【科技】英特尔的处理器存在安全漏洞,修复可能会降低PC的速度 [美国媒体]

英特尔处理器的一个安全缺陷导致了Linux和Windows内核需要重新设计。 过去两个月,程序员一直忙于修补Linux内核的虚拟内存系统,以防止Intel CPU中的硬件错误。这些错误可能会让攻击者利用安全弱点访问磁盘上缓存的安全密钥,密码和文件。Register报告说,Windows和Linux系统都需要软件更新,并且机器的性能也会受到影响。



A security flaw in Intel processors has led to a redesign of Linux and Windows kernels. Programmers have been busy for the past two months patching the Linux kernel’s virtual memory system to protect against a hardware bug in Intel CPUs that could let attackers exploit security weaknesses and access security keys, passwords, and files cached from a disk. The Register reports that software updates are required for both Windows and Linux systems, and performance of a machine will be affected.

英特尔处理器的一个安全缺陷导致了Linux和Windows内核需要重新设计。 过去两个月,程序员一直忙于修补Linux内核的虚拟内存系统,以防止Intel CPU中的硬件错误。这些错误可能会让攻击者利用安全弱点访问磁盘上缓存的安全密钥,密码和文件。Register报告说,Windows和Linux系统都需要软件更新,并且机器的性能也会受到影响。

Reports suggest information around the specific bug has been kept confidential between software and hardware vendors, and patches for the Linux kernel include comments that have been redacted to prevent attackers discovering the precise weakness. The security bug could be present on Intel processors manufactured over the past 10 years, meaning many systems will require updates. 

相关报导暗示软件和硬件厂商之间对漏洞进行保密,以及Linux内核的补丁和已经编辑过的注释,以防止攻击者发现确切的弱点。英特尔过去10年间生产的处理器都可能存在安全漏洞,这意味着许多系统将需要更新。

The exact bug is related to the way that regular apps and programs can discover the contents of protect kernel memory areas. Kernels in operating systems have complete control over the entire system, and connect applications to the processor, memory, and other hardware inside a computer. There appears to be a flaw in Intel’s processors that lets attackers bypass kernel access protections so that regular apps can read the contents of kernel memory. To protect against this, Linux programmers have been separating the kernel's memory away from user processes in what’s being called “Kernel Page Table Isolation.”

确切的错误与用户应用程序可以发现内核内存保护区域的内容有关。操作系统中的内核可以完全控制整个系统,并将应用程序连接到计算机内的处理器,内存和其他硬件。 英特尔处理器似乎存在一个漏洞,允许攻击者绕过内核内存访问保护,以便用户应用程序可以读取内核内存的内容。为了防止这种情况发生,Linux程序员已经将内核的内存从用户进程中分离出来,称为“内核页表隔离”。
 

The problem with this isolation is that some programmers are reporting performance hits after systems are patched. The Register reports that the slowdowns could be between 5 and 30 percent depending on the exact Intel processor. While Linux patches have been rolling out over the past month, a Windows 10 patch is not yet available. Some are speculating that Microsoft will deliver this in an upcoming Patch Tuesday, as the company started separating the NT kernel memory with Windows 10 beta builds in November. “We have nothing to share at this time,” says a Microsoft spokesperson, in response to a query from The Verge.

这种隔离的问题在于有些程序员在系统修补后的性能损失。Register报告说,性能损失可能在5%到30%之间,这取决于具体的英特尔处理器型号。尽管过去一个月Linux补丁已经推出,但Windows 10补丁尚不可用。有人猜测,微软将在星期二发布补丁,因为该公司在11月份开始将NT内核内存与Windows 10 beta版本分离。微软发言人在回应The Verge的一次询问时表示:“目前我们没有什么可分享的东西。

It’s still unclear how these patches will affect regular Windows, Mac, and Linux machines. AppleInsider reports that Apple has already deployed a partial fix for the security bug in macOS 10.13.2, which was released last month. Citing multiple sources at Apple and developer Alex Ionescu, who publicly identified code that points to the fix, the report says Apple has mitigated the flaw by altering existing programming requirements related to the kernel memory data in macOS. More changes are expected to come with 10.13.3 soon, AppleInsider reports. 

