How to disable Spectre protection: a new parameter has been added to the Linux kernel
A flag has appeared in the Linux kernel that lets a process keep the Spectre v4 mitigation for itself while preventing that mitigation from being inherited by the programs it launches with execve(). More about the new parameter below.
Why the protection needed to be disabled
The Spectre family of processor vulnerabilities first became public at the beginning of 2018, and over the following months it was joined by new variants. The vulnerabilities stem from the mechanisms that make modern processors fast, out-of-order speculative execution and branch prediction, and they let an attacker bypass memory isolation on processors from Intel and AMD.
To close the vulnerabilities, operating-system developers ship patches, but installing them often slows servers down. On Linux machines, for example, some Spectre mitigations have been reported to cost 30–50% of performance in certain workloads.
System administrators were unhappy with this, especially in large data centers, and began asking the Linux kernel developers for a way to disable Spectre protection selectively. Some of the discovered vulnerabilities are largely theoretical, and on some systems they cannot realistically do harm: render farms and air-gapped supercomputers, for example, are not connected to the Internet, so injecting malicious code into them is not a practical concern. (The mitigations defend against untrusted code running on the same machine, so the question that matters is whether such code can get there at all, not only whether the box is online.)
The kernel developers met the users halfway and added several switches that turn off the protection against Spectre v1, v2 (more on those later) and v4. The most recent of them, added in early February 2019, is the new prctl flag PR_SPEC_DISABLE_NOEXEC.
What the new flag disables and why
Spectre v4 is known as Speculative Store Bypass (SSB). It lets malicious code observe the side effects of speculative loads whose results the processor later discards as incorrect.
The situation arises when a program performs a store and then a load through pointers whose addresses are not yet known. Rather than wait for the store's address to resolve, the processor's memory disambiguation logic guesses that the load does not depend on the pending store and lets it run ahead, reading the old value from that location. If, once the store address is known, the two turn out to overlap (that is, the load read stale data), the processor squashes the load and everything that depended on it and executes it again. The architectural result is correct, but the instructions that ran on the stale value have already left traces in the cache.
In theory, an attacker who knows the layout of the target's memory can use those traces to recover its contents, including secrets such as encryption keys. In practice the threat model is code running in the same address space under a software sandbox, such as a JIT-compiled script, reading memory that the sandbox is supposed to keep out of reach.
The Linux patch for Spectre v4 appeared a few days after the vulnerability was published. The mitigation, Speculative Store Bypass Disable (SSBD), tells the CPU to stop letting loads run ahead of older stores with unresolved addresses, which removes a piece of out-of-order execution. The kernel's default mode (spec_store_bypass_disable=seccomp) does not apply SSBD to every process: it applies it to tasks that opt in through prctl() or that install a seccomp filter. Where it applies, the cost has been reported at 10–40% for memory-heavy workloads.
Kernel 4.17, released in early June 2018, added per-task control of this mitigation through prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, ...): PR_SPEC_DISABLE turns SSBD on for the calling task, PR_SPEC_ENABLE turns it off again, and PR_SPEC_FORCE_DISABLE turns it on permanently. There was one problem: the SSBD state set by a process followed it across fork() and execve(), so every program launched from a mitigated process, such as a runtime that had called prctl() at startup, ran with the mitigation too, whether it needed it or not, and administrators had to switch it off again by hand in each child. In early February 2019 kernel developers added the flag PR_SPEC_DISABLE_NOEXEC to fix this. It complements the earlier options: it behaves like PR_SPEC_DISABLE, but the kernel clears the SSBD state when the task calls execve(), so the mitigation protects the process that requested it without being passed on to the programs it executes. PR_SPEC_DISABLE_NOEXEC is a value for the prctl() speculation-control interface, and a process can set it for itself at any time, typically at startup.
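To make the semantics concrete, here is an added example (not code from the article or from the kernel patch) that decodes a task's SSB state as returned by PR_GET_SPECULATION_CTRL, requests PR_SPEC_DISABLE_NOEXEC, then forks and re-executes itself so that /proc/self/status shows the state on each side of execve(). It assumes a Linux system with kernel 5.1 or later and a CPU affected by SSB; on older kernels the PR_SET call fails and the program reports the errno. The constants are the kernel's own UAPI values, redefined only as fallbacks for older headers; the ssb_* function names are this example's own.

```c
/* Added example, not part of the original article or of the kernel patch:
 * exercise PR_SPEC_DISABLE_NOEXEC and observe that the SSBD state survives
 * fork() but is dropped on execve(). Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/wait.h>

/* Fallbacks for older <sys/prctl.h>; values match include/uapi/linux/prctl.h. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS 0
#endif
#ifndef PR_SPEC_PRCTL
#define PR_SPEC_PRCTL         (1UL << 0)
#define PR_SPEC_ENABLE        (1UL << 1)
#define PR_SPEC_DISABLE       (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
#endif

enum ssb_state {
    SSB_NOT_AFFECTED,         /* all bits zero: the CPU is not affected */
    SSB_MITIGATION_OFF,       /* speculation enabled: no SSBD for this task */
    SSB_MITIGATION_ON,        /* SSBD applied, inherited across fork and execve */
    SSB_MITIGATION_FORCED,    /* SSBD applied and cannot be undone */
    SSB_MITIGATION_ON_NOEXEC, /* SSBD applied, but cleared on execve */
    SSB_UNKNOWN               /* negative value (prctl failed) or unexpected bits */
};

/* Decode the value returned by prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS). */
enum ssb_state ssb_decode(long v)
{
    if (v < 0) return SSB_UNKNOWN;
    if (v == 0) return SSB_NOT_AFFECTED;
    if (v & PR_SPEC_FORCE_DISABLE) return SSB_MITIGATION_FORCED;
    if (v & PR_SPEC_DISABLE_NOEXEC) return SSB_MITIGATION_ON_NOEXEC;
    if (v & PR_SPEC_DISABLE) return SSB_MITIGATION_ON;
    if (v & PR_SPEC_ENABLE) return SSB_MITIGATION_OFF;
    return SSB_UNKNOWN;
}

/* True if the task may change its own SSB state with PR_SET_SPECULATION_CTRL
 * (the PR_SPEC_PRCTL bit; absent in the global "on"/"off" boot modes). */
int ssb_controllable(long v)
{
    return v > 0 && (v & PR_SPEC_PRCTL) != 0;
}

long ssb_get(void)
{
    return prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
}

/* Turn SSBD on for this task until its next execve(); returns 0 or -errno
 * (ENXIO: not controllable in this boot mode; EINVAL: flag unknown to the kernel). */
int ssb_disable_noexec(void)
{
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS,
              PR_SPEC_DISABLE_NOEXEC, 0, 0) != 0)
        return -errno;
    return 0;
}

/* Print the kernel's own view of the task: the Speculation_Store_Bypass line of /proc/self/status. */
static void print_status_line(const char *tag)
{
    char line[256];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "Speculation_Store_Bypass:", 25) == 0)
            printf("%-21s %s", tag, line);
    fclose(f);
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--child") == 0) {
        print_status_line("after execve:");   /* the NOEXEC state must be gone here */
        return 0;
    }
    long before = ssb_get();
    printf("raw state before prctl: %ld (controllable=%d)\n", before, ssb_controllable(before));
    int rc = ssb_disable_noexec();
    if (rc) {
        fprintf(stderr, "PR_SPEC_DISABLE_NOEXEC failed: %s\n", strerror(-rc));
        return 1;
    }
    print_status_line("parent:");
    pid_t pid = fork();
    if (pid == 0) {
        print_status_line("child before execve:");   /* fork() keeps the state */
        execl("/proc/self/exe", argv[0], "--child", (char *)NULL);
        _exit(127);
    }
    waitpid(pid, NULL, 0);
    return 0;
}
```

Run it as an unprivileged user. On an affected CPU in the default seccomp/prctl mode, the "parent:" and "child before execve:" lines read "thread mitigated" while "after execve:" reads "thread vulnerable": that boundary is exactly what the flag introduces. If the mitigation is global (spec_store_bypass_disable=on) the PR_SET call returns ENXIO and no per-task control applies.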
What experts say
The new flag was proposed on the Linux kernel mailing list by Waiman Long of Red Hat. According to him, the Spectre v4 mitigation measurably hurts applications that write to memory heavily, such as databases, while only a narrow class of programs, those that run code on behalf of several users inside one process, such as Java, actually need it. With PR_SPEC_DISABLE_NOEXEC such a program can enable SSBD for itself without silently imposing it on every process it spawns, which speeds up servers with many concurrently running processes.
At the same time, members of the IT community point out that in some situations careless use of the new flag can have unpleasant consequences.
“It is worth noting that in some environments it is not safe to disable protection from Spectre v4,” says Sergey Belkin, head of the development department at IaaS provider 1cloud.ru. “These include, for example, web services using Java and JavaScript. Disclosure of the contents of the controlling process by managed code can be fatal for application security.”
About other Spectre patches in the Linux kernel
Besides the PR_SPEC_DISABLE_NOEXEC flag, the Linux kernel has other switches that turn off Spectre protection. These are boot parameters, so they apply to the whole system rather than to one task.
The first is nospectre_v2. It disables the mitigation for Spectre v2 (branch target injection), in which an attacker trains the branch predictor so that the processor speculatively executes code at an attacker-chosen address, a "gadget" that leaks data through the cache. The mitigation replaces indirect branches with retpolines or restricts indirect branch prediction (IBRS), flushes the predictor on context switches (IBPB), and with STIBP stops one hardware thread from influencing the predictions of its sibling thread on the same CPU core.
Disabling the protection recovers up to about 30% of processor performance, which is how much was reported lost after the Spectre v2 patches in some workloads. Even Linus Torvalds backed leaving the choice to users: he objected to switching on the most expensive part, STIBP, by default, saying that the cross-thread attack it addresses only matters on processors with SMT, and that anyone worried about it would do better to turn SMT off.
The second parameter, nospectre_v1, disables the mitigation for the first Spectre variant (bounds check bypass). Here malicious code trains a conditional branch, typically an array bounds check, to be mispredicted, so that the processor speculatively reads past the end of the array from the memory region the attacker is interested in; the result is discarded, but the cache keeps a trace of it. Although the v1 mitigation (speculation barriers and index masking in the kernel's own code) costs little, and by some reports the slowdown is negligible, developers asked for the ability to disable this protection too. It simplifies the configuration of networks isolated from external access.
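Before booting with nospectre_v2 or nospectre_v1, and again afterwards, it is worth reading what the kernel says it has in place. The following added example (not from the article) parses the one-line status files that kernels since 4.15 expose under /sys/devices/system/cpu/vulnerabilities/; the vuln_* names and the sample strings in the comments are this example's own. It distinguishes "Not affected", "Vulnerable" and "Mitigation: ..." and keeps the kernel's description, so a deployment check can, for instance, confirm whether STIBP is still listed after a change.

```c
/* Added example, not from the original article: classify the status strings the
 * kernel exposes under /sys/devices/system/cpu/vulnerabilities/ so that a check
 * can verify what a boot parameter such as nospectre_v2 actually changed.
 * Example lines (constructed from the kernel's own format):
 *   "Not affected"
 *   "Vulnerable"
 *   "Mitigation: Speculative Store Bypass disabled via prctl and seccomp"
 *   "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling" */
#include <stdio.h>
#include <string.h>

enum vuln_status { VULN_NOT_AFFECTED, VULN_VULNERABLE, VULN_MITIGATED, VULN_UNKNOWN };

/* Copy src[0..len) into dst, truncating to n-1 bytes, NUL-terminated. */
static void copy_detail(const char *src, size_t len, char *dst, size_t n)
{
    if (len >= n) len = n - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Map one sysfs line to a status. 'detail' receives the text after "Mitigation: "
 * or "Vulnerable: " (the kernel's description of what is or is not in place), else "". */
enum vuln_status vuln_classify(const char *line, char *detail, size_t n)
{
    size_t len = strcspn(line, "\n");          /* ignore the trailing newline, if any */
    detail[0] = '\0';
    if (len == 12 && strncmp(line, "Not affected", 12) == 0)
        return VULN_NOT_AFFECTED;
    if (len >= 10 && strncmp(line, "Vulnerable", 10) == 0) {
        if (len > 12 && strncmp(line + 10, ": ", 2) == 0)
            copy_detail(line + 12, len - 12, detail, n);
        return VULN_VULNERABLE;
    }
    if (len > 12 && strncmp(line, "Mitigation: ", 12) == 0) {
        copy_detail(line + 12, len - 12, detail, n);
        return VULN_MITIGATED;
    }
    return VULN_UNKNOWN;
}

/* Read and classify one entry, e.g. "spectre_v2". A missing file (kernel older than
 * 4.15, or a vulnerability this kernel does not know about) is reported as VULN_UNKNOWN. */
enum vuln_status vuln_read(const char *name, char *detail, size_t n)
{
    char path[256], line[256];
    FILE *f;
    snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", name);
    detail[0] = '\0';
    f = fopen(path, "r");
    if (!f)
        return VULN_UNKNOWN;
    if (!fgets(line, sizeof line, f))
        line[0] = '\0';
    fclose(f);
    return vuln_classify(line, detail, n);
}

/* True if the kernel's description mentions a component, e.g. "STIBP" or "retpoline". */
int vuln_mentions(const char *detail, const char *feature)
{
    return strstr(detail, feature) != NULL;
}

int main(void)
{
    static const char *const names[] = { "spectre_v1", "spectre_v2", "spec_store_bypass" };
    static const char *const words[] = { "not affected", "VULNERABLE", "mitigated", "unknown" };
    char detail[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        enum vuln_status s = vuln_read(names[i], detail, sizeof detail);
        printf("%-18s %-12s %s\n", names[i], words[s], detail);
    }
    return 0;
}
```

A host booted with nospectre_v2 shows spectre_v2 as "Vulnerable", which the check above reports as VULNERABLE with an empty description; if the line instead reads "Vulnerable: ..." the kernel is explaining which part of the mitigation is missing, and the text is kept for the operator.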
The Linux kernel community remains true to the principle of free choice that Linus Torvalds laid down at the very beginning: users themselves are responsible for balancing the security and performance of their Linux systems. So it is reasonable to expect that when new Spectre-like vulnerabilities are found, the kernel will gain both a mitigation and a switch to turn it off.