Google Project Zero has spilled the beans. There are two huge security flaws that are dependent on the speculative execution functions found in many modern processors. Basically, attackers can attack it to read the kernel memory, which is extremely bad, as they can then get passwords, encryption keys, everything. And contrary to the early speculation, these flaws are not just Intel-only. ARM and AMD have issues, too.
Okay, going to rewrite this to clear up any initial misunderstanding.
Recently, people have noticed that a pretty major and unannounced change to the way Linux handles virtual memory. Even more puzzling is that there’s been no communication about this whatsoever. This is the kind of massive change that would be announced well in advanced, debated, and then slowly implemented in the past. Instead, it appears to to have been executed in two months, and in secret.
Other people started digging and discovered that Microsoft has also done a sudden and big rewrite of the way Windows handles virtual memory, and MS started rolling out the change to Insiders in November. Two months.
Coupled with even more digging, and it all points to a massive flaw in Intel CPUs that exposes the kernel memory, which is very, very, very bad. This does not appear to be a flaw that can be fixed in microcode/firmware updates, which means it has to be fixed at the OS level, which means that there’s going to be a performance hit. As to how large? It’s unknown until the details and fixes are released.
It looks like all intel CPUs are affected, but those with PCID have much less performance impact from the fix. As to severity, this bug allows you to read kernel memory from the userspace. Straight-up. It’s as bad as it gets.
The impact completely depends on workload but numbers I’ve seen going around are <1% on CPUs with PCID (meaning Broadwell or later) and ~5% on other Intel CPUs. But you can devise a workload where the impact is 0% or up to a whopping 50%. Depends on the number of syscalls you make.
It’s not just VMs. It’s possible that someone could write JavaScript code that could read the contents of the kernel memory. All you need is to visit a malicious web page.
There’s a reason why the Linux devs have done a secret crash rewrite of a system that they’d normally discuss openly for months before even touching.
And it seems like PCID (Process context identifiers) is present back to Sandy Bridge, e.g. 2500K. So performance penalty seems mitigated for almost anything modern in the past 6-7 years if that’s true.
I think the VM angle is because that’s where most big business computing is today, either locally hosted or in the public cloud. A user-level PC getting a 30% processor slowdown isn’t even going to be noticeable for most PC workloads. A big cloud provider such as Azure or AWS suddenly losing 30% of their capacity is going to be a nightmare. Both for the cloud provider and all their clients.
VMs hit the CPU a lot, and they also run tons of untrusted code. If you’re sharing a machine with someone else, you have no idea what they’re running. This is a massive liability all of a sudden. You could see a ton of compliance guys losing their shit this week.
It depends on the number of syscalls, with du supposedly slowed down by a whopping 50%. This is all still just rumor and hearsay, we won’t know the real deal until the embargo lifts.
This is absolutely not limited to the enterprise or VMs. You will need to patch your windows desktop too. Not a huge deal, expect a 1-5% overall slowdown, but not exactly welcome news either.
