We translated Intel's crap attempt to spin its way out of CPU security bug PR nightmare

As Linus Torvalds lets rip on Chipzilla


Analysis In the wake of The Register's report on Tuesday about the vulnerabilities affecting Intel chips, Chipzilla on Wednesday issued a press release to address the problems disclosed by Google's security researchers that afternoon.

To help put Intel's claims into context, we've annotated the text. Bold is Intel's spin.

Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed.

Translation: When malware steals your stuff, your Intel chip is working as designed. Also, this is why our stock price fell. Please make other stock prices fall, thank you.

By the way, here's what Linux kernel supremo Linus Torvalds had to say about this: "I think somebody inside of Intel needs to really take a long hard look at their CPUs, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed.

"Is Intel basically saying 'we are committed to selling you shit forever and ever, and never fixing anything'?"

What Intel described as "software analysis methods," security researchers describe thus: "Meltdown breaks all security assumptions given by the CPU’s memory isolation capabilities."

"Meltdown" is the name given to a side-channel attack on memory isolation that affects most Intel chips since 2010, as well as a few Arm cores. Intel's chips may be "operating as designed" but it is this processor design that's the issue; based on the research that has been published, the current design is inadequate and insecure.

Meltdown – on Intel CPUs and the Arm Cortex-A75 – allows normal applications to read protected kernel memory, allowing them to steal passwords and other secrets. It is easy to exploit, but easy to patch – and workarounds to kill the vulnerability are available for Windows and Linux, and are already in macOS High Sierra, for Intel parts. There are Linux kernel patches available for the Cortex-A75, which isn't even on the market yet.

There's also another security flaw named Spectre that affects, to varying degrees, Intel, AMD, and Arm. Depending on your CPU, Spectre allows normal apps to potentially steal information from other apps, the kernel, or the underlying hypervisor. Spectre is difficult to exploit, but also difficult to fully patch – and is going to be the real stinger from all of this.

You can find a summary of the Meltdown and Spectre bugs, here.

Intel believes these exploits do not have the potential to corrupt, modify or delete data.

Translation: Look, over here! Scary words! And we deny them! And you'll forget that this is about stealing information, not tampering with it.

Funnily enough, no one said the security flaws could be used to directly alter data. Instead of talking about what these exploits don't do, let's focus on what they make possible.

On vulnerable systems, Meltdown allows user programs to read from private and sensitive kernel address spaces, including kernel-sharing sandboxes like Docker or Xen in paravirtualization mode. And when you've stolen the keys to the kingdom, such as cryptographic secrets, you'll probably find you can indeed corrupt, modify or delete data, pal.

Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect.

Translation: Pleeeeeease, pleeeeease do not sue us for shipping faulty products or make us recall millions of chips.

Bug. Flaw. Security shortcoming. Design oversight. Blueprint blunder. Bungled architecture. It's the same difference. Security researchers, describing Meltdown, said: "On the microarchitectural level (e.g., the actual hardware implementation), there is an exploitable security problem."

The exploits described this week against processors rely on unsafe system designs. Flawed system designs, if you will. Buggy system designs.

Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

Translation: We weren't the only one. And if we're going down, we're taking every last one of you with us.

Chipzilla doesn't want you to know that every Intel processor since 1995 that implements out-of-order execution is potentially affected by Meltdown – except Itanium, and the Atom before 2013.

Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

Translation: Just fucking leave us alone.

While Intel may be working with AMD, Arm, and other system vendors, any performance hit incurred from patching Meltdown is not an issue for these vendors. AMD isn't affected by the bug, and only the Arm Cortex-A75 is susceptible to the vulnerability.

The performance hit is due to implementing Kernel Page Table Isolation, or KPTI (previously called KAISER) to close the security hole. This pushes the kernel into a separate address space so it cannot be accessed at all by the running processes. The downside is that whenever an application needs the kernel to do something useful, such as read a file or send some network traffic, the CPU has to switch over to the kernel's virtual address space. This takes time, and doing it a lot will slow down the machine.

The KPTI overhead for the Cortex-A75 isn't known at the moment, and is estimated to be minimal. Arm may even rejig the A75 in light of these discoveries. As for Intel systems, we stated in our original report:

The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features – such as PCID – to reduce the performance hit. Your mileage may vary.

These figures were based on estimates from people working on the KPTI patches, and from simple benchmarks, such as asking a PostgreSQL database to select all records in a data store, and adding up all file sizes of documents on a disk. Some people have already reported noticeable degraded performance from their cloud-hosted virtual machines after applying the Meltdown patches. Some cloud vendors insist there won't be a problem.

It really boils down to – as we said, and Intel pointed out – your workload. If you just play games on your PC, you will not see a slowdown, beyond any delays caused by file loading, because the software rarely jumps to the kernel during gameplay. Your game will be mostly talking to the graphics processor.

If all you do is browse Twitter, write emails, and type away in a word processor, you probably won't notice any difference. If you do a lot of in-memory number crunching, you won't see much of an impact because again the kernel isn't getting in the way. If you have PCID support enabled on your hardware and in your kernel, any performance hit should be minimized.

