News New Spectre Exploits Beat All Mitigations: Fixes to Severely Degrade Performance

[Admin]

New Spectre exploits vulnerabilities in micro-op caches.

New Spectre Exploits Beat All Mitigations: Fixes to Severely Degrade Performance : Read more

 

[InvalidError]

AFAIK, all of the previous attacks never went beyond proof-of-concept in a curated lab environment optimized for the best chances of success possible and would be next to impossible to pull off in a real-world environment where typical systems have a bunch of background activity raising the background noise level too much for these to be practical. They are hypotheticals to keep in mind just in case for absolutely mission-critical high-stakes secrecy/privacy (no unknown code should be allowed anywhere near those machines) and attempt to mitigate in future designs.

As usual, you need to get the code on the machine before it can attempt to exploit these flaws in the first place, so the security has already been compromised in some other less sophisticated way before the attempt can ever begin. For normal people and most businesses, this is another non-issue.

 

[aetolouee]

I wonder if these exploits can be fixed in next gen CPUs without hurting the performance.

 

[USAFRet]

AFAIK, all of the previous attacks never went beyond proof-of-concept in a curated lab environment optimized for the best chances of success possible and would be next to impossible to pull off in a real-world environment where typical systems have a bunch of background activity raising the background noise level too much for these to be practical. They are hypotheticals to keep in mind just in case for absolutely mission-critical high-stakes secrecy/privacy (no unknown code should be allowed anywhere near those machines) and attempt to mitigate in future designs.

As usual, you need to get the code on the machine before it can attempt to exploit these flaws in the first place, so the security has already been compromised in some other less sophisticated way before the attempt can ever begin. For normal people and most businesses, this is another non-issue.

There is/was one, but only 3 years later.

First Fully Weaponized Spectre Exploit Discovered Online

therecord.media

Of course, mitigated and fixed by all the intervening patches. So only a potential concern if you are one of those people who purposely negate updates.

 

[hannibal]

I wonder if these exploits can be fixed in next gen CPUs without hurting the performance.

most likely yes, but there will be performansseja cost and it seems any prediction can be weakness, so there would be permanentti reduction in the possible speed that can be get, without making these changes.
Some fixes that were mentioned can be done hardware level, but those are tasks that cpu without those don`t have to do aka you lose power to something that is purely there for security. Server chips most likely will get those in anyway. Do the consumer chips also… lets see… again…

 

[hotaru.hino]

Even though they've only tested on Zen and Skylake, if the fundamental flaw is with how to use micro-ops caching, then ARM processors may be affected as well. Wikichip claims the A77 has a micro-ops cache.

Also please note that the ISA has nothing to do with this. It's just how the processors are implemented.

 

[InvalidError]

Even though they've only tested on Zen and Skylake, if the fundamental flaw is with how to use micro-ops caching, then ARM processors may be affected as well. Wikichip claims the A77 has a micro-ops cache.

The inevitable outcome of practically all CPUs being built around the same fundamental principles since there is a limited number of sensible ways to do things regardless of ISA. Everyone tries to do things their own way because patents force them to do so and they end up converging on the nearly exact same solutions 15-20 years later once the patents (ex.: Intel's Netburst uOP cache / replay queue) have expired.

 

[mac_angel]

AFAIK, all of the previous attacks never went beyond proof-of-concept in a curated lab environment optimized for the best chances of success possible and would be next to impossible to pull off in a real-world environment where typical systems have a bunch of background activity raising the background noise level too much for these to be practical. They are hypotheticals to keep in mind just in case for absolutely mission-critical high-stakes secrecy/privacy (no unknown code should be allowed anywhere near those machines) and attempt to mitigate in future designs.

As usual, you need to get the code on the machine before it can attempt to exploit these flaws in the first place, so the security has already been compromised in some other less sophisticated way before the attempt can ever begin. For normal people and most businesses, this is another non-issue.

yea, I was wondering the same. I remembered all these security issues hitting the news, but even then I was really wondering how much my home computers would really be at risk. And all the 'fixes' did say there would be something of a performance hit, also made me think that these fixes should be options for people. State that they are security fixes for ... and let people decide if they think it's really necessary for a computer that is mostly used for playing games on Steam.

