
Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign

Speed hits loom, other OSes need fixes


Final update A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.

Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.

Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked; however, we're looking at a ballpark figure of a five to 30 per cent slowdown, depending on the task and the processor model. More recent Intel chips have features – such as PCID – to reduce the performance hit. Your mileage may vary.

Similar operating systems, such as Apple's 64-bit macOS, will also need to be updated – the flaw is in the Intel x86-64 hardware, and it appears a microcode update can't address it. It has to be fixed in software at the OS level, or you can go buy a new processor without the design blunder.

Details of the vulnerability within Intel's silicon are under wraps: an embargo on the specifics is due to lift early this month, perhaps in time for Microsoft's Patch Tuesday next week. Indeed, patches for the Linux kernel are available for all to see but comments in the source code have been redacted to obfuscate the issue.

However, some details of the flaw have surfaced, and so this is what we know.

Impact

It is understood the bug is present in modern Intel processors produced in the past decade. It allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the layout or contents of protected kernel memory areas.

The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI. At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers.

Whenever a running program needs to do anything useful – such as write to a file or open a network connection – it has to temporarily hand control of the processor to the kernel to carry out the job. To make the transition from user mode to kernel mode and back to user mode as fast and efficient as possible, the kernel is present in all processes' virtual memory address spaces, although it is invisible to these programs. When the kernel is needed, the program makes a system call, the processor switches to kernel mode and enters the kernel. When it is done, the CPU is told to switch back to user mode, and reenter the process. While in user mode, the kernel's code and data remain out of sight but present in the process's page tables.

Think of the kernel as God sitting on a cloud, looking down on Earth. It's there, and no normal being can see it, yet they can pray to it.

These KPTI patches move the kernel into a completely separate address space, so it's not just invisible to a running process, it's not even there at all. Really, this shouldn't be needed, but clearly there is a flaw in Intel's silicon that allows kernel access protections to be bypassed in some way.

The downside to this separation is that it is relatively expensive, time wise, to keep switching between two separate address spaces for every system call and for every interrupt from the hardware. These context switches do not happen instantly, and they force the processor to dump cached data and reload information from memory. This increases the kernel's overhead, and slows down the computer.

Your Intel-powered machine will run slower as a result.
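For admins wanting to confirm whether KPTI is actually active on a Linux box, and whether the CPU offers the PCID feature that softens the slowdown, here is an added example script (not from the article or the kernel project). It assumes the sysfs entry and the `pti`/`pcid` flags in /proc/cpuinfo that Linux kernels exposed from 4.15 onwards, after this article was written; the sample strings in the functions' comments are constructed.

```shell
#!/bin/sh
# Added example, not from the article: report the KPTI state of a Linux host.
# Assumes /sys/devices/system/cpu/vulnerabilities/meltdown and the "pti" and
# "pcid" entries on the /proc/cpuinfo "flags" line (kernel 4.15 and later).

# Classify the text of the sysfs meltdown file.
# Prints one of: mitigated, not_affected, vulnerable, unknown.
meltdown_status() {
    case "$1" in
        "Mitigation: PTI"*) echo mitigated ;;
        "Not affected"*)    echo not_affected ;;
        "Vulnerable"*)      echo vulnerable ;;
        *)                  echo unknown ;;
    esac
}

# Succeed (exit 0) if a cpuinfo "flags" line contains $2 as a whole word,
# so "pcid" does not match a constructed line containing "pcids".
has_cpu_flag() {
    printf '%s\n' "$1" | grep -qw -- "$2"
}

# Combine both sources into a one-word verdict suitable for fleet inventories.
# $1: sysfs meltdown text, $2: cpuinfo flags line.
kpti_verdict() {
    status=$(meltdown_status "$1")
    if [ "$status" = mitigated ] || has_cpu_flag "$2" pti; then
        # PTI is on; PCID lets the kernel avoid full TLB flushes on each switch.
        if has_cpu_flag "$2" pcid; then
            echo pti-with-pcid
        else
            echo pti-no-pcid
        fi
    elif [ "$status" = not_affected ]; then
        echo not-affected
    else
        echo unmitigated
    fi
}

# Live check when run on a Linux host; silently skipped elsewhere.
sysfs=/sys/devices/system/cpu/vulnerabilities/meltdown
if [ -r "$sysfs" ] && [ -r /proc/cpuinfo ]; then
    flags=$(grep -m1 '^flags' /proc/cpuinfo || true)
    echo "meltdown: $(cat "$sysfs")"
    echo "verdict : $(kpti_verdict "$(cat "$sysfs")" "$flags")"
fi
```

A verdict of `pti-no-pcid` means the machine is protected but pays the full TLB-flush cost the article describes on every kernel entry.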

How can this security hole be abused?

At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs.

At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel's memory. Suffice it to say, this is not great. The kernel's memory space is hidden from user processes and programs because it may contain all sorts of secrets, such as passwords, login keys, files cached from disk, and so on. Imagine a piece of JavaScript running in a browser, or malicious software running on a shared public cloud server, able to sniff sensitive kernel-protected data.

Specifically, in terms of the best-case scenario, it is possible the bug could be abused to defeat KASLR: kernel address space layout randomization. This is a defense mechanism used by various operating systems to place components of the kernel in randomized locations in virtual memory. This mechanism can thwart attempts to abuse other bugs within the kernel: typically, exploit code – particularly return-oriented programming exploits – relies on reusing computer instructions in known locations in memory.

If you randomize the placing of the kernel's code in memory, exploits can't find the internal gadgets they need to fully compromise a system. The processor flaw could be potentially exploited to figure out where in memory the kernel has positioned its data and code, hence the flurry of software patching.

However, it may be that the vulnerability in Intel's chips is worse than the above mitigation bypass. In an email to the Linux kernel mailing list over Christmas, AMD said it is not affected. The wording of that message, though, rather gives the game away as to what the underlying cockup is:

AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

A key word here is "speculative." Modern processors, like Intel's, perform speculative execution. In order to keep their internal pipelines primed with instructions to obey, the CPU cores try their best to guess what code is going to be run next, fetch it, and execute it.

It appears, from what AMD software engineer Tom Lendacky was suggesting above, that Intel's CPUs speculatively execute code potentially without performing security checks. It seems it may be possible to craft software in such a way that the processor starts executing an instruction that would normally be blocked – such as reading kernel memory from user mode – and completes that instruction before the privilege level check occurs.

That would allow ring-3-level user code to read ring-0-level kernel data. And that is not good.

The specifics of the vulnerability have yet to be confirmed, but consider this: the changes to Linux and Windows are significant and are being pushed out at high speed. That suggests it's more serious than a KASLR bypass.

Also, the updates to separate kernel and user address spaces on Linux are based on a set of fixes dubbed the KAISER patches, which were created by eggheads at Graz University of Technology in Austria. These boffins discovered [PDF] it was possible to defeat KASLR by extracting memory layout information from the kernel in a side-channel attack on the CPU's virtual memory system. The team proposed splitting kernel and user spaces to prevent this information leak, and their research sparked this round of patching.

Their work was reviewed by Anders Fogh, who wrote this interesting blog post in July. That article described his attempts to read kernel memory from user mode by abusing speculative execution. Although Fogh was unable to come up with any working proof-of-concept code, he noted:

My results demonstrate that speculative execution does indeed continue despite violations of the isolation between kernel mode and user mode.

It appears the KAISER work is related to Fogh's research, and as well as developing a practical means to break KASLR by abusing virtual memory layouts, the team may have somehow proved Fogh right – that speculative execution on Intel x86 chips can be exploited to access kernel memory.

Shared systems

The bug will impact big-name cloud computing environments including Amazon EC2, Microsoft Azure, and Google Compute Engine, said a software developer blogging as Python Sweetness in this heavily shared and tweeted article on Monday:

There is presently an embargoed security bug impacting apparently all contemporary [Intel] CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads.

There are hints the attack impacts common virtualisation environments including Amazon EC2 and Google Compute Engine...

Microsoft's Azure cloud – which runs a lot of Linux as well as Windows – will undergo maintenance and reboots on January 10, presumably to roll out the above fixes.

Amazon Web Services also warned customers via email to expect a major security update to land on Friday this week, without going into details.

There were rumors of a severe hypervisor bug – possibly in Xen – doing the rounds at the end of 2017. It may be that this hardware flaw is that rumored bug: that hypervisors can be attacked via this kernel memory access cockup, and thus need to be patched, forcing a mass restart of guest virtual machines.

A spokesperson for Intel was not available for comment. ®

Updated to add

The Intel processor flaw is real. A PhD student at the systems and network security group at Vrije Universiteit Amsterdam has developed a proof-of-concept program that exploits the Chipzilla flaw to read kernel memory from user mode:

The Register has also seen proof-of-concept exploit code that leaks a tiny amount of kernel memory to user processes.

Finally, macOS has been patched to counter the chip design blunder since version 10.13.3, according to operating system kernel expert Alex Ionescu. And it appears 64-bit ARM Linux kernels will also get a set of KAISER patches, completely splitting the kernel and user spaces, to block attempts to defeat KASLR. We'll be following up this week.

Final update

Check out our summary of the processor bug, here, now that full details are known. Bear in mind there are two flaws at play here: one called Meltdown that mostly affects Intel, and what the above article is all about, and another one called Spectre that affects Intel, AMD, and Arm cores.

See our analysis of Intel's response here.

Additional reporting by John Leyden
