Linus Torvalds Is Not Happy About Intel's Meltdown And Spectre Mess

Famed Linux developer Linus Torvalds has some pretty harsh words for Intel on the fiasco over Meltdown and Spectre, the massive security flaws in modern processors that predominantly affect Intel products.

Linus Torvalds in 1999. Photo: AP

Meltdown and Spectre exploit an architectural flaw with the way processors handle speculative execution, a technique that most modern CPUs use to increase speed. Both classes of vulnerability could expose protected kernel memory, potentially allowing hackers to gain access to the inner workings of any unpatched system or penetrate security measures.

The flaw can't be fixed with a microcode update, meaning that developers for major OSes and platforms have had to devise workarounds that could seriously hurt performance.

In an email to a Linux list this week, Torvalds questioned the competence of Intel engineers and suggested that they were knowingly selling flawed products to the public. He also seemed particularly irritated that users could expect a five to 30 per cent projected performance hit from the fixes.

"I think somebody inside of Intel needs to really take a long hard look at their CPU's, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed," Torvalds wrote. "...and that really means that all these mitigation patches should be written with 'not all CPU's are crap' in mind."

"Or is Intel basically saying 'we are committed to selling you shit forever and ever, and never fixing anything'?" he added. "Because if that's the case, maybe we should start looking towards the ARM64 people more."

"Please talk to management," Torvalds concluded. "Because I really see exactly two possibibilities: -- Intel never intends to fix anything OR -- these workarounds should have a way to disable them. Which of the two is it?"

As Business Insider noted, as the person in charge of the open-source Linux kernel, Torvalds may be freer to share his opinion on Intel's explanation for the issue than engineers working for the company's business partners.

Intel is currently being hit by a series of class action lawsuits citing the flaws and its handling of the security disclosure.

While workaround fixes for affected systems -- or at the very least, those that are still supported by developers -- have begun rolling out, per Wired, they're far from an ideal solution. Meltdown patches are available for Microsoft, Apple, Google and Linux systems, though Spectre is a far more difficult to resolve vulnerability and it may in fact be impossible to guard against it entirely without replacing hardware.

While consumer systems are impacted, enterprise systems like cloud service providers may suffer the biggest performance hits, take the longest to patch and are the likeliest targets of any malware targeting the exploits.

"One of the most confusing parts of this whole thing is that there are two vulnerabilities that affect similar things, so it's been challenging just to keep the two separate," TrustedSec security researcher Alex Hamerstone told Wired. "But it's important to patch these because of the type of deep access they give. When people are developing technology or applications they're not even thinking about this type of access as being a possibility so it's not something they're working around -- it just wasn't in anybody's mind."

[IT Wire/Business Insider]



    Did Linus write code that did not have bugs?
    Is this problem specific to Intel?
    I thought we were talking of Phones, Tablets and all PC's whether Intel or not.
    Moreover if this was such a glaring problem then why has it taken 20 years to find?

      You've fallen for the clever/deceptive PR referred to in the article. Intel very cleverly conflated two issues, one that only applies to them, and one that applies to them and everyone else.
      No, Linus isn't perfect and has probably a written code with a few bugs, but he hasn't written weasely press releases blaming everyone else, either.
      The one that really only affects Intel is called Meltdown, and it's this one that is not at all "works as designed" and is the one with specific kernel patches that cause slowdowns.
      The other is called Spectre, and does, like you say, affect the major manufacturers (and by extension phones, tablets and PCs)
      They're related because they're both "timing attacks" and side-effects of something called "speculative execution", a performance enhancement where the processor runs the code it has loaded even if it later decides it didn't need to. In both cases, an exploit means that code had access to memory it shouldn't have.
      In the case of Meltdown, this means all memory on the system including the operating system (and Kernel) due to a flaw in when Intel decide whether code is allowed to access a particular piece of memory.
      In the case of Spectre it's just the memory assigned to the program that's running, however this could still have serious consequences: imagine a rogue website able to read your login cookies for your internet banking in another tab.
      The glaring problem isn't that it was so easy to find, it's that we've been told that the processor works in a particular way, and is secure if used in a particular way and it isn't true. (and the specific thing Linus is complaining about really does apply to Intel and not, say, AMD)

      Last edited 09/01/18 10:35 pm

Join the discussion!