Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign

Speed hits loom, other OSes need fixes


Final update A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.

Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.

Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, but we're looking at a ballpark figure of a five to 30 per cent slowdown, depending on the task and the processor model. More recent Intel chips have features – such as PCID – to reduce the performance hit. Your mileage may vary.

Similar operating systems, such as Apple's 64-bit macOS, will also need to be updated – the flaw is in the Intel x86-64 hardware, and it appears a microcode update can't address it. It has to be fixed in software at the OS level, or you have to go buy a new processor without the design blunder.

Details of the vulnerability within Intel's silicon are under wraps: an embargo on the specifics is due to lift early this month, perhaps in time for Microsoft's Patch Tuesday next week. Indeed, patches for the Linux kernel are available for all to see but comments in the source code have been redacted to obfuscate the issue.

However, some details of the flaw have surfaced, and so this is what we know.

Impact

It is understood the bug is present in modern Intel processors produced in the past decade. It allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the layout or contents of protected kernel memory areas.

The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI. At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers.

Whenever a running program needs to do anything useful – such as write to a file or open a network connection – it has to temporarily hand control of the processor to the kernel to carry out the job. To make the transition from user mode to kernel mode and back to user mode as fast and efficient as possible, the kernel is present in all processes' virtual memory address spaces, although it is invisible to these programs. When the kernel is needed, the program makes a system call, the processor switches to kernel mode and enters the kernel. When it is done, the CPU is told to switch back to user mode, and re-enter the process. While in user mode, the kernel's code and data remain out of sight but present in the process's page tables.

Think of the kernel as God sitting on a cloud, looking down on Earth. It's there, and no normal being can see it, yet they can pray to it.

These KPTI patches move the kernel into a completely separate address space, so it's not just invisible to a running process, it's not even there at all. Really, this shouldn't be needed, but clearly there is a flaw in Intel's silicon that allows kernel access protections to be bypassed in some way.
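As an added example, not code from the article or from the kernel patches, here is a small C program that reports whether a Linux system has KPTI active and whether the CPU offers PCID to soften the cost. It relies on two things Linux exposes: the `pti` and `pcid` entries in the `flags` line of /proc/cpuinfo, and the one-line verdict that kernels from 4.15 onward publish in /sys/devices/system/cpu/vulnerabilities/meltdown. The parsing is kept in pure functions so it can be exercised on captured text.

```c
/* Added example, not from the article: report whether a Linux box has
 * KPTI active and whether the CPU offers PCID to soften its cost.
 * Linux shows KPTI as the "pti" flag in /proc/cpuinfo and, from 4.15
 * onward, gives a one-line verdict in the sysfs "meltdown" file. */
#include <stdio.h>
#include <string.h>

static int is_sep(char c) { return c == ' ' || c == '\t' || c == '\n' || c == '\0'; }

/* 1 if `flag` appears as a whole word in a cpuinfo "flags" line, else 0.
 * Whole-word matching matters: "invpcid" must not count as "pcid". */
int has_cpu_flag(const char *flags_line, const char *flag)
{
    size_t n = strlen(flag);
    const char *p = flags_line;
    while ((p = strstr(p, flag)) != NULL) {
        if ((p == flags_line || is_sep(p[-1])) && is_sep(p[n]))
            return 1;
        p += n;
    }
    return 0;
}

/* Classify /sys/devices/system/cpu/vulnerabilities/meltdown:
 * 2 = "Mitigation: ..." (KPTI on), 1 = "Vulnerable", 0 = "Not affected",
 * -1 = unrecognised text. */
int meltdown_status(const char *sysfs_line)
{
    if (strncmp(sysfs_line, "Not affected", 12) == 0) return 0;
    if (strncmp(sysfs_line, "Vulnerable", 10) == 0)   return 1;
    if (strncmp(sysfs_line, "Mitigation:", 11) == 0)  return 2;
    return -1;
}

/* Copy the first line of `path` (or the first line starting with `prefix`,
 * if given) into buf. Returns 0 if the file is missing, as the sysfs
 * file is on kernels older than 4.15. */
static int read_line(const char *path, const char *prefix, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    int found = 0;
    while (fgets(buf, (int)len, f))
        if (!prefix || strncmp(buf, prefix, strlen(prefix)) == 0) { found = 1; break; }
    fclose(f);
    return found;
}

int main(void)
{
    char line[8192];
    if (read_line("/sys/devices/system/cpu/vulnerabilities/meltdown", NULL, line, sizeof line)) {
        line[strcspn(line, "\n")] = '\0';
        printf("meltdown: %s (status %d)\n", line, meltdown_status(line));
    }
    if (read_line("/proc/cpuinfo", "flags", line, sizeof line))
        printf("KPTI active: %s, PCID available: %s\n",
               has_cpu_flag(line, "pti") ? "yes" : "no",
               has_cpu_flag(line, "pcid") ? "yes" : "no");
    else
        puts("no flags line in /proc/cpuinfo (not Linux?)");
    return 0;
}
```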

The downside to this separation is that it is relatively expensive, time wise, to keep switching between two separate address spaces for every system call and for every interrupt from the hardware. These context switches do not happen instantly, and they force the processor to dump cached data and reload information from memory. This increases the kernel's overhead, and slows down the computer.

Your Intel-powered machine will run slower as a result.
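To put a number on the cost described above, here is an added microbenchmark (not code from the article or from the kernel patches) that times the user-to-kernel-and-back round trip of a trivial system call. getppid() does almost no work inside the kernel, so its cost is dominated by the mode switch itself plus whatever KPTI adds on entry and exit; run it with the mitigation off and on, or on a CPU with and without PCID, and compare.

```c
/* Added example, not from the article: measure the cost of one
 * user -> kernel -> user round trip, which is what KPTI makes more
 * expensive by switching page tables (and flushing the TLB where
 * PCID is unavailable) on every system call and interrupt. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

static double now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1e9 + (double)ts.tv_nsec;
}

/* Average cost in nanoseconds of one getppid() round trip over
 * `iterations` calls. Returns a negative value on a bad count. */
double syscall_roundtrip_ns(long iterations)
{
    if (iterations <= 0)
        return -1.0;

    /* Warm up so first-touch costs on the kernel entry path do not
     * skew the average. */
    for (int i = 0; i < 1000; i++)
        (void)getppid();

    double start = now_ns();
    for (long i = 0; i < iterations; i++)
        (void)getppid();
    double elapsed = now_ns() - start;

    return elapsed / (double)iterations;
}

int main(int argc, char **argv)
{
    long n = argc > 1 ? atol(argv[1]) : 1000000L;
    double ns = syscall_roundtrip_ns(n);
    if (ns < 0) {
        fprintf(stderr, "usage: %s [iterations > 0]\n", argv[0]);
        return 1;
    }
    printf("%ld getppid() calls: %.1f ns per round trip\n", n, ns);
    return 0;
}
```

Compare the per-call figure with KPTI on (`pti` present in /proc/cpuinfo) and off (booting with `nopti`) on the same machine; the difference is the per-transition overhead the article is warning about.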

How can this security hole be abused?

At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs.

At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel's memory. Suffice to say, this is not great. The kernel's memory space is hidden from user processes and programs because it may contain all sorts of secrets, such as passwords, login keys, files cached from disk, and so on. Imagine a piece of JavaScript running in a browser, or malicious software running on a shared public cloud server, able to sniff sensitive kernel-protected data.

Specifically, in terms of the best-case scenario, it is possible the bug could be abused to defeat KASLR: kernel address space layout randomization. This is a defense mechanism used by various operating systems to place components of the kernel in randomized locations in virtual memory. This mechanism can thwart attempts to abuse other bugs within the kernel: typically, exploit code – particularly return-oriented programming exploits – relies on reusing computer instructions in known locations in memory.

If you randomize the placing of the kernel's code in memory, exploits can't find the internal gadgets they need to fully compromise a system. The processor flaw could be potentially exploited to figure out where in memory the kernel has positioned its data and code, hence the flurry of software patching.

However, it may be that the vulnerability in Intel's chips is worse than the above mitigation bypass. In an email to the Linux kernel mailing list over Christmas, AMD said it is not affected. The wording of that message, though, rather gives the game away as to what the underlying cockup is:

AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

A key word here is "speculative." Modern processors, like Intel's, perform speculative execution. In order to keep their internal pipelines primed with instructions to obey, the CPU cores try their best to guess what code is going to be run next, fetch it, and execute it.

It appears, from what AMD software engineer Tom Lendacky was suggesting above, that Intel's CPUs speculatively execute code potentially without performing security checks. It seems it may be possible to craft software in such a way that the processor starts executing an instruction that would normally be blocked – such as reading kernel memory from user mode – and completes that instruction before the privilege level check occurs.

That would allow ring-3-level user code to read ring-0-level kernel data. And that is not good.

The specifics of the vulnerability have yet to be confirmed, but consider this: the changes to Linux and Windows are significant and are being pushed out at high speed. That suggests it's more serious than a KASLR bypass.

Also, the updates to separate kernel and user address spaces on Linux are based on a set of fixes dubbed the KAISER patches, which were created by eggheads at Graz University of Technology in Austria. These boffins discovered [PDF] it was possible to defeat KASLR by extracting memory layout information from the kernel in a side-channel attack on the CPU's virtual memory system. The team proposed splitting kernel and user spaces to prevent this information leak, and their research sparked this round of patching.

Their work was reviewed by Anders Fogh, who wrote this interesting blog post in July. That article described his attempts to read kernel memory from user mode by abusing speculative execution. Although Fogh was unable to come up with any working proof-of-concept code, he noted:

My results demonstrate that speculative execution does indeed continue despite violations of the isolation between kernel mode and user mode.

It appears the KAISER work is related to Fogh's research, and as well as developing a practical means to break KASLR by abusing virtual memory layouts, the team may have somehow proved Fogh right – that speculative execution on Intel x86 chips can be exploited to access kernel memory.

Shared systems

The bug will impact big-name cloud computing environments including Amazon EC2, Microsoft Azure, and Google Compute Engine, said a software developer blogging as Python Sweetness in this heavily shared and tweeted article on Monday:

There is presently an embargoed security bug impacting apparently all contemporary [Intel] CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads.

There are hints the attack impacts common virtualisation environments including Amazon EC2 and Google Compute Engine...

Microsoft's Azure cloud – which runs a lot of Linux as well as Windows – will undergo maintenance and reboots on January 10, presumably to roll out the above fixes.

Amazon Web Services also warned customers via email to expect a major security update to land on Friday this week, without going into details.

There were rumors of a severe hypervisor bug – possibly in Xen – doing the rounds at the end of 2017. It may be that this hardware flaw is that rumored bug: that hypervisors can be attacked via this kernel memory access cockup, and thus need to be patched, forcing a mass restart of guest virtual machines.

A spokesperson for Intel was not available for comment. ®

Updated to add

The Intel processor flaw is real. A PhD student at the systems and network security group at Vrije Universiteit Amsterdam has developed a proof-of-concept program that exploits the Chipzilla flaw to read kernel memory from user mode.

The Register has also seen proof-of-concept exploit code that leaks a tiny amount of kernel memory to user processes.

Finally, macOS has been patched to counter the chip design blunder since version 10.13.3, according to operating system kernel expert Alex Ionescu. And it appears 64-bit ARM Linux kernels will also get a set of KAISER patches, completely splitting the kernel and user spaces, to block attempts to defeat KASLR. We'll be following up this week.

Final update

Check out our summary of the processor bug, here, now that full details are known. Bear in mind there are two flaws at play here: one called Meltdown that mostly affects Intel, and what the above article is all about, and another one called Spectre that affects Intel, AMD, and Arm cores.

See our analysis of Intel's response here.

Additional reporting by John Leyden
