Application Security

Linus Torvalds on Meltdown: Perhaps We Should Move to ARM

4 Jan 2018 4:08pm, by

Linux creator Linus Torvalds previously loved Intel and the x86 architecture. The architecture has an established infrastructure, programs just run and unlike ARM, code doesn’t need to be tweaked to devices.

But critical x86 vulnerabilities that allow hackers to steal data from chip memory has Torvalds fuming at Intel, and telling the Linux community to seriously consider ARM architecture.

Researchers on Wednesday revealed multiple exploits — called Meltdown and Spectre — on Intel x86 chips in which hackers can access sensitive information from protected kernel memory in PCs, mobile phones and tablets with Windows or Linux-based operating systems.

Torvalds said the exploit happened partly because of incompetency in Intel’s chip design process. After a few comments on Intel’s poor response to the exploits, he suggested perhaps it was time to drop Intel and look to ARM.

“Maybe we should start looking towards the ARM64 people more,” Torvalds said.

The exploits are big, affecting millions, potentially billions of devices.  The exploits take advantage of what Intel calls “speculative execution” of instructions — which is a kind of pre-execution of instructions for predictive processes  — to steal personal data from vulnerable kernel memory spaces. The pre-executed instructions may or may not be used, but preparing them reduces the number of cycles it takes to execute a task, thus speeding up a chip.

Google discovered three techniques of “side-channel analysis” to potentially leak secret information, which could include usernames, passwords and other data typically protected on a computer. “These techniques can be used via JavaScript code running in the browser, which may allow attackers to gain access to memory in the attacker’s process,” Microsoft said in a blog entry.

From the CERT Vulnerability Note
Different CPUs are impacted differently, for example, the speculative execution and cache implementation of many Intel CPUs allows an attacker to read kernel memory using variant 3 on un-protected operating systems. Attacks require the ability to execute code locally on a target system. Typically this requires a valid account or independent compromise of the target. Attacks using JavaScript in web browsers are possible. Multi-user and multi-tenant systems (including virtualized and cloud environments) likely face the greatest risk. Systems use to browse arbitrary web sites are also at risk. Single-user systems that do not readily provide a way for attackers to execute code locally face significantly lower risk.

Individual computers could be at risk through the browser — already one group of researchers have crafted a JavaScript exploit. Beyond browsers, however, this exploit affects a wide range of programs and virtualization software. It also affects chips from AMD and ARM. Software providers, chip and cloud companies are issuing alerts and patches, and links can be found on the Meltdown website.

The full brunt of the vulnerabilities isn’t yet known, but the patches could affect chip performance and impact cloud and software providers. One benchmark by Phoronix showed a slowdown in the Linux OS and the PostgreSQL database. The patches could bring a performance penalty between 5 percent and 30 percent to Windows, Linux and MacOS computers, wrote Michael Larabel, founder of Phoronix, in the article.

Intel has issued press statements downplaying the vulnerabilities, saying it wasn’t an architectural issue and an industrywide problem, a fact that AMD disputed. But given Intel CPUs are used in a majority of PCs and more than 90 percent of servers, they are attracting the most attention.

“I think somebody inside of Intel needs to really take a long hard look at their CPUs, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed,” Torvalds wrote.

Feature image via Pixabay.


A digest of the week’s most important stories & analyses.

View / Add Comments

Please stay on topic and be respectful of others. Review our Terms of Use.