AMD's Future Chips & SoC's: News, Info & Rumours.

Page 47 - Seeking answers? Join the Tom's Hardware community: where nearly two million members share solutions and discuss the latest tech.
Toggle sidebar Toggle sidebar
Status
Not open for further replies.


Pentium bug was like in one processor and what 2 years? This is all intel CPU's in the past decade. This also mainly affects the server market so yeah i can say some will not be too happy.
 


Yeah agreed even more so since linux dev's already said exceptions can be made later they really wanted to rush this patch out hoping Microsoft doesn't do the same.
 


I am not a linux kernel developer. So it is AMD linux dev vs rest of linux devs. Linux devs are treating all x86 CPUs as vulnerable because no one has demonstrated the contrary.
 


Like I said, defensive coding for now is the best approach. Specially since day 1 patches affect both, Intel likes that AMD will take a bigger hit than them! Har har.

No one will care the later patches that remove AMD from the enforcement of the memory separation removes the performance penalty for them.

@jdwii
And yeah, it is definitely different in magnitude. That is correct, but that was just an example. Intel has a lot of misdoings under their belt and their fanbois keep on increasing like foam next to a drain exit.
 


This quote is the real kick in the shorts!
The easiest way to ensure you are not going to experience this issue is to pick up a Ryzen or Threadripper, of course.
Click to expand...
 
While with the Linux development code currently, AMD CPUs are marked as insecure and those PTI applied, as covered earlier today, being staged via the tip tree is the much talked about AMD patch. But if that patch will land in time for this month's Linux 4.15 kernel release or be held off until the Linux 4.16 kernel cycle remains to be seen. Regardless, that AMD patch will end up landing some point soon so AMD CPU owners won't be negatively impacted as their hardware appears immune to this latest security issue.
Click to expand...
https://www.phoronix.com/scan.php?page=article&item=linux-more-x86pti&num=1
 


Everything I'm reading is basically saying the same story. Intel hardware design flaw allowing exploits to be deployed.

To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time.
Click to expand...
 
Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01
Click to expand...

So AMD knew its CPUs are affected issue since June. Very interesting that the AMD kernel dev pretended in December that AMD CPUs aren't affected by this security bug...
 


You are ignoring all the recent reports that AMD is not vulnerable. Scroll up!

Edit:
DSpmxcLUQAA2VRu.jpg:small
 
Further info released today

https://meltdownattack.com/

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.
Click to expand...

Is there a workaround/fix?

There are patches against Meltdown for Linux ( KPTI (formerly KAISER)), Windows, and OS X. There is also work to harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre .

Which systems are affected by Meltdown?

Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.

Which systems are affected by Spectre?

Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.
Click to expand...

AMD affected by Spectre confirmed. AMD affected by Meltdown unclear.

There are three variants of this security bug.

* Variant 1: bounds check bypass
* Variant 2: branch target injection
* Variant 3: rogue data cache load

Spectre is a common codename for variants 1 and 2. Meltdown is for variant 3.

 


DSpmxcLUQAA2VRu.jpg:small
 


Did you miss I was quoting a Google security blog entry from day 3?

I give the link again

https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html?m=1
 


Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01
Click to expand...
As I have stated previously these are exploits that can affect many devices, except there are protection in place to prevent the exploits. Intel's hardware design flaw is allowing these exploits to be deployed where AMD CPU's are unaffected.

Edit: That being said they released a patch negatively affecting performance of all X86, which AMD still needs to release code to be incorperated in this patch or more likely a later patch to fix the performance issues. But AMD is not affected on a hardware level like Intel.
 
The worse of all the variants of the attack is Spectre. It also affects Zen CPUs:

1.3 Targeted Hardware and Current Status Hardware. We have empirically verified the vulnerability of several Intel processors to Spectre attacks, including
Ivy Bridge, Haswell and Skylake based processors. We have also verified the attack’s applicability to AMD Ryzen CPUs. Finally, we have also successfully mounted Spectre attacks on several Samsung and Qualcomm processors (which use an ARM architecture) found in popular mobile phones
Click to expand...
 


Yes, this is why they are releasing a patch! The negative performance effect associated with the patch affect all X86 device. But, Intel is vulnerable on a hardware level, and the negative performance can only be fixed by a new CPU design. Where AMD is not affected on a hardware level, and only needs to release code to be incorporated in a patch to remove the negative performance.
 


No. There is no patch for Spectre, and it seems that Spectre is unfixable and will require new hardware.

The patch only exists for Meltdown and actually is enabled for both AMD and Intel because it is not clear that AMD CPUs aren't affected: "At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown."
 


Okay, I found some more information on Spectre, it can be mitigated through software patch, but it's a flaw in X86. Melt down is the one that was patched. They are rolling out software mitigation update for windows now.
January 3, 2018—KB4056892 (OS Build 16299.192)
Applies to: Windows 10 version 1709
Improvements and fixes
This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

Addresses issue where event logs stop receiving events when a maximum file size policy is applied to the channel.
Addresses issue where printing an Office Online document in Microsoft Edge fails.
Addresses issue where the touch keyboard doesn’t support the standard layout for 109 keyboards.
Addresses video playback issues in applications such as Microsoft Edge that affect some devices when playing back video on a monitor and a secondary, duplicated display.
Addresses issue where Microsoft Edge stops responding for up to 3 seconds while displaying content from a software rendering path.
Addresses issue where only 4 TB of memory is shown as available in Task Manager in Windows Server version 1709 when more memory is actually installed, configured, and available.
Security updates to Windows SMB Server, the Windows Subsystem for Linux, Windows Kernel, Windows Datacenter Networking, Windows Graphics, Microsoft Edge, Internet Explorer, and the Microsoft Scripting Engine.
Click to expand...

It appears Spector is a lot harder to deploy aslo.
 
https://spectreattack.com/
FumgTpw.png

Questions & Answers
Am I affected by the bug?
Most certainly, yes.

Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. The exploitation does not leave any traces in traditional log files.

Can my antivirus detect or block this attack?
While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.

What can be leaked?
If your system is affected, our proof-of-concept exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.

Has Meltdown or Spectre been abused in the wild?
We don't know.

Is there a workaround/fix?
There are patches against Meltdown for Linux ( KPTI (formerly KAISER)), Windows, and OS X. There is also work to harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre .

Which systems are affected by Meltdown?
Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.

Which systems are affected by Spectre?
Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.

Which cloud providers are affected by Meltdown?
Cloud providers which use Intel CPUs and Xen PV as virtualization without having patches applied. Furthermore, cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ are affected.

What is the difference between Meltdown and Spectre?
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers ( Meltdown and Spectre)

Why is it called Meltdown?
The bug basically melts security boundaries which are normally enforced by the hardware.

Why is it called Spectre?
The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.

Is there more technical information about Meltdown and Spectre?
Yes, there is an academic paper and a blog post about Meltdown, and an academic paper about Spectre. Furthermore, there is a Google Project Zero blog entry about both attacks.

What are CVE-2017-5753 and CVE-2017-5715?
CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

What is the CVE-2017-5754?
CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
Click to expand...
 
This smells like "yeah, we have a problem, BUT THEY ALSO HAVE ONE! LOOK OVER THERE, NOT HERE!" from Intel's PR dept.

Looking forward to the Intel propaganda machine brainwashing fanbois again that everything is fine.

Cheers!
 
Given that this discussion is taking place over at least three different threads I think we need a thread dedicated to discussing the security flaws so that the existing threads can remain focused on their original topics.
 


Okay, how do we do this?
 
Status
Not open for further replies.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom