Info Meltdown and Spectre Vulnerabilities Information

[goldstone77]

I hate to sound like a wingnut but maybe all these delays with 10mn are being exaggerated to buy some time for their teams to regroup and figure out a tenable redesign.

Intel isn't going to can its medium term product roadmap because of some performance penalties.

I have to agree with randomizer on this one. Intel has already spent time in money on designs for the next 3 generations. Cannon Lake is a port of Skylake to 10nm. Die shrinks provide lower power consumption and better performance using the same architecture. Intel has leveraged a process lead over AMD for ~20 years to help create and maintain a performance gap. They would not willingly give up this advantage, because it is giving away revenue to AMD.

Intel, in particular, formerly focused on leveraging die shrinks to improve product performance at a regular cadence through its Tick-Tock model. In this business model, every new microarchitecture (tick) is followed by a die shrink (tock) to improve performance with the same microarchitecture.[1]

https://en.wikipedia.org/wiki/Die_shrink

Again, wrong. Cannonlake isn't Skylake ported onto 10nm exactly as it is. It has architectural improvements. Historically (at least since the first generation since that's what I know), die shrinks provided <=5% IPC improvements.

And you're grossly wrong about Intel maintaining its performance lead mainly thanks to the process. It's the architecture first and foremost, then the process.

What I stated it completely accurate, and not "Again, wrong." The history of the architecture is proof of the facts not counting the wiki reference. While there might be minor architectural changes/improvements, which involve different IP at smaller nodes, the whole of the architecture was not redesigned!

And you're grossly wrong about Intel maintaining its performance lead mainly thanks to the process.

Your words not mine!

Intel has leveraged a process lead over AMD for ~20 years to help create and maintain a performance gap.

My exact words!
This has become off topic, and this will be my last response on the subject.

 

[goldstone77]

It's not about Meltdown or Spectre, but it is a serious security vulnerability recently patched by Microsoft. Make sure you update!
by Brandon Hill — Wednesday, May 09, 2018
This Major Windows Security Flaw Is Being Exploited Right Now As Microsoft Pushes A Patch

For those that remember, this is the Double Kill exploit that Qihoo 360 Core Security described late last month, but it now has an official designation: CVE-2018-8174. According to Microsoft, there is a flaw in the way that the VBScript engine that allows for remote code execution. Microsoft goes on to confirm the that is exploit is pretty nasty, writing:

An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The bad news, however, is that this security flaw can force Internet Explorer to load -- even if it is not the default browser -- and that it is already being actively exploited.

https://hothardware.com/news/this-major-windows-security-flaw-is-being-exploited-right-now#gTYaCmQbQlUARPbZ.99

 

[gamerk316]

New Rowhammer vulnerabilities: Now requires just Ethernet packets:

https://arstechnica.com/information-technology/2018/05/attackers-trigger-rowhammer-bit-flips-by-sending-network-packets-over-a-lan/

Funny we've gone full circle now: OS's are secure enough where it's far easier to hit the hardware directly.

 

[goldstone77]

New Rowhammer vulnerabilities: Now requires just Ethernet packets:

https://arstechnica.com/information-technology/2018/05/attackers-trigger-rowhammer-bit-flips-by-sending-network-packets-over-a-lan/

Funny we've gone full circle now: OS's are secure enough where it's far easier to hit the hardware directly.

It's a never ending cycle!

 

[gamerk316]

New Rowhammer vulnerabilities: Now requires just Ethernet packets:

https://arstechnica.com/information-technology/2018/05/attackers-trigger-rowhammer-bit-flips-by-sending-network-packets-over-a-lan/

Funny we've gone full circle now: OS's are secure enough where it's far easier to hit the hardware directly.

It's a never ending cycle!

Yep! Case in point, am I the only person who's figured out "the cloud" is really just us going back to the mainframe concept? You run in circles just to wind up back where you started.

That being said, hardware based vulnerabilities are going to be huge problem going forward now that people are looking in that direction.

 

[-Fran-]

There's one added element to the old "Mainframe" concept that is usually drawn as parallel to the "Cloud": expansible.

Most "cloud oriented" technologies are now made to scale indefinitely until you run out of hardware and resource utilization is, supposedly, better administrated. I think the "phantom" benefit (I personally don't like this one) is you can move it wherever you want/need with relative simplicity if built as PaaS. This has pro's and con's in the real implementations, but it's up to the Organization Enterprise Architects to give a clear steer for this.

Cheers!

 

[gamerk316]

PGP now cracked:

https://arstechnica.com/information-technology/2018/05/decade-old-efail-attack-can-decrypt-previously-obtained-encrypted-e-mails/

It's never-ending.

 

[Eximo]

Mainframe vs cloud, even back then many companies had their own mainframe. But that concept never really went away with Citrix or VDI. BYOD also saw a resurgence of mainframe style systems.

