​Major Linux redesign in the works to deal with Intel security flaw

A serious security memory problem in all Intel chips has led to Linux's developers resetting how to deal with memory. The result will be a more secure, but -- as Linux creator Linus Torvalds says -- slower operating system.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Video: Intel slows the rate of major chip upgrades as Moore's law falters

Long ago, Intel made a design mistake in its 64-bit chips -- and now, all Intel-based operating systems and their users must pay the price.

Linux's developers saw this coming early on and patched Linux to deal with it. That's the good news. The bad news is it will cause at least a 5-percent performance drop. Applications may see far more serious performance hits. The popular PostgreSQL database is estimated to see at least a 17-percent slowdown.

How bad will it really be? I asked Linux's creator Linus Torvalds, who said: "There's no one number. It will depend on your hardware and on your load. I think 5 percent for a load with a noticeable kernel component (e.g. a database) is roughly in the right ballpark. But if you do micro-benchmarks that really try to stress it, you might see double-digit performance degradation."

Some applications won't see much of a hit. Torvalds said, "A number of loads will spend almost all their time in user space, and not see much of an impact at all." But to really know what's going on, Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, said you'll need to benchmark your particular machine and load to see what you can expect.

Read also: NSA's Ragtime program targets Americans, leaked files show | Leaked TSA documents reveal New York airport's wave of security lapses

Windows, macOS, and other Intel-based operating systems face similar performance problems. Microsoft has patched the problem as well, but some users are having trouble getting them thanks to anti-virus software. Apple has also repaired it in macOS 10.13.2.

If you use AMD processors, you may be safe. In a Linux Kernel Mailing List (LKML), AMD stated that its "processors are not subject to [these] types of attacks."

ARM CPUs, however, also have this hole, and the fix will give these systems similar performance problems.

Intel's blunder was to allow user programs to be able to gather hints about how the kernel address space is laid out. As discovered by Austria's university researchers this summer, "Modern operating system kernels employ address space layout randomization (ASLR) to prevent control-flow hijacking attacks and code-injection attacks. While kernel security relies fundamentally on preventing access to address information, recent attacks have shown that the hardware directly leaks this information."

ASLR is vital to today's operating systems' defense against malware. The Intel vulnerability isn't so much a new hole as it is a way of making all those many existing attack methods against ASLR-defended operating systems much stronger.

The researchers' solution was KAISER, a system for Linux kernel address isolation. In November, these patches were proposed for the Linux kernel. Realizing just how dangerous these attacks could be, the Linux kernel developers quickly started revising these patches.

Their solution, which amounts to more than 51 patches to date, separates the Linux kernel page tables kernel from the user space tables. Going forward, Linux will have two sets of memory page tables.

Besides making memory management more complicated, this also means many program instructions must keep switching between the two address spaces for every system call and for every hardware interrupt. This is what will slow down many, but not all, operating system functions and applications.

As LWN.net editor and Linux kernel developer Jonathan Corbet explained, "This is a fundamental change to how the kernel's memory management works and is the sort of thing that one would ordinarily expect to see debated for years, especially given its associated performance impact."

Read also: Millions of Verizon customer records exposed in security lapse | Meet the shadowy tech brokers that deliver your data to the NSA

To say Linux developers were unhappy about this would be a massive understatement. When the set of fixes' name was changed from KAISER to Kernel Page Table Isolation (KPTI), some of the suggested names were User Address Space Separation, prefix uass_ and Forcefully Unmap Complete Kernel With Interrupt Trampolines, prefix fuckwit_.

Angry they may be, but Linux had to be secured. Torvalds already merged in some early KPTI patches. The fixed code is in 4.14.11, which was released on January 3. Torvalds has also already placed the patched code in Linux 4.15. This new Linux release will be out in a few weeks. All these fixes will be backported to long-term support Linux kernels.

Linux users, especially those who run enterprise software on servers and the cloud, should ready themselves to do performance testing on the new release as soon as possible. Whether you run your application in a server room or any of the clouds -- Amazon Web Services (AWS), Google Engine, Azure, and so on -- you must adjust the number of server or container instances to maintain the speed and performance you demand from your programs and services.

Related stories

Editorial standards