The Blog

Intel CPU Security Flaw – What You Need to Know

This is a highly technical issue and requires a lot of in-depth technical knowledge to fully comprehend. If you want to dive in, check out Google’s Project Zero blog

For a simpler version, read on..

Computer operating systems (such as Windows, macOS, Linux, Android, iOS etc) all have a kind of supervisor/management program called the kernel. The kernel is more or less the heart of the operating system. It manages nearly everything else. What goes on inside the kernel is kept in kernel memory. The kernel memory needs to be kept highly secret from the rest of the programs running on the system, especially programs like web browsers. That’s because the kernel both helps make sure other programs behave themselves and it also holds a bunch of secret data like your login password and such. Other programs that are not the kernel and do not run with the same level of access are called user mode applications.

The problem that has been discovered is that due to a design flaw, Intel CPUs accidentally allow user mode programs to access kernel memory through a convoluted process. Most of the time, Intel CPUs will deny access to user mode apps that try to access kernel memory, as is supposed to happen. But there is a specific way that can exploit this design flaw which bypasses the protection that the CPU is supposed to provide. When a nasty program exploits this vulnerability, it can read and change the kernel’s memory which again is supposed to be kept secret from the rest of the computer’s programs.

It is not possible to fix this problem properly and completely by making OS security updates because the problem is in hardware, the physical object. Operating systems can work around this flaw with software fixes, but those fixes make the operating system do things it didn’t have to do before when certain things happen. That means it is doing more work which slows the computer down. The additional work occurs when a user mode program makes a request from the kernel. Many programs don’t do this that often and so they won’t notice the full performance penalty. Some types of programs will do this all the time and will suffer heavily. You will have seen the numbers 5%-34% performance reduction thrown about. Programs like games and web browsing probably won’t be affected by more than about 5-10%. But certain software, such as that software which runs virtual computers called Virtual Machines (VMs) do this all the time so they will suffer heavily.

Virtual Machines allow cloud services providers like Amazon, Microsoft, and Google to sell cloud computing to many customers and run many programs and services for different customers on the same physical computers. These businesses will be most affected by this problem.

Modern CPUs do some very clever things to run as fast as they do. One of those clever things is called speculative execution. The CPU basically guesses what will need to happen next, and tries to do that if it can. This way the CPU is kept busy doing work instead of waiting around doing nothing while it waits for some other, slower system component. Through comments made by an AMD engineer, people have pieced together that the Intel CPU flaw seems to be in the way Intel handles this speculative execution function. Perhaps the CPU doesn’t protect kernel memory when it guesses what needs to be done next.

What this means for most people is not really all that much. Intel based computers will perform many tasks slightly slower but most people won’t notice. If you are one of the people who will be hit by a higher percentage performance loss such as more than 10%, you will probably already know (I’m guessing, here).

Google who discovered this issue say that both AMD and ARM are affected too. As for how much of a performance penalty there will be on AMD and ARM CPUs, we don’t know yet, but I would assume similar. https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html

Most OS providers will be rolling out updates in the coming days, so it’s important you update and reset your machine when promoted to do so.

Source:

Google, The Geek Guy,TechCrunch