What’s All the Fuss About the Intel Bugs?
At the beginning of this year, Google’s Project Zero made a bombshell of an announcement: they had discovered critical security flaws affecting Intel central processing units (CPUs) produced since 1995. Due to the fundamental design flaws in these processor chips, almost all desktops, laptops, servers (and, accordingly, virtual and cloud environments) and mobile devices are potentially under threat, and a wide audience is at high risk of sensitive data leaks. Even more shockingly, Intel is not the only vendor to blame: AMD and ARM chips were found to be exposed to similar vulnerabilities. The main issue is that the bugs are in the hardware itself, rather than being software-based, and affect billions of processors produced over the past 22 years. Just imagine the scope of the threats to data security worldwide!
Actually, this is not the first security flaw found in Intel products – in November 2017, bugs were discovered in the firmware, including Intel Management Engine, Intel Trusted Execution Engine, and Intel Server Platform Services, that made millions of computers vulnerable to both physical and remote attacks. The problem was so serious that the United States Computer Emergency Readiness Team (US-CERT), on behalf of the US government, encouraged administrators and users to update their Intel firmware according to the manufacturer’s recommendations.
The present security flaws pose even more danger to the global community.
Processor Flaw: Brace for Impact
Meltdown and Spectre Bugs
The attacks using the Intel CPU security flaws are called Meltdown and Spectre, and are classified as follows:
- CVE-2017-5754 – Rogue data cache load (Meltdown)
- CVE-2017-5753 – Bounds check bypass (Spectre)
- CVE-2017-5715 – Branch target injection (Spectre)
Meltdown is so named because it melts the hardware-based security of memory address space isolation between the applications and the operating system by abusing the speculative execution technology. Meltdown is an attack that allows any user process to read the machine’s kernel memory and physical memory, regardless of the operating system, as it is based on a hardware issue. With Meldtown, it is possible to dump kernel memory at up to 503 KB/s. Almost all Intel chips that were produced over the last 22 years and use out-of-order execution commands are affected. Some ARM processors are affected, while AMD processors appear to be safe at this point in time.
Spectre is an attack that is based on speculative execution technology that allows the memory address space isolation between different applications to be broken (while Meltdown breaks the memory address space isolation between the applications and the operating system). Spectre uses branch prediction to reach the speculative execution. This attack can be used for systems with Intel, AMD, and ARM processors, and is harder to mitigate than Meltdown.
How Do You Fix Major CPU Security Bugs?
As mentioned above, the Intel CPU flaw is at the hardware level (i.e., in the CPU architecture), so it cannot be fully resolved with a microcode or firmware update.
The most obvious way to avoid Meltdown and Spectre vulnerabilities is to produce new processors without these bugs in their microarchitecture. However, it will require some time for new processors to be developed, and this may prove expensive for customers, who will need to upgrade their hardware.
Another approach is to develop software patches that restrict kernel memory access for user processes. This requires a lot of time and effort from developers to rewrite the kernel code, but it is more affordable for customers to install such security patches. Today, there are no solutions that can comprehensively fix the security flaws of Intel, AMD, and ARM-based chips, but companies are already working on this. Intel is collaborating with other vendors in order to mitigate the impact of Meltdown and Spectre. The following patches have been already released:
- Patches for Linux Kernel Page Table Isolation (KPTI, previously known as KAISER) are now available to mitigate the Meltdown attacks.
- Microsoft has already released a security update for Windows 10 and promises to publish updates for other supported Windows versions. Note that your antivirus software should be temporary disabled while the patch is being installed in order to prevent errors that could result in the Blue Screen of Death (BSOD).
- Apple has released mitigations that help defend against Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. A security update for the Safari browser designed to help to defend against Spectre should be released soon.
- Google has released security patches for their Pixel and Nexus devices with Android OS that use ARM chips. Version 63 of the Chrome browser includes a site isolation feature that forces websites use unique address spaces.
