Info Meltdown and Spectre Vulnerabilities Information

[-Fran-]

Looking at it this way: all CPUs have a serious security flaws - us, humans. We all know how easy it is to trick average user to allow execution of malicious code. But this AMD flaw discussion is strictly off topic here as has nothing to do with Spectre/Meltdown.

This. These have nothing to do with Meltdown and Spectre. This is off topic bickering.

You are regurgitating bile here.

Getting might close to personal attacks here. Keep it civil.

Then put the original thread name in it, please. I don't think this will be just passing news and I don't see this as useless discussion.

The original thread name was "cpu security vulnerabilities information". You can crosscheck with the URL if you like.

Cheers!

 

[8350rocks]

While there is clearly an ulterior motive to this release of information, it appears the vulnerabilities are genuine:

https://arstechnica.com/information-technology/2018/03/a-raft-of-flaws-in-amd-chips-make-bad-hacks-much-much-worse/

What *is* genuine about this is the following:

■ If you feed your BIOS a malicious update, or your CPU a malicious microcode update it can be compromised.

■ If you have physical access to a machine and administrative privileges the machine will be compromised.

Also, I love that they specifically state that the bad BIOS and/or microcode update would require administrative physical access to the BIOS, and would require to be implemented upon each reboot.

From a professional standpoint: The 2 above points are true of any processor, from any architecture, anywhere on the planet. The fact that they single out AMD for this is absurd.

The rest of the "security whitepaper" reads like a filthy PR blurb.

 

[-Fran-]

I just saw this from GamerNexus and it's interesting: https://www.youtube.com/watch?v=ZZ7H1WTqaeo

It's just... When you put it into perspective it's like... They were looking to cash-in on AMD's back, but so far, they've failed miserably (and fortunately).

Cheers!

 

[DRagor]

http://www.tomshardware.co.uk/microsoft-speculative-execution-bug-bounty-program,news-58059.html

Microsoft introduced a new bug bounty program meant to encourage researchers to discover new speculative execution side channel vulnerabilities--such as the infamous Meltdown and Spectre flaws revealed in January--so it can help patch the security problems.

Interesting. Why Microsoft is going to spend money to help fighting bugs introduced by CPU manufacturers?

 

[-Fran-]

http://www.tomshardware.co.uk/microsoft-speculative-execution-bug-bounty-program,news-58059.html

Microsoft introduced a new bug bounty program meant to encourage researchers to discover new speculative execution side channel vulnerabilities--such as the infamous Meltdown and Spectre flaws revealed in January--so it can help patch the security problems.

Interesting. Why Microsoft is going to spend money to help fighting bugs introduced by CPU manufacturers?

Could be simple optics. They're the "first line of defense" (if you like), so they need to be proactive about a big visibility issue like this.

The other option, Intel and AMD are willing to support MS with some funding for this Bounty Program.

Cheers!

 

[gamerk316]

http://www.tomshardware.co.uk/microsoft-speculative-execution-bug-bounty-program,news-58059.html

Microsoft introduced a new bug bounty program meant to encourage researchers to discover new speculative execution side channel vulnerabilities--such as the infamous Meltdown and Spectre flaws revealed in January--so it can help patch the security problems.

Interesting. Why Microsoft is going to spend money to help fighting bugs introduced by CPU manufacturers?

Because it's their customers that get hit as a part of the flaws. Plus it costs them a lot of time and effort to patch the OS with temporary workarounds for HW problems, so it's cheaper for them in the long run to pay people to find the HW problems ahead of time so they actually get fixed.

 

[jaymc]

How Spectre And Meltdown Mitigation Hits Xeon Performance:
https://www.nextplatform.com/2018/03/16/how-spectre-and-meltdown-mitigation-hits-xeon-performance/

1
WordPress test using HHVM had about a 10 percent performance impact across the Xeon systems tested (Skylake did 91 percent, Broadwell and Haswell did 90 percent), and this PHP application has more user-kernel transitions, driven by the I/O requests coming into the servers, so the impact is greater.

2
On the one set of FIO tests, Intel used 64 KB block sizes, with one core is pegged with two NVM-Express flash drives, and the idea was to just hammer that core as much as possible. Thanks to the Skylake architecture change, there was no performance impact. On the Broadwell machines, there was a 30 percent hit and on Haswell there was a 27 percent hit. Shifting to a smaller 4 KB block size with the same two NVM-Express drives hitting a single core, the Skylake machine Took a 32 percent performance hit running the FIO test, and the Broadwell machine saw its performance drop by 59 percent and the Haswell by 60 percent. All that boundary crossing really hurts performance.

3
Now, with 4 KB block sizes, it is still a big deal, but the performance impact was a lot lower once the Retpoline approaches were used. The Skylake machine only lost 18 percent of its performance after applying the Spectre and Meltdown patches, the Broadwell machine only lost 22 percent, and the Haswell machine only lost 20 percent.

