Microsoft Touts Using HyperClear To Address Intel Processor Woes
Microsoft is again promoting its HyperClear Hyper-V hypervisor technology as a potential balm for organizations trying to come to grips with Intel's latest speculative execution side-channel attack disclosures.
On Tuesday, Intel described microarchitectural data sampling (MDS) vulnerabilities in older Intel processors that were discovered by researchers. Four new attack approaches were discovered, which Intel subsequently announced. These MDS attack methods constitute a new subgroup of speculative execution side-channel attack methods that are different from Intel's "Meltdown" and "Spectre" disclosures more than a year ago. The vulnerabilities could be used in information disclosure types of exploits by attackers, although no known active attacks have been described at present.
In response to the MDS vulnerabilities, operating system patches and firmware ("microcode") updates are being issued, and both need to be applied to protect systems. Intel explained that the microcode updates typically get issued by "OEMs," by which it means original equipment manufacturers of PCs and servers, such as Dell, HP and Toshiba, among others. Intel's microcode release progress per supported processor is described in this Intel guide.
In August, Microsoft had described its HyperClear Hyper-V technology as adding support for addressing the L1 Terminal Fault "Foreshadow" exploit, another speculative execution side-channel attack method. HyperClear technology is present in Windows Server 2016 and newer products, and it's also used in Microsoft Azure datacenters. Microsoft had indicated back then that HyperClear allowed organizations to continue to safely use Intel's Hyper-Threading technology with virtual machines, instead of having to disable it to address the Foreshadow vulnerabilities.
This week, Microsoft renewed its HyperClear claims with regard to the MDS disclosures. HyperClear was updated, allowing it to address the new MDS avenues of attack in virtual machines without having to disable Hyper-Threading, Microsoft's Tuesday announcement explained:
Fortunately for us and for our customers, HyperClear has proven to be an excellent foundation for mitigating this new set of side channel vulnerabilities. In fact, HyperClear required a relatively small set of updates to provide strong inter-VM and intra-OS protections for our customers. These updates have been deployed to Azure and are available in Windows Server 2016 and later supported releases of Windows and Windows Server. Just as before, the HyperClear mitigation allows for safe use of hyper-threading in a multi-tenant virtual machine hosting environment.
Intel Hyper-Threading is a form of Simultaneous Multi-Threading (SMT) technology. Intel and Microsoft have both warned that disabling Hyper-Threading will result in performance decrements. HyperClear apparently lets organizations continue to run Hyper-Threading in virtual machines, although advice from Microsoft and Intel seems somewhat murky.
Intel, for instance, doesn't recommend disabling Hyper-Threading to address the latest MDS vulnerabilities, but its FAQ included the following caveat:
It may be appropriate for some customers to consider additional steps [to address MDS]. This includes customers who cannot guarantee that trusted software is running on their system(s) and are using Simultaneous Multi-Threading (SMT). In these cases, customers should consider how they utilize SMT for their particular workload(s), guidance from their OS and VMM software providers, and the security threat model for their particular environment.
Microsoft's advice in Security Advisory ADV190013 seems more stark:
To be fully protected, customers may also need to disable Hyper-Threading (also known as Simultaneous Multi Threading (SMT)). Please see Knowledge Base Article 4073757 for guidance on protecting Windows devices.
That Knowledge Base article doesn't answer whether Hyper-Threading needs to be disabled or not. However, it does explain that Hyper-Threading typically gets disabled via a system's BIOS settings: "The steps that are necessary to disable Hyper-Threading will differ from OEM to OEM but are generally part of the BIOS or firmware setup and configuration tools," the Knowledge Base article stated.
So, the case for HyperClear isn't altogether clear. One the one hand, Microsoft is promoting HyperClear as a solution for the MDS dilemma. On the other hand, it's saying that organizations may still have to disable Hyper-Threading after all.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.