Cloud is more like concentrating expertise. Why have 10,000 mediocre system admins when you can have 100 really good ones. Not really how it works in practice, but to general concept is there. It does simplify disaster recovery policies, physical security, etc for small businesses.

The only real problem I've run into is getting two cloud providers to talk to each other. Most make your site the bridge which adds a lot of latency.

 

[goldstone77]

Murthy Renduchintala
Chief Engineering Officer & Executive Vice President, Intel Corporation

As we go into the second half of this year we'll provide hardware mitigation for our 14nm products that launch in the 2nd half of the year. The Cascade server product range as well as the whiskey lake client product.

https://jpmorgan.metameetings.net/events/tmc18/sessions/15020-intel-corporation/webcast

 

[YoAndy]

With regard to the Spectre-Meltdown situation, Krzanich(Intel's CEO)said he was proud of the way the company and the industry had handled the situation "with transparency." New processors with a hardware fix for the security issues will be out later this year, he promised. And Finally, chip design guru Jim Keller has joined Intel as a senior veep for silicon engineering

 

[aldaia]

AMD is reportedly unaffected by Spectre NG - Great news for EPYC
https://www.overclock3d.net/news/cpu_mainboard/amd_is_reportedly_unaffected_by_spectre_ng_-_great_news_for_epyc/1

 

[goldstone77]

Alert (TA18-141A)
Side-Channel Vulnerability Variants 3a and 4
Original release date: May 21, 2018

Overview
On May 21, 2018, new variants—known as 3A and 4—of the side-channel central processing unit (CPU) hardware vulnerability were publically disclosed. These variants can allow an attacker to obtain access to sensitive information on affected systems.

Description
CPU hardware implementations—known as Spectre and Meltdown—are vulnerable to side-channel attacks. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw that an attacker can exploit to force a CPU to reveal its data.

Variant 3a is a vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information.

Variant 4 is a vulnerability that exploits “speculative bypass.” When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. While implementation is complex, this side-channel vulnerability could allow less privileged code to

Read arbitrary privileged data; and
Run older commands speculatively, resulting in cache allocations that could be used to exfiltrate data by standard side-channel methods.
Corresponding CVEs for Side-Channel Variants 1, 2, 3, 3a, and 4 are found below:

Variant 1: Bounds Check Bypass – CVE-2017-5753
Variant 2: Branch Target Injection – CVE-2017-5715
Variant 3: Rogue Data Cache Load – CVE-2017-5754
Variant 3a: Rogue System Register Read – CVE-2018-3640
Variant 4: Speculative Store Bypass – CVE-2018-3639
Impact
Side-Channel Vulnerability Variants 3a and 4 may allow an attacker to obtain access to sensitive information on affected systems.

https://www.us-cert.gov/ncas/alerts/TA18-141A

Also,
“Speculative Store Bypass” Vulnerability Mitigations for AMD Platforms
5/21/18

Today, Microsoft and Google Project Zero researchers have identified a new category of speculative execution side channel vulnerability (Speculative Store Bypass or SSB) that is closely related to the previously disclosed GPZ/Spectre variant 1 vulnerabilities. Microsoft has released an advisory on the vulnerability and mitigation plans.

AMD recommended mitigations for SSB are being provided by operating system updates back to the Family 15 processors (“Bulldozer” products). For technical details, please see the AMD whitepaper. Microsoft is completing final testing and validation of AMD-specific updates for Windows client and server operating systems, which are expected to be released through their standard update process. Similarly, Linux distributors are developing operating system updates for SSB. AMD recommends checking with your OS provider for specific guidance on schedules.

Based on the difficulty to exploit the vulnerability, AMD and our ecosystem partners currently recommend using the default setting that maintains support for memory disambiguation.

We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date.

As a reminder, security best practices of keeping your operating system and BIOS up-to-date, utilizing safe computer practices and running antivirus software are always the first line of defense in maintaining device security.

https://www.amd.com/en/corporate/security-updates

AMD's White Paper
https://developer.amd.com/wp-content/resources/124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf

Microsoft
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012

ARM
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Redhat
https://www.redhat.com/en/blog/speculative-store-bypass-explained-what-it-how-it-works

 

[gamerk316]

https://www.hardocp.com/news/2018/05/27/spectre_variant_4_disclosed_mitigations_to_result_in_another_performance_hit

It's not going to end anytime soon.

 

[gamerk316]

And wait there's more!

https://www.hardocp.com/news/2018/05/27/epyc_fail63_researchers_say_they_defeat_amdrsquos_virtual_machine_encryption

So now even VMs are getting hit.

 

[-Fran-]

And wait there's more!

https://www.hardocp.com/news/2018/05/27/epyc_fail63_researchers_say_they_defeat_amdrsquos_virtual_machine_encryption

So now even VMs are getting hit.

