Intel Kernel Memory Vulnerability

Forums › Desktop computing › Intel Kernel Memory Vulnerability

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9

363 posts

Ultimate Geek
+1 received by user: 92

Reply # 1931132 6-Jan-2018 08:38

One person supports this post

Batman:

djtOtago:

Why is this being blamed on the hardware (Intel/AMD/ARM) when it appears to be a problem with the way the OS is managing memory access?

Presumably (no I didn't take computer science at uni lol) it's a matter of time before people discover a similar "bug" with other things eg routers, ATMs, bank computers, power companies, traffic management, etc (that may use other CPUs)?

Hardware appliances such as routers/firewalls/switches don't usually run 3rd party apps - so even if their CPUs would be vulnerable you could not take advantage of it. ATMs/bank computers usually run a locked down OS like Windows, and traffic management systems usually do the same controlling SCADA devices.

For desktop operations antivirus solutions will be the usual line of defense against this vulnerability. And there are already AV signatures out for such code.

The real concern is for cloud and virtualized systems. Say you had some services deployed in cloud, and you had a malicious "neighbour" running on the same infrastructure - they may run this code to snoop on your system.

clinty

556 posts

Ultimate Geek
+1 received by user: 107

Reply # 1931596 7-Jan-2018 07:59

A good summary of the companies technical responses from Peter Bright at Ars, including white papers etc

https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

Clint

alexx

608 posts

Ultimate Geek
+1 received by user: 38

Reply # 1931749 7-Jan-2018 15:08

There is quite a good explanation here (although most of this appears to be limited to Meltdown):

https://arstechnica.com/gadgets/2018/01/whats-behind-the-intel-design-flaw-forcing-numerous-patches/

The solution that both the Windows and Linux developers have picked is substantially the same, and derived from that KAISER work: the kernel page table entries are no longer shared with each process. In Linux, this is called Kernel Page Table Isolation (KPTI).

The impact of this will vary depending on the workload. Every time a program makes a call into the kernel—to read from disk, to send data to the network, to open a file, and so on—that call will be a little more expensive, since it will force the TLB to be flushed and the real kernel page table to be loaded. Programs that don't use the kernel much might see a hit of perhaps 2-3 percent—there's still some overhead because the kernel always has to run occasionally, to handle things like multitasking.

But workloads that call into the kernel a ton will see much greater performance drop off.

While Intel systems are the ones known to have the defect, they may not be the only ones affected. Some platforms, such as SPARC and IBM's S390, are immune to the problem, as their processor memory management doesn't need the split address space and shared kernel page tables; operating systems on those platforms have always isolated their kernel page tables from user mode ones.

For people running VMs:

https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

Result of exploitation may allow for information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host. The remediation listed in the table below is for the known variants of the Bounds Check Bypass and Branch Target Injection issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-5753 (Bounds Check bypass) and CVE-2017-5715 (Branch Target Injection) to these issues.

Running a cloud/vm infrastructure without patching would be irresponsible, but if a significant percentage of cloud/vm workloads are databases (perhaps the most likely to be affected), then the total performance degradation on a huge cloud/vm environment might be significant.

#include <standard.disclaimer>

allio

484 posts

Ultimate Geek
+1 received by user: 268

Reply # 1931953 8-Jan-2018 09:23

djtOtago:

Just updated my older laptop.

Similar result.

Edit: Just re-encoded one of my test videos.
Took exactly the same time to encode as before the update.

As far as I can tell you will not get a 100% positive result on this test without both the windows patch and a BIOS update. You will also need a post-Haswell CPU for PCID optimisation (not required for security, but mitigates the performance loss somewhat).

My Haswell laptop is fully protected after a BIOS update.

freitasm

BDFL - Memuneh
62066 posts

Uber Geek
+1 received by user: 12674

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 1932005 8-Jan-2018 09:59

BIOS or microcode/firmware update?

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

allio

484 posts

Ultimate Geek
+1 received by user: 268

Reply # 1932017 8-Jan-2018 10:08

freitasm:

BIOS or microcode/firmware update?

