Meltdown and Spectre Vulnerabilities Information

[goldstone77]

All government/financial/banking systems I'm sure would want secure systems. They guy playing games, like Fortnite, probable doesn't care.

 

[gamerk316]

All government/financial/banking systems I'm sure would want secure systems. They guy playing games, like Fortnite, probable doesn't care.

Many people on these very forums would disagree with you. I honestly think the reverse is true: Government really couldn't care if the "fix" is SW or HW based, but your generic Fortnite player will raise hell about any performance drop.

 

[audiospecaccts]

To be fair, who would buy a processor that's secure, but has a 30% performance penalty?

Secure from What?

btw, encryption doesn't doesn't increase safety, it just mean its encrypted. and its only secure till someone parses the key to it,
which does happen.

btw we've been testing a few budget servers that has "secure boot" and encryption. Needless to say, the hackers out there have figured out how to get in and attach the UEFI partition and host it out on an iSCSI connection with a different encryption encoding that uses the empty spaces of the encrypted drive.

my my, the lengths they go to hijack web servers now these days.

 

[goldstone77]

All government/financial/banking systems I'm sure would want secure systems. They guy playing games, like Fortnite, probable doesn't care.

Many people on these very forums would disagree with you. I honestly think the reverse is true: Government really couldn't care if the "fix" is SW or HW based, but your generic Fortnite player will raise hell about any performance drop.

That, would be crazy thinking on the part of those uninformed forum goers. No one wants their secrets being stolen. Examples: years of cancer research, military movements, next gen power source, etc. It's not a crazy concept to want to keep private things private. It is a crazy concept to think that everyone doesn't care about their privacy, and by extension their finances and reputation. The military wouldn't want their messages intercepted and decrypted. I'm sure Hillary Clinton didn't want her server hacked and have all her email public. Just saying, who doesn't want privacy? The kid playing Fortnite, probably doesn't care, but countless millions are probably terrified by the prospect that their privacy is in jeopardy. I know Apple pushes privacy right really hard!

 

[gamerk316]

All government/financial/banking systems I'm sure would want secure systems. They guy playing games, like Fortnite, probable doesn't care.

Many people on these very forums would disagree with you. I honestly think the reverse is true: Government really couldn't care if the "fix" is SW or HW based, but your generic Fortnite player will raise hell about any performance drop.

That, would be crazy thinking on the part of those uninformed forum goers. No one wants their secrets being stolen. Examples: years of cancer research, military movements, next gen power source, etc. It's not a crazy concept to want to keep private things private. It is a crazy concept to think that everyone doesn't care about their privacy, and by extension their finances and reputation. The military wouldn't want their messages intercepted and decrypted. I'm sure Hillary Clinton didn't want her server hacked and have all her email public. Just saying, who doesn't want privacy? The kid playing Fortnite, probably doesn't care, but countless millions are probably terrified by the prospect that their privacy is in jeopardy. I know Apple pushes privacy right really hard!

As someone who works with government IT: You give most government IT way too much credit.

 

[goldstone77]

How much do people care? That is the question. This article is from 2016.

Fri, 08/19/2016 - 16:37 - Archive
Cyber Security Bill for 2015: $75 Billion Spent, $300 Billion Lost

Technology research company Gartner forecasts worldwide spending on information security to reach $75.4 billion this year. According to their report, this represents a 4.7% increase in spending from 2014. The increase is partly attributed to government initiatives and increased legislation in countries such as Poland, the Czech Republic and South Africa. Additionally, high-profile data breaches are forcing organizations to increase their focus on information security. Gartner identifies security testing, IT outsourcing and access management as the largest areas for growth for technology providers.

According to Elizabeth Kim, research analyst at Gartner, “Interest in security technologies is increasingly driven by elements of digital business, particularly cloud, mobile computing and now also the Internet of Things, as well as by the sophisticated and high-impact nature of advanced targeted attacks.” Additionally, “endpoint detection and remediation tools, threat intelligence and cloud security tools” were also identified as areas for growth.

Additionally, Grant Thornton, a global accounting advisory firm, has just released theresults of their global survey on cyber security attacks. The total estimated cost of cyber security attacks over the past 12 months, in American dollars, is $315 billion. The findings are based on a survey of 2,500 international business leaders in 35 economies. Regionally, cyber security attacks cost “Asia Pacific businesses $81bn in the past 12 months, while firms in the EU ($62bn) and North America ($61bn) are also counting the significant cost of attacks.”

