Info Meltdown and Spectre Vulnerabilities Information

[gamerk316]

https://www.tomshardware.com/news/openbsd-disables-intel-hyper-threading-spectre,37332.html

This might be a bigger deal than we can read at face value. If SMT has inherent exploitable-by-design problems then Intel is screwed, but AMD might not be that far off. This one will be an interesting piece to follow. I wonder what the Linux camp has to say.

Cheers!

Been waiting for this one.

AMD may or may not be hit by this; depends how they're managing the L1/TLB under the hood. In any case, this problem is fixable: Simply don't share the L1/TLB on HTT cores; this is likely a legacy design choice from the Core M [pre-HTT] days that Intel never needed to address before now.

I've been saying it for a while: It's time to retire Core. There's a ton of legacy problems that are starting to show, and Intel is NEVER going to address them all by fixing them one by one. They have to design a new CPU with security in mind.

My cynical self is saying "but that costs a lot of money!".

Cheers!

So does AMD gaining market share.

 

[goldstone77]

SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation
https://arxiv.org/pdf/1806.05179.pdf
https://arxiv.org/abs/1806.05179

Speculative execution which is used pervasively in modern CPUs can leave side effects in the processor caches and other structures even when the speculated instructions do not commit and their direct effect is not visible. The recent Meltdown and Spectre attacks have shown that this behavior can be exploited to expose privileged information to an unprivileged attacker. In particular, the attack forces the speculative execution of a code gadget that will carry out the illegal read, which eventually gets squashed, but which leaves a side-channel trail that can be used by the attacker to infer the value. Several attack variations are possible, allowing arbitrary exposure of the full kernel memory to an unprivileged attacker. In this paper, we introduce a new model (SafeSpec) for supporting speculation in a way that is immune to side-channel leakage necessary for attacks such as Meltdown and Spectre. In particular, SafeSpec stores side effects of speculation in a way that is not visible to the attacker while the instructions are speculative. The speculative state is then either committed to the main CPU structures if the branch commits, or squashed if it does not, making all direct side effects of speculative code invisible. The solution must also address the possibility of a covert channel from speculative instructions to committed instructions before these instructions are committed. We show that SafeSpec prevents all three variants of Spectre and Meltdown, as well as new variants that we introduce. We also develop a cycle accurate model of modified design of an x86-64 processor and show that the performance impact is negligible. We build prototypes of the hardware support in a hardware description language to show that the additional overhead is small. We believe that SafeSpec completely closes this class of attacks, and that it is practical to implement.

Interesting!

 

[DefinitelyNotTom]

Everything I have read said these issues are exclusively on computers using intel cpus, but the first post in here doesn't seem to even mention intel and says most everyone is affected.

 

[gamerk316]

Everything I have read said these issues are exclusively on computers using intel cpus, but the first post in here doesn't seem to even mention intel and says most everyone is affected.

It comes down to how SMT is handled by CPU architecture; Intel is the obvious company to look at first due to it's dominant market share, but SMT is used by pretty much everyone at this point. I'd be shocked if everyone else doesn't have a holes similar to the one that just got disclosed.

 

[goldstone77]

Everything I have read said these issues are exclusively on computers using intel cpus, but the first post in here doesn't seem to even mention intel and says most everyone is affected.

If you start with the first post and read till now, you will find a time line of events. If you want to know more about which variants that effect AMD, and the mitigation they have a "AMD Processor Security Updates" page.
https://www.amd.com/en/corporate/security-updates

 

[8350rocks]

New Rowhammer vulnerabilities: Now requires just Ethernet packets:

https://arstechnica.com/information-technology/2018/05/attackers-trigger-rowhammer-bit-flips-by-sending-network-packets-over-a-lan/

Funny we've gone full circle now: OS's are secure enough where it's far easier to hit the hardware directly.

10 Gbps is not ultra common outside of massive data centers though, and probably will not be widespread for at least another decade outside of data centers/cloud computing.

Now...does that mean it is irrelevant? Absolutely not! However, this is something that most consumers do not have to worry about on their personal machines for ages...

 

[gamerk316]

New Rowhammer vulnerabilities: Now requires just Ethernet packets:

https://arstechnica.com/information-technology/2018/05/attackers-trigger-rowhammer-bit-flips-by-sending-network-packets-over-a-lan/

Funny we've gone full circle now: OS's are secure enough where it's far easier to hit the hardware directly.

10 Gbps is not ultra common outside of massive data centers though, and probably will not be widespread for at least another decade outside of data centers/cloud computing.

Now...does that mean it is irrelevant? Absolutely not! However, this is something that most consumers do not have to worry about on their personal machines for ages...

Famous last words: "Don't worry; we'll deal with it later."

Usually followed shortly by

"Well, we didn't think things would get THAT bad."

 

[-Fran-]

The gift that keeps on giving!

https://www.phoronix.com/scan.php?page=news_item&px=NetSpectre

Cheers!

 

[gamerk316]

Here we go again:

https://newsroom.intel.com/editorials/protecting-our-customers-through-lifecycle-security-threats/
https://foreshadowattack.eu/

So now even the VMs can't keep you secure.

 

[YoAndy]

🙁

 

[goldstone77]

Spectre and Meltdown in Hardware: Intel Clarifies Whiskey Lake and Amber Lake
by Ian Cutress on August 30, 2018 7:00 AM EST

https://www.anandtech.com/show/13301/spectre-and-meltdown-in-hardware-intel-clarifies-whiskey-lake-and-amber-lake

No hardware fix for Amber Lake. No hardware fix for Spectre Variant 2, the one the hurt performance the most, for Whiskey Lake.