Either, I suppose. I should have said you will need updates from both Microsoft and your motherboard/system manufacturer. As I understand it the latter could be either a microcode update (via Windows Update) or a BIOS update.

freitasm

BDFL - Memuneh
62066 posts

Uber Geek
+1 received by user: 12674

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 1932018 8-Jan-2018 10:13

Yes, this was expanded in the previous page. AFAIK it is a microcode update. In the case of Surface it will he delivered as a firmware update. Other manufacturers may call it BIOS but really BIOS and firmware are different things.

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

FineWine

587 posts

Ultimate Geek
+1 received by user: 139

Reply # 1932990 9-Jan-2018 17:15

Apple has today released their security supplemental updates to High Sierra 10.13.2 & El Capitan and iOS to address this issue. Though on my iMac High Sierra the size was only 148Mb but it took approx ½ hour, after download , to install with 3 restarts.

iMac 27" (late 2013), Airport Time Capsule + Airport Express, iPhone7, iPad6, iPad Mini2

Panasonic Blu-ray PVR DMR-BWT835 + Panasonic Viera TH-L50E6Z, Chromecast Ultra

freitasm

BDFL - Memuneh
62066 posts

Uber Geek
+1 received by user: 12674

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 1935371 10-Jan-2018 10:18

Microsoft has posted "Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems".

From the blog:

With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.
For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel. We will publish data on benchmark performance in the weeks ahead.

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

TLD

695 posts

Ultimate Geek
+1 received by user: 153

Reply # 1935671 10-Jan-2018 15:28

Toms put this up ten minutes ago. It's sounding like a double hit for older systems. They will inherently have less performance than newer systems to start with, and will suffer the greater slow down.

http://www.tomshardware.com/news/microsoft-intel-slowdown-old-chips,36293.html

So for my wife who has a elderly two core AMD system, and just uses it for Internet and Office, can she ignore the updates/patches? It only has to hold together till my 7900X system arrives, after which she will use my old 3930K system.

[EDIT] In fact it's even worse than a slow down, because Toms also put this up at lunch time which says the patch are making some old AMD systems unbootable! Methinks I'll turn off auto updates on her old system.

http://www.tomshardware.com/news/meltdown-spectre-update-amd-unbootable,36291.html

Trevor Dennis
Rapaura (near Blenheim)

TwoSeven

1302 posts

Uber Geek
+1 received by user: 149

Reply # 1935687 10-Jan-2018 15:41

allio:
freitasm:

BIOS or microcode/firmware update?

Either, I suppose. I should have said you will need updates from both Microsoft and your motherboard/system manufacturer. As I understand it the latter could be either a microcode update (via Windows Update) or a BIOS update.

From memory, an errata (the name for a change to the CPU spec) is loaded into the CPU during startup (during the init phase I think) and is stored in non-volatile memory (NVM) - I think your bios.

For an update to the OS kernel itself, this would I think be a normal windows update.

As I understand it, although not really following the issue, I think two of the three Meltdown fixes are OS updates and the third requires both an OS and Microcode update. I suspect there will be more updates at some stage as part of the usual update process.

Software Engineer

kiwifidget

1508 posts

Uber Geek
+1 received by user: 323

Lifetime subscriber

Reply # 1935698 10-Jan-2018 16:00

Is there a simple way for your average pc user to test for the vulnerability?

I had a go at the powershell thing mentioned earlier but it was bit beyond my capability.

Life is too short to remove USB safely.

freitasm

BDFL - Memuneh
62066 posts

Uber Geek
+1 received by user: 12674

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 1935699 10-Jan-2018 16:03

Updated my Windows 7 dev VM today with latest security patches... And this happened:

Remember, as per above "Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel."

Damn.

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

UHD

656 posts

Ultimate Geek
+1 received by user: 303
Inactive user

Reply # 1936097 11-Jan-2018 11:33

So what are the chances of microcode updates for hardware from Intel that is 6+ years old? I think the last BIOS updates they offer are from 2014 am I right in betting engineers won't be bothering?

Coil

6497 posts

Uber Geek
+1 received by user: 2079

Trusted

Reply # 1936141 11-Jan-2018 11:58

Should I do it or should I not?
Anyone got any idea on the performance hit?

Cheers

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9