Security Risks Revealed In CPUs, Patch Causes Performance Hit - Report
A fundamental flaw.
This is a developing story with implications that are being explored.
It appears that a vast majority of CPUs from Intel have a fundamental security flaw at the hardware level. CPUs from AMD and ARM (both chip manufacturers) are also said to be affected, and all three companies have acknowledged the issue with varying implications (see below). The flaws were revealed by Google's Project Zero researchers, who found a particular feature that leaves computers susceptible to what are called the Meltdown and Spectre vulnerabilities.
At the core of the problem, memory is leaking through the kernel on Intel chips, which leads to potential personal data exposure and increased vulnerability to malicious software attacks. This is being fixed through extensive patching of the kernel software built into computer operating systems like Windows and Linux for PC, and macOS. These patches, while necessary, are said to hamper CPU performance, which also affects in-game framerates.
A kernel is software that sits between the CPU and the rest of the operating system and controls the communication between applications and the hardware itself. As PC World puts it, "It has complete control over your operating system. Your PC needs to switch between user mode and kernel mode thousands of times a day, making sure instructions and data flow seamlessly and instantaneously."
CPUs are essentially leaving systems open to memory leaks, which makes sensitive information a sitting duck for malware. As a result, the fix to this problem requires a ton of work, and chip manufacturers can't really do anything about it since the leaks need to be sealed on the software side. Microsoft and Apple provided security updates for their respective operating systems that solve the issues for a majority of CPUs, but slow down processor performance due to the additional instructions needed to mitigate the issue. Users are strongly advised to install the latest security updates for their OS.
A Reddit user by the name of Laexe said they have benchmarked their own system both before and after the Windows 10 security update. This user stated that an Intel Core i5-4690K at 4.4GHz with an 8GB AMD RX 580 video card and 16GB of RAM was used for the tests and claimed the following results for Rainbow Six Siege, War Thunder, Counter-Strike Global Offensive, DayZ, and Elite Dangerous:
Intel, AMD, and ARM released official statements in response to the security issues that affect CPUs; you can read them below:
"Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
"Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices -- with many different vendors' processors and operating systems -- are susceptible to these exploits.
"Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
"Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
"Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.
"Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers."
"There has been recent press coverage regarding a potential security issue related to modern microprocessors and speculative execution. Information security is a priority at AMD, and our security architects follow the technology ecosystem closely for new threats.
"It is important to understand how the speculative execution vulnerability described in the research relates to AMD products, but please keep in mind the following:
- The research described was performed in a controlled, dedicated lab environment by a highly knowledgeable team with detailed, non-public information about the processors targeted.
- The described threat has not been seen in the public domain.
"When AMD learned that researchers had discovered a new CPU attack targeting the speculative execution functionality used by multiple chip companies’ products, we immediately engaged across the ecosystem to address the teams’ findings.
"The research team identified three variants within the speculative execution research. The below grid details the specific variants detailed in the research and the AMD response details.
Variant / AMD Response Matrix

| Google Project Zero (GPZ) Research Title | AMD Response |
|---|---|
| Bounds Check Bypass | Resolved by software / OS updates to be made available by system vendors and manufacturers. Negligible performance impact expected. |
| Branch Target Injection | Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date. |
| Rogue Data Cache Load | Zero AMD vulnerability due to AMD architecture differences. |

"As the security landscape continues to evolve, a collaborative effort of information sharing in the industry represents the strongest defense.
"Total protection from all possible attacks remains an elusive goal and this latest example shows how effective industry collaboration can be.
"As always, AMD strongly encourages its customers to consistently undertake safe computing practices, examples of which include: not clicking on unrecognized hyperlinks, following strong password protocols, using secure networks, and accepting regular software updates."
"Based on the recent research findings from Google on the potential new cache timing side-channels exploiting processor speculation, here is the latest information on possible Arm processors impacted and their potential mitigations. We will post any new research findings here as needed.
"Cache timing side-channels are a well-understood concept in the area of security research and therefore not a new finding. However, this side-channel mechanism could enable someone to potentially extract some information that otherwise would not be accessible to software from processors that are performing as designed. This is the issue addressed here and in the Cache Speculation Side-channels whitepaper.
"It is important to note that this method is dependent on malware running locally which means it's imperative for users to practice good security hygiene by keeping their software up-to-date and avoid suspicious links or downloads.
"The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism. A definitive list of the small subset of Arm-designed processors that are susceptible can be found below."