4
Rest of the test had 1-2% decrease in performance

 

[jaymc]

Edit: Posted twice my bad browser hung.

 

[-Fran-]

Well, the impact we saw in our own Ivy-E era machines is ~30%. Usage went from 20%-25% to 50%-55%. The infrastructure got their lifespan reduced by some years and projects have been put into re-sizing mode over traffic.

We all saw that coming in all honesty, so it's been dealt with. It's so sad, really.

Cheers!

 

[jaymc]

That is desperate, massive impact so.

 

[Turb0Yoda]

Can't wait till that hits our logging and pentesting boxes,
:^)

 

[-Fran-]

Performance hit analysis in a NUC!

https://www.anandtech.com/show/12566/analyzing-meltdown-spectre-perf-impact-on-intel-nuc7i7bnh

Leaving the storage subsystem outside, the losses are not really big: ~3% down on average. Storage is a massive 27% though, but CPU-intensive stuff is within error margins. That is positive for Haswell era hardware, at least.

I wish we could see on previous gens 8(

Cheers!

 

[gamerk316]

https://arstechnica.com/gadgets/2018/03/its-not-just-spectre-researchers-reveal-more-branch-prediction-attacks/

New attack vectors found against branch predictors.

As I noted a few weeks back: This is going to progressively get worse and worse as the onion gets peeled back.

 

[imrazor]

Digging a little deeper, it seems like they tested these exploits on Intel CPUs. Any word if AMD is vulnerable?

 

[Turb0Yoda]

https://arstechnica.com/gadgets/2018/03/its-not-just-spectre-researchers-reveal-more-branch-prediction-attacks/

New attack vectors found against branch predictors.

As I noted a few weeks back: This is going to progressively get worse and worse as the onion gets peeled back.

Looks like I'm a few days late on this one :/

 

[randomizer]

Up to date list of processors that Intel intends to release (or not) microcode updates for:

https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf

 

[goldstone77]

Intel has slowly been deploying mitigations for Spectre/Meltdown for recent platforms. In the most recent microcode revision guidance, Intel has indicated it will not deploy any microcode mitigations for the recently disclosed flaws for older processor platforms. Intel cited the following reasons:

“After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons including, but not limited to the following:

Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)
Limited Commercially Available System Software support
Based on customer inputs, most of these products are implemented as ‘closed systems’ and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.”
The following CPU families now list a “stopped” status regarding microcode updates:

Bloomfield
Clarksfield
Gulftown
Harpertown
Jasper Forest
Penryn
SoFIA
Wolfdale
Yorkfield

At this point, it’s no secret that mitigating Spectre/Meltdown has been a trying affair, with both Microsoft and Intel struggling to stabilize previous patches that triggered reboots, crashes, and various performance effects. Being that most of the aforementioned chip families are a decade old, Intel may very will not deem the update worth the effort. Additionally, the microcode updates can only be delivered via BIOS (motherboard OEMs) or OS patch (Microsoft, etc.), and these vendors may or may not be willing to support hardware this old.

- Eric Hamilton

https://www.gamersnexus.net/industry/3280-intel-limits-meltdown-spectre-updates-older-cpus

Mostly what we already expected... Older systems with older CPUs will not receive protection from vulnerabilities via microcode.

 

[-Fran-]

https://techreport.com/news/33493/today-patch-tuesday-helps-harden-amd-cpus-against-spectre

AMD has issued some patches and recommends checking the OEM's site for firmware updates to complement.

Cheers!

 

[Gon Freecss]

Uh, what about AMD? They've not issued any microcode updates for their older CPUs.

 

[-Fran-]

Uh, what about AMD? They've not issued any microcode updates for their older CPUs.

Probably because of this: "The update exposes control over the Indirect Branch Prediction Barrier, or IBPB, within AMD CPUs that support the feature".

It is implied in that sentence that not all AMD CPUs support IBPB, so older models might not need patching.

Cheers!

 

[juanrga]

Uh, what about AMD? They've not issued any microcode updates for their older CPUs.

Probably because of this: "The update exposes control over the Indirect Branch Prediction Barrier, or IBPB, within AMD CPUs that support the feature".

It is implied in that sentence that not all AMD CPUs support IBPB, so older models might not need patching.

All models need patching.

 

[-Fran-]

All models need patching.

Source? At least a long explanation?

 

[juanrga]

Uh, what about AMD? They've not issued any microcode updates for their older CPUs.

AMD released microcode only up to Bulldozer

In addition, microcode updates with our recommended mitigations addressing Variant 2 (Spectre) have been released to our customers and ecosystem partners for AMD processors dating back to the first “Bulldozer” core products introduced in 2011.

 

[goldstone77]

2011, can someone remind me how far back Intel is releasing their microcode updates? Let's keep in mind AMD makes 1/10 the income of Intel, and then judge.

 

[randomizer]

2009 I think, but not for all CPUs released in that timeframe.