Security

Critical bugs of Intel Processors revealed. AMD and ARM chips are also affected.

Critical Intel CPU security flaws, Meltdown and Spectre, affect desktops, laptops, servers, and mobile devices. Patches reduce performance by up to 30%.

What’s All the Fuss About the Intel Bugs?

At the beginning of this year, Googleโ€™s Project Zero made a bombshell of an announcement: they had discovered critical security flaws affecting Intel central processing units (CPUs) produced since 1995. Due to the fundamental design flaws in these processor chips, almost all desktops, laptops, servers (and, accordingly, virtual and cloud environments) and mobile devices are potentially under threat, and a wide audience is at high risk of sensitive data leaks. Even more shockingly, Intel is not the only vendor to blame: AMD and ARM chips were found to be exposed to similar vulnerabilities. The main issue is that the bugs are in the hardware itself, rather than being software-based, and affect billions of processors produced over the past 22 years. Just imagine the scope of the threats to data security worldwide!

Actually, this is not the first security flaw found in Intel products โ€“ in November 2017, bugs were discovered in the firmware, including Intel Management Engine, Intel Trusted Execution Engine, and Intel Server Platform Services, that made millions of computers vulnerable to both physical and remote attacks. The problem was so serious that the United States Computer Emergency Readiness Team (US-CERT), on behalf of the US government, encouraged administrators and users to update their Intel firmware according to the manufacturerโ€™s recommendations.

US-CERTs-Intel-Firmware-Vulnerability-Alert
US-CERT’s Intel Firmware Vulnerability Alert

Source: https://www.us-cert.gov/ncas/current-activity/2017/11/21/Intel-Firmware-Vulnerability

The present security flaws pose even more danger to the global community.

Processor Flaw: Brace for Impact

Generally, the chip security vulnerabilities just revealed can be exploited by intruders to steal sensitive data from your computer. By exploiting the processorsโ€™ speculative execution feature, which was developed to improve application performance, hackers are able to read a protected kernel memory from unprivileged user mode, bypassing memory isolation. Passwords, keys, images, messages, and other important data can be stored in such system memory areas that should be inaccessible for undefined users and applications. In fact, these memory areas have now been shown to be vulnerable, so there is a risk that your sensitive data could be stolen. This means that even JavaScript code running in the browser could constitute a threat to the confidential data on your machine. An application running on one virtual machine can potentially access the data from another virtual machine through the physical server they both are residing on. Containers are also affected.

Meltdown and Spectre Bugs

The attacks using the Intel CPU security flaws are called Meltdown and Spectre, and are classified as follows:

  • CVE-2017-5754 โ€“ Rogue data cache load (Meltdown)
  • CVE-2017-5753 โ€“ Bounds check bypass (Spectre)
  • CVE-2017-5715 โ€“ Branch target injection (Spectre)

Meltdown is so named because it melts the hardware-based security of memory address space isolation between the applications and the operating system by abusing the speculative execution technology. Meltdown is an attack that allows any user process to read the machineโ€™s kernel memory and physical memory, regardless of the operating system, as it is based on a hardware issue. With Meldtown, it is possible to dump kernel memory at up to 503 KB/s. Almost all Intel chips that were produced over the last 22 years and use out-of-order execution commands are affected. Some ARM processors are affected, while AMD processors appear to be safe at this point in time.

Spectre is an attack that is based on speculative execution technology that allows the memory address space isolation between different applications to be broken (while Meltdown breaks the memory address space isolation between the applications and the operating system). Spectre uses branch prediction to reach the speculative execution. This attack can be used for systems with Intel, AMD, and ARM processors, and is harder to mitigate than Meltdown.

How Do You Fix Major CPU Security Bugs?

As mentioned above, the Intel CPU flaw is at the hardware level (i.e., in the CPU architecture), so it cannot be fully resolved with a microcode or firmware update.

The most obvious way to avoid Meltdown and Spectre vulnerabilities is to produce new processors without these bugs in their microarchitecture. However, it will require some time for new processors to be developed, and this may prove expensive for customers, who will need to upgrade their hardware.

Another approach is to develop software patches that restrict kernel memory access for user processes. This requires a lot of time and effort from developers to rewrite the kernel code, but it is more affordable for customers to install such security patches. Today, there are no solutions that can comprehensively fix the security flaws of Intel, AMD, and ARM-based chips, but companies are already working on this. Intel is collaborating with other vendors in order to mitigate the impact of Meltdown and Spectre. The following patches have been already released:

  • Patches for Linux Kernel Page Table Isolation (KPTI, previously known as KAISER) are now available to mitigate the Meltdown attacks.
  • Microsoft has already released a security update for Windows 10 and promises to publish updates for other supported Windows versions. Note that your antivirus software should be temporary disabled while the patch is being installed in order to prevent errors that could result in the Blue Screen of Death (BSOD).
  • Apple has released mitigations that help defend against Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. A security update for the Safari browser designed to help to defend against Spectre should be released soon.
  • Google has released security patches for their Pixel and Nexus devices with Android OS that use ARM chips. Version 63 of the Chrome browser includes a site isolation feature that forces websites use unique address spaces.
  • VMware has provided patches for their products (ESXi, Workstation, and Fusion) to help mitigate Spectre attacks.

