Researcher Talks Of Possible CPU Security Mitigations With No Performance Cost

Written by Michael Larabel in Linux Security on 11 February 2022 at 06:00 AM EST.
A security researcher presented at last weekend's Free and Open source Software Developers' European Meeting (FOSDEM) conference on mitigating processor vulnerabilities like Spectre and Meltdown with negligible performance cost.

Sebastian Eydam with Cyberus Technology spoke at FOSDEM 2022 on potentially being able to mitigate processor vulnerabilities like Spectre and Meltdown with little to no performance cost. However, the big caveat is that this is just security research right now and has only been prototyped using the Hedron micro hypervisor.

This alternative to the existing software mitigation techniques would move process-related information in the kernel into a process-local portion of the kernel address space. In turn, a user-space bad actor would only be able to infer information about its own process and not that of others. Eydam summed up in his abstract, "This alternative mitigation involves moving process-related information in the kernel into a process-local part of the kernel address space. A userspace attacker that can infer the content of its associated kernel page table can thus only read information about its own process. Switching between these kernel address spaces is done as part of the normal address space switch when a thread in a different process is scheduled and thus comes with no additional cost."
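A toy model of the idea described above, added here as an illustration; it is not Cyberus or Hedron code, and every name in it (`proc_state`, `addr_space`, `switch_to`, `foreign_readable`) is hypothetical. It contrasts a kernel region mapped into every address space with a process-local one, assuming an attacker who can read everything its own page table maps, and counts page-table base loads to show that both layouts switch at the same cost.

```c
#include <stddef.h>
#include <stdio.h>
#define NPROC 4

/* Kernel-held per-process state (hypothetical stand-in, constructed values). */
struct proc_state { int owner; };
/* Modelled address space: which proc_state objects its page table maps. */
struct addr_space { const struct proc_state *mapped[NPROC]; };
static struct proc_state states[NPROC];
static struct addr_space shared_kernel[NPROC]; /* all state mapped everywhere */
static struct addr_space process_local[NPROC]; /* only the owner's state mapped */
static const struct addr_space *current;       /* models the page-table base */
static unsigned base_loads;                    /* page-table base writes so far */

void build_layouts(void)
{
    for (int p = 0; p < NPROC; p++) {
        states[p].owner = p;
        for (int q = 0; q < NPROC; q++) {
            shared_kernel[p].mapped[q] = &states[q];
            process_local[p].mapped[q] = (p == q) ? &states[q] : NULL;
        }
    }
}

/* Scheduling a thread of another process: one base load in either layout. */
void switch_to(const struct addr_space *layouts, int pid)
{
    current = &layouts[pid];
    base_loads++;
}

/* Assumed attacker reads all that its page table maps; counts others' state. */
int foreign_readable(const struct addr_space *layouts, int attacker)
{
    int n = 0;
    switch_to(layouts, attacker);
    for (int q = 0; q < NPROC; q++)
        if (current->mapped[q] && current->mapped[q]->owner != attacker)
            n++;
    return n;
}

int main(void)
{
    build_layouts();
    printf("foreign state readable: shared=%d process-local=%d\n",
           foreign_readable(shared_kernel, 0), foreign_readable(process_local, 0));
    return 0;
}
```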


The current CPU security mitigation costs cited by Cyberus.


Besides the lower performance impact of the possible mitigation strategy, it would also be CPU independent... But for now at least it's just research and the only published code is the prototyping work done on the Hedron micro-hypervisor (GitHub work).


So if it's as good as it is talked up to be, it would be a win for users compared to the significant performance costs of today's mitigations. However, so far there doesn't appear to be any independent critical analysis of the research, let alone any proposed Linux kernel patches or the like to show its viability in the real world. It would also be surprising if Intel engineers haven't already considered and evaluated this approach internally in the roughly five years they have been looking at Spectre and Meltdown.


In any case those who missed out on this research presentation last week can see the PDF slide deck and the video recording.