Once again, the discussion turns towards security issues plaguing various processors in the market. This time, it’s worth highlighting the joint acknowledgment from Intel and Microsoft regarding a vulnerability that impacts dozens of Intel processors. The predicament lies in the fact that addressing this flaw in Intel processors entails a substantial trade-off in performance.
Following the revelation of vulnerabilities like Specter and Meltdown, which primarily targeted Intel processors, a slew of additional vulnerabilities has come to light. The proliferation of such issues stems from the heightened scrutiny applied at the silicon level. Prior to this, investigations didn’t delve as profoundly, but the need for such scrutiny has been unequivocally demonstrated.
Since then, a surge in these security vulnerabilities has emerged, subsequently impacting performance. It’s important to acknowledge that the remedies being devised inherently lead to a degradation in overall system performance.
Intel Faces Vulnerability Challenge Yet Again
Once again, Intel finds itself grappling with security vulnerabilities. The focal point of concern this time is a vulnerability that targets the transient or speculative execution side channel. This flaw, known as Gather Data Sampling (GDS) or alternately, “Downfall,” has been assigned the technical identifier CVE-2022-40982.
The impact of this vulnerability spans across Intel processors from the 7th Generation through the 11th Generation. Notably, processors from the 12th Gen (Alder Lake) and 13th Gen (Raptor Lake) appear to be exempt from this issue. These latest generations incorporate the Trust Domain eXtension (TDX), a feature that effectively isolates virtual machines (VMs) from virtual machine managers (VMMs).
This isolation creates a safeguarded environment akin to a bubble-like system, wherein hardware-isolated virtual machines are essentially designated as “trusted domains.”
Elaborating on the matter, a Microsoft document linked to the KB5029778 patch explains:
“Microsoft is aware of a new transient execution attack called Data Collection Sampling (GDS) or ‘Drop.’ This vulnerability could be used to infer data from affected CPUs across security boundaries such as user kernel, processes, virtual machines (VMs), and trusted execution environments.”
Intel’s explanation of Downfall encompasses the following processors:
- 7th Generation (Kaby Lake)
- 8th Generation (Coffee Lake)
- 9th Generation (Coffee Lake update)
- 10th Generation (Comet Lake)
- 11th Gen (Rocket Lake on desktop/Tiger Lake on mobile)
It’s noteworthy that the aforementioned processors lack the Trust Domain eXtension, a feature introduced from the 12th Generation onwards. As per Intel’s explanation:
“Gather Data Sampling (GDS) is a transient execution side channel vulnerability that affects certain Intel processors. In specific scenarios, during a collect instruction involving certain memory loads, a malicious attacker could exploit this instruction type to deduce stale data from previously utilized vector registers. These registers might correspond to those used by the same thread or its sibling thread on the same processor core.”
Performance-Impacting Mitigation
Intel has officially acknowledged that this vulnerability can be addressed through a microcode update or an Intel Platform Update. Swift implementation of the recommended update is advised to effectively mitigate the vulnerability.
In familiar fashion, we encounter the typical conundrum: a security breach that necessitates patching through software means, inevitably impacting performance. Remarkably, the resemblance to the Specter and Meltdown vulnerabilities is striking, with the inference that these vulnerabilities were ostensibly resolved starting from the 9th Generation of Intel’s processors.