If you hammer the disk, the network, or use software that makes lots of system calls in and out of the kernel, and you're lacking working PCID support, you will see a performance hit. And it's a good idea to warn you, right?

It's a given for this particular issue that any slowdown is dependent upon the kind of work the affected system is being asked to do. Gamers will maintain their frame rates, but that's not what this is about. It's about enterprise workloads and data centers. With reports of SQL database slowdowns of up to 20 or so per cent, it seems premature to say the impact should not be significant. If a company's AWS, Microsoft Azure, or Google Cloud bill ends up being, say, three, five or eight per cent higher as a consequence of prolonged compute times, that's significant.

No doubt the patches will be benchmarked, and we'll write about them.

Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.

Translation: We were gonna say something next week, but those bastards at The Register blew the lid on it early so, uh, so, fake news! Fake news! NO PUPPET!

The preferred phrase at present is "coordinated disclosure." "Responsible disclosure" suggests the media and security researchers have been irresponsible for reporting on this issue before Intel was ready to go public. Once we get into assigning blame, that invites terms like "responsible microarchitecture design" or "responsible sales of processors known to contain vulnerabilities" or "responsible handling of security disclosures made last June."

Also, it's not clear which media reports are inaccurate, since Intel is not addressing anyone specifically.

Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.

Translation: Don't click on any bad links or emails, you rubes.

Thanks for that. And remember to lock your doors at night.

Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.

Translation: Who else are you gonna buy this stuff from?

One step below security by obscurity, there's security by belief. Demand more. ®

Similar topics

Broader topics


Other stories you might like

  • Monero-mining botnet targets Windows, Linux web servers
    Sysrv-K malware infects unpatched tin, Microsoft warns

    The latest variant of the Sysrv botnet malware is menacing Windows and Linux systems with an expanded list of vulnerabilities to exploit, according to Microsoft.

    The strain, which Microsoft's Security Intelligence team calls Sysrv-K, scans the internet for web servers that have security holes, such as path traversal, remote file disclosure, and arbitrary file download bugs, that can be exploited to infect the machines.

    The vulnerabilities, all of which have patches available, include flaws in WordPress plugins such as the recently uncovered remote code execution hole in the Spring Cloud Gateway software tracked as CVE-2022-22947 that Uncle Sam's CISA warned of this week.

    Continue reading
  • Red Hat Kubernetes security report finds people are the problem
    Puny human brains baffled by K8s complexity, leading to blunder fears

    Kubernetes, despite being widely regarded as an important technology by IT leaders, continues to pose problems for those deploying it. And the problem, apparently, is us.

    The open source container orchestration software, being used or evaluated by 96 per cent of organizations surveyed [PDF] last year by the Cloud Native Computing Foundation, has a reputation for complexity.

    Witness the sarcasm: "Kubernetes is so easy to use that a company devoted solely to troubleshooting issues with it has raised $67 million," quipped Corey Quinn, chief cloud economist at IT consultancy The Duckbill Group, in a Twitter post on Monday referencing investment in a startup called Komodor. And the consequences of the software's complication can be seen in the difficulties reported by those using it.

    Continue reading
  • Infosys skips government meeting - and collecting government taxes
    Tax portal wobbles, again

    Services giant Infosys has had a difficult week, with one of its flagship projects wobbling and India's government continuing to pressure it over labor practices.

    The wobbly projext is India's portal for filing Goods and Services Tax returns. According to India’s Central Board of Indirect Taxes and Customs (CBIC), the IT services giant reported a “technical glitch” that meant auto-populated forms weren't ready for taxpayers. The company was directed to fix it and CBIC was faced with extending due dates for tax payments.

    Continue reading
  • Google keeps legacy G Suite alive and free for personal use
    Phew!

    Google has quietly dropped its demand that users of its free G Suite legacy edition cough up to continue enjoying custom email domains and cloudy productivity tools.

    This story starts in 2006 with the launch of “Google Apps for Your Domain”, a bundle of services that included email, a calendar, Google Talk, and a website building tool. Beta users were offered the service at no cost, complete with the ability to use a custom domain if users let Google handle their MX record.

    The service evolved over the years and added more services, and in 2020 Google rebranded its online productivity offering as “Workspace”. Beta users got most of the updated offerings at no cost.

    Continue reading
  • GNU Compiler Collection adds support for China's LoongArch CPU family
    MIPS...ish is on the march in the Middle Kingdom

    Version 12.1 of the GNU Compiler Collection (GCC) was released this month, and among its many changes is support for China's LoongArch processor architecture.

    The announcement of the release is here; the LoongArch port was accepted as recently as March.

    China's Academy of Sciences developed a family of MIPS-compatible microprocessors in the early 2000s. In 2010 the tech was spun out into a company callled Loongson Technology which today markets silicon under the brand "Godson". The company bills itself as working to develop technology that secures China and underpins its ability to innovate, a reflection of Beijing's believe that home-grown CPU architectures are critical to the nation's future.

