Intel chips have a severe security flaw and the fix isn't good

Intel isn't exactly having a good few months as far as security goes. Just two months ago, the chip maker admitted to having discovered quite a number of severe security flaws in its firmware, specifically those related to its Management Engine. Now another, still undisclosed vulnerability has both Linux and Windows kernel programmers scrambling to put out a fix. Unfortunately, this is a case where the cure is almost, just almost, as bad as the disease, potentially causing almost all modern Intel processors to perform significantly slower than they do today.

The security flaw has to do with the kernel, the innermost core of the operating system, and the way Intel's hardware manages kernel memory. Without going into too much technical detail, an operating system has two virtual memory spaces, one for the user with limited access and one for the kernel with god-like access. While these spaces are distinct and separated from each other, the kernel itself has to be mapped in a way that gives it immediate access to both spaces in order to operate efficiently. It can simply direct the processor, in this case an Intel chip, to switch between user and kernel space quickly without having to shuffle memory and data around.

Intel is still keeping the details of the flaw under embargo, so the nature of the bug is pretty much guesswork at this point. It seems, though, that Intel's memory-management hardware causes problems for this omniscient kernel paradigm. In practical terms, it means that a userspace program, which can be anything from a database to a JavaScript program running in the browser, can gain access to protected and secret data stored in kernel space memory.

Unfortunately, it is a hardware problem that can't simply be fixed at the hardware level, since we're talking about generations of processors already in use in the market. Kernel developers are already working on a patch for kernels, but there is a terrible consequence. The fix basically kicks the kernel out of its "god mode", so on every switch between user space and kernel space, the processor has to unload and reload data from its memory.

This will sadly have severe repercussions when it comes to performance. Some benchmarks point to as much as 30% slowdown, which would adversely affect businesses that rely on the speed of Intel's processors, like cloud computing solutions such as Amazon EC2, Microsoft Azure, or Google Compute Engine. And while some more recent Intel chips have features that could mitigate the side effects, they will still be felt nonetheless.
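An added illustration, not code from the article or from The Register: on Linux, the kernel fix described above advertises itself as a `pti` entry in the CPU flags line of /proc/cpuinfo, and its cost lands on every user-to-kernel transition, which a tight loop of a trivial system call can measure before and after the patch is applied. The flag name, the /proc path and the use of `getppid()` as a cheap transition are assumptions about a Linux host.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Returns 1 if `want` appears as a whole, space-delimited word in a
 * /proc/cpuinfo flags line such as "flags\t\t: fpu vme pti ...", else 0. */
int flags_has(const char *flags, const char *want) {
    size_t n = strlen(want);
    const char *p = flags;
    while ((p = strstr(p, want)) != NULL) {
        int start_ok = (p == flags) || p[-1] == ' ' || p[-1] == '\t' || p[-1] == ':';
        int end_ok = p[n] == '\0' || p[n] == ' ' || p[n] == '\n';
        if (start_ok && end_ok) return 1;
        p += n;
    }
    return 0;
}

/* Scans /proc/cpuinfo (assumed Linux layout) for the "pti" flag that the
 * page-table isolation fix sets. Returns 1 if present, 0 if absent,
 * -1 if the file cannot be read. */
int pti_flag_present(void) {
    FILE *f = fopen("/proc/cpuinfo", "r");
    if (!f) return -1;
    char line[4096];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "flags", 5) == 0 && flags_has(line, "pti")) { found = 1; break; }
    }
    fclose(f);
    return found;
}

/* Times `iters` user->kernel->user round trips via getppid(), which is a
 * real syscall on Linux. Returns the average cost in nanoseconds. */
double ns_per_syscall(long iters) {
    struct timespec t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (long i = 0; i < iters; i++) (void)getppid();
    clock_gettime(CLOCK_MONOTONIC, &t1);
    double ns = (double)(t1.tv_sec - t0.tv_sec) * 1e9 + (double)(t1.tv_nsec - t0.tv_nsec);
    return ns / (double)iters;
}

int main(void) {
    int pti = pti_flag_present();
    printf("pti flag: %s\n", pti < 0 ? "unknown" : (pti ? "present" : "absent"));
    printf("approx. %.1f ns per syscall round trip\n", ns_per_syscall(1000000L));
    return 0;
}
```

Run it on the same machine before and after the kernel update; the syscall figure, not the flag, is what tells you how much a syscall-heavy workload on that box will pay.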

VIA: The Register