KPTI Intel Chip Flaw Exposes Security Risks

UPDATED: Multiple operating system vendors are set to patch a memory isolation flaw in Intel processors that could impact performance and expose users to a security risk.

Vulnerabilities

Operating system vendors are rushing to put out a fix for an alleged Intel chip flaw that could be used to exploit systems.

Intel has not officially disclosed details on the flaw yet, though a patch already exists in the Linux kernel, with patches for Microsoft Windows and Apple macOS expected by Jan. 9. The Intel flaw doesn't have a branded name at this point, though security researchers have referred to it as both KPTI (Kernel Page Table Isolation) and KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed).

"Modern operating system kernels employ address space lay-out randomization (ASLR) to prevent control-flow hijacking attacks and code-injection attacks," researchers at Graz University of Technology in Styria, Austria, wrote in a research abstract on KAISER. "While kernel security relies fundamentally on preventing access to address information, recent attacks have shown that the hardware directly leaks this information."

Linux kernel developers have been working on a patch for the KAISER issue since at least early November 2017. The Linux kernel uses a form of ASLR called Kernel ASLR (KASLR) to perform address space randomization. Memory randomization is important to help limit the risk of attackers knowing where applications use specific memory registers, which could then be directly attacked to leak information.

The KAISER patches in Linux are intended to be a defense against KSLR attacks, which apparently can be enabled via the as-yet undisclosed Intel chip flaw. In a Linux kernel commit message for the KAISER patches, Intel Linux kernel developer Dave Hansen explained that KAISER is a countermeasure against attacks on kernel address information. Hansen noted that the KAISER patches unmap memory locations in the Linux kernel when userspace applications run. Instead, there is only a minimal set of memory page tables that are left, which are called kernel page tables.

"This minimal set of data can still reveal the kernel's ASLR base address," Hansen wrote. "But, this minimal kernel data is all trusted, which makes it harder to exploit than data in the kernel direct map which contains loads of user-controlled data."

While ASLR is widely used on multiple system architectures, the KAISER issue initially appeared to be  specific to Intel processors and does not impact Advanced Micro Devices processors.

"AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against," AMD Linux kernel developer Tom Lendacky wrote in a Linux Kernel Mailing List message. "The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault."

Intel released a statement on Jan. 3 noting that the issues are not just limited to its products. The company stated that reports that these exploits are caused by a 'bug' or a 'flaw' and are unique to Intel products are incorrect. Additionally Intel downplayed the risk of the memory issues noting that in Intel's view the exploits do not have the potential to corrupt, modify or delete data.

"Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits," Intel stated. "Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively."

On Intel systems, KAISER will have some amount of performance impact, with the patch slowing systems. It's not clear at this point how much KAISER will slow down all operating systems, though early testing has pegged the performance impact to be as high as 30 percent on some Linux systems.

"Most workloads that we have run show single-digit regressions," Hansen wrote. "5 percent is a good round number for what is typical. The worst we have seen is a roughly 30 percent regression on a loopback networking test that did a ton of syscalls and context switches."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Editor's Note: This article was updated with an Intel statement that said the issues are not limited to Intel products.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.