Enterprise and cloud provider security team leaders are anxiously awaiting operating system patches to fix a security vulnerability in some processors from Intel, AMD and ARM to see how bad a performance hit their enterprise applications will suffer. Initial reports are the hit may be as high as 30 per cent for applications that are I/O intensive.
Exploits have also been found for IBM System Z, Power 8 and Power 9 architectures.
In a surprising move Wednesday, officials from Intel, AMD and ARM appeared together on a conference call with microprocessor industry analysts to confirm news reports earlier in the week that the vulnerability could allow an attacker to access unsecured cached data.
One of those on the call, Nathan Brookwood, research fellow at Insight 64, said in an interview with IT World Canada that Intel processors appear to be more vulnerable to the problem than CPUs from AMD and some ARM processors.
It is known that Linux kernel developers have been quietly working on a patch for the last two months, and it is believed it will be released shortly. There is speculation Microsoft will release a Windows patch January 9, which is the usual Patch Tuesday.
Briefly, the problem — first discovered by Google researchers — is that some unprotected data held in system memory while processing instructions could be compromised by an attack. (More detail below. Here’s a link to a site created by researchers, who call one vulnerability ‘Meltdown’, and the other ‘Spectre’).
Google researchers say information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications could be accessed. “Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.”
Brookwood called it ”really esoteric” flaw.
“This is a new way for hackers to try and compromise data which all advanced processor designers [now] have to take into consideration,” Brookwood said. “Longer-term, when new processors come out two or three years down the road this will be completely obviated through changes in the way they design their hardware.” But until then, he added, Intel, AMD, Microsoft, the Linux community and likely Apple will have to issue operating system and firmware patches.
The initial news report, from The Register, speculated that there may be a performance hit of between five and 30 per cent. Brookwood said the applications most likely to suffer in performance because of patches are those that make high input/output (I/O) or calls on the operating system. Think of applications that constantly update screens or are tied into cursor movements, for example, Those that are computationally intensive, say a fluid dynamics number crunching application, won’t be affected as much.
This is why in a statement Intel says “any performance impacts are workload-dependent.” It believes “for the average computer user, should not be significant and will be mitigated over time.”
There are so far three possible ways of exploiting the flaw. In a statement AMD said for its processors one can be fixed with a software update, for the second there is a “near zero risk” of exploitation and for the third, there is zero risk due to differences in AMD’s architecture and other processors.
Initial news reports suggested Intel processors are the most vulnerable. In their conference call with analysts Wednesday the chip makers said that isn’t so.
“The way to think of this,” said Brookwood, “is because of the way it processes work Intel is a little more vulnerable to this problem than AMD, and therefore the solution to mitigate the problem on an Intel processors is going to be a little bit more complicated and have a little more impact on performance than the solution on an AMD processor.”
High-end ARM processors used in servers and expensive smartphones or tablets could also be vulnerable, he added. Low-end ARM chips used in Internet of Things devices don’t process data in a way that is vulnerable.
However, Brookwood stressed that the flaw can only be exposed on a compromised local system. “You almost have to have a physical presence,” on a workstation. he said. “On the other hand if you’re running in an AWS environment where you’re basically renting virtual machines and you don’t know who’s renting the virtual machine that might be sharing your physical machine then you could be more vulnerable.”
Because of this cloud infrastructure providers such as Amazon and Microsoft might be very worried, he added.
In a statement to Wired, Amazon said it will take steps to resolve the issue soon as well. “This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices,” the site quoted the company as saying. “All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours.
Microsoft said it has already released several updates to help mitigate the vulnerabilities and taken action to secure its cloud services. It has also issued this advice for IT pros.
Red Hat said several versions of its Linux distribution are affected and urged users to apply existing updates or new ones when available.
In a blog late Wednesday Google said its Project Zero team discovered the flaw in a technique used in most modern microprocessors to optimize performance called ‘speculative execution.’
Brookwood described the process this way: In order to get an advantage when it comes to a branch instruction which could go in one of two directions the CPU executes a few instructions in both directions, knowing that it’s going to have to throw away some of the results. So, as he put it, “at least instead of twiddling its thumbs” the processor will at least have the data ready for either direction. The flaw is that some of the normal mechanisms that would protect data in the computer’s memory are skipped in the anticipation that eventually protection mechanisms would be invoked. Instead, data is loaded into cache from both branches. A clever hacker could look at what was loaded and not used because it wasn’t being protected.
(Or, here’s Google explanation: “In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.”
Google says Android devices with the latest security update are protected. The infrastructure that runs Google products (e.g., Search, YouTube, Google Ads products, Maps, Blogger, and other services), and the customer data held by Google, are protected. Google Chrome browser can be protected by admins by switching on a feature called Site Isolation. See this list for details on all Google products.
Dean McCarron, principal of microprocessor market research firm Mercury Research, said in an interview there have been no reports so far of an exploit seen in the wild. “Now that people are aware of it likely there will be bad guys writing code to exploit it for unpatched systems.”
“Obviously it’s serious enough that all the operating system people are working on a fix for it. The reality is it doesn’t require a number of stars to align: There has to be sensitive information in the memory and the application has to be able to do something to expose that. In a real world example. you need something like a Trojan installed, so hurdle number one is getting past the normal user anti-virus et cetera. And once it’s the (malware) program actually has to find something useful.”
Because it’s been caught early he suspects the impact will be “pretty minimal.”
(This story has been updated from the original with links to vendor statements)