Intel Responds To Alleged Chip Flaw, Claims Effects Won't Significantly Impact Average Users

An anonymous reader quotes a report from Hot Hardware: The tech blogosphere lit up yesterday afternoon after reports of a critical bug in modern Intel processors has the potential to seriously impact systems running Windows, Linux and macOS. The alleged bug is so severe that it cannot be corrected with a microcode update, and instead, OS manufacturers are being forced to address the issue with software updates, which in some instances requires a redesign of the kernel software. Some early performance benchmarks have even suggested that patches to fix the bug could result in a performance hit of as much as 30 percent. Since reports on the issues of exploded over the past 24 hours, Intel is looking to cut through the noise and tell its side of the story. The details of the exploit and software/firmware updates to address the matter at hand were scheduled to go live next week. However, Intel says that it is speaking out early to combat "inaccurate media reports."

Intel acknowledges that the exploit has "the potential to improperly gather sensitive data from computing devices that are operating as designed." The company further goes on state that "these exploits do not have the potential to corrupt, modify or delete data." The company goes on to state that the "average computer user" will be negligibly affected by any software fixes, and that any negative performance outcomes "will be mitigated over time." In a classic case of trying to point fingers at everyone else, Intel says that "many different vendors' processors" are vulnerable to these exploits. You can read the full statement here.

Nice try

[blackomegax]

Nice try Intel, but phoronix benchmarks prove you wrong, and show even up to 60! % loss in some loads.

Re:Video streaming?

[Hal_Porter]

If the hit is really 30% for FUCKWIT I wonder if there's a case to be made for a 'I know all the software on my box, don't protect me against kernel to user mode data leakage'.

You could have "--bareback" switch the user could pass into the kernel from the bootloader.

Looks like the Intel legal team was hard at work..

[QuietLagoon]

That was one of the most uninformative, denying-we-did-anything-wrong press releases I've read in a long while. Therefore I suspect it came from the legal team. If only Intel's CPU designers were as good as the Intel legal team.

Re: why is intel saying many different vendors??

Actually, not so quickly. Only because of Kernel-mode JIT.

Read it very carefully.

• * AMD chips are only vulnerable to variant 1.
• * Variant one works on eBFP bytecode which is either interpreted or JIT'd by the kernel. If the malcode is JIT'd by the kernel, it is executed by the kernel in kernel space.
• * AMD is thus still maintaining security and not speculatively executing instructions that violate security - as far as the chip is concerned, this is the kernel accessing kernel memory!

The fixes are being more careful in the bytecode verifier prior to JIT'ing (if that's even possible!), or isolating the JIT'd code into its own space, or considering eBFP bytecode loading to be as security sensitive as insmod. And... I can't see how splitting kernel space into its own page table would avoid this particular variant.

For more info about BPF, check this. Sadly, "... Tcpdump asks the kernel to execute a BPF program within the kernel context. This might sound risky, but actually isn't." didn't take timing attacks into consideration.

They haven't demonstrated a user-mode reading kernel memory just yet. Securing a Linux box on AMD is as trivial as disabling eBPF.

However, it really uncovers a fundamental issue in all JITs allowing what should be interpreted code to read things, using timing attacks, that it should not be able to (escaping its sandbox). Hence all the references about JavaScript - similar attack allows JavaScript code to read memory outside the JavaScript world, but as far as I can tell, not read anything that the JavaScript interpreter couldn't read (although it seems to require JIT compilation). If anything, it's a general class of attacks allowing anything to read about its underlying environment.

The gotcha on Intel chips is that user-mode-x86 code can use this same timing attack on the kernel. On AMD, the timing attack is nullified because speculative reads fail before triggering cache loads.