There is some evidence that Intel processors have a bug that allows access to protected kernel memory. The solution would lie in a page table isolation patch, but at least in Linux this can lead to a significant performance drop in certain applications.
The vulnerability would affect multiple generations of Intel processors and require Windows, macOS and Linux to implement low-level patches. These would have a negative performance impact of 5 to 30 percent, depending on the applications.
Linux 4.15-rc6, which includes the patch, in combination with a system running the Intel Core i7-8700K, shows significant performance drops in Phoronix benchmarks in FS-Mark, Compile Bench, and PostgreSQL. A user of the PostgreSQL mailing list notes the same thing. Phoronix tests show no performance difference when gaming with the same Linux version. Applications that are limited to user space would not run slower due to the patch.
Intel has not yet published any details about the bug, nor have security companies, but Reddit, among others, has noted that a publication about a serious vulnerability seems imminent. This could be inferred from activity in the Linux community, among other things.
Developers for the Linux kernel have been working on so-called Kaiser patches for some time. At the beginning of December, these were renamed x86/kpti patches, where kpti stands for kernel page table isolation. Kpti is a security technique that separates kernel memory more strictly from userland. By unmapping the kernel from the user-mode page tables as far as possible, a process in user space should be able to learn as little as possible about the kernel's virtual address space.
Kpti keeps a shadow copy of the page tables for user memory that maps only a minimal part of kernel memory. When the kernel is entered through a syscall or an interrupt, the processor switches to the full kernel copy of the page tables. That switch takes time, so the performance of every application that makes heavy use of syscalls and interrupts suffers as a result. The effect is smaller on Intel processors that support process-context identifiers, or PCIDs, which are the Intel processors from the Haswell generation on.
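As an added example (not code from the article, the kernel developers or any of the parties named), the script below reports on a Linux host whether page table isolation is active and whether the CPU offers PCID, the feature the article says lessens the cost of the page table switch. It assumes two interfaces that the page does not mention: the "pti" and "pcid" entries in the flags line of /proc/cpuinfo and the sysfs file /sys/devices/system/cpu/vulnerabilities/meltdown, both as found on released kernels from 4.15 on. Off Linux it falls back to a constructed sample flags line.

```shell
#!/bin/sh
# Added example: check whether kernel page table isolation (KPTI) is active and
# whether the CPU has PCID. Assumed interfaces (not on the page): the "pti" and
# "pcid" flags in /proc/cpuinfo and the sysfs meltdown status file.

# has_cpu_flag FLAGS_LINE NAME: succeed if NAME is one of the space-separated flags.
has_cpu_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -- "$2"
}

# kpti_state FLAGS_LINE: "enabled" when the kernel advertises the pti feature,
# i.e. it switches between user and kernel page tables on syscalls and interrupts.
kpti_state() {
    if has_cpu_flag "$1" pti; then echo enabled; else echo disabled; fi
}

# pcid_state FLAGS_LINE: with PCID the processor can tag TLB entries per address
# space, so the switch does not have to throw away the whole TLB every time.
pcid_state() {
    if has_cpu_flag "$1" pcid; then
        echo "pcid present: page table switches can keep TLB entries"
    else
        echo "pcid absent: every switch flushes the TLB, expect higher syscall cost"
    fi
}

# Constructed sample flags line (Haswell-class CPU with the pti patches active),
# used when the script is not run on a Linux/x86 host.
SAMPLE_FLAGS="flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc pni ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt aes xsave avx rdrand lahf_lm abm pti"

# report: print the KPTI and PCID state for this host, or for the sample line.
report() {
    line=""
    if [ -r /proc/cpuinfo ]; then
        line=$(grep '^flags' /proc/cpuinfo 2>/dev/null | head -n 1 || true)
    fi
    if [ -z "$line" ]; then
        echo "no x86 cpuinfo flags found, using the constructed sample line"
        line=$SAMPLE_FLAGS
    fi
    echo "kpti: $(kpti_state "$line")"
    pcid_state "$line"
    # Released kernels also summarise the mitigation state in sysfs.
    meltdown=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$meltdown" ]; then
        echo "sysfs meltdown status: $(cat "$meltdown")"
    fi
    return 0
}

report
```

On a host where the flags line shows pti but not pcid, the script is pointing at exactly the configuration in which the article's benchmark regressions are largest: syscall-heavy workloads such as the file system and database tests pay the full cost of a TLB flush on every kernel entry, while user-space-bound workloads such as games are largely unaffected.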
The patches have been merged into Linux kernel 4.15 and are being backported to kernel version 4.14.10. They were implemented in a relatively short time, three months. Microsoft is working on security similar to Kaiser for Windows; Alex Ionescu, a security expert and kernel development expert, has indicated that more information about the implementation will be announced in mid-January.
The work seems to be aimed at making address space layout randomization safer again. That technique should prevent an attacker from discovering memory addresses: aslr works by placing important components of programs at random locations in virtual memory. Vulnerabilities related to aslr have been identified in recent years, including by the software security research group at the VU early last year. The developers at the Austrian TU Graz published their first work on the Kaiser patch as a countermeasure against side-channel attacks that circumvent aslr, in particular kernel address space layout randomization, or kaslr.
The blog Python Sweetness and subsequently The Register now speculate that the patches are being worked on in a hurry because Intel processors contain a more serious bug. LWN also notes that the patches appear to be landing faster than usual, under the pressure of a deadline. Additionally, AMD’s Tom Lendacky reports on the Linux kernel development mailing list that the attacks kpti is supposed to protect against do not work on AMD processors. He makes clear that AMD chips do not support “speculative memory references” that would allow access to higher-privileged data while running in a less privileged mode, if that access would result in a page fault. However, the kpti patch in its current form does affect the performance of AMD systems, and AMD has requested that page table isolation not be enabled when AMD processors are present.
Intel’s CPU pipeline uses speculative execution to speed up data processing, and G-Data’s Anders Fogh made breakthroughs last summer exploiting it for side-channel attacks. He did not manage to fully read kernel memory from user mode with his Core i3-5005U, but his results showed that the implementation had weaknesses and he spoke of ‘opening Pandora’s box’.
If the suspicions about the bug are correct, it would particularly impact cloud services such as Amazon’s EC2, Microsoft’s Azure and Google’s Compute Engine. There is a possibility that attackers may be able to access kernel memory of virtual machines running on the same Intel system. Microsoft has announced maintenance and a reboot of virtual machines on Azure, which is to take place on January 10. Amazon has informed customers of a reboot of EC2 instances on January 5.
Update, 15.30: Passage on claims from AMD’s Tom Lendacky has been expanded. The original text only mentioned that AMD processors don’t support speculative memory references, which is incorrect.