In a recent keynote speech of Open Source Summit in Europe, Greg Kroah Hartman, maintainer of Linux Kernel stated that Intel’s security problems in CPU, will remain with us for a long time. Also, they are not going away. He also mentioned that each and every bug in the CPU are more or less the same. However, they can be fixed one by one individually.
What Are The Intel Chip Security Problems?
As Hartman mentions that there are possibly various intel chip problem in the CPU itself, such as “Fallout, MDS or Zombieload”. He also mentions that the aspect of all these problems are more or less the same.
Issues like Zombieload or even RIDL are known to be potentially deadly to the system. To get a clear aspect, the “Zombieload” issue is profoundly dangerous as it has the ability to steal any data from any application, or even virtual machines. As a matter of fact, it can also bypass any secure enclave.
ZombieLoad Attack
As the name suggest, Zombieload is known as an attacking channel on the side. This affects the Intel chips that are on target. As a result, hackers or intruders are able to directly exploit the vulnerabilities. Instead of spreading malicious files, attackers directly go for the flaws.
MDS Attack
This type of attack deals with the breach of security. Attackers have the ability to expose private information or data of users on random platforms surrounding the user’s system. Such as, exposing images to a website that is full of malicious files. And not only are they personal data from any file folder. These data are also from the CPU cache as well as CPU buffers.
Defense against this type of attack is relatively not enough.
Software Guard Extensions
The irony of Intel chip problem is that, one of its basic application namely “Software Guard Extensions” is meant to be in full security right inside the Intel chip. But however, it is porous and transparent.
One of the major drawbacks of Intel CPU is the execution of speculative problems. The making of this speculation execution has a drawback. This drawback is that when the CPU calculates or estimates it’s next action, not only does the execution time and speed increases, but also the data is exposed during the process.
How To Fix Intel Chip Security Problems?
As there are multiple problems, you would have to fix them individually by patching Linux Kernel, Microcode as well as CPU’s BIOS. You must keep in mind that this issue is not just limited to Linux OS. Any operating system is likely to have the same problems.
The Use Of OpenBSD
The OpenBSD is a multi-platform that is Unix based OS. OpenBSD delivers safety and security which is their prime aspect to deliver. In case of security holes, the best you can do is disable the SMT (Simultaneously Multi-Threading) and then go in thorough check with performance.
Secure The Operating System Entirely
Just simply disabling the multi-threading option, the intel security problem will not resolve. You would have to also secure the entire OS. This is because most of the time, exploits for hyper-threading keeps appearing from time to time.
If it is a Linux software, then every time there is a switch in context or when the CPU is on stop mode and not running, the CPU buffer flushes.
With every buffer flush, the CPU takes a lot of time. If there are more functions for the CPU to run, then you can imagine the amount of time that is lost in the process.
What Kroah Hartman Has To Say About The Problems!
Kroah Hartman mentions that his entire day is spent on writing emails which are relatively taking 2% of performance in the entire day. And then he also mentions that his days are also spent of developing Linux kernel. This activity takes up 20% performance of the day as well.
Depending on jobs, you can tell how much of a delay you are to face. However, Hartman states that if it is a bad thing when you have to choose between security or performance. Because having both privileges with benefits and no counter-intuitive problems is rare.
Final Word!
It is essential that you upgrade the Linux kernel and then proceed to patch the microcode individually one by one. As Intel security updates keep releasing often, you would be notified.
To have a safety-first, you can consider running supports like Canonical, Red Hat, Debian or even SUSE Distros. Why these supports for Linux is suggested, is because without them you’d be having an unstable system.
However, you can simply just keep a track of the latest updates for the OS as well as the hardware.