 

[hotaru.hino]

yea, I was wondering the same. I remembered all these security issues hitting the news, but even then I was really wondering how much my home computers would really be at risk. And all the 'fixes' did say there would be something of a performance hit, also made me think that these fixes should be options for people. State that they are security fixes for ... and let people decide if they think it's really necessary for a computer that is mostly used for playing games on Steam.

The average home user is probably going to fall victim to social engineering or some other means of getting sensitive information or administrative privileges than be hit by one of these, considering how difficult it is to pull off. Plus the average home user doesn't have much in the way of data that's profitable to them.

 

[InvalidError]

Plus the average home user doesn't have much in the way of data that's profitable to them.

And since most of those exploits rely on statistical analysis of CPU performance and known characteristics of the victim code to infer data, collisions between the exploit code and target code+data have to be frequent enough to build statistics to filter noise out. Not going to happen on a home PC that handles maybe a couple of site logins per day.

 

[mac_angel]

The average home user is probably going to fall victim to social engineering or some other means of getting sensitive information or administrative privileges than be hit by one of these, considering how difficult it is to pull off. Plus the average home user doesn't have much in the way of data that's profitable to them.

exactly. I'm pretty tech savvy and careful online. I try to teach my son the same. In the past he's had his Steam account stolen twice (I was able to get it back both times). I taught him to use LastPass and have LastPass generate the passwords for him. But none of that will matter when it comes down to the user. Even myself, I had my credit card info nabbed from one site just a couple of weeks ago. Two sites did two test transactions for something like $1.29 each. When they went through, a bunch of other sites started billing my credit card for odd amounts between $50 and $60. Luckily I caught it. But to stop it I had to cancel my credit card and open up an investigation that can take 2 weeks. I'm not sure what it is they do for investigating, but I think to the majority of people, looking at the sites they were affiliated with, and the progression of what and how it happened, it was pretty sketchy and obvious.
Anyway, point is, I agree. I don't think those vulnerabilities really affect the majority of end users. But the performance hits that the fixes entail would. And we should be given an option to secure our computer, or keep our performance.

 

[InvalidError]

Even myself, I had my credit card info nabbed from one site just a couple of weeks ago.

Much of the time though, credit cards getting compromised is due to a server-side exploit on a site you do business with, not your own PC or whatever device you do your online shopping and other payments from. When my credit card got used for a fraudulent transaction last year, it was because the payment handler for my union got hacked around the time I logged in to pay my membership fee.

 

[USAFRet]

Much of the time though, credit cards getting compromised is due to a server-side exploit on a site you do business with, not your own PC or whatever device you do your online shopping and other payments from. When my credit card got used for a fraudulent transaction last year, it was because the payment handler for my union got hacked around the time I logged in to pay my membership fee.

Same here.
I had a card compromised a few years ago.

Almost certainly a skimming device at a gas station.

We out here can be as proactive and careful as possible.
But when the entities that handle your data are not so careful...
VA, Yahoo, Equifax, Experian, facebook. Not a lot you can do.

 

[rluker5]

There is/was one, but only 3 years later.

First Fully Weaponized Spectre Exploit Discovered Online

therecord.media

Of course, mitigated and fixed by all the intervening patches. So only a potential concern if you are one of those people who purposely negate updates.

It still isn't shown that that was one. The exploit was part of a vulnerability testing kit and, from that same article " however, there is no evidence that the exploit was used in the wild, as it could have also been uploaded on VirusTotal by a penetration tester as well. "
So we are still at 0.

 

[InvalidError]

So we are still at 0.

Depends on whether you are counting strictly exploits that have made it into the wild vs demonstration of a practical application in a more realistic scenario that could possibly get used in the wild. Still highly hypothetical but gets in the realm of legitimate immediate concern.

 

[mac_angel]

Much of the time though, credit cards getting compromised is due to a server-side exploit on a site you do business with, not your own PC or whatever device you do your online shopping and other payments from. When my credit card got used for a fraudulent transaction last year, it was because the payment handler for my union got hacked around the time I logged in to pay my membership fee.

oh, definitely. I'm not thinking it was my computer getting compromised. Just that there are so many other vulnerabilities with all of these things. I'd rather have the option to keep my performance over a security patch that has a very, very minor chance of affecting me.

