grandeduc - Fotolia
Intel CPU flaw gets third-party patch but no details
Release of a third-party patch for a mysterious Intel CPU flaw led to many questions but few answers, and details on the issue may not be imminent.
After internet speculation dating back to June of last year boiled over in the opening days of 2018, Intel was forced to respond to claims by credible researchers regarding a potential CPU flaw affecting its hardware. The statement, which led to more questions than answers regarding severity and the potential performance penalties of a fix, at least made it clear that something serious was afoot. Despite one researcher's claims to the contrary, the Intel statement also suggested that rival AMD's chips are affected by similar vulnerabilities.
The initial discovery of the Intel CPU flaw has been credited to researchers at the Graz University of Technology in Styria, Austria, who were attempting to prevent kernel ASLR (KASLR) attacks in Linux. The paper, titled "KASLR is Dead: Long Live KASLR," detailed how the old system of kernel memory mapping -- Linux KAISER -- needed to be modified with kernel page-table isolation (KPTI).
Because the details of any potential Intel CPU flaw are unknown, experts couldn't agree on the severity of the reported flaw, but did note that KASLR attacks are difficult to perform.
[UPDATE: The flaw in question, dubbed "Meltdown," was disclosed Wednesday evening by researchers from Google's Project Zero, Graz University and Cyberus Technology. Additionally, researchers disclosed a similar issue for AMD and ARM CPUs, known as "Spectre." More information on these critical vulnerabilities can be found on the research team's website and on Project Zero's report.]
Evidence of the Intel CPU flaw
After KPTI was integrated into Linux within three months and the speed at which this occurred led some to speculate that the changes came preceding disclosure of an Intel CPU flaw related to KASLR attacks. This speculation intensified when combined with news from Alex Ionescu, vice president of EDR strategy at CrowdStrike, in November 2017 that Microsoft was working on a similar patch.
Windows 17035 Kernel ASLR/VA Isolation In Practice (like Linux KAISER). First screenshot shows how NtCreateFile is not mapped in the kernel region of the user CR3. Second screenshot shows how a 'shadow' kernel trap handler, is (has to be). pic.twitter.com/7PriLIJHe1
— Alex Ionescu (@aionescu) November 14, 2017
Ionescu also found code in macOS 10.13.2 that would mitigate a potential Intel CPU flaw.
The question on everyone's minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the "Double Map" since 10.13.2 -- and with some surprises in 10.13.3 (under Developer NDA so can't talk/show you). cc @i0n1c @s1guza @patrickwardle pic.twitter.com/S1YJ9tMS63
— Alex Ionescu (@aionescu) January 3, 2018
Additionally, Thomas Lendacky, software engineer at Advanced Micro Devices (AMD), claimed AMD chips were unaffected by similar attacks, but noted in a post on a Linux Kernel Mailing List archive that users should "assume for now that ALL X86 CPUs are insecure."
"AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against," Lendacky wrote. "The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault."
Erik Bosman, aka brainsmoke, Ph.D. student in the systems and network security group at the Vrije Universiteit Amsterdam in the Netherlands, posted what is thought to be proof-of-concept code to exploit the Intel CPU flaw; however, the code has not yet been verified.
Bingo! #kpti #intelbug pic.twitter.com/Dml9g8oywk
— brainsmoke (@brainsmoke) January 3, 2018
Official response
Although the details of the possible Intel CPU flaw remained unknown, the speculation around these posts and information led to Intel releasing an official statement on the news coverage.
"Recent reports that these exploits are caused by a 'bug' or a 'flaw' and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices -- with many different vendors' processors and operating systems -- are susceptible to these exploits," Intel wrote in the statement. "Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time."
Ionescu said on Twitter that the statement seemed to focus more on the reporting rather than the evidence supporting the potential Intel CPU flaw.
"Intel is making this statement today because of the current inaccurate media reports."
— Alex Ionescu (@aionescu) January 3, 2018
So: not because an AMD Linux dev publicly indicated where the issue was. Not because proof of the bug/PoC was publicly dropped today. But because some articles stated exaggerated perf claims.
