Recently, the public was made aware of a class of security vulnerabilities known as kernel side-channel attacks (KSCA), which can affect computers utilizing Intel processors. This bulletin provides MemSQL administrators with background on these attacks, possible mitigations, and information about the performance impact of different mitigations. It also discusses related software patches and cloud computing platform changes.
Page Table Isolation (PTI) is a Linux security feature designed to mitigate a class of KSCA, described by Red Hat here. PTI can reduce performance by increasing the cost of context switches, both between threads and between user space and kernel space.
There are three new Linux kernel flags for the mitigations: the main flag, PTI, plus Indirect Branch Prediction Barriers (IBPB) and Indirect Branch Restricted Speculation (IBRS). PTI controls how Linux maps pages in memory, while IBPB and IBRS control processor features that mitigate other aspects of the attack. The IBPB feature protects guest mode context switches (VM to VM attacks), and the IBRS feature protects kernel mode context switches (kernel attacks).
MemSQL has measured the performance impact of the Linux kernel flags (PTI, IBPB, IBRS) that mitigate the KSCA and has determined that the impact depends on the workload and can be significant. Because of this possible performance impact, we recommend that users measure configuration changes in a test environment before applying them in production. For applications that see a considerable performance impact, MemSQL administrators should consider isolating their workload from untrusted code running on the same machines as an alternative to applying the kernel flags that mitigate KSCA.
MemSQL administrators can protect against kernel side-channel attacks by applying the kernel flags for PTI, IBPB, and IBRS, or by isolating their runtime environment from untrusted code.
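The bulletin recommends measuring the flags in a test environment before touching production; the first step of that comparison is knowing which toggles each host actually has active. The script below is an added example, not MemSQL's own tooling. It assumes a RHEL/CentOS kernel from the advisories listed below, which exposes the toggles as /sys/kernel/debug/x86/{pti,ibpb,ibrs}_enabled (debugfs must be mounted) and honours the nopti/noibrs/noibpb boot parameters; the optional ROOT argument lets the functions be pointed at a constructed directory tree instead of "/".

```shell
#!/bin/sh
# Added example, not MemSQL's own tooling: report which KSCA mitigation
# toggles (PTI, IBPB, IBRS) are active on a host, so the setting on a test
# machine can be compared with production before a change is rolled out.
# Assumptions: a RHEL/CentOS kernel from the advisories in this bulletin,
# which exposes the toggles as /sys/kernel/debug/x86/{pti,ibpb,ibrs}_enabled
# (debugfs must be mounted) and honours the nopti/noibrs/noibpb boot
# parameters; ROOT lets the functions read a constructed tree instead of "/".

# read_flag FILE -> the file's numeric value, or "absent" if unreadable
read_flag() {
    if [ -r "$1" ]; then
        tr -d '\n' < "$1"
    else
        printf 'absent'
    fi
}

# ksca_status [ROOT] -> "pti=<v> ibpb=<v> ibrs=<v>"
ksca_status() {
    dbg="${1:-}/sys/kernel/debug/x86"
    printf 'pti=%s ibpb=%s ibrs=%s\n' \
        "$(read_flag "$dbg/pti_enabled")" \
        "$(read_flag "$dbg/ibpb_enabled")" \
        "$(read_flag "$dbg/ibrs_enabled")"
}

# ksca_cmdline_optouts [ROOT] -> the mitigation opt-outs found on the boot
# command line (nopti, pti=off, noibrs, noibpb), or "none"
ksca_cmdline_optouts() {
    cmd="${1:-}/proc/cmdline"
    [ -r "$cmd" ] || { printf 'absent\n'; return 0; }
    found=""
    for opt in $(cat "$cmd"); do
        case "$opt" in
            nopti|pti=off|noibrs|noibpb) found="${found:+$found }$opt" ;;
        esac
    done
    printf '%s\n' "${found:-none}"
}

# Stand-alone run: inspect this host (or the tree given as first argument).
ksca_status "${1:-}"
ksca_cmdline_optouts "${1:-}"
```

Run it on the test host and on a production host and diff the two lines; a mismatch means the measured performance numbers do not describe the production configuration.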
Linux Distribution Updates
- Red Hat Enterprise Linux (and derivatives)
  - RHEL 7
    - RHSA-2018:0007 - Security Advisory
  - RHEL 6
    - RHSA-2018:0008 - Security Advisory
  - CentOS 7
    - CESA-2018:0007 Important CentOS 7 kernel Security Update
  - CentOS 6
    - CESA-2018:0008 Important CentOS 6 kernel Security Update
Related Cloud Platform Bulletins
- Xen Security Advisory CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 / XSA-254
- Google Cloud