目前还不清楚这些补丁如何影响普通的Windows,Mac和Linux机器。 AppleInsider报道,苹果公司已经部署了上个月发布的macOS 10.13.2中的安全漏洞补丁。苹果和开发商Alex Ionescu引用了多个消息来源,他们公开指出了指向该修补程序的代码,报告称苹果通过改变macOS中与内核内存数据相关的现有编程要求来缓解这个缺陷。AppleInsider报告称,预计10.13.3将会有更多的变化。

Still, one researcher speculates that virtual machines and cloud providers will be most affected by the security problem and resulting performance hits. Microsoft’s Azure cloud will experience maintenance next week, and Amazon Web Services has warned that a big security update is coming on Friday. AMD has confirmed that its own processors are not affected by this security bug. “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against,” explains Tom Lendacky, an AMD engineer. AMD stocks have soared this morning as a result of Intel’s processor flaw. Intel has not yet publicly commented on the security problem.
不过,一位研究人员推测,虚拟机和云提供商将受到安全问题和性能的影响最大。 微软的Azure云将在下周进行维护,亚马逊网络服务已经警告说,周五将会有一个重大的安全更新。 AMD已经证实,它自己的处理器不受这个安全漏洞的影响。 AMD公司的工程师Tom Lendacky解释说:“AMD处理器不受内核页表隔离功能所抵御的攻击类型的限制。”由于英特尔处理器的缺陷,AMD股价今天早上大涨。 英特尔尚未公开评论安全问题。



zedx79 
That’s a big performance hit for some processes. Why so to detect the issue?
Posted on Jan  3, 2018 |  8:51 AM

这对一些处理器的性能影响很大。为什么要修复这个错误?

jmanes 
I believe the fault is Intel’s, but Microsoft and the Linux kernel team are fixing Intel’s mistake in software. A software fix for a hardware bug will always be extremely slow.
Posted on Jan  3, 2018 |  8:55 AM

我相信问题出在英特尔,但是微软和Linux的内核团队正在用软件方法修复英特尔的错误。用软件修复一个硬件错误总是很慢的。

Cory Lu Lu 
Furthermore, ideally, hardware issues are fixed using microcode/fireware fixes, but it seems that Intel’s flaw cannot be fixed in this way. That is why OS’s have to make kernel changes to fix it, because Intel simply can’t, and it leaves the OS’s security exposed.
Posted on Jan  3, 2018 |  3:44 PM

理想情况下,硬件问题使用微码或者固件进行修复。但是好像英特尔的缺陷不能用这种方式修复。这就是为什么操作系统必须更改内核,因为英特尔修复不了,并且这个错误让操作系统存在安全隐患。

DJ CERL
The slowdowns could be between 5 and 30 percent depending on the exact Intel processor
Stick a fork in Intel, it’s done.
Posted on Jan  3, 2018 |  8:56 AM

性能损失在5%到30%。取决于具体的处理器。插死英特尔,全完了。

Nargg 
Yeah, kicking myself for not going AMD on my last build. 
Posted on Jan  3, 2018 |  9:28 AM

对,上次装机没用AMD真想踹自己一脚。

McDustyRusty 
Your assuming it matters. The ‘fix’ might be universally applied, not just when the processor is Intel based. If so, AMD processor based system could see the same performance drop.
Posted on Jan  3, 2018 | 12:26 PM

你以为有区别。修复是全局的。不是只针对因特尔处理器。如果这样,AMD处理器也会受到同样的性能损失。

err404 
Sure it will. Keep telling yourself that if it makes you feel better.
Posted on Jan  3, 2018 |  1:03 PM

当然是这样。继续给自己洗脑如果这样能让你感觉好一点。

mcilloni 
As far as the Linux field goes, AMD already submitted a patch that marks their CPUs as "secure", thus, in theory, avoiding the slowdowns.
This whole situation is a godsent chance for EPIC to wreck Intel Xeons to smithereens.
Posted on Jan  3, 2018 |  1:26 PM

在Linux领域,AMD已经提交了补丁标注他们的处理器是安全的。所以理论上,不存在性能损失。这是天赐的良机让EPYC(译注:AMD服务器处理器)击败因特尔志强处理器。

StarkFuture 
Yup, and the data-centers are where the money is these days.
Posted on Jan  3, 2018 |  2:34 PM

是的,现在数据中心才赚钱。