Kernel page-table isolation

From Wikipedia, the free encyclopedia

Figure: Separation of a shared user/kernel address space into two separate page tables. Besides a copy of the user mappings, the user-mode page table contains only the minimal kernel code needed to handle system calls and switch to the separate page table holding the kernel.

Kernel page-table isolation (KPTI for short, formerly KAISER) is a workaround for the vulnerability called Meltdown in Intel x86 processors. It works by separating user memory and kernel memory. KPTI was merged into Linux kernel 4.15, which is expected in early 2018, and was also backported to Linux kernels 4.4.110, 4.9.75 and 4.14.11. Similar updates are available for Windows and macOS. KPTI does not protect against the Spectre vulnerability.

Background to KAISER

In 2014, Linux Kernel Address Space Layout Randomization (KASLR) was introduced, which hides the kernel's addresses from user space and makes it harder to exploit other vulnerabilities in the kernel. Although user space is denied access to these kernel mappings, modern processors have been shown to be susceptible to several side-channel attacks that allow the addresses of the mappings to be inferred, thereby bypassing KASLR.

KAISER stands for "Kernel Address Isolation to have Side-channels Efficiently Removed" and was published in June 2017, before Meltdown was known. KAISER goes a step beyond KASLR: while KASLR only hides the kernel's addresses, KAISER also prevents the contents of kernel memory from being read by side channels, thus closing the Meltdown security gap.

Meltdown and KPTI

In January 2018, the Meltdown vulnerability was published, which mainly affects Intel x86 processors. Researchers had found out in the summer that not only the kernel's memory layout, as originally assumed, but also the contents of kernel memory could be read out. As a result, the KAISER patches were repurposed (and renamed KPTI) to close this vulnerability.

AMD x86 processors are not affected by Meltdown and therefore do not require the workaround. However, AMD processors remain susceptible to KASLR bypasses if KPTI is not active.

KPTI is based on KAISER. Without KPTI, Linux keeps all of its kernel memory mapped in the page tables even while user-space code (applications) is executing, albeit protected against access from user mode. The advantage of this is that the kernel's mappings are always available when an application makes a system call or an interrupt is triggered, so the overhead of a context switch (flushing the translation lookaside buffer (TLB), swapping page tables, etc.) can usually be avoided.

Implementation

KPTI eliminates the possibility of such side-channel reads by completely separating the page tables of the user and kernel address spaces. On processors that support PCID (process-context identifiers), the TLB flush on each switch can be avoided, but even then there is a noticeable loss of performance, especially for workloads with frequent system calls or interrupts.

The KAISER developers measured the overhead at 0.28% at the time; a Linux developer put it at around 5% for most use cases and up to 30% in some cases, despite the PCID optimization; for the PostgreSQL database management system, read-only tests on an Intel Skylake processor showed a slowdown of 7–17% (or 16–23% without PCID), while a full benchmark lost 13–19% (Coffee Lake vs. Broadwell E). Redis was slowed down by 6–7%.

Under operating systems such as Linux, a kernel boot parameter set in the boot loader determines whether KPTI is activated. With some kernel versions, this can also be changed at runtime. This allows the performance impact to be measured and assessed for one's own workloads and hardware, and a decision to be made, depending on the situation, whether KPTI should be used.
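The following small tool, added here as an illustration and not part of the article or of the Linux kernel, shows how a practitioner would check whether KPTI is active on a Linux system and measure the cost that KPTI adds to every kernel entry. It reads the kernel's sysfs status file `/sys/devices/system/cpu/vulnerabilities/meltdown` (present since kernel 4.15) and looks for the mainline boot parameters `nopti` and `pti=off` on `/proc/cmdline`; the article does not name these files and parameters, they are the ones the mainline kernel uses. The benchmark loops over a trivial system call, which is where the page-table switch (and the TLB flush on processors without PCID) is paid. The program cannot toggle KPTI itself: to compare the two configurations, run it once, reboot with the parameter changed, and run it again.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Interpretation of /sys/devices/system/cpu/vulnerabilities/meltdown.
 * The matched strings are the ones the kernel writes there; the enum is ours. */
enum pti_status { PTI_ENABLED, PTI_VULNERABLE, PTI_NOT_AFFECTED, PTI_UNKNOWN };

enum pti_status parse_meltdown_status(const char *text)
{
    if (strstr(text, "Mitigation: PTI") != NULL) return PTI_ENABLED;
    if (strncmp(text, "Not affected", 12) == 0)  return PTI_NOT_AFFECTED;
    if (strncmp(text, "Vulnerable", 10) == 0)    return PTI_VULNERABLE;
    return PTI_UNKNOWN;
}

/* Returns 1 if the boot command line turns KPTI off via "nopti" or "pti=off".
 * Tokens are compared whole so that "pti=on" or "pti=auto" is not misread. */
int cmdline_disables_pti(const char *cmdline)
{
    char buf[4096];
    strncpy(buf, cmdline, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " \t\n"); tok != NULL; tok = strtok(NULL, " \t\n")) {
        if (strcmp(tok, "nopti") == 0 || strcmp(tok, "pti=off") == 0)
            return 1;
    }
    return 0;
}

/* Average cost in nanoseconds of one trivial system call (getpid is not served
 * by the vDSO, so every call really enters the kernel). KPTI adds a page-table
 * switch on each entry and exit, so its overhead shows up directly here. */
double bench_syscall_ns(long iterations)
{
    struct timespec start, end;
    if (iterations <= 0) return 0.0;
    clock_gettime(CLOCK_MONOTONIC, &start);
    for (long i = 0; i < iterations; i++)
        syscall(SYS_getpid);
    clock_gettime(CLOCK_MONOTONIC, &end);
    double ns = (end.tv_sec - start.tv_sec) * 1e9 + (end.tv_nsec - start.tv_nsec);
    return ns / (double)iterations;
}

/* Reads a small text file into buf; returns 0 if the file cannot be opened. */
static int read_text(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) return 0;
    size_t n = fread(buf, 1, len - 1, f);
    buf[n] = '\0';
    fclose(f);
    return 1;
}

int main(void)
{
    static const char *names[] = { "KPTI enabled", "vulnerable (KPTI off)",
                                   "not affected", "unknown" };
    char buf[4096];

    if (read_text("/sys/devices/system/cpu/vulnerabilities/meltdown", buf, sizeof buf)) {
        enum pti_status st = parse_meltdown_status(buf);
        printf("meltdown status: %s -> %s\n", strtok(buf, "\n"), names[st]);
    } else {
        printf("meltdown status: sysfs entry not present (kernel before 4.15 or non-x86)\n");
    }
    if (read_text("/proc/cmdline", buf, sizeof buf))
        printf("boot command line %s KPTI\n",
               cmdline_disables_pti(buf) ? "disables" : "does not disable");

    printf("getpid syscall: %.1f ns per call\n", bench_syscall_ns(1000000));
    return 0;
}
```

The per-call figure is only meaningful relative to a second run on the same machine with the other setting; absolute values vary with CPU, microcode and kernel version, and a syscall-bound loop exaggerates the effect compared with the application-level numbers quoted above.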
