News GhostRace CPU vulnerability threatens all major architectures — IBM and VU Amsterdam researchers detail new cross-platform speculative execution at...

[Admin]

GhostRace is a cross-platform vulnerability that applies to CPUs made by Intel, AMD, Arm, and IBM that echoes the Spectre vulnerability from six years ago.

GhostRace CPU vulnerability threatens all major architectures — IBM and VU Amsterdam researchers detail new cross-platform speculative execution at... : Read more

 

[RichardtST]

Is there an easy way to turn off all these performance-killing fixes? I am the only one on my computer. No one else. If the hacker has enough control to squeak this information out of my CPU, then they already have complete control of the machine anyway. These kinds of bugs are only relevant for large servers with multiple users or anything up in the cloud. Leave my home computers out of it. I don't need this. I want to turn it (and all the other covert channel & speculative execution bugs) off.

 

[vanadiel007]

There will always be a vulnerability when using CPU's. But what is interesting is that I never heard of a GPU vulnerability.

It's like locking your front door while leaving your back door wide open.

 

[wbfox]

Is there an easy way to turn off all these performance-killing fixes? I am the only one on my computer. No one else. If the hacker has enough control to squeak this information out of my CPU, then they already have complete control of the machine anyway. These kinds of bugs are only relevant for large servers with multiple users or anything up in the cloud. Leave my home computers out of it. I don't need this. I want to turn it (and all the other covert channel & speculative execution bugs) off.

You are totally fine. As long as you don't use anything like javascript or wasm, etc... you are good to go.

 

[Vanderlindemedia]

Really, it's not affecting consumers but in a shared (cloud) space it's a big issue. Fixes that cut off 5% of it's performance can run into the hundreds of thousands if you think you have a full rack stacked with servers.

 

[digitalgriffin]

There will always be a vulnerability when using CPU's. But what is interesting is that I never heard of a GPU vulnerability.

It's like locking your front door while leaving your back door wide open.

They exist and have been documented. There's also vulnerabilities that attack zip/rar and root level certs on anti viruses.

 

[bluvg]

Has anyone done benchmark tests on the total performance lost in recent years due to all the CPU vulnerability fixes?

 

[bit_user]

Has anyone done benchmark tests on the total performance lost in recent years due to all the CPU vulnerability fixes?

In the early days of Zen 4 and Golden Cove, they actually showed slightly worse performance with all mitigations disabled. At the time, people wondered whether that's because those CPUs' branch predictors were optimized for the mitigated code paths.

Of course, another aspect is that OS kernels know which CPU models need which mitigations, and tend to try not to enable the unnecessary ones for your CPU. So, this would concern only the subset of mitigations which cannot easily be switched on/off at runtime.

With the vulnerabilities discovered since then, I'd expect the net effect to again be worse, with mitigations enabled. Particularly in cases like Intel's AVX2 Gather bug, if you're running software that uses heavy AVX2.

 

[bluvg]

In the early days of Zen 4 and Golden Cove, they actually showed slightly worse performance with all mitigations disabled. At the time, people wondered whether that's because those CPUs' branch predictors were optimized for the mitigated code paths.

Of course, another aspect is that OS kernels know which CPU models need which mitigations, and tend to try not to enable the unnecessary ones for your CPU. So, this would concern only the subset of mitigations which cannot easily be switched on/off at runtime.

With the vulnerabilities discovered since then, I'd expect the net effect to again be worse, with mitigations enabled. Particularly in cases like Intel's AVX2 Gather bug, if you're running software that uses heavy AVX2.

Right, but has anyone actually benchmarked all of the vuln mitigations?

 

[bit_user]

Right, but has anyone actually benchmarked all of the vuln mitigations?

I haven't seen this done, since the time I mentioned.

• https://www.phoronix.com/news/AMD-Zen-4-Mitigations-Off
• https://www.phoronix.com/review/amd-zen4-spectrev2
• https://www.phoronix.com/review/raptor-lake-mitigations

 

[Amdlova]

If you want security you need change your cpu and motherboard every generation.
When you know the bleed you are in another cycle.
Intel and amd sell for years cpus with breeches and don't and won't tell anyone.

 

[Alvar "Miles" Udell]

Yet another exploit that requires specific knowledge and specific conditions in order to be exploited, so no reason to worry, like the probably literal million other speculative attacks that could breach security under specific conditions.

 

[Pierce2623]

Has anyone done benchmark tests on the total performance lost in recent years due to all the CPU vulnerability fixes?

It’s not really possible. The exploits come out in different gens. Raptor Lake or zen4 etc can’t be tested “before specter mitigations” for example because many of the mitigations get rolled into hardware changes that define each architecture.

 

[bluvg]

It’s not really possible. The exploits come out in different gens. Raptor Lake or zen4 etc can’t be tested “before specter mitigations” for example because many of the mitigations get rolled into hardware changes that define each architecture.

Understood, it's complicated. Nonetheless, I would love to see CPU-by-CPU (not all, but a representative sample) benchmarks pre-spec-execution era perf vs. today.