Oracle security researchers have been working on security feature for Linux kernels that could protect Linux-based systems against attacks that affect Intel’s Hyper-Threading (HT) feature. Multiple side-channel threats the feature's vulnerable against, including L1TF/Foreshadow and the MDS attacks, have been revealed over the past few months.
The Oracle developers didn't specify whether or not the recent MDS attacks against Intel’s HT would also be mitigated through its Kernel Address Space Isolation (KASI), only that it will protect against L1TF/Foreshadow. Other side-channel attacks seem to be up for debate, as any extra isolation being introduced into the kernel could potentially impact the performance of Linux systems.
Kernel Address Space Isolation
The Oracle team first proposed the Kernel-based Virtual Machine (KVM) Address Space Isolation solution in order to isolate the KVM’s address space from the rest of the kernel, as well as the user space. However, the team has now released an experimental version 2 of the feature redesigned as a framework. That means all sorts of kernel-level applications can isolate their address spaces.
The researchers also renamed the feature from KVM Address Space Isolation to KASI. The code is still a proof of concept, but it’s already said to be more stable than the first version of the mitigation feature.
They're now looking for suggestions on how to improve the feature before they attempt to merge it into an official release of the Linux kernel.
Intel Hyper-Threading Security Vulnerabilities
Last year, two major side-channel attacks were exposed against Intel’s HT CPU feature, TLBleed and L1TF/Foreshadow.
When TLBleed was first unveiled to the public, Theo de Raadt, founder of OpenBSD (an open-source, security-focused operating system), announced that HT would be disabled on OpenBSD systems. The OpenBSD founder also warned that more HT vulnerabilities are likely to appear in the near future. A couple of months later, the L1TF/Foreshadow flaw was also revealed, and the OpenBSD founder started encouraging everyone to disable Intel’s HT.
However, it wasn’t until the MDS side-channel attacks appeared that Google and Apple started taking the advice seriously. Google disabled HT on Chromebooks, but stopped at recommending the disabling of HT as an additional security measure against the MDS attacks. Even Intel admitted that some customers should consider disabling HT on their systems.
