News New Spectre Exploits Beat All Mitigations: Fixes to Severely Degrade Performance

InvalidError

Titan
Moderator
AFAIK, all of the previous attacks never went beyond proof-of-concept in a curated lab environment optimized for the best chances of success possible and would be next to impossible to pull off in a real-world environment where typical systems have a bunch of background activity raising the background noise level too much for these to be practical. They are hypotheticals to keep in mind just in case for absolutely mission-critical high-stakes secrecy/privacy (no unknown code should be allowed anywhere near those machines) and attempt to mitigate in future designs.

As usual, you need to get the code on the machine before it can attempt to exploit these flaws in the first place, so the security has already been compromised in some other less sophisticated way before the attempt can ever begin. For normal people and most businesses, this is another non-issue.
 

USAFRet

Titan
Moderator
AFAIK, all of the previous attacks never went beyond proof-of-concept in a curated lab environment optimized for the best chances of success possible and would be next to impossible to pull off in a real-world environment where typical systems have a bunch of background activity raising the background noise level too much for these to be practical. They are hypotheticals to keep in mind just in case for absolutely mission-critical high-stakes secrecy/privacy (no unknown code should be allowed anywhere near those machines) and attempt to mitigate in future designs.

As usual, you need to get the code on the machine before it can attempt to exploit these flaws in the first place, so the security has already been compromised in some other less sophisticated way before the attempt can ever begin. For normal people and most businesses, this is another non-issue.
There is/was one, but only 3 years later.

Of course, mitigated and fixed by all the intervening patches. So only a potential concern if you are one of those people who purposely negate updates.
 

hannibal

Distinguished
I wonder if these exploits can be fixed in next gen CPUs without hurting the performance.
Most likely yes, but there will be a performance cost, and it seems any prediction can be a weakness, so there would be a permanent reduction in the possible speed that can be got without making these changes.
Some fixes that were mentioned can be done at hardware level, but those are tasks that a CPU without those doesn't have to do, aka you lose power to something that is purely there for security. Server chips most likely will get those in anyway. Do the consumer chips also… let's see… again…
 
Even though they've only tested on Zen and Skylake, if the fundamental flaw is with how to use micro-ops caching, then ARM processors may be affected as well. Wikichip claims the A77 has a micro-ops cache.

Also please note that the ISA has nothing to do with this. It's just how the processors are implemented.
 

InvalidError

Titan
Moderator
Even though they've only tested on Zen and Skylake, if the fundamental flaw is with how to use micro-ops caching, then ARM processors may be affected as well. Wikichip claims the A77 has a micro-ops cache.
The inevitable outcome of practically all CPUs being built around the same fundamental principles since there is a limited number of sensible ways to do things regardless of ISA. Everyone tries to do things their own way because patents force them to do so and they end up converging on the nearly exact same solutions 15-20 years later once the patents (ex.: Intel's Netburst uOP cache / replay queue) have expired.
 

mac_angel

Distinguished
AFAIK, all of the previous attacks never went beyond proof-of-concept in a curated lab environment optimized for the best chances of success possible and would be next to impossible to pull off in a real-world environment where typical systems have a bunch of background activity raising the background noise level too much for these to be practical. They are hypotheticals to keep in mind just in case for absolutely mission-critical high-stakes secrecy/privacy (no unknown code should be allowed anywhere near those machines) and attempt to mitigate in future designs.

As usual, you need to get the code on the machine before it can attempt to exploit these flaws in the first place, so the security has already been compromised in some other less sophisticated way before the attempt can ever begin. For normal people and most businesses, this is another non-issue.
yea, I was wondering the same. I remembered all these security issues hitting the news, but even then I was really wondering how much my home computers would really be at risk. And all the 'fixes' did say there would be something of a performance hit, also made me think that these fixes should be options for people. State that they are security fixes for ... and let people decide if they think it's really necessary for a computer that is mostly used for playing games on Steam.
 
yea, I was wondering the same. I remembered all these security issues hitting the news, but even then I was really wondering how much my home computers would really be at risk. And all the 'fixes' did say there would be something of a performance hit, also made me think that these fixes should be options for people. State that they are security fixes for ... and let people decide if they think it's really necessary for a computer that is mostly used for playing games on Steam.
The average home user is probably going to fall victim to social engineering or some other means of getting sensitive information or administrative privileges than be hit by one of these, considering how difficult it is to pull off. Plus the average home user doesn't have much in the way of data that's profitable to them.
 

InvalidError

Titan
Moderator
Plus the average home user doesn't have much in the way of data that's profitable to them.
And since most of those exploits rely on statistical analysis of CPU performance and known characteristics of the victim code to infer data, collisions between the exploit code and target code+data have to be frequent enough to build statistics to filter noise out. Not going to happen on a home PC that handles maybe a couple of site logins per day.
 
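The statistical point made in the post above (the exploit code must collide with the victim often enough to average the noise out) can be illustrated with a small simulation. This is an added example, not part of the thread and not anyone's exploit code: it models a single timing measurement as a Gaussian, hides a hypothetical 1-cycle shift in it, and computes how many samples a plain difference-of-means test needs before that shift clears a 3-sigma threshold at different noise levels. The function names, the 100-cycle baseline and the noise levels are constructed for the illustration.

```python
import math
import random
import statistics


def samples_needed(signal_cycles, noise_std, confidence_z=3.0):
    """Samples per group needed for a difference-of-means test to detect a
    shift of signal_cycles under Gaussian noise with std dev noise_std.

    The standard error of the difference of two means (equal n, equal sigma)
    is sigma * sqrt(2 / n); requiring signal > z * SE gives
    n > 2 * (z * sigma / signal) ** 2. Note the quadratic growth in sigma.
    """
    return math.ceil(2 * (confidence_z * noise_std / signal_cycles) ** 2)


def simulate_timings(n, signal_cycles, noise_std, seed=0):
    """Constructed sample data: two groups of n timing measurements around a
    hypothetical 100-cycle baseline. The 'shifted' group carries the hidden
    signal on top of the same noise."""
    rng = random.Random(seed)
    base = [rng.gauss(100.0, noise_std) for _ in range(n)]
    shifted = [rng.gauss(100.0 + signal_cycles, noise_std) for _ in range(n)]
    return base, shifted


def distinguishable(base, shifted, confidence_z=3.0):
    """True if the observed difference of means exceeds confidence_z standard
    errors, i.e. the hidden shift is recoverable from these samples."""
    n = len(base)
    diff = statistics.mean(shifted) - statistics.mean(base)
    pooled_sd = (statistics.pstdev(base) + statistics.pstdev(shifted)) / 2
    standard_error = pooled_sd * math.sqrt(2 / n)
    return diff > confidence_z * standard_error


def noise_table(signal_cycles=1.0, noise_levels=(1, 10, 100)):
    """Required sample counts per noise level (constructed levels): ten times
    the noise costs a hundred times the collisions with the victim."""
    return {sd: samples_needed(signal_cycles, sd) for sd in noise_levels}


if __name__ == "__main__":
    for sd, n in noise_table().items():
        base, shifted = simulate_timings(n, 1.0, sd)
        print(f"noise sd={sd:>3}: need {n:>6} samples/group; "
              f"detected at that n: {distinguishable(base, shifted)}")
```

The table is the defender's side of the argument: background activity on a busy desktop does not make a side channel impossible, it multiplies the number of victim interactions an attacker needs, which is why a machine that performs a handful of sensitive operations per day is a poor target for this class of technique.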

mac_angel

Distinguished
The average home user is probably going to fall victim to social engineering or some other means of getting sensitive information or administrative privileges than be hit by one of these, considering how difficult it is to pull off. Plus the average home user doesn't have much in the way of data that's profitable to them.
exactly. I'm pretty tech savvy and careful online. I try to teach my son the same. In the past he's had his Steam account stolen twice (I was able to get it back both times). I taught him to use LastPass and have LastPass generate the passwords for him. But none of that will matter when it comes down to the user. Even myself, I had my credit card info nabbed from one site just a couple of weeks ago. Two sites did two test transactions for something like $1.29 each. When they went through, a bunch of other sites started billing my credit card for odd amounts between $50 and $60. Luckily I caught it. But to stop it I had to cancel my credit card and open up an investigation that can take 2 weeks. I'm not sure what it is they do for investigating, but I think to the majority of people, looking at the sites they were affiliated with, and the progression of what and how it happened, it was pretty sketchy and obvious.
Anyway, point is, I agree. I don't think those vulnerabilities really affect the majority of end users. But the performance hits that the fixes entail would. And we should be given an option to secure our computer, or keep our performance.
 

InvalidError

Titan
Moderator
Even myself, I had my credit card info nabbed from one site just a couple of weeks ago.
Much of the time though, credit cards getting compromised is due to a server-side exploit on a site you do business with, not your own PC or whatever device you do your online shopping and other payments from. When my credit card got used for a fraudulent transaction last year, it was because the payment handler for my union got hacked around the time I logged in to pay my membership fee.
 

USAFRet

Titan
Moderator
Much of the time though, credit cards getting compromised is due to a server-side exploit on a site you do business with, not your own PC or whatever device you do your online shopping and other payments from. When my credit card got used for a fraudulent transaction last year, it was because the payment handler for my union got hacked around the time I logged in to pay my membership fee.
Same here.
I had a card compromised a few years ago.

Almost certainly a skimming device at a gas station.

We out here can be as proactive and careful as possible.
But when the entities that handle your data are not so careful...
VA, Yahoo, Equifax, Experian, facebook. Not a lot you can do.
 

rluker5

Distinguished
There is/was one, but only 3 years later.

Of course, mitigated and fixed by all the intervening patches. So only a potential concern if you are one of those people who purposely negate updates.
It still isn't shown that that was one. The exploit was part of a vulnerability testing kit and, from that same article, "however, there is no evidence that the exploit was used in the wild, as it could have also been uploaded on VirusTotal by a penetration tester as well."
So we are still at 0.
 

mac_angel

Distinguished
Much of the time though, credit cards getting compromised is due to a server-side exploit on a site you do business with, not your own PC or whatever device you do your online shopping and other payments from. When my credit card got used for a fraudulent transaction last year, it was because the payment handler for my union got hacked around the time I logged in to pay my membership fee.
oh, definitely. I'm not thinking it was my computer getting compromised. Just that there are so many other vulnerabilities with all of these things. I'd rather have the option to keep my performance over a security patch that has a very, very minor chance of affecting me.
 

USAFRet

Titan
Moderator
oh, definitely. I'm not thinking it was my computer getting compromised. Just that there are so many other vulnerabilities with all of these things. I'd rather have the option to keep my performance over a security patch that has a very, very minor chance of affecting me.
Performance vs security updates is a never ending battle.

Pre Win 10, users could easily turn off ALL updates and security patches.
"My neighbor's nephew Jimmy (you know he's really good with computers) turned off all those silly updates, because he says they just slow things down"

Result? Massive infections and botnets.
Microsoft is widely lambasted for allowing users to get compromised.
The WannaCry ransomware was almost entirely on systems that were unpatched. MS put out a patch for that 2 months before it was seen in the wild.

Enter Win 10.
'You WILL get updates, whether you like it or not.'
Again, MS is widely lambasted for this.

Can't have it both ways.

You and I may know and internalize the risk v benefit.
The other 500 million users may not.
 

InvalidError

Titan
Moderator
Performance vs security updates is a never ending battle.
What battle? There is no practical means of exploiting most Spectre-type issues in the real world, most have barely survived the proof-of-concept stage under lab conditions. These flaws pose no meaningful threat to end-users, only to servers that handle mission-critical secret sauce.

To use these exploits, you first need to gain access to run code. Most normal people are already screwed if an attacker gets that far, no need to rely on fancy side-channel statistical exploits.
 

USAFRet

Titan
Moderator
What battle? There is no practical means of exploiting most Spectre-type issues in the real world, most have barely survived the proof-of-concept stage under lab conditions. These flaws pose no meaningful threat to end-users, only to servers that handle mission-critical secret sauce.

To use these exploits, you first need to gain access to run code. Most normal people are already screwed if an attacker gets that far, no need to rely on fancy side-channel statistical exploits.
Not referring to Spectre specifically, but rather the larger 'security updates' thing.

Should Spectre/Meltdown fixes be walled off and user selectable?
Yeah, maybe.
 

ginthegit

Distinguished
Oh my Gosh, again they speak!

Let me explain this, this Cache is the cache used for Pipelines, SMT and its ilk use the same process as Pipelining but a different register. SMT and its ilk are a gimmick as Pipelining already does the same thing. A guy at Camp Gemini once explained to me this Level 0 access, and as Camp Gemini work closely with Governments, they were warned of this problem (Spectre) way back, and had to code it out of their systems.

Think about it, How does a Cache that is only meant to be read by the core itself have;
  1. Access to the Kernel? (Windows Scheduler which is the spyware for Gov agencies which keeps track of the activity of the core for monitoring purposes), but it has been known by deep contracting companies, like Camp Gemini, that there is little purpose for the scheduler other than to read the contents and report across the Kernel (deliberate)
  2. Have access to anything other than the core and its hardware encoded routines, but somehow the Microcode has access to a hard wire cache system, and we are not talking just "is content full or empty commands" but "what is the content command."
  3. Think of the overheads of the exploit, it means that the CPU is using cycles to send back information across the Kernel to be packaged up and sent to the Internet Port. Would not a simple Antivirus or spyware software detect such activity or be made to before it can be sent remotely?
  4. SMT and its ilk (hyperthreading) along with pipelining have always been known to make these exploits, as it is not about the hardware intended operation, but the hardware has been wired to allow for both Microcode, and thus external nefarious influence since its inception. Intel has been accused of this by people like;
Thomas Drake, Bunnatine Greenhouse, Russell Tice, Edward Snowden and many others, who have actually worked in the high level industries.
  5. AMD resisted such influence until the advent of Lisa Su.
  6. AMD also now using same practices as Intel used to (AKA 5)
You guys need to read Snowden's info on Level 0 access.

Geez, Read about this stuff first!
 

GenericUser

Distinguished
And the problem with Jimmy is he probably added a hard drive and he thinks he's now on the same level as a 20-year experienced IT professional.
This comment causes me pain after recalling how many times I've come across this, having to deal with this person who refuses to believe that he isn't in fact an expert, and then having to clean up after his mess.
 
