Meltdown and Spectre Vulnerabilities Information

Page 20 - Seeking answers? Join the Tom's Hardware community: where nearly two million members share solutions and discuss the latest tech.


Many people on these very forums would disagree with you. I honestly think the reverse is true: Government really couldn't care if the "fix" is SW or HW based, but your generic Fortnite player will raise hell about any performance drop.
 

audiospecaccts

Upstanding
Oct 13, 2018
149
0
210
14


Secure from What?

btw, encryption doesn't doesn't increase safety, it just mean its encrypted. and its only secure till someone parses the key to it,
which does happen.

btw we've been testing a few budget servers that has "secure boot" and encryption. Needless to say, the hackers out there have figured out how to get in and attach the UEFI partition and host it out on an iSCSI connection with a different encryption encoding that uses the empty spaces of the encrypted drive.

my my, the lengths they go to hijack web servers now these days.
 

goldstone77

Distinguished
Aug 22, 2012
2,250
13
19,965
85


That, would be crazy thinking on the part of those uninformed forum goers. No one wants their secrets being stolen. Examples: years of cancer research, military movements, next gen power source, etc. It's not a crazy concept to want to keep private things private. It is a crazy concept to think that everyone doesn't care about their privacy, and by extension their finances and reputation. The military wouldn't want their messages intercepted and decrypted. I'm sure Hillary Clinton didn't want her server hacked and have all her email public. Just saying, who doesn't want privacy? The kid playing Fortnite, probably doesn't care, but countless millions are probably terrified by the prospect that their privacy is in jeopardy. I know Apple pushes privacy right really hard!
 


As someone who works with government IT: You give most government IT way too much credit.
 

goldstone77

Distinguished
Aug 22, 2012
2,250
13
19,965
85
How much do people care? That is the question. This article is from 2016.

Fri, 08/19/2016 - 16:37 - Archive
Cyber Security Bill for 2015: $75 Billion Spent, $300 Billion Lost

Technology research company Gartner forecasts worldwide spending on information security to reach $75.4 billion this year. According to their report, this represents a 4.7% increase in spending from 2014. The increase is partly attributed to government initiatives and increased legislation in countries such as Poland, the Czech Republic and South Africa. Additionally, high-profile data breaches are forcing organizations to increase their focus on information security. Gartner identifies security testing, IT outsourcing and access management as the largest areas for growth for technology providers.

According to Elizabeth Kim, research analyst at Gartner, “Interest in security technologies is increasingly driven by elements of digital business, particularly cloud, mobile computing and now also the Internet of Things, as well as by the sophisticated and high-impact nature of advanced targeted attacks.” Additionally, “endpoint detection and remediation tools, threat intelligence and cloud security tools” were also identified as areas for growth.

Additionally, Grant Thornton, a global accounting advisory firm, has just released theresults of their global survey on cyber security attacks. The total estimated cost of cyber security attacks over the past 12 months, in American dollars, is $315 billion. The findings are based on a survey of 2,500 international business leaders in 35 economies. Regionally, cyber security attacks cost “Asia Pacific businesses $81bn in the past 12 months, while firms in the EU ($62bn) and North America ($61bn) are also counting the significant cost of attacks.”

According to the research, the sector most concerned by the threat of cyber attacks is financial services, while “only 10% of transport firms globally have reported a cyber attack in the past 12 months and just 27% perceive it as a threat.” Paul Jacobs, Global Leader of Cyber Security at Grant Thornton, said: ““Vigilance alone won’t keep businesses safe. Proactive measures are needed. This is an issue which needs to be on the agenda in boardrooms as well as IT departments. Management teams need to be driving cyber strategies which boost awareness of the threat among all staff, and of the policies and procedures in place to deal with the threat.”
https://www.adaware.com/blog/cyber-security-bill-for-2015-75-billion-spent-300-billion-lost

Ignorance, is an expensive game to play.
 

audiospecaccts

Upstanding
Oct 13, 2018
149
0
210
14


Things never change for them do they: always looking forward to the 1st and 15th
 

digitalgriffin

Distinguished
Jan 29, 2008
732
136
19,190
10
It's important to note that Spectre vulnerabilities also apply to java script and can attack MOBILE browsers. A lot of modern mobile CPU hardware use similar caching mechanisms which can be attacked in a similar fashion.
 

greenreaper

Prominent
Apr 3, 2018
5
3
515
0
Oh, it's worse than that. You see, if you have HyperThreading, the other thread has to be switched into kernel mode and paused while you access protected kernel data, otherwise it might run user mode code which accesses the protected data while you do as well.

