Fix for Intel Chip Flaw Comes with a Cost: Much Slower Performance
Programmers at Intel, Microsoft, and other organizations are working to patch a serious security flaw in Intel processors that could leave protected data on PCs and servers vulnerable to hacks and malicious software.
The flaw, which appears to affect all Intel chips made over the past 10 years or so, opens up the potential for bad actors to exploit the kernels at the heart of Linux- and Windows-based operating systems. Details about how such exploits might work have been kept largely under wraps until patches can be developed and applied. And Intel has yet to comment publicly on the processor vulnerability.
Some Linux patches have already been released, and Microsoft could make a fix available during next week's Patch Tuesday. However, those solutions could significantly slow device speeds -- anywhere between 5 percent and 30 percent, according to recent reports. That could affect not only business and consumer PCs but servers run by cloud services giants, such as Amazon, Google, and Microsoft.
Flaw Details under Embargo
While news about the Intel chip flaw and its possible fixes has been circulating in the developer and programmer world for a few months, the problem has just recently come to light for mainstream computer users. The Register noted yesterday that details about the bug are currently embargoed pending the release of effective patches.
The problem with such kernel page-table isolation (KPTI) fixes is that they require systems to switch from the address space used for process virtual memory to a separate address space for kernel memory every time a program needs to enter kernel mode.
"The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 percent slow down, depending on the task and the processor model," The Register reported. "More recent Intel chips have features -- such as PCID [process-context identifiers] -- to reduce the performance hit."
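To see which side of that performance range a given Linux host falls on, the following added example (not from the article or from The Register) classifies a machine from two pieces of kernel-exported text: the Meltdown status string and the CPU flags line. It assumes the `/sys/devices/system/cpu/vulnerabilities/meltdown` file and the `pcid` flag in `/proc/cpuinfo` that Linux kernels carrying the fix expose; the function names and verdict words are hypothetical, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: report whether KPTI is active and whether the CPU has PCID,
# the feature the article says reduces the cost of the address-space switch.

# has_flag FLAG CPUINFO_FILE -> exit 0 if FLAG is an exact entry on the flags line.
# Exact matching matters: "invpcid" must not be mistaken for "pcid".
has_flag() {
    grep -m1 '^flags' "$2" | cut -d: -f2 | tr ' ' '\n' | grep -Fqx "$1"
}

# kpti_cost MELTDOWN_FILE CPUINFO_FILE -> prints one verdict word (hypothetical labels)
kpti_cost() {
    status=$(cat "$1" 2>/dev/null) || status="unknown"
    case "$status" in
        "Not affected")                 # CPU does not need the page-table split
            echo "not-needed" ;;
        "Mitigation: PTI"*)             # KPTI on: every kernel entry switches tables
            if has_flag pcid "$2"; then
                echo "kpti-with-pcid"   # switch can avoid a full TLB flush
            else
                echo "kpti-without-pcid"
            fi ;;
        Vulnerable*)                    # affected CPU, KPTI off or kernel unpatched
            echo "unmitigated" ;;
        *)                              # file missing (old kernel) or unrecognised text
            echo "unknown" ;;
    esac
}

# Constructed sample inputs (not captured from real machines).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'Mitigation: PTI\n' > "$tmp/meltdown"
printf 'flags\t\t: fpu vme pge sse2 pcid invpcid pti\n' > "$tmp/cpu_new"
printf 'flags\t\t: fpu vme pge sse2 pti\n' > "$tmp/cpu_old"

echo "newer CPU: $(kpti_cost "$tmp/meltdown" "$tmp/cpu_new")"
echo "older CPU: $(kpti_cost "$tmp/meltdown" "$tmp/cpu_old")"
```

On a live Linux host, call `kpti_cost /sys/devices/system/cpu/vulnerabilities/meltdown /proc/cpuinfo`; an `unknown` result usually means the kernel predates the status file and needs updating before the check is meaningful.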
The Register also noted that some Linux developers working on a patch were frustrated to the point they considered naming the fix, "Forcefully Unmap Complete Kernel With Interrupt Trampolines," or F*CKWIT.
No Issue with AMD Chips
Microsoft has scheduled a Jan. 10 security and maintenance update for customers running cloud-based Azure virtual machines, and Amazon has notified its EC2 cloud customers that it's planning similar updates sometime between Friday and Saturday. Both appear to be aimed at addressing the Intel processor vulnerability.
On Monday, a developer who blogs under the name Python Sweetness posted an overview of Linux Page Table Isolation patch activity that noted the flaw could also impact users of Google's Compute Engine. He cited recent discussions on the Linux and Unix news site LWN.net.
"On the kernel mailing list we can see, in addition to the names of subsystem maintainers, e-mail addresses belonging to employees of Intel, Amazon and Google," Python Sweetness said. "The presence of the two largest cloud providers is particularly interesting, as this provides us with a strong clue that the work may be motivated in large part by virtualization security."
On another Linux site, the Linux Kernel Mailing List, AMD software engineer Thomas Lendacky observed in late December that AMD processors do not appear to have the same vulnerability as Intel chips. Coupled with the latest revelations about the Intel flaw, that news appears to have helped drive up the value of AMD shares today, while Intel's stock price has dropped significantly.
Posted: 2018-01-05 @ 6:41am PT
More feedback from Intel, Thursday afternoon (Jan. 4):
As Intel and others across the industry partner to protect customers from the exploits (referred to as "Spectre" and "Meltdown") reported Wednesday, extensive testing has been conducted to assess any impact to system performance from the recently released security updates. Apple, Amazon, Google and Microsoft are among those reporting that they are seeing little to no performance impact.
Specific findings include:
Apple: "Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6."
Microsoft: "The majority of Azure customers should not see a noticeable performance impact with this update. We've worked to optimize the CPU and disk I/O path and are not seeing noticeable performance impact after the fix has been applied."
Amazon: "We have not observed meaningful performance impact for the overwhelming majority of EC2 workloads."
Google: "On most of our workloads, including our cloud infrastructure, we see negligible impact on performance."
Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time.
Posted: 2018-01-04 @ 2:24pm PT
Another update shared by Intel this afternoon:
Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems -- including personal computers and servers -- that render those systems immune from both exploits (referred to as "Spectre" and "Meltdown") reported by Google Project Zero. Intel and its partners have made significant progress in deploying updates as both software patches and firmware updates.
Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.
Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time. While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact.
System updates are made available by system manufacturers, operating system providers and others.
Intel will continue to work with its partners and others to address these issues, and Intel appreciates their support and assistance. Intel encourages computer users worldwide to utilize the automatic update functions of their operating systems and other computer software to ensure their systems are up-to-date.
For information and links to useful resources, visit the security research findings page on Intel.com.
Posted: 2018-01-03 @ 1:06pm PT
Intel just issued this public response:
Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices -- with many different vendors' processors and operating systems -- are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.
Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.