UPDATED: Intel and its flawed Kernel Memory Management Security

It has emerged that Intel CPUs made in the last decade or so do not properly enforce the boundary between user-mode and kernel-mode memory. Through a particular (and, until now, undocumented) sequence of instructions, a user-mode application can read kernel-mode memory that it should never be able to see. This means that any application, such as your browser, can read memory belonging to the operating system and, through it, potentially the memory of every other program on your system.

Some theory

In the 32-bit era, an application could address at most 4GB of memory; this was the de-facto limit for ages. What really happened is that the application only got 2GB of that for user-mode memory (the memory the application itself needs in order to function). The other 2GB was mapped to kernel space, holding kernel-mode memory, so the kernel was present in every process's address space even though the process was not allowed to touch it.

In the 64-bit era, these limits were lifted, since a 64-bit pointer can in theory address a vastly larger space (16 exabytes, to be exact). Current x86-64 processors implement 48 bits of that, i.e. 2^48 bytes or 256TB of virtual address space, split between a user half and a kernel half. Given that the kernel-mode region is so large, the OS can place the kernel at a random location inside it on every boot. This randomness (kernel address space layout randomization, KASLR) makes it much harder for a foul-playing application to find the addresses of kernel-mode functions and data.

So, what’s happening?

Typically, code that runs in user mode (ordinary application code) does not have access to kernel-mode memory, even though the kernel is mapped into every process's address space. Keeping it mapped is a performance decision: when an application switches to kernel mode (needed, for example, to open a file from disk), the kernel-mode memory is already reachable through the same page tables, avoiding the need for two sets of tables, one for user mode and one for kernel mode. Having more than one set would mean that on every sysenter/syscall (or equivalent) the tables have to be swapped and the TLB (the CPU's cache of address translations) flushed, with all the overhead such operations require. Instead, the kernel's pages are simply marked supervisor-only in the page tables, and the CPU is supposed to refuse any user-mode access to them.

It would seem that on Intel CPUs, researchers have found a way to bypass this check: the processor speculatively executes the forbidden read before the permission check takes effect, and the value leaks out through the CPU cache. This means that a user-mode application can read kernel-mode memory, which is devastating. Kernel memory holds passwords, cryptographic keys and, on most systems, a mapping of all physical RAM, so a malicious application can read data belonging to any other process on the machine. Note that the attack reads kernel memory rather than modifying it; but what it can read is very often all an attacker needs to take over the target's system.

How can this be fixed?

Unfortunately, an easy fix is not available: the flaw is in the CPU itself, so it cannot be patched away with a microcode update, and the operating system's memory management has to change instead. Instead of having just one set of page tables that maps both user-mode and kernel-mode memory, the kernel keeps a second, separate set that is used only while running in kernel mode; the user-mode tables keep only the tiny slice of kernel needed to enter and leave it. The change is dubbed Kernel Page-Table Isolation (KPTI, originally proposed under the name KAISER).

Adding a second set of tables and switching to and fro has negative effects on overall system performance, especially in I/O-heavy applications, because I/O involves a lot of switching between user mode and kernel mode. Given that the new code needs to run every time the system switches from user mode to kernel mode, performance degradation is expected. Unofficial figures quote between 5% and 30% performance impact, depending on the application. OC3D has provided some benchmarks; FS-Mark (an I/O benchmark) shows a devastating hit in performance. PostgreSQL developers reported a best case of 17% slowdown and a worst case of 23% using the new Linux patch.

Which operating systems are vulnerable?

Basically, all operating systems are vulnerable to this attack, because the bug goes beyond the operating system: it lives in the CPU rather than at the operating-system level. Scary! Vendors were informed (under embargo) ahead of public disclosure and have been working on fixes.

Are non-Intel CPUs vulnerable?

All we know at the moment is that AMD CPUs are NOT vulnerable to this particular issue; this has been confirmed by AMD themselves. In fact, Tom Lendacky from AMD has submitted a fix for the Linux kernel itself, adding a vendor check so that AMD processors are not flagged as insecure and the page-table isolation (with its performance cost) is not applied on them.

What’s next? How can I stay safe?

If you have an AMD CPU, well then congratulations, you're safe from this one! If you're on an Intel system, don't panic just yet. Yes, you are vulnerable, but you still control what runs on your computer: the attack needs code executing on your machine, so if you don't visit dodgy websites and don't install dodgy applications, you reduce your exposure. But that's age-old advice, and it is no substitute for the real fix: install the operating-system update that adds page-table isolation as soon as your vendor ships it. On a patched Linux kernel, the file /sys/devices/system/cpu/vulnerabilities/meltdown reports whether the mitigation is active; on Windows, Microsoft's SpeculationControl PowerShell module does the same.
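As an added example (not part of the original post), here is how to check a Windows machine for the fix from PowerShell. It uses Microsoft's SpeculationControl module from the PowerShell Gallery, which calls the isolation "kernel VA shadowing"; the KVAShadow* property names are the ones that module exposes, and the assumption is that the installed module version still uses them. The registry path and value name in the "present but disabled" branch are the ones Microsoft documents for switching the mitigation on and off.

```powershell
# Added example: report Meltdown (kernel page-table isolation) status on Windows.
# Run from an elevated PowerShell prompt after:
#   Install-Module SpeculationControl
# Assumption: the module exposes the KVAShadow* properties used below.

Import-Module SpeculationControl -ErrorAction Stop
$s = Get-SpeculationControlSettings   # prints its own report and returns an object

# KVAShadowRequired              - the CPU is affected, so isolation is needed
# KVAShadowWindowsSupportPresent - the OS update containing the fix is installed
# KVAShadowWindowsSupportEnabled - the fix is actually active on this boot
if (-not $s.KVAShadowRequired) {
    Write-Output 'CPU not affected: kernel page-table isolation is not required.'
}
elseif ($s.KVAShadowWindowsSupportPresent -and $s.KVAShadowWindowsSupportEnabled) {
    Write-Output 'Mitigated: kernel page-table isolation is present and enabled.'
}
elseif ($s.KVAShadowWindowsSupportPresent) {
    # The fix is installed but switched off, normally through the registry
    # override Microsoft documents; show its current value to explain why.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $override = (Get-ItemProperty -Path $key -Name FeatureSettingsOverride `
                    -ErrorAction SilentlyContinue).FeatureSettingsOverride
    Write-Warning "Fix installed but DISABLED (FeatureSettingsOverride = $override)."
}
else {
    Write-Warning 'VULNERABLE: install the Windows update that adds kernel page-table isolation.'
}
```

On an AMD machine the first branch fires: the module reports that shadowing is not required, which is the PowerShell-side equivalent of the Linux vendor check mentioned above.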



I hate it when my laptop’s fan switches on – here’s how I solved it (Part 1)!

I've made it a point to buy my laptop equipped with an Intel U-series CPU: this is to make sure that my laptop is as light, power efficient and quiet as possible. My HP Spectre X360 does all of this; well, almost. It's light (around 1.3kg) and power efficient (8-10 hours of battery or more), but it is not the quietest laptop on the planet.

When the laptop has a relatively moderate task to process, it ramps the CPU up to its full clock (3.5 GHz). That's great, except for the fact that high clocks generate a lot of heat. When the threshold temperature is constantly exceeded (in my laptop's case, around 50°C), the fan needs to kick in to manage thermals.

There's nothing wrong with that; the laptop functions perfectly. What I'd like is to do all these tasks while the laptop remains cool enough to get by on passive cooling alone. How can this be achieved? By lowering the maximum CPU clock, of course!

What I ended up doing is setting the maximum processor state to 45% (which caps the clock at around 1.6 GHz) instead of 100%. This means that tasks run slightly slower, but the laptop runs way cooler. Even better, most of the time the performance cost is not felt, since the tasks do not actually max out the CPU; a lower CPU clock is sufficient for them!

For now, I've solved it naively; a fixed cap is not the most efficient solution. There are times when my laptop is running well below the threshold temperature at which the fan needs to kick in, and the cap is just wasted performance. A more intelligent solution would adjust the clock cap on the fly so that the laptop maintains a target temperature, much like how NVIDIA's GPU Boost works.

The fixed cap is very easy to set up through the Windows Power Options. Here's a step-by-step guide.

1) Right-click the battery icon in the tray and select Power Options.
(screenshot: Power Options)

2) Next to your desired power plan, select Change plan settings.
(screenshot: Change plan settings)

3) Select Change advanced power settings.
(screenshot: Change advanced power settings)

4) Scroll down, expand Processor power management, expand Maximum processor state, and type your maximum value (e.g. 45%) for both On battery and Plugged in.
(screenshot: Maximum processor state)
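The same setting can be applied from the command line with Windows' built-in powercfg tool. This is an added example, not part of the original post (and not the WinAPI approach it promises for next time); it assumes an elevated PowerShell prompt, since changing the active scheme requires administrator rights. SUB_PROCESSOR and PROCTHROTTLEMAX are powercfg's documented aliases for the "Processor power management" group and the "Maximum processor state" setting (run powercfg /aliases to list them).

```powershell
# Added example: cap "Maximum processor state" from PowerShell via powercfg.
# Run elevated. The 45% default matches the post (about 1.6 GHz on a 3.5 GHz part).
param(
    [ValidateRange(1, 100)]
    [int]$MaxPercent = 45
)

# SCHEME_CURRENT  = the active power plan
# SUB_PROCESSOR   = "Processor power management" group
# PROCTHROTTLEMAX = "Maximum processor state" setting
# /setacvalueindex applies when plugged in, /setdcvalueindex when on battery,
# matching the two columns shown in the Power Options dialog.
powercfg /setacvalueindex SCHEME_CURRENT SUB_PROCESSOR PROCTHROTTLEMAX $MaxPercent
powercfg /setdcvalueindex SCHEME_CURRENT SUB_PROCESSOR PROCTHROTTLEMAX $MaxPercent

# Re-activating the current scheme makes the new values take effect immediately.
powercfg /setactive SCHEME_CURRENT

# Read the values back. powercfg prints the indices in hex, so 45 shows as
# "Current AC Power Setting Index: 0x0000002d".
powercfg /query SCHEME_CURRENT SUB_PROCESSOR PROCTHROTTLEMAX |
    Select-String 'Power Setting Index'
```

To undo the cap, run the script again with -MaxPercent 100. Because the values are written into the active scheme, they survive a reboot exactly like the values typed into the dialog.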

That’s it! Next time, we’ll see how we can do all this programmatically, through WinAPI.

Until the next one.

On sites using JavaScript-based cryptocurrency mining

Lately, I clicked a link from one of those "funny" programming-related Facebook pages, read the article and did not close the tab. No harm done, right? Well, after 10-15 minutes I heard the CPU fan revving more than usual and thought that was quite odd. I fired up Task Manager and found that a Chrome process was running at 100% CPU. Odd; what was going on?

I immediately remembered an article I had read a few days back, reporting that The Pirate Bay had implemented a script to mine coins in visitors' browsers. I fired up Developer Tools and, unsurprisingly, found that the site was loading CoinHive.
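Task Manager shows Chrome as a pile of identical chrome.exe entries, because every tab gets its own renderer process. The following added example (my own script, not from the original post) samples each Chrome process's CPU time twice, a few seconds apart, and reports which processes are burning a core, using the --type= switch on their command lines to tell renderers (tabs) from the browser, GPU and utility processes. The 50% alert threshold is an assumption; tune it to taste.

```powershell
# Added example: find which browser process is hogging the CPU.
# Works on any Windows machine with Chrome running; no admin rights needed for
# your own processes.
param(
    [string]$ProcessName  = 'chrome',
    [int]$SampleSeconds   = 5,
    [double]$AlertPercent = 50    # assumption: % of one core that counts as suspicious
)

function Get-CpuSnapshot {
    # Process.CPU is the total processor seconds the process has consumed so far.
    $snap = @{}
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
        ForEach-Object { $snap[[int]$_.Id] = $_.CPU }
    return $snap
}

$before = Get-CpuSnapshot
Start-Sleep -Seconds $SampleSeconds
$after  = Get-CpuSnapshot

# Win32_Process exposes the command line; Chrome tags helper processes with
# --type=renderer, --type=gpu-process, --type=utility and so on.
$cmdlines = @{}
Get-CimInstance Win32_Process -Filter "Name = '$ProcessName.exe'" |
    ForEach-Object { $cmdlines[[int]$_.ProcessId] = $_.CommandLine }

$rows = foreach ($id in $after.Keys) {
    if (-not $before.ContainsKey($id)) { continue }   # started mid-sample
    $deltaSec   = $after[$id] - $before[$id]
    $pctOneCore = 100 * $deltaSec / $SampleSeconds    # 100 = one core fully busy
    $type = if ($cmdlines[$id] -match '--type=(\S+)') { $Matches[1] } else { 'browser' }
    [pscustomobject]@{
        PID         = $id
        Type        = $type
        CorePercent = [math]::Round($pctOneCore)
    }
}

$rows | Sort-Object CorePercent -Descending | Format-Table -AutoSize

$rows | Where-Object { $_.CorePercent -ge $AlertPercent } | ForEach-Object {
    Write-Warning ("PID {0} ({1}) is using {2}% of a core; match the PID in Chrome's own task manager (Shift+Esc) to find the tab." -f $_.PID, $_.Type, $_.CorePercent)
}
```

A renderer sitting near 100% of a core for a tab you are not interacting with is the tell-tale sign of a background miner; a multi-threaded miner will show up as several renderer or worker processes of the same tab all pegged at once.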

What's my take on this? First and foremost, as a site operator, it is illegal to use your visitors' CPU cycles without letting them know upfront what you're doing. This is essentially turning your visitors into a botnet. Second, if you're going to do such a thing anyway, at least give the client some breathing space. These coin miners can seriously hammer the CPU; since they are multi-threaded, they can easily cause a 100% CPU load!

Alright then, let's now discuss it from an ethical point of view. Chances are that if you are running a legit, legal site (such as this blog), you don't want to turn your precious visitors into mining machines. So the sites that end up using such services will most likely be the shadier ones: torrent sites, streaming sites, (illegal) file-sharing sites and the like. Their operators do not care much about how they monetise their service, be it through (shady) advertisements or cryptocurrency mining.

This had me thinking, though: from a consumer's point of view, should I prefer giving away some CPU for a couple of minutes in exchange for a site's content? Or should I prefer being bombarded with really terrible advertisements (which, if interacted with, can download some really malicious software)? I mean, I understand that CPU hogging is very annoying, but so is being bombarded with adverts. If I had to choose between giving up some CPU for a couple of minutes and those adverts, I'd choose the CPU any day. But then, of course, you can always use a good ad-blocker, and the good ones now block the known mining scripts as well!

Some closing thoughts: is it possible that sites which rely purely on adverts will finally have a way to remove (or tone down) the adverts, in exchange for using the client's CPU cycles? From a legal standpoint? No. Realistically? Probably not; I really doubt it. Maybe if they strike a balance between tasteful ads and low CPU consumption? Only the future will tell. Or maybe it's just a fad, like 3D TVs (but that's an argument for another day).

(Article image credit: https://insight.jbs.cam.ac.uk/2016/could-cryptocurrency-help-the-bottom-billion)