UPDATED 20:54 EST / JANUARY 02 2018

INFRA

Intel patches critical processor security bug, but the fix imposes a 35% performance hit

Intel Corp. is having a rough start to the new year, with reports of a critical flaw in its central processing unit chips for computers that needs urgent patching.

The bug is said to be causing Intel headaches not because vulnerabilities like this are anything new, but in this case because fixing it can reportedly slow the performance of its CPUs by up to 35 percent.

The bug is also said to be a pretty beastly one, although details of the exploit have been placed under embargo in order to give Intel time to push out a fix. However, the Register said the bug causes Intel CPUs to prefetch system memory sectors and gain control of various software applications, which could in theory allow for a virtual machine on shared hosting to overwrite another VM. This is particularly worrying for public cloud providers such as Amazon Web Services Inc. and Microsoft Corp., which could suffer enormous damage if the bug were to hit any of their VMs.

The Python Sweetness blog, which first reported on the bug, said the vulnerability was first identified by developers working on the Linux kernel, though it also affects Windows operating systems. It added that a number of major security patches for the Linux kernel have been pushed out over the Christmas and New Year holidays, which are likely to be an attempt to fix the new bug.

These kernel updates have provided a workaround that can prevent attackers from exploiting the bug, but the problem is that doing so comes at a heavy cost. In technical terms, the fix involves using Kernel Page-Table Isolation or PTI to restrict processes so they can only access their own memory area. However, PTI also affects low-level features in the hardware, resulting in a performance hit of up to 35 percent for older Intel processors.

“Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November,” the Python Sweetness blog reported Monday. “In the worst case the software fix causes huge slowdowns in typical workloads.”

These slowdowns were highlighted by Brad Spengler, lead developer of grsecurity, which is a set of patches for the Linux kernel which emphasize security enhancements. According to HotHardWare, Spengler said an Intel Core i7-3770S CPU will take a 34 percent performance hit, while the new Intel Core i7-6700 will run 29 percent slower.

Python Sweetness added that the bug will also have a big impact on “common virtualization environments” such as Amazon and Microsoft, both of which have scheduled maintenance updates this week to try to address the problem. There’s no word yet on a fix for Windows users, with Microsoft reportedly working to create an isolation feature similar to PTI.

Unfortunately for Intel, main rival Advanced Micro Devices Inc. is already taking advantage of the bug to promote its own processors as an alternative. AMD’s chips are said to be unaffected by the bug as their architecture has extra security protections in place.

“This comes at an ugly time for Intel largely because AMD is executing really well and largely held back by the fading belief that Intel’s parts are better,” said Rob Enderle, president and principal analyst at Enderle Group. “This will challenge that belief and create distrust which may help AMD carry their message that they are equal to or better than Intel in the market. I’ll bet the Microsoft and Linux folks who have had to deal with this are suddenly thinking of AMD far more fondly at the moment.”

Indeed, AMD took the opportunity to crow. “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against,” Thomas Lendacky, a member of the Linux OS group at AMD, wrote in a forum post. “The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.”

Nonetheless, the speed at which Intel has pushed out a patch was a positive sign, according to one analyst.

“Security vulnerabilities are always unfortunate and need to be addressed ASAP,” said Holger Mueller, principal analyst and vice president at Constellation Research Inc. “It seems that in this case Intel and the relevant users are working well together. But security always comes with a performance penalty, even when it’s implemented at the hardware level.”

Image: JiahuiH/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU