Intel is grappling with a processor design flaw affecting CPUs used in Linux, Windows and some macOS systems. The flaw is tied to how Intel processors separate kernel virtual memory from user memory and could allow an attacker to read kernel-protected data such as passwords and login keys.
The flaw’s impact is far reaching, affecting Intel endpoint computers, but also cloud computing environments such as Amazon EC2, Microsoft Azure and Google Compute Engine, according to an analysis of the flaw by a developer blogging at Python Sweetness.
Some details of the bug affecting the Linux kernel have been made public; however, a complete analysis of the flaw is being withheld under an embargo. Intel, Microsoft and other stakeholders are expected to reveal technical details of the flaw’s impact later this month. Intel has not publicly confirmed the bug and did not return requests for comment.
The Intel design flaw requires programmers to overhaul both the Linux and Windows NT kernels’ virtual memory handling in order to work around the problem. Microsoft introduced fixes to beta testers of its Windows operating system in November and December and is expected to roll out patches for the bug next week during its Patch Tuesday security update.
Security patches addressing the flaw in the Linux kernel were pushed last week. Apple’s 64-bit macOS will also need to be updated, according to reports of the flaw.
The fixes have tradeoffs: they reduce Intel CPU performance by as much as five to 30 percent depending on the workload, said Python Sweetness.
“In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer,” wrote the Python Sweetness developer.
Still other researchers, such as Max Goryachy, security researcher at Positive Technologies, don’t believe a patch can fully mitigate the vulnerability. “This problem could be completely fixed only in new chip versions,” he said.
As yet the flaw has no official name. Researchers commonly refer to it by the names of the Linux kernel mitigation, KPTI (Kernel Page Table Isolation) or KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed), although strictly those name the fix rather than the flaw.
The CPU design flaw is tied to how the Intel processor manages memory between “kernel mode” and “user mode.” Specifics of the flaw have yet to be released, but an article by The Register delves into some of the details.
Developers separate the kernel’s memory from the userland process using Kernel Page Table Isolation (KPTI). “These KPTI patches move the kernel into a completely separate address space, so it’s not just invisible to a running process… this shouldn’t be needed, but clearly there is a flaw in Intel’s silicon that allows kernel access protections to be bypassed in some way,” The Register wrote.
“Whenever a running program needs to do anything useful – such as write to a file or open a network connection – it has to temporarily hand control of the processor to the kernel to carry out the job. To make the transition from user mode to kernel mode and back to user mode as fast and efficient as possible, the kernel is present in all processes’ virtual memory address spaces, although it is invisible to these programs. When the kernel is needed, the program makes a system call, the processor switches to kernel mode and enters the kernel. When it is done, the CPU is told to switch back to user mode, and reenter the process. While in user mode, the kernel’s code and data remains out of sight but present in the process’s page tables,” The Register writes.
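The boundary The Register describes can be poked at from user space. The following is an added example, not code from the article or from any source it quotes: a C program for Linux on x86-64 that (1) reads one byte at a kernel-half address and catches the resulting fault, showing that the kernel is present in the process’s page tables but off limits to it; (2) times a minimal syscall round trip, the user-to-kernel transition that KPTI makes more expensive; and (3) checks text in /proc/cpuinfo format for the “pti” flag that Linux 4.15 and later use to report page table isolation. The address 0xffffffff81000000, the choice of getpid as the timed syscall and the “pti” flag are assumptions; the flag post-dates this article, and its absence on an older kernel says nothing about whether that kernel is patched.

```c
/* Added example (not from the article or any source it quotes): probe the
 * user/kernel boundary from an unprivileged Linux x86-64 process.
 * Assumptions: 0xffffffff81000000 is a kernel-half address (the usual x86-64
 * kernel text base); SYS_getpid is the syscall timed; the "pti" flag in
 * /proc/cpuinfo marks Kernel Page Table Isolation (Linux 4.15 and later). */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

static sigjmp_buf probe_env;

static void probe_handler(int sig) {
    (void)sig;
    siglongjmp(probe_env, 1);            /* back out of the faulting load */
}

/* Return 1 if a one-byte read at addr raises SIGSEGV/SIGBUS, 0 if it succeeds.
 * A kernel-half address faults even though the kernel is mapped in this
 * process's page tables: the supervisor bit on its PTEs blocks user mode. */
int probe_read_faults(uintptr_t addr) {
    struct sigaction sa, old_segv, old_bus;
    int faulted;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(probe_env, 1) == 0) {
        volatile unsigned char *p = (volatile unsigned char *)addr;
        unsigned char v = *p;             /* the probe itself */
        (void)v;
        faulted = 0;
    } else {
        faulted = 1;                      /* landed here via the handler */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Average cost in nanoseconds of one user->kernel->user round trip, measured
 * with a trivial syscall. KPTI adds a page-table switch to every such
 * transition, which is where the reported slowdown comes from. */
double syscall_cost_ns(int iterations) {
    struct timespec t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (int i = 0; i < iterations; i++)
        syscall(SYS_getpid);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    double ns = (t1.tv_sec - t0.tv_sec) * 1e9 + (t1.tv_nsec - t0.tv_nsec);
    return ns / iterations;
}

/* Return 1 if a "flags" line in text (the /proc/cpuinfo format) lists `flag`
 * as a whole word, e.g. "pti"; 0 otherwise. */
int cpuinfo_has_flag(const char *text, const char *flag) {
    size_t flen = strlen(flag);
    const char *line = text;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        if (end - line > 5 && strncmp(line, "flags", 5) == 0 &&
            strchr(" \t:", line[5]) != NULL) {
            const char *p = line + 5;
            while (p < end) {
                while (p < end && strchr(" \t:", *p)) p++;   /* separators */
                const char *tok = p;
                while (p < end && *p != ' ' && *p != '\t') p++;
                if ((size_t)(p - tok) == flen && memcmp(tok, flag, flen) == 0)
                    return 1;
            }
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

int main(void) {
    printf("read at kernel address faults: %d\n",
           probe_read_faults((uintptr_t)0xffffffff81000000ULL));
    printf("read at user address faults:   %d\n",
           probe_read_faults((uintptr_t)"user data"));
    printf("getpid round trip: %.1f ns\n", syscall_cost_ns(100000));

    /* No "pti" flag means an older kernel or a non-x86 machine, not
     * necessarily an unpatched one. */
    static char buf[1 << 16];
    FILE *f = fopen("/proc/cpuinfo", "r");
    if (f) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        printf("cpuinfo flags contain \"pti\": %d\n", cpuinfo_has_flag(buf, "pti"));
    }
    return 0;
}
```

Compile with `gcc -O2 -o kprobe kprobe.c` and run it as an ordinary user; the kernel-address probe reports a fault whether or not KPTI is active, because the page-table entries for the kernel half are marked supervisor-only either way. Running the syscall timing before and after enabling the KPTI patches on the same machine gives a direct view of the transition overhead the article describes.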
An attack on the flaw takes advantage of the way the Intel processor switches address spaces, discards cached data and reloads information from memory.
“It is possible the bug could be abused to defeat KASLR: kernel address space layout randomization. This is a defense mechanism used by various operating systems to place components of the kernel in randomized locations in virtual memory. This mechanism can thwart attempts to abuse other bugs within the kernel: typically, exploit code – particularly return-oriented programming exploits – relies on reusing computer instructions in known locations in memory,” according to the report.
The Intel design flaw allows an attacker to predict where the kernel’s data and code are stored and positioned in memory. Predict the location, and an attacker could circumvent the wall between userland and the kernel, allowing the adversary to launch malware, steal data, manipulate hardware and eavesdrop on network traffic.
Because the attack scenario requires an attacker to already have a foothold on the targeted system, the risk is not considered critical for laptops and desktop clients. But for virtual machines, where the kernel serves to keep multiple users and programs apart, the risks are considered much higher.
Because the flaw is specific to Intel processors, rival chip maker AMD’s CPUs are not impacted by the issue KPTI addresses, according to AMD Linux kernel developer Tom Lendacky. He wrote in a recent Linux Kernel Mailing List message: “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.”