Intel Secretly Firefighting a Major CPU Bug Affecting Datacenters?
There are ominous signs that Intel may be secretly fixing a major security vulnerability affecting its processors, one that threatens to severely damage its brand equity among datacenter and cloud-computing customers. The vulnerability lets users of a virtual machine (VM) access data belonging to another VM on the same physical machine (a cross-VM information leak). Amazon, Google, and Microsoft, the big three cloud providers, are affected, and Intel is reportedly in embargoed communications with engineers from all three to release a software patch that fixes the bug. The trouble is that the patch reportedly inflicts an unavoidable performance penalty of between 30% and 35%, which changes the economics of using Intel processors versus AMD ones. https://www.techpowerup.com/240174/intel-secretly-firefighting-a-major-cpu-bug-affecting-datacenters
An age in which what is right is lost, and even the imitation of what is right is lost. I do not hold it in contempt.

337 Anonymous@1st Anniversary 2018/01/04 (Thu) 10:16:57.69 ID:+Z7h1TPH0 >>35
Tool Started 2018/01/04 10:10:37
Name: MSI
Manufacturer: Micro-Star International Co., Ltd.
Model: GS63 7RD
Processor Name: Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz
OS Version: Microsoft Windows 10 Pro
Status: This system is vulnerable.
Tool Stopped
As recommended by Intel [8], today’s operating systems map the kernel into the address space of every user process.
Kernel pages are protected from unwanted access by user-space applications through access permissions set in the page table entries (PTEs). The address space is thus shared between the kernel and the user process; only the privilege level is raised to execute system calls and interrupt routines. The idea of Stronger Kernel Isolation proposed by Gruss et al. [6] (cf. Figure 2) is to unmap the kernel pages while the process runs in user space and to switch to a separate kernel address space when entering the kernel. Consequently, user pages are not mapped in kernel space, and only a minimal number of pages is mapped in both user space and kernel space. While this would prevent all microarchitectural attacks on kernel address-space information on recent systems [6, 7, 10], it is not possible to implement Stronger Kernel Isolation without rewriting large parts of today's kernels. No previous work has investigated the requirements that real hardware imposes on implementing kernel address isolation in practice. We identified the following three challenges that make kernel address isolation non-trivial to implement.
Fig. 2: (a) The kernel is mapped into the address space of every user process. (b) Theoretical concept of stronger kernel isolation. It splits the address spaces and only interrupt handling code is mapped in both address spaces. (c) For compatibility with x86 Linux, KAISER relies on SMAP to prevent invalid user memory references and SMEP to prevent execution of user code in kernel mode.
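To make the difference between the three layouts in Fig. 2 concrete, the following C program is an added example (not code from the KAISER paper, the Linux patch set, or any other source on this page) that models the layouts with a flat 64-page toy page table. It shows why the U/S permission bit alone does not stop the attacks cited above: in layout (a) the kernel pages are present in the table the CPU walks in user mode, so a probe that only needs the page walk to complete can tell mapped kernel pages from unmapped ones even though the architectural access faults, whereas in (b) and (c) the user-mode table contains no kernel page except the entry trampoline. It also models the SMAP and SMEP checks that layout (c) relies on in its kernel-side table. The page split (0..31 user, 32..63 kernel), the trampoline at page 32 and the PTE bit positions are assumptions made for the example.

```c
/* Toy model of the address-space layouts in Fig. 2 (constructed example, not
 * code from the KAISER paper or patch). Assumptions: a flat 64-page virtual
 * address space with pages 0..31 user and 32..63 kernel, the syscall/interrupt
 * entry trampoline at page 32, and arbitrary PTE bit positions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NPAGES            64
#define FIRST_KERNEL_PAGE (NPAGES / 2)
#define TRAMPOLINE_PAGE   FIRST_KERNEL_PAGE  /* assumed location of the entry stub */
#define PTE_P  (1u << 0)  /* present: a page walk finds a translation */
#define PTE_US (1u << 1)  /* user/supervisor: set means CPL 3 may access */
struct page_table { uint32_t pte[NPAGES]; };

enum layout { CLASSIC, STRONGER_KERNEL, KAISER_USER, KAISER_KERNEL };
enum cpl    { CPL_KERNEL = 0, CPL_USER = 3 };
enum op     { OP_READ, OP_EXEC };
enum result { OK, FAULT_NOT_PRESENT, FAULT_PRIV, FAULT_SMAP, FAULT_SMEP };

/* (a) One table for both modes: every page present, kernel pages supervisor-only.
 * KAISER (c) reuses this as its kernel-side table, keeping user pages mapped. */
static void build_classic(struct page_table *pt)
{
    for (unsigned p = 0; p < NPAGES; p++)
        pt->pte[p] = PTE_P | (p >= FIRST_KERNEL_PAGE ? 0 : PTE_US);
}

/* User-side table of (b) and (c): user pages plus the trampoline, which must be
 * present (supervisor-only) because entry raises CPL before the stub switches CR3. */
static void build_user_side(struct page_table *pt)
{
    memset(pt, 0, sizeof *pt);
    for (unsigned p = 0; p < FIRST_KERNEL_PAGE; p++)
        pt->pte[p] = PTE_P | PTE_US;
    pt->pte[TRAMPOLINE_PAGE] = PTE_P;
}

/* (b) Stronger kernel isolation, kernel side: kernel pages only, no user pages. */
static void build_stronger_kernel(struct page_table *pt)
{
    memset(pt, 0, sizeof *pt);
    for (unsigned p = FIRST_KERNEL_PAGE; p < NPAGES; p++)
        pt->pte[p] = PTE_P;
}

/* Build every layout once and return a pointer to the requested one. */
const struct page_table *layout(enum layout id)
{
    static struct page_table tables[4];
    static bool built;
    if (!built) {
        build_classic(&tables[CLASSIC]);
        build_stronger_kernel(&tables[STRONGER_KERNEL]);
        build_user_side(&tables[KAISER_USER]);
        build_classic(&tables[KAISER_KERNEL]);
        built = true;
    }
    return &tables[id];
}

/* Architectural access check: present bit, U/S bit, then the two supervisor
 * restrictions layout (c) depends on, SMAP (data) and SMEP (execution). */
enum result check_access(const struct page_table *pt, unsigned page,
                         enum cpl cpl, enum op op, bool smap, bool smep)
{
    uint32_t pte = pt->pte[page];
    if (!(pte & PTE_P)) return FAULT_NOT_PRESENT;
    if (cpl == CPL_USER && !(pte & PTE_US)) return FAULT_PRIV;
    if (cpl == CPL_KERNEL && (pte & PTE_US)) {   /* kernel touching a user page */
        if (op == OP_EXEC && smep) return FAULT_SMEP;
        if (op == OP_READ && smap) return FAULT_SMAP;
    }
    return OK;
}

/* What an unprivileged side-channel probe learns: whether a translation exists.
 * The walk completes before the U/S check, so only absence hides a kernel page. */
bool probe_sees_mapping(const struct page_table *pt, unsigned page)
{
    return (pt->pte[page] & PTE_P) != 0;
}

/* Number of kernel pages a user-mode probe can identify as mapped. */
unsigned kernel_pages_visible_from_user(const struct page_table *user_pt)
{
    unsigned n = 0;
    for (unsigned p = FIRST_KERNEL_PAGE; p < NPAGES; p++)
        n += probe_sees_mapping(user_pt, p);
    return n;
}

int main(void)
{
    printf("(a) classic: %u kernel pages visible\n", kernel_pages_visible_from_user(layout(CLASSIC)));
    printf("(c) KAISER : %u kernel page visible (trampoline)\n", kernel_pages_visible_from_user(layout(KAISER_USER)));
    return 0;
}
```

Compile with `cc -std=c11 kaiser_model.c && ./a.out`. The trampoline is the one page the user-side table has to keep mapped supervisor-only: a syscall or interrupt raises the privilege level before any instruction of the stub runs, so the code that switches CR3 must already be reachable from the user table. That is the "minimal number of pages mapped in both" from the text, and it is why the probe still counts one kernel page under KAISER rather than zero.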