According to the research, the sector most concerned by the threat of cyber attacks is financial services, while “only 10% of transport firms globally have reported a cyber attack in the past 12 months and just 27% perceive it as a threat.” Paul Jacobs, Global Leader of Cyber Security at Grant Thornton, said: ““Vigilance alone won’t keep businesses safe. Proactive measures are needed. This is an issue which needs to be on the agenda in boardrooms as well as IT departments. Management teams need to be driving cyber strategies which boost awareness of the threat among all staff, and of the policies and procedures in place to deal with the threat.”

https://www.adaware.com/blog/cyber-security-bill-for-2015-75-billion-spent-300-billion-lost

Ignorance, is an expensive game to play.

 

[audiospecaccts]

As someone who works with government IT: You give most government IT way too much credit.

Things never change for them do they: always looking forward to the 1st and 15th

 

[Yuka]

Meltdown and Spectre exploit critical vulnerabilities in modern processors . These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. ... Meltdown and Spectre work on personal computers, mobile devices, and in the cloud.

Ok...?

 

[digitalgriffin]

It's important to note that Spectre vulnerabilities also apply to java script and can attack MOBILE browsers. A lot of modern mobile CPU hardware use similar caching mechanisms which can be attacked in a similar fashion.

 

[gamerk316]

https://www.phoronix.com/scan.php?page=news_item&px=Microarch-Data-Sampling

Here we go again. This one doesn't sound too bad though, and should be a trivial fix.

 

[Darkbreeze]

Seems like each "trivial" fix makes my performance drop a bit lower than before. LOL.

 

[gamerk316]

Seems like each "trivial" fix makes my performance drop a bit lower than before. LOL.

To be fair, this sounds like all that really needs to be done is to clear out the buffers when switching states. For all intents in purposes, that's a free operation when compared to how long switching states comparatively takes.

 

[greenreaper]

Oh, it's worse than that. You see, if you have HyperThreading, the other thread has to be switched into kernel mode and paused while you access protected kernel data, otherwise it might run user mode code which accesses the protected data while you do as well.

Also on Skylake+ we're talking about writing 6KB of data to multiple buffers. That's potentially more than you went into kernel mode to access in the first place.

It's a huge mess, and to top it all they didn't use a new SKU name for the fixed chips, just a new stepping. No wonder they had "shortages" - they had to dump their output lest they be accused of selling known-bad goods.

 

[Yuka]

Woah, that's really big... 6KB of data for on-transit threads is humongous!

No wonder worst case scenarios are so bad with the mitigations* in place.

EDIT: https://www.phoronix.com/scan.php?page=article&item=intel-mds-xeon&num=1

Cheers!

 

[alceryes]

Are there any definitive, up-to-date charts or articles from Intel and AMD on which of the last couple gens of chips (maybe from Kaby for Intel and Phenom II for AMD?) have full hardware mitigations, what ones are using hardware AND software mitigations, what ones have only software mitigations, and what ones currently have no mitigations, for each of the currently know speculative execution vulnerabilities? I know that AMD isn't vulnerable to some of them and I know that Intel's latest Coffee Lake refresh (9th gen) already include some hardware mitigations but I'm finding it difficult to match individual vulnerabilities to the type of mitigation and CPU, across the last couple gens of CPUs.

I know about MDS tool but I'd like something like a chart that I don't need to run on individual CPUs to find the info.

TIA!

 

[mitch074]

Are there any definitive, up-to-date charts or articles from Intel and AMD on which of the last couple gens of chips (maybe from Kaby for Intel and Phenom II for AMD?) have full hardware mitigations, what ones are using hardware AND software mitigations, what ones have only software mitigations, and what ones currently have no mitigations, for each of the currently know speculative execution vulnerabilities? I know that AMD isn't vulnerable to some of them and I know that Intel's latest Coffee Lake refresh (9th gen) already include some hardware mitigations but I'm finding it difficult to match individual vulnerabilities to the type of mitigation and CPU, across the last couple gens of CPUs.

I know about MDS tool but I'd like something like a chart that I don't need to run on individual CPUs to find the info.

TIA!

AMD have full hardware mitigations for Meltdown and many variants of Spectre, including the latest Zombieload and such products, because process isolation is really baked into the Zen architecture.

Intel's latest chips have hardware mitigations for the earlier attacks, but only firmware updates for the latest ones. Contrary to AMD though, process isolation isn't baked into the silicon - so we see hardware patches being applied on each new iteration. As long as Intel don't overhaul the Core architecture, we'll see more vulnerabilities come out regularly.

Some Spectre versions cannot be protected from in hardware : the way speculative execution is set would need a profound rework of both operating system internals and the hardware ; the result is the creation of tools like retpoline and compiler-level features that force a CPU queue flush when switching context