- VMware has provided patches for their products (ESXi, Workstation, and Fusion) to help mitigate Spectre attacks.
US-CERT, already mentioned above, showed its commitment to global data security by promptly publishing its Meltdown and Spectre Side-Channel Vulnerability Guidance. The Alert includes links to vendor information, advisories, and patches published in response to security flaws in processors.
The patches will certainly help reduce the risk of security being compromised by the recently discovered bugs in Intel, AMD and ARM processors, and we highly recommend that you install them as soon as possible. However, these solutions could have serious drawbacks, which we will consider below.
Up to 30% Performance Reduction in Windows and Linux
The main issue that occurs after software patching against Meltdown and Spectre is the reduction of performance of your device by up to 30%, depending on the CPU model and the tasks being run. This patching presents a much greater impact in corporate sector than for home users. It poses a serious problem for software giants, such as Microsoft, Google, Amazon, and Apple, as they use Intel processors, in particular, to build their cloud environments, and patching the systems could significantly slow down the performance of their servers and virtual machines. Ordinary customers will not be happy either, because they will receive less performance and may find themselves needing to buy extra virtual environment from cloud providers to compensate.
Researchers are running benchmarks in order to explore the influence of software patches on computer performance. The initial results show us that the degree of performance slowdown varies greatly depending on the applications running on the machine.
For example, after running an input/output synthetic benchmark (FSMark v.3.3) on a Linux machine patched with KPTI, the worst measured slowdown was about 50% for the Intel i7 7800K processor: its performance dropped from 293.6 files per second before patching to 135.2 files per second after patching. However, its older relative, the Intel i7 6800K, showed different results, with the gap of less than 5% (51.87 vs. 50.67). In other tests, the difference for the Intel i7 7800K chip was not so significant and measured only in the 1- 5%. Thus, more tests are required to gain a better understanding of the extent of the patch’s effect.
How Can You Protect Your Own Device?
Despite the fact that there is no solution that can completely fix the Meltdown and Spectre CPU flaws, it is highly recommended to update your software and install the security patches, even if they degrade system performance somewhat. It is also recommended to update the browser you use to the latest version. The general advice is to respect the security policy. Follow the particular recommendations depending on the software you use.
Please note: You should always back up your data before patching your system to protect it, should something go wrong; for VMware and Hyper-V VMs and AWS EC2 instances, use NAKIVO Backup & Replication.
If you use Microsoft Windows, do the following:
- Check for, and download, the appropriate security update, either manually or via the automatic Windows update service;
- Disable your antivirus solution for the duration of the update process to prevent system errors that may trigger the BSOD;
- Install the updates and reboot;
- Re-enable your antivirus program.
If you use Linux, do the following:
- Make sure that a new version of kernel is available for your distribution;
- Install the patch with your packet manager or download the compiled files to install it manually according to the documentation.
If you use VMware ESXi 5.5, 6.0, 6.5, Workstation 12, or Fusion 8, follow the recommendations of VMware and install patches for these products either manually or with the update manager.
Although AWS snapshots can help you protect your data stored in the Amazon cloud, if you create backups with instead, you can save 4X on data storage costs, reduce security risks, and spend less time on backup administration. Download the White Paper “AWS Snapshot vs. Backup” and learn more about these benefits.
The recently discovered critical security bugs in Intel, AMD and ARM CPUs affect billions of devices with different operating systems and other software, and were an unpleasant surprise for everyone. In our blog post, we have outlined the methods available to reduce your chances to be attacked by malware that exploits these security flaws. However, the number of fixes that still need to be implemented is high, so there is a lot of work ahead. Please regularly check for updates of software you are using in order to protect your personal data against unpermitted access
More Meltdown and Spectre Posts:
- Roll Back VMware Meltdown and Spectre Microcode Patch
- VMware Performance Impact of Meltdown and Spectre Patches
- New Intel Design Flaw is VMware Affected?