 

[USAFRet]

oh, definitely. I'm not thinking it was my computer getting compromised. Just that there are so many other vulnerabilities with all of these things. I'd rather have the option to keep my performance over a security patch that has a very, very minor chance of affecting me.

Performance vs security updates is a never ending battle.

Pre Win 10, users could easily turn off ALL updates and security patches.
"My neighbors nephew Jimmy (you know he's really good with computers) turned off all those silly updates, because he says they just slow things down"

Result? Massive infections and botnets.
Microsoft is widely lambasted for allowing users to get compromised.
The WannaCry ransomware was almost entirely on systems that were unpatched. MS put out a patch for that 2 months before it was seen in the wild.

Enter Win 10.
'You WILL get updates, whether you like it or not.'
Again, MS is widely lambasted for this.

Can't have it both ways.

You and I may know and internalize the risk v benefit.
The other 500 million users may not.

 

[InvalidError]

Performance vs security updates is a never ending battle.

What battle? There is no practical means of exploiting most Spectre-type issues in the real world, most have barely survived the proof-of-concept stage under lab conditions. These flaws pose no meaningful threat to end-users, only to servers that handle mission-critical secret sauce.

To use these exploits, you first need to gain access to run code. Most normal people are already screwed if an attacker gets that far, no need to rely on fancy side-channel statistical exploits.

 

[USAFRet]

What battle? There is no practical means of exploiting most Spectre-type issues in the real world, most have barely survived the proof-of-concept stage under lab conditions. These flaws pose no meaningful threat to end-users, only to servers that handle mission-critical secret sauce.

To use these exploits, you first need to gain access to run code. Most normal people are already screwed if an attacker gets that far, no need to rely on fancy side-channel statistical exploits.

Not referring to Spectre specifically, but rather the larger 'security updates' thing.

Should Spectre/Meltdown fixes be walled off and user selectable?
Yeah, maybe.

 

[hotaru.hino]

"My neighbors nephew Jimmy (you know he's really good with computers) turned off all those silly updates, because he says they just slow things down"

And the problem with Jimmy is he probably added a hard drive and he thinks he's now on the same level as a 20-year experienced IT professional.

 

[USAFRet]

And the problem with Jimmy is he probably added a hard drive and he thinks he's now on the same level as a 20-year experienced IT professional.

We see "Jimmy" here every day...

 

[ginthegit]

Oh my Gosh, again tthey speak!

Let me explain this, this Cache is the cache used for Pipelines, SMT and its ilk use the same process as Pipelining but a different register. SMT and its ilk are a Gimick as Pipelining already does the same thing. A guy at Camp Gemini once explained to me this Level 0 access, and as Camp Gemini work closely with Governments, they were warned of this problem (Spectre) way back, and had to code it out of their systems.

Think about it, How does a Cache that is only meant to be read by the core itself have;

1. Access to the Kernel? (windows Scheduler which is the spyware for Gov agencies which keeps track of the activity of the core for Monitoring purposes), but it has been know by deep contracting companies; like camp Gemini, that there is little purpose for the scheduler than to read the contents and report accross the Kernel(deliberate)
2. Have access to anything other than the core and its hardware encoded routines, but somehow the Microcode has access to a hard wire cache system, and we are not talking just "is content full or empty commands" but "what is the content command."
3. Think of the overheads of the exploit, it means that the CPU is using cycles to send back information accross the Kernel to be packaged up and sent to the Internet Port. Would not a simple Antivirus or spyware software detect such activity or be made to before it can be sent remotely?
4. SMT and its ilk (hyperthreading) along with pipelining have always been know to make these exploits, at it is not about the hardware intended operation, but the hardware has been wired to allow for both Microcode, and thus extenal nafarious influence since its inception. Intel has been accused of this by people like;

Thomas Drake, Bunnatine Creenhouse, Russell Tice, Edward snowdon and manu others, who have actually worked in the high level industries.

1. AMD resisted such influence until the advent of Lisa Su.
2. AMD also now using same practices as Intel used to (AKA 5)

You guys need to read Snowdons info on Level 0 access.

Geez, Read about this stuff first!

 

[GenericUser]

And the problem with Jimmy is he probably added a hard drive and he thinks he's now on the same level as a 20-year experienced IT professional.

This comment causes me pain after recalling how many times I've come across this, having do deal with this person who refuses to believe that he isn't in fact an expert, and then having to clean up after his mess.