Haha, damn... That's what happen when you put hardware in charge of complex security stuff. Once they find a single hole, it's like they open flood gates.

I hope AMD can find a solution for that, otherwise it will hurt them in the short term.

On the upside, it requires access to the host system?

Cheers!

 

[aldaia]

And wait there's more!

https://www.hardocp.com/news/2018/05/27/epyc_fail63_researchers_say_they_defeat_amdrsquos_virtual_machine_encryption

So now even VMs are getting hit.

Haha, damn... That's what happen when you put hardware in charge of complex security stuff. Once they find a single hole, it's like they open flood gates.

I hope AMD can find a solution for that, otherwise it will hurt them in the short term.

On the upside, it requires access to the host system?

Cheers!

It requires replacing the hypervisor by a "evil hypervisor".
https://en.wikipedia.org/wiki/Hypervisor

 

[gamerk316]

Still, that's the point of having the on-chip security, so that if the OS/Hypervisor gets hit you don't lose information.

 

[randomizer]

It's not so much a vulnerability as it is a flawed security feature.

 

[-Fran-]

Ah, interesting. If it requires replacing the hypervisor then it's not THAT bad. If you can replace it, then that means you already compromised the machine anyway.

Cheers!

 

[gamerk316]

Ah, interesting. If it requires replacing the hypervisor then it's not THAT bad. If you can replace it, then that means you already compromised the machine anyway.

Cheers!

As I understand it, the issue here is the vulnerability will allow information to leak from OUTSIDE the affected hypervisor.

 

[-Fran-]

Ah, interesting. If it requires replacing the hypervisor then it's not THAT bad. If you can replace it, then that means you already compromised the machine anyway.

Cheers!

As I understand it, the issue here is the vulnerability will allow information to leak from OUTSIDE the affected hypervisor.

"So much so, they said they can exfiltrate plaintext data from an encrypted guest via a hijacked hypervisor and simple HTTP requests to a web server running in a second guest on the same machine."

Well, I didn't RTFA originally, but now I have. You do need access to the hypervisor, so this is similar-ish to the other vulnerabilities found by that Company I already forgot about... Like... Literally forgot about xD

EDIT: This is not to say it's not a problem for AMD. The way they've marketed SEV is to protect scenarios where the machines and hosts OS'es might be exposed to 3rd parties (think "rogue" technicians or very angry/frustrated tech-ops with a red eye for revenge, haha) in a way that should make the data inside those VMs safe to snoops. So far, they've found several holes, so AMD better fix them.

Cheers!

 

[aldaia]

Lazy FP State Restore
New intel vulnerability. Aparently AMD is not affected.
https://thehackernews.com/2018/06/intel-processor-vulnerability.html

 

[-Fran-]

https://www.tomshardware.com/news/openbsd-disables-intel-hyper-threading-spectre,37332.html

This might be a bigger deal than we can read at face value. If SMT has inherent exploitable-by-design problems then Intel is screwed, but AMD might not be that far off. This one will be an interesting piece to follow. I wonder what the Linux camp has to say.

Cheers!

 

[gamerk316]

https://www.tomshardware.com/news/openbsd-disables-intel-hyper-threading-spectre,37332.html

This might be a bigger deal than we can read at face value. If SMT has inherent exploitable-by-design problems then Intel is screwed, but AMD might not be that far off. This one will be an interesting piece to follow. I wonder what the Linux camp has to say.

Cheers!

Been waiting for this one.

AMD may or may not be hit by this; depends how they're managing the L1/TLB under the hood. In any case, this problem is fixable: Simply don't share the L1/TLB on HTT cores; this is likely a legacy design choice from the Core M [pre-HTT] days that Intel never needed to address before now.

I've been saying it for a while: It's time to retire Core. There's a ton of legacy problems that are starting to show, and Intel is NEVER going to address them all by fixing them one by one. They have to design a new CPU with security in mind.

 

[-Fran-]

https://www.tomshardware.com/news/openbsd-disables-intel-hyper-threading-spectre,37332.html

This might be a bigger deal than we can read at face value. If SMT has inherent exploitable-by-design problems then Intel is screwed, but AMD might not be that far off. This one will be an interesting piece to follow. I wonder what the Linux camp has to say.

Cheers!

Been waiting for this one.

AMD may or may not be hit by this; depends how they're managing the L1/TLB under the hood. In any case, this problem is fixable: Simply don't share the L1/TLB on HTT cores; this is likely a legacy design choice from the Core M [pre-HTT] days that Intel never needed to address before now.

I've been saying it for a while: It's time to retire Core. There's a ton of legacy problems that are starting to show, and Intel is NEVER going to address them all by fixing them one by one. They have to design a new CPU with security in mind.

My cynical self is saying "but that costs a lot of money!".

Cheers!