US-CERT, already mentioned above, showed its commitment to global data security by promptly publishing its Meltdown and Spectre Side-Channel Vulnerability Guidance. The Alert includes links to vendor information, advisories, and patches published in response to security flaws in processors.

US-CERTs-guidance-to-mitigate-Meltdown-and-Spectre-1
US-CERT’s guidance to mitigate Meltdown and Spectre

Source: https://www.us-cert.gov/ncas/alerts/TA18-004A

The patches will certainly help reduce the risk of security being compromised by the recently discovered bugs in Intel, AMD and ARM processors, and we highly recommend that you install them as soon as possible. However, these solutions could have serious drawbacks, which we will consider below.

Up to 30% Performance Reduction in Windows and Linux

The main issue that occurs after software patching against Meltdown and Spectre is the reduction of performance of your device by up to 30%, depending on the CPU model and the tasks being run. This patching presents a much greater impact in corporate sector than for home users. It poses a serious problem for software giants, such as Microsoft, Google, Amazon, and Apple, as they use Intel processors, in particular, to build their cloud environments, and patching the systems could significantly slow down the performance of their servers and virtual machines. Ordinary customers will not be happy either, because they will receive less performance and may find themselves needing to buy extra virtual environment from cloud providers to compensate.

Researchers are running benchmarks in order to explore the influence of software patches on computer performance. The initial results show us that the degree of performance slowdown varies greatly depending on the applications running on the machine.

For example, after running an input/output synthetic benchmark (FSMark v.3.3) on a Linux machine patched with KPTI, the worst measured slowdown was about 50% for the Intel i7 7800K processor: its performance dropped from 293.6 files per second before patching to 135.2 files per second after patching. However, its older relative, the Intel i7 6800K, showed different results, with the gap of less than 5% (51.87 vs. 50.67). In other tests, the difference for the Intel i7 7800K chip was not so significant and measured only in the 1- 5%. Thus, more tests are required to gain a better understanding of the extent of the patchโ€™s effect.

How Can You Protect Your Own Device?

Despite the fact that there is no solution that can completely fix the Meltdown and Spectre CPU flaws, it is highly recommended to update your software and install the security patches, even if they degrade system performance somewhat. It is also recommended to update the browser you use to the latest version. The general advice is to respect the security policy. Follow the particular recommendations depending on the software you use.

Please note: You should always back up your data before patching your system to protect it, should something go wrong; for VMware and Hyper-V VMs and AWS EC2 instances, use NAKIVO Backup & Replication.

If you use Microsoft Windows, do the following:

  • Check for, and download, the appropriate security update, either manually or via the automatic Windows update service;
  • Disable your antivirus solution for the duration of the update process to prevent system errors that may trigger the BSOD;
  • Install the updates and reboot;
  • Re-enable your antivirus program.

If you use Linux, do the following:

  • Make sure that a new version of kernel is available for your distribution;
  • Install the patch with your packet manager or download the compiled files to install it manually according to the documentation.

If you use VMware ESXi 5.5, 6.0, 6.5, Workstation 12, or Fusion 8, follow the recommendations of VMware and install patches for these products either manually or with the update manager.

Although AWS snapshots can help you protect your data stored in the Amazon cloud, if you create backups with instead, you can save 4X on data storage costs, reduce security risks, and spend less time on backup administration. Download the White Paper โ€œAWS Snapshot vs. Backupโ€ and learn more about these benefits.

Conclusions

The recently discovered critical security bugs in Intel, AMD and ARM CPUs affect billions of devices with different operating systems and other software, and were an unpleasant surprise for everyone. In our blog post, we have outlined the methods available to reduce your chances to be attacked by malware that exploits these security flaws. However, the number of fixes that still need to be implemented is high, so there is a lot of work ahead. Please regularly check for updates of software you are using in order to protect your personal data against unpermitted access

More Meltdown and Spectre Posts:

Subscribe to VirtualizationHowto via Email ๐Ÿ””

Enter your email address to subscribe to this blog and receive notifications of new posts by email.



Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com, and a 7-time VMware vExpert, with over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, He has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don't have to.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.