
Massive security flaw found in Intel CPUs, patch could hit performance by up to 30%

By midian182 · 53 replies
Jan 3, 2018
  1. Almost every Intel processor manufactured over the last decade contains a major security flaw that could be exploited in severe attacks. If that isn’t bad enough, patching the issue might slow down the performance of a CPU by up to 35 percent.

    Update #1: A full update on the flaws dubbed Meltdown and Spectre can be read here.

    Update #2: With an emergency fix for Windows 10 already out, we've conducted a set of tests to measure the impact this update has on performance for desktop users, if any at all.

    The exact details of the vulnerability have been placed under an embargo to give Intel time to work on a fix. According to The Register, the flaw could allow normal user programs to see some of the content of protected kernel memory areas, which means any malicious programs might be able to read information like passwords, login keys, files cached from disk, and more.

    “Imagine a piece of JavaScript running in a browser, or malicious software running on a shared public cloud server, able to sniff sensitive kernel-protected data,” wrote The Register.

    As the problem is within the Intel x86-64 hardware, it can’t be fixed with a microcode update; instead, an OS-level fix is required for the affected operating systems, which include Windows, Linux, and macOS.

    The immediate solution comes in the form of kernel Page Table Isolation (PTI), which separates the kernel’s memory from user processes. But this solution increases the kernel’s overhead, causing the system to slow down by five to 30 percent, “depending on the task and processor model.”

    These KPTI [Kernel Page Table Isolation] patches move the kernel into a completely separate address space, so it’s not just invisible to a running process, it’s not even there at all. Really, this shouldn’t be needed, but clearly there is a flaw in Intel’s silicon that allows kernel access protections to be bypassed in some way.

    The downside to this separation is that it is relatively expensive, time wise, to keep switching between two separate address spaces for every system call and for every interrupt from the hardware. These context switches do not happen instantly, and they force the processor to dump cached data and reload information from memory. This increases the kernel’s overhead, and slows down the computer.

    Your Intel-powered machine will run slower as a result.

    It seems companies that use virtualized environments are the biggest targets for those looking to exploit the vulnerability. “There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine,” wrote Python Sweetness. Microsoft, Amazon, and Google are all working on fixes set to be implemented over the next week.

    For everyday users, it's possible the patches won’t have much of an impact on everyday usage and gaming frame rates. Additionally, future fixes should have less of an effect on performance.

    Intel rival AMD has already used the vulnerability as a way of promoting its processors, which it says aren’t affected due to their extra security protections.

    “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against,” wrote Thomas Lendacky, a member of the Linux OS group at AMD. “The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.”


  2. Evernessince

    Evernessince TS Evangelist Posts: 3,315   +2,558

    Apparently this has been known since at least November but Intel has been keeping things quiet till now. Smart move by Intel to rake in all those Christmas sales and to cash in on businesses using up the rest of their budget for tax purposes before they learn about this.

    I have no idea if Intel is liable for the reduced performance here, but it is certain that this is going to cost cloud and datacenter companies bundles of cash as they will have to make up that lost performance.
    BrodyB and JaredTheDragon like this.
  3. noname

    noname TS Enthusiast Posts: 22   +29

    CVE-2017-5925 Class: Design Error since 2017/02/07
    Reehahs and senketsu like this.
  4. ThrakazogZ

    ThrakazogZ TS Member

    End of year sales aside, the top execs also needed time to sell off their stock (not unlike the Equifax execs did) before making this public. It was already noticed, in December by market watchers, that Intel's CEO sold every bit of stock he legally could. That's a decent indicator of how bad this might be.
    Reehahs, Jules Mark, BrodyB and 3 others like this.
  5. fadingfool

    fadingfool TS Booster Posts: 87   +88

    Doesn't look good for Intel - whilst gaming benchmarks may not have much of a hit (according to preliminary tests) how many of us have nothing else running on a clean OS build (if the background processes are severely hit - up 30% estimated this could cause latency issues). Embargo is lifted in a few days but I think my next build will definitely be AMD.
    Amet Monegro and BrodyB like this.
  6. senketsu

    senketsu TS Guru Posts: 898   +623

    A Google search for "CVE-2017-5925 Class: Design Error" took me to a nice National Institute of Standards and Technology National Vulnerability Database that gives tech folk more details. Unbelievable that this was known (as @noname points out) as early as 27 Feb 2017. I don't understand most of this page, but when I see stuff like:
    Access Vector: Network exploitable
    Access Complexity: Low
    Authentication: Not required to exploit
    Impact Type: Allows unauthorized disclosure of information
    my morale falls into my shoes, my jaw hits the floor....gobsmacked as they say
    Overused word, but this truly is unbelievable
    SantistaUSA and Per Hansson like this.
  7. SamuraiSamson

    SamuraiSamson TS Booster Posts: 50   +33

    I don't run any sensitive programs using my PC, just the usual games. Will it be possible to bypass the fix in the next Windows update? Personally, I would rather take the increased security risk than pay a performance penalty.
    MonsterZero likes this.
  8. enemys

    enemys TS Maniac Posts: 173   +170

    Actually, most of the information passed in today's news has been publicly available for at least two months, it's just the pass-the-news-over-and-over-again-to-spread-panic-machine that started this week on a lot of tech websites.
  9. enemys

    enemys TS Maniac Posts: 173   +170

    Unless your workload involves a lot of syscalls (e.g. heavy networking or intense mass storage I/O, like in database servers or video rendering), you won't notice a damn thing, because most software relatively rarely enters kernel mode - and the switches between modes are the only thing that will get slower.

    I don't think so, but you probably won't see any real performance penalty. It will be there for some computations, but most of the time it will be unmeasurable (next to none) or unnoticeable (within a couple percent).
    Last edited: Jan 3, 2018
    ddferrari and PetrolHead like this.
  10. BSim500

    BSim500 TS Evangelist Posts: 540   +1,038

    I agree about having the choice but it probably depends on your version of Windows. W10 is almost certainly going to be forced, whereas you can avoid it with W7 by disabling Windows Update service and simply installing patches manually. If that's the case, then for non-critical low-risk gaming machines, a lot of us still sticking to W7 are going to feel even less guilty about our "luddite-ness"... :)
    copasetic and ddferrari like this.
  11. PetrolHead

    PetrolHead TS Enthusiast Posts: 41   +22

    Those that game on Linux may be interested to know that the fix can be disabled with the "nopti" kernel boot option.
    copasetic likes this.
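
A way to check whether the page table isolation fix discussed above is active on a Linux machine, and whether a boot option such as `nopti` has switched it off. This is an added example, not part of the original thread; the function names are made up for illustration, and it assumes a kernel new enough to expose `/sys/devices/system/cpu/vulnerabilities/meltdown`.

```shell
#!/bin/sh
# Added example: report whether kernel page table isolation (PTI) is active.
# The sysfs file is the kernel's own verdict; the boot command line only
# explains why a host is unprotected.

# Print the first boot parameter that switches PTI off, or nothing.
# "nopti" is the option named in the thread; "pti=off" and "mitigations=off"
# are other kernel parameters that also switch PTI off.
pti_cmdline_override() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' |
        grep -x -E 'nopti|pti=off|mitigations=off' | head -n 1
}

# pti_status SYSFS_TEXT CMDLINE -> protected | not-affected | vulnerable... | unknown
pti_status() {
    case "$1" in
        "Mitigation: PTI"*) echo "protected" ;;
        "Not affected"*)    echo "not-affected" ;;
        Vulnerable*)
            override=$(pti_cmdline_override "$2")
            if [ -n "$override" ]; then
                echo "vulnerable (disabled by $override)"
            else
                echo "vulnerable"
            fi ;;
        *) echo "unknown" ;;   # file missing (older kernel) or unrecognised text
    esac
}

# Read the live host; both files are absent on non-Linux systems.
pti_report() {
    sysfs=/sys/devices/system/cpu/vulnerabilities/meltdown
    status_text=""; cmdline=""
    if [ -r "$sysfs" ]; then status_text=$(cat "$sysfs"); fi
    if [ -r /proc/cmdline ]; then cmdline=$(cat /proc/cmdline); fi
    pti_status "$status_text" "$cmdline"
}

echo "this host: $(pti_report)"
# Constructed sample, not captured from a real machine:
echo "sample:    $(pti_status 'Vulnerable' 'root=/dev/sda1 ro quiet nopti')"
```

Run across a fleet, any host reporting `vulnerable (disabled by ...)` is one where the mitigation was turned off deliberately and the trade-off should be reviewed.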
  12. Burty117

    Burty117 TechSpot Chancellor Posts: 3,366   +1,139

    I wonder if we're about to see a "Coffeelake v2" that doesn't have the said flaw in its core architecture :p
    hahahanoobs likes this.
  13. fadingfool

    fadingfool TS Booster Posts: 87   +88

    I expect a bit hit on our SQL databases - hopefully get year end out of the way before the update and latency may become an issue during gaming especially on heavily threaded workloads.
  14. Pragyan

    Pragyan TS Member

    Yeah!!! AMD FTW!!!
    Intel WTF?!!
    Cmon can I not exert little bit of my unbiased fandom? ;)
  15. jared reabow

    jared reabow TS Rookie

    "If that isn’t bad enough, patching the issue might slow down the performance of a CPU by up to *35 percent*."
    "causing the system to slow down by five to *30 percent*"

    Some quality fact-checked information here.....
  16. Puiu

    Puiu TS Evangelist Posts: 3,167   +1,609

    There is no actual fact-checking that can be done (yet). Some tests have even shown hits of over 60% in certain limited tests/workloads/system configs.

    Here's a few things people should understand:
    - this won't affect many day to day workloads in mainstream PCs, but you might see things like javascript getting hit by it or software that needs to use the virtual memory (not sure if browsers as a whole will be affected since they have many security features that rely on kernel ring restrictions and access to virtual memory).
    - I don't know if games will be affected, but some anticheat/DRM solutions might.
    - If you are a developer and you run VMs then you'll find that some things will indeed run slower.

    There are a lot of unknowns about this bug since the Linux patches that are currently public have the comments redacted/censored. More details will be given in a few weeks after MS and Linux devs update the kernels (we have no idea about MacOS and how and when they will fix this). Rumors say that the latest fast builds from Windows 10 already include an early version of the patch.

    @Steve I know you guys are working on some A/B tests for this. I just hope you include as many generations of CPUs and some lower end CPUs too. (are server CPUs even possible to include?) This will require massive amounts of researching so good luck. It seems you'll be traveling in that patch release window too.
    Last edited: Jan 3, 2018
  17. dj2017

    dj2017 TS Addict Posts: 140   +122

    And because Intel knows how to $$$$influence$$$$ everything, the patch treats AMD CPUs like they also have the bug.
    Amet Monegro likes this.
  18. Ira Wechsler

    Ira Wechsler TS Rookie Posts: 17   +11

    That is utter nonsense. The fix will not be installed on AMD CPUs. Windows has AMD directories where AMD drivers and processor enhancements are installed. NO Intel directories exist in an AMD Windows installation.
    JaredTheDragon likes this.
  19. Misagt

    Misagt TS Maniac Posts: 237   +169

    I would enjoy the moment. I've always enjoyed AMD and this is interesting. I was actually planning on building a new PC over Christmas but the timing wasn't right. I had finally settled on building going Intel. But I think I might have to change direction and go back to AMD.
  20. Vulcanproject

    Vulcanproject TS Evangelist Posts: 527   +663

    Big news, although the fact it has been kept very low key for quite a while suggests Intel have probably been working on a solution. I guess it depends how serious it is and under what circumstances it would actually be exploitable.
  21. Urgelt

    Urgelt TS Enthusiast Posts: 66   +37


    I mean, you could isolate your computer from the internet and prevent all future updates. But Microsoft isn't going to leave a vulnerability unpatched, even if the patch slows the computer down. So if you leave your computer connected, the patch is going in. There are no decisions for users to make.

    But it's not a big deal for you if you're just gaming with your rig. The big impacts should be data-intensive, not compute-intensive. Which means mostly data centers are going to take an instant hit when the patch goes in. The internet itself will slow, though it's anyone's guess if it'll be noticeable by the average user. Gaming and bitcoin mining and other compute-intensive tasks will slow down when the patch goes in, too, but the impact should be at the low end of the estimated impact range.

    For most people, their CPUs are mostly idle anyway. If you're running challenging AAA titles on your rig, you'll most likely be constrained by your GPU, not your CPU. Some gamers are still using 4th gen CPUs with a late-model GPU and are doing just fine with it.

    You really should welcome the patch. You *think* that you're just gaming, but if you use your credit card for internet transactions, or use your home address to have stuff shipped to you, or subscribe to newspapers or web sites requiring passwords, or do your banking or pay bills on-line, or reveal your political leanings in e-mails or blog comments, or any number of other common uses, malicious hackers would love to see your data. They can make money off of it and inconvenience you to no end.
    TomSEA and copasetic like this.
  22. copasetic

    copasetic TS Rookie Posts: 19

    The news and public are the most likely to treat this like AMD has the bug, IF they notice the severity of this patch. "Better safe than sorry," so goes the FUD machine. Most "end users" don't even have a clue what CPU is inside their machines...or what a CPU is. Remember, for many people, a computer is a TOOL used to do something ELSE. If they do, most likely will assume Intel. "AMD makes processors? I thought they only did video cards..." Some people still think the screen is the computer/CPU, or that the box down there under the desk is the CPU. Still more of those also don't usually read tech news (like this article), or skip the comments (Like I almost did).
  23. SeekerJBP

    SeekerJBP TS Rookie

  24. Per Hansson

    Per Hansson TS Server Guru Posts: 1,965   +223

    It's almost like if you say worked at Intel, maybe being its CEO and knew about this since February 2017, that you'd be interested in some insider trading?



    senketsu and Puiu like this.
  25. SeekerJBP

    SeekerJBP TS Rookie

    If you read towards the bottom of that page, it lists some AMD CPUs also.