Also on Skylake+ we're talking about writing 6KB of data to multiple buffers. That's potentially more than you went into kernel mode to access in the first place.

It's a huge mess, and to top it all they didn't use a new SKU name for the fixed chips, just a new stepping. No wonder they had "shortages" - they had to dump their output lest they be accused of selling known-bad goods.
 
Reactions: digitalgriffin

alceryes

Distinguished
Are there any definitive, up-to-date charts or articles from Intel and AMD on which of the last couple gens of chips (maybe from Kaby for Intel and Phenom II for AMD?) have full hardware mitigations, what ones are using hardware AND software mitigations, what ones have only software mitigations, and what ones currently have no mitigations, for each of the currently know speculative execution vulnerabilities? I know that AMD isn't vulnerable to some of them and I know that Intel's latest Coffee Lake refresh (9th gen) already include some hardware mitigations but I'm finding it difficult to match individual vulnerabilities to the type of mitigation and CPU, across the last couple gens of CPUs.

I know about MDS tool but I'd like something like a chart that I don't need to run on individual CPUs to find the info.

TIA!
 

mitch074

Distinguished
Mar 17, 2006
2,050
50
19,890
22
Are there any definitive, up-to-date charts or articles from Intel and AMD on which of the last couple gens of chips (maybe from Kaby for Intel and Phenom II for AMD?) have full hardware mitigations, what ones are using hardware AND software mitigations, what ones have only software mitigations, and what ones currently have no mitigations, for each of the currently know speculative execution vulnerabilities? I know that AMD isn't vulnerable to some of them and I know that Intel's latest Coffee Lake refresh (9th gen) already include some hardware mitigations but I'm finding it difficult to match individual vulnerabilities to the type of mitigation and CPU, across the last couple gens of CPUs.

I know about MDS tool but I'd like something like a chart that I don't need to run on individual CPUs to find the info.

TIA!
AMD have full hardware mitigations for Meltdown and many variants of Spectre, including the latest Zombieload and such products, because process isolation is really baked into the Zen architecture.

Intel's latest chips have hardware mitigations for the earlier attacks, but only firmware updates for the latest ones. Contrary to AMD though, process isolation isn't baked into the silicon - so we see hardware patches being applied on each new iteration. As long as Intel don't overhaul the Core architecture, we'll see more vulnerabilities come out regularly.

Some Spectre versions cannot be protected from in hardware : the way speculative execution is set would need a profound rework of both operating system internals and the hardware ; the result is the creation of tools like retpoline and compiler-level features that force a CPU queue flush when switching context
 
Reactions: alceryes

mitch074

Distinguished
Mar 17, 2006
2,050
50
19,890
22
Le oof.

The gift that keeps on giving.

According to the article, it's "better off patched via software", so I'd imagine it's not as much hardware vuln than software? I have a hard time believing a boundaries problem can be "easily" patched in software and not hardware...

Cheers!
 
Le oof.

The gift that keeps on giving.

According to the article, it's "better off patched via software", so I'd imagine it's not as much hardware vuln than software? I have a hard time believing a boundaries problem can be "easily" patched in software and not hardware...

Cheers!
It sounds like Microsoft already patched it:

https://arstechnica.com/information-technology/2019/08/silent-windows-update-patched-side-channel-that-leaked-data-from-intel-cpus/

EDIT

And now with 100% more Linux performance benchmarks:

https://www.phoronix.com/scan.php?page=article&item=swapgs-spectre-impact&num=1
 
Last edited:

ASK THE COMMUNITY

TRENDING THREADS