• Light/Dark
  • Ever wanted an RSS feed of all your favorite gaming news sites? Go check out our new Gaming Headlines feed! Read more about it here.
  • We have made minor adjustments to how the search bar works on ResetEra. You can read about the changes here.

The Register: 5-30% performance hit for widespread Intel security vulnerablity patches coming soon

Status
Not open for further replies.
tokkun

tokkun

Member
Oct 27, 2017
5,409
tldr; All major OSes will be getting critical security patches soon to mitigate attacks that take advantage of a hardware bug in almost all modern Intel processors. The nature of the fix means that it will come with a noticeable performance hit in some applications. It's not clear to me where The Register is getting the 5-30% figure, so I'd take the exact number with a grain of salt - they may be exaggerating things a bit for clicks. The authors of a paper on Linux's solution to defending against the issue claim it is only a 0.3% overhead. However, I've personally seen some pretty big performance hits in certain benchmarks I have run at my job, so it's not nonsense.

Note that this is a different vulnerability than the IoT firmware bug Intel disclosed in the middle of last year. Information on this bug has been floating around in the tech world, but it has not been completely publicly disclosed yet.

Excerpts:

Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.

Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features – specifically, PCID – to reduce the performance hit.
Click to expand...
Click to shrink...

It is understood the bug is present in modern Intel processors produced in the past decade. It allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the contents of protected kernel memory.

The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI. At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers.

Whenever a running program needs to do anything useful – such as write to a file or open a network connection – it has to temporarily hand control of the processor to the kernel to carry out the job. To make the transition from user mode to kernel mode and back to user mode as fast and efficient as possible, the kernel is present in all processes' virtual memory address spaces, although it is invisible to these programs. When the kernel is needed, the program makes a system call, the processor switches to kernel mode and enters the kernel. When it is done, the CPU is told to switch back to user mode, and reenter the process. While in user mode, the kernel's code and data remains out of sight but present in the process's page tables.
Click to expand...
Click to shrink...
The downside to this separation is that it is relatively expensive, time wise, to keep switching between two separate address spaces for every system call and for every interrupt from the hardware. These context switches do not happen instantly, and they force the processor to dump cached data and reload information from memory. This increases the kernel's overhead, and slows down the computer.
Click to expand...
Click to shrink...
However, it may be that the vulnerability in Intel's chips is worse than the above mitigation bypass. In an email to the Linux kernel mailing list over Christmas, AMD said it is not affected. The wording of that message, though, rather gives the game away as to what the underlying cockup is:

AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

A key word here is "speculative." Modern processors, like Intel's, perform speculative execution. In order to keep their internal pipelines primed with instructions to perform, the CPU cores try their best to guess what code is going to be run next, fetch it, and execute it.

It appears, from what AMD software engineer Tom Lendacky was suggesting above, that Intel's CPUs speculatively execute code potentially without performing security checks. It seems it may be possible to craft software in such a way that the processor starts executing an instruction that would normally be blocked – such as reading kernel memory from user mode – and completes that instruction before the privilege level check occurs.
Click to expand...
Click to shrink...

More details in the full article: https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

For the more technically inclined, here is a technical paper on the KAISER system that is being added to the Linux kernel to defend against the vulnerability: https://gruss.cc/files/kaiser.pdf
 
Status
Not open for further replies.