 

[audiospecaccts]

Still, that's the point of having the on-chip security, so that if the OS/Hypervisor gets hit you don't lose information.

on chip security doesn't mean anything when the storage of the encryption cypher can be copied.
Just like dark webbing a server.
1. break into storage.
2. copy all encryption cyphers
3. install them on the remote dark-web server and connect it through a vpn
4. the darkweb server attaches to the victim server at root IP. since the private key is the same, any logged in sessions will be seen (just like if you remote destop into that browser window)


This gets around all known firewalls btw....


I've been spying on the dark web and observing what they do when they take over a system. Its not one guy. its several. The ones that copy SSL certificates post them for the others to continue.



I had the opportunity to talk to one of the anons out there, and he told me very disturbing things that one of the writers of the XML language actually built in security holes so others can access all hardware that is connected to the internet. He also said one of the engineers of the SSL is in league with them and that is why the system doesn't issue the certificate to a server exclusively (like to processor serial number, or Uuid of the drive).


It was quite disturbing to me when they released the Mac address on chip and thinking of the slight possibility it could end up with more than one processor with the same mac address, and the networking anomaly that would fallow. (that would be 1/2 of the attack tcp packet, the other would be the Ip ).

Just like those ones that pass objects (I think they are pictures, but could be SSL Certs) on any web site they both go to, they have each others IP, but they maliciously use the web server to mitigate the mac address for their "discrete" file sharing. The web server is oblivious to this activity, and only can be observed though packet inspection at the server because the data goes directly into network routing instead of being logged.

 

[goldstone77]

BAM! Open doors everywhere!

 

[audiospecaccts]

So is this just a Windows thing? Since I have not experienced this on any of the Linux platforms I use.

 

[gamerk316]

So is this just a Windows thing? Since I have not experienced this on any of the Linux platforms I use.

Affects all OS's that aren't patched. This is a hardware problem, first and foremost.

 

[Eximo]

And a widespread hardware problem. Once the concept was well known everyone started hunting. And since most chip designers adopted similar performance enhancing methods, there are side channel attacks for most processors.

 

[gamerk316]

https://www.zdnet.com/article/intel-cpus-impacted-by-new-portsmash-side-channel-vulnerability/

It will never end.

 

[audiospecaccts]

It may be the reason why I had to disable enhanced processor features for my audio studio machines to keep them from drifting out of real time (the real time latency would slowly increase) or on larger projects, the program would just crash if any of them were enabled.

on the same parallel, it was about the year 2000 I had to start doing this to machines.

 

[gamerk316]

https://arstechnica.com/gadgets/2018/11/spectre-meltdown-researchers-unveil-7-more-speculative-execution-attacks/

This is the attack that never ends.

 

[gamerk316]

https://www.pcper.com/news/General-Tech/not-dead-which-can-eternal-lie-Spectre-rises-again

First Meltdown variant that has been confirmed to hit AMD CPUs.

 

[cptgloval]

I think this is why we will see hyper-threading go away. I7-9700k doesn't support it. I think it's a nightmare for intel to try to fix, if it can ever be truly "patched." Best way to deal with the security issue is to eliminate it in the future completely.

 

[gamerk316]

I think this is why we will see hyper-threading go away. I7-9700k doesn't support it. I think it's a nightmare for intel to try to fix, if it can ever be truly "patched." Best way to deal with the security issue is to eliminate it in the future completely.

SMT isn't fundamentally insecure; at it's lowest level it's just another set of CPU Registers and the HW necessary to schedule an additional thread. The problem is Intel in particular seems to have taken a LOT of security liberties in order to increase performance.

It's also possible Intel ditched HTT on it's highest end parts due to increasing core count or production/thermal issues.

 

[goldstone77]

Hyper Threading isn't the problem, it's speculative execution. No one wants to give up the performance enhancements that speculative execution provides, so it will require a fundamental change in the current process. All these proposed hardware fixes do not change how information is being processed. New variants continue to pop up, and they are not being addressed by manufacturers.

 

[gamerk316]

Hyper Threading isn't the problem, it's speculative execution. No one wants to give up the performance enhancements that speculative execution provides, so it will require a fundamental change in the current process. All these proposed hardware fixes do not change how information is being processed. New variants continue to pop up, and they are not being addressed by manufacturers.

To be fair, who would buy a processor that's secure, but has a 30% performance penalty?

 

[Supernova1138]

Hyper Threading isn't the problem, it's speculative execution. No one wants to give up the performance enhancements that speculative execution provides, so it will require a fundamental change in the current process. All these proposed hardware fixes do not change how information is being processed. New variants continue to pop up, and they are not being addressed by manufacturers.

To be fair, who would buy a processor that's secure, but has a 30% performance penalty?

The e-commerce market may well just have to eat the performance hit and buy a larger number of weaker servers with speculative execution disabled, particularly if these sorts of side-channel attacks lead to massive data breaches and disabling speculative execution becomes part of PCI compliance or something like that. On the consumer level it would be a harder sell, as consumers aren't as high profile a target and getting their info isn't as valuable as say stealing Amazon's credit card database and most people might be more inclined to simply deal with the security risk, or if they're really worried, do highly sensitive stuff like banking and so on on a separate device that is more secure, if a bit slower overall.