    Continue reading
  • China’s COVID lockdowns bite e-commerce players
    CEO of e-tail market leader JD perhaps boldly points out wider economic impact of zero-virus stance

    The CEO of China’s top e-commerce company, JD, has pointed out the economic impact of China’s current COVID-19 lockdowns - and the news is not good.

    Speaking on the company’s Q1 2022 earnings call, JD Retail CEO Lei Xu said that the first two years of the COVID-19 pandemic had brought positive effects for many Chinese e-tailers as buyer behaviour shifted to online purchases.

    But Lei said the current lengthy and strict lockdowns in Shanghai and Beijing, plus shorter restrictions in other large cities, have started to bite all online businesses as well as their real-world counterparts.

    Continue reading
  • Foxconn forms JV to build chip fab in Malaysia
    Can't say when, where, nor price tag. Has promised 40k wafers a month at between 28nm and 40nm

    Taiwanese contract manufacturer to the stars Foxconn is to build a chip fabrication plant in Malaysia.

    The planned factory will emit 12-inch wafers, with process nodes ranging from 28 to 40nm, and will have a capacity of 40,000 wafers a month. By way of comparison, semiconductor-centric analyst house IC Insights rates global wafer capacity at 21 million a month, and Taiwanese TSMC’s four “gigafabs” can each crank out 250,000 wafers a month.

    In terms of production volume and technology, this Malaysian facility will not therefore catapult Foxconn into the ranks of leading chipmakers.

    Continue reading
  • NASA's InSight doomed as Mars dust coats solar panels
    The little lander that couldn't (any longer)

    The Martian InSight lander will no longer be able to function within months as dust continues to pile up on its solar panels, starving it of energy, NASA reported on Tuesday.

    Launched from Earth in 2018, the six-metre-wide machine's mission was sent to study the Red Planet below its surface. InSight is armed with a range of instruments, including a robotic arm, seismometer, and a soil temperature sensor. Astronomers figured the data would help them understand how the rocky cores of planets in the Solar System formed and evolved over time.

    "InSight has transformed our understanding of the interiors of rocky planets and set the stage for future missions," Lori Glaze, director of NASA's Planetary Science Division, said in a statement. "We can apply what we've learned about Mars' inner structure to Earth, the Moon, Venus, and even rocky planets in other solar systems."

    Continue reading
  • The ‘substantial contributions’ Intel has promised to boost RISC-V adoption
    With the benefit of maybe revitalizing the x86 giant’s foundry business

    Analysis Here's something that would have seemed outlandish only a few years ago: to help fuel Intel's future growth, the x86 giant has vowed to do what it can to make the open-source RISC-V ISA worthy of widespread adoption.

    In a presentation, an Intel representative shared some details of how the chipmaker plans to contribute to RISC-V as part of its bet that the instruction set architecture will fuel growth for its revitalized contract chip manufacturing business.

    While Intel invested in RISC-V chip designer SiFive in 2018, the semiconductor titan's intentions with RISC-V evolved last year when it revealed that the contract manufacturing business key to its comeback, Intel Foundry Services, would be willing to make chips compatible with x86, Arm, and RISC-V ISAs. The chipmaker then announced in February it joined RISC-V International, the ISA's governing body, and launched a $1 billion innovation fund that will support chip designers, including those making RISC-V components.

    Continue reading
  • FBI warns of North Korean cyberspies posing as foreign IT workers
    Looking for tech talent? Kim Jong-un's friendly freelancers, at your service

    Pay close attention to that resume before offering that work contract.

    The FBI, in a joint advisory with the US government Departments of State and Treasury, has warned that North Korea's cyberspies are posing as non-North-Korean IT workers to bag Western jobs to advance Kim Jong-un's nefarious pursuits.

    In guidance [PDF] issued this week, the Feds warned that these techies often use fake IDs and other documents to pose as non-North-Korean nationals to gain freelance employment in North America, Europe, and east Asia. Additionally, North Korean IT workers may accept foreign contracts and then outsource those projects to non-North-Korean folks.

    Continue reading
  • Elon Musk says Twitter buy 'cannot move forward' until spam stats spat settled
    A stunning surprise to no one in this Solar System

    Elon Musk said his bid to acquire and privatize Twitter "cannot move forward" until the social network proves its claim that fake bot accounts make up less than five per cent of all users.

    The world's richest meme lord formally launched efforts to take over Twitter last month after buying a 9.2 per cent stake in the biz. He declined an offer to join the board of directors, only to return asking if he could buy the social media platform outright at $54.20 per share. Twitter's board resisted Musk's plans at first, installing a "poison pill" to hamper a hostile takeover before accepting the deal, worth over $44 billion.

    But then it appears Musk spotted something in Twitter's latest filing to America's financial watchdog, the SEC. The paperwork asserted that "fewer than five percent" of Twitter's monetizable daily active users (mDAUs) in the first quarter of 2022 were fake or spammer accounts, which Musk objected to: he felt that figure should be a lot higher. He had earlier proclaimed that ridding Twitter of spam bots was a priority for him, post-takeover.

    Continue reading

Biting the hand that feeds IT © 1998–2022