Hit In Windows And Linux
If the reports are accurate, it appears that Intel might have a pretty severe chip-level security bug on its hands that cannot be simply swatted away with a microcode update. The bug affects all modern Intel processors dating back at least a decade.
We should note that squashing the bug requires a patch at the OS level, and Linux patches have already been distributed.
Microsoft is expected to address the bug in its monthly Patch Tuesday update. The circumstances surrounding the exploit are currently under embargo, but some details are starting to make their way to the public spotlight.
There's one big problem, however. Fixing this vulnerability in software also comes with a big hit on performance. Additional overhead is introduced to maintain a barrier between memory address spaces, which can result in a performance handicap of 30 percent or more. However, recent Intel processors with PCID (Process-Context Identifiers) enabled could have the performance impact lessened somewhat.
The hardware bug is apparently severe enough to make it ripe for exploitation, with some of the biggest targets being companies that use virtualized environments.
"Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November," wrote the Python Sweetness blog on Monday. "In the worst case the software fix causes huge slowdowns in typical workloads.
"There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine."
In addition, apparently both Microsoft Azure and Amazon Web Services have scheduled maintenance that will take place over the next week, although there is no detailed explanation for the downtime. However, rampant speculation suggests that the maintenance could be to put the software fixes in place for this specific Intel CPU hardware bug. Literally, in some cases, it appears operating systems will need to be overhauled to deal with the issue.
You may have noticed that we haven't mentioned AMD once in this article up to this point. Well, AMD processors aren't affected by the bug due to security protections that the company has in place. This also means that AMD processors shouldn't be affected by any performance hits.
Further, AMD's latest EPYC data center server chips and Ryzen Pro enterprise desktop CPUs have Secure Memory Encryption technology on board, for additional protection against just these sorts of threat vectors.
Regardless, given that the patches are currently under embargo and that Intel is understandably staying tight-lipped, it may still be a few days before we are made privy to all pertinent details surrounding the bug and how damaging it will be to existing computing platforms. However, all of this is looking very real at this point. The Linux update detailing its patch has been posted here by Linus Torvalds himself.
Update, 10:02 PM - 1/2/18 - Initial performance results on Linux platforms are beginning to surface now on the web. Early numbers are showing IO-intensive workloads are especially sensitive to the Kernel Page Table Isolation patch.
Linux performance enthusiast site Phoronix has posted some early benchmark numbers, post-patch. Some results are coming in with a 17 - 18 percent degradation overall.
Update, 10:56 PM - 1/2/18 - As it turns out, the Linux patch that is being rolled out apparently applies to ALL x86 processors, including AMD, and the Linux mainline kernel will treat AMD processors as insecure as well. As a result, AMD CPUs will also feel a performance hit, though the bug only technically affects Intel CPUs and AMD specifically recommends not enabling the patch on Linux. How Microsoft will address the issue in the Windows operating system remains unclear until the company's formal Patch Tuesday update is made known, hopefully soon.
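For administrators who want to know where a given Linux host stands on the two points above (whether Kernel Page Table Isolation is active, and whether the CPU offers PCID to soften its cost), the following is an added example and not code from the article or the kernel project. It assumes the standard `/proc/cpuinfo` flag names `pcid` and `pti` and the kernel's `/sys/devices/system/cpu/vulnerabilities/meltdown` status file, none of which the article names; the function names and sample inputs are constructed for illustration.

```shell
# Added example: classify a Linux host's KPTI / PCID state from two text files.
# On a live host: kpti_state /proc/cpuinfo \
#     /sys/devices/system/cpu/vulnerabilities/meltdown

# cpu_has_flag FILE FLAG -> exit 0 if FLAG is a whole word on a "flags" line
cpu_has_flag() {
    awk -v want="$2" -F: '
        $1 ~ /^flags[ \t]*$/ {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == want) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# kpti_state CPUINFO STATUS_FILE -> prints one classification word
kpti_state() {
    cpuinfo=$1; status_file=$2
    if [ -r "$status_file" ]; then
        status=$(cat "$status_file")
    elif cpu_has_flag "$cpuinfo" pti; then
        status="Mitigation: PTI"   # no status file: rely on the cpuinfo flag
    else
        echo unknown; return 0
    fi
    case $status in
        "Not affected"*) echo not-affected ;;
        "Mitigation: PTI"*)
            # PCID lets the kernel avoid a full TLB flush on each switch
            # between user and kernel page tables, reducing the overhead.
            if cpu_has_flag "$cpuinfo" pcid; then echo mitigated-pcid
            else echo mitigated-no-pcid; fi ;;
        Vulnerable*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Constructed sample inputs (not captured from real machines).
SAMPLES=$(mktemp -d)
printf 'processor\t: 0\nflags\t\t: fpu vme pcid invpcid pti\n' > "$SAMPLES/new_intel"
printf 'processor\t: 0\nflags\t\t: fpu vme sse2 pti\n' > "$SAMPLES/old_intel"
printf 'processor\t: 0\nflags\t\t: fpu vme sse2\n' > "$SAMPLES/amd"
printf 'Mitigation: PTI\n' > "$SAMPLES/pti"
printf 'Not affected\n' > "$SAMPLES/na"
printf 'Vulnerable\n' > "$SAMPLES/vuln"

for cpu in new_intel old_intel; do
    echo "$cpu + PTI: $(kpti_state "$SAMPLES/$cpu" "$SAMPLES/pti")"
done
echo "amd: $(kpti_state "$SAMPLES/amd" "$SAMPLES/na")"
```

A result of `mitigated-no-pcid` marks the hosts most likely to see the larger slowdowns on IO-intensive workloads, so those are the ones to benchmark first after patching.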