Yesterday it emerged a major processor-level kernel security flaw in CPUs could not be simply patched. Instead, a workaround for the so-called Meltdown and Spectre could severely compromise hardware performance. While cloud giants Microsoft, Amazon, and Google say their systems are mostly protected, CERT says the only way to solve the issue it to change the affected CPU.
CERT is the Computer Emergency Response Team, based at Carnegie Mellon University. The team is sponsored by the U.S. Department of Homeland Security Office of Cybersecurity and Communications. CERT says the only way to properly bypass the flaw is a processor switch.
“The underlying vulnerability is primarily caused by CPU architecture design choices,” CERT researchers say in a blog post. “Fully removing the vulnerability requires replacing vulnerable CPU hardware.”
The Meltdown and Spectre CPU flaw is embedded in the kernel operations within a system. When a command is sent to perform any task, the CPU passes control to the kernel, which stays below the surface in processes even once the CPU takes back control. This is to ensure smoother and faster performance, but also means systems are potentially at risk at kernel level.
In its newest chips, Intel has overcome the problem with the Kernel Page Table Isolation (PTI) workaround. PTI places the kernel in a dedicated address space, making it unavailable to running processes. However, this comes are a costly price as is severely compromises performance.
Intel has yet to discuss this flaw, waiting under an embargo until the end of this month. If the PTI workaround is the only answer, it could prove problematic to companies that rely on fast processing. Some of those companies are the cloud giants like Amazon, Microsoft, and Google.
Incoming Regulatory Pressure?
In its advisory, CERT says users should apply patches, but these will only “mitigate the underlying hardware vulnerability.”
It is worth pointing out that CERT has no regulatory control despite being government-related. In other words, the team is not mandating companies and customers to remove the CPUs. However, considering the potential significance of this problem, some regulatory pressure from other departments is not out of the question.
The vulnerability is so widespread, it could affects most machines on the planet. It certainly affects all tech giants, such as Apple, Google, AMD, Microsoft, Amazon, and of course Intel. If these giants were forced to replace CPUs, the costs would be truly massive.