Intel Hyper-Threading Accused of Being a Security Threat

daveybrat

Super Moderator
Jan 31, 2000
5,099
477
126
Take this article with a huge grain of salt, but I wonder to what extent parts of this might be true:

https://www.tomshardware.com/news/disable-intel-hyper-threading-security,37690.html

Quote:
Following the reveal of the Foreshadow (L1TF) Intel CPU flaw, as well as the previous TLBleed flaw, Theo de Raadt, founder of OpenBSD, which makes a free, multi-platform, UNIX-like operating system, recommended everyone completely disable Intel’s Hyper-Threading in BIOS before hackers start taking advantage of it.
 

VirtualLarry

Lifer
Aug 25, 2001
44,787
3,825
126
How long before CPUs have a "Performance Mode" (for single-user personal / gaming PCs), and a "Security Mode" (for VM farms)? The former would allow all performance "cheats" in the CPU, and the latter would disable anything in the CPU that might be hackable or have side-channel effects. Of course, the CPU would be highly-neutered, performance-wise, if it used existing Intel Core architecture, which as I understand it, relies very heavily on performance "cheats" to obtain its IPC numbers.
 
Aug 11, 2008
10,457
637
126
The full article at TH says there are not even any exploits yet. It is just something that might be exploited in the future.
 

whm1974

Diamond Member
Jul 24, 2016
8,334
1,373
96
I think this is one of those things, a real concern for people running servers with VMs and stuff, but for the regular user right now not a problem.
So how many of these CPU security flaws are a major concern and which ones are rather minor? I'm not saying that the minor ones should be ignored, but sometimes some of these security experts sound like the boy who cried wolf.
 

TheELF

Platinum Member
Dec 22, 2012
2,886
268
126
So your take is, who cares, let everyone run it, and wait until a real breach happens before you worry about it?
What's the alternative?
As soon as a CPU executes code that you yourself haven't hand coded it's a security risk.
You're all running around using Windows and Android (or even some Linux distro a 12 year old cobbled together) but are worried about this...
 
Aug 11, 2008
10,457
637
126
So your take is, who cares, let everyone run it, and wait until a real breach happens before you worry about it?
Thanks for putting words in my mouth. I simply stated a fact directly from the article. The inferences are all from you.
 

Abwx

Diamond Member
Apr 2, 2011
9,037
789
126
So how many of these CPU security flaws are a major concern and which ones are rather minor?
Once they are publicly known they become a major threat since every wannabe hacker is given the info...

As for some comments, how surprising that a given public brands these flaws as unimportant since they seem to be concentrated on a given firm's products; what would be the opinion of such people if these were, say, typical of Epyc, f.i.?

100% sure that the discourse would be at the exact opposite...
 

Markfw

CPU Moderator, VC&G Moderator, Elite Member
Super Moderator
May 16, 2002
18,358
5,680
136
Thanks for putting words in my mouth. I simply stated a fact directly from the article. The inferences are all from you.
Was this your statement? Or a direct quote from Tom's? It's not clear to me, but I took it as yours, and that infers that "who cares until they do"

"It is just something that might be exploited in the future."
 

DaveSimmons

Elite Member
Aug 12, 2001
40,737
667
126
A thousand WordPress hacks have been created without using Spectre or Foreshadow.

Exploits will continue to be found in OS code, applications, protocols, and even with air-gapped computers. The only 100% safe way to protect the information in a computer is to melt it down into a puddle of goo.

Time to go back to paper and pen, but write with a single sheet on a steel slate so that there is no information leakage onto the surface below.

Or....apply updates and patches as they are released, and evaluate how each unpatched new exploit applies to your own use of a PC and decide what to do about it.

Based on this, my opinion is that normal desktop users shouldn't care about TLBleed: https://arstechnica.com/gadgets/2018/06/tlbleed-a-new-way-to-leak-crypto-keys-on-hyperthreaded-processors/
 

whm1974

Diamond Member
Jul 24, 2016
8,334
1,373
96
A thousand WordPress hacks have been created without using Spectre or Foreshadow.

Exploits will continue to be found in OS code, applications, protocols, and even with air-gapped computers. The only 100% safe way to protect the information in a computer is to melt it down into a puddle of goo.

Time to go back to paper and pen, but write with a single sheet on a steel slate so that there is no information leakage onto the surface below.

Or....apply updates and patches as they are released, and evaluate how each unpatched new exploit applies to your own use of a PC and decide what to do about it.

Based on this, my opinion is that normal desktop users shouldn't care about TLBleed: https://arstechnica.com/gadgets/2018/06/tlbleed-a-new-way-to-leak-crypto-keys-on-hyperthreaded-processors/
I'm thinking about which security risks I can do something about myself and those that I will have to wait on others to fix. I keep up with updates and have my Firewall up and running. I'm also careful about what I install and get packages from.
 

DaveSimmons

Elite Member
Aug 12, 2001
40,737
667
126
I'm thinking about which security risks I can do something about myself and those that I will have to wait on others to fix. I keep up with updates and have my Firewall up and running. I'm also careful about what I install and get packages from.
Yep, as the wise man Joe Jackson sings, "everything gives you cancer."

Don't install random apps from shady sites, keep your browser up to date, keep an eye out for unpatched zero-day exploits that don't require physical access to your computer or NSA-level hacking.

For example, at least one speculative execution exploit could work using just JavaScript in a browser, until they were patched. Once patched, you're safe. Now most of the speculative execution exploits have requirements like "first compromise the OS" or "buy $50 worth of cloud computing" which isn't going to happen for mass attacks on ordinary PCs.

Mass spam and phishing happens because the attacks cost less than a fraction of a cent per attempt. They infect (or buy access to infected) servers and have those servers do the bulk mailing.

If you're an engineer for Boeing and keep aircraft design documents on your home PC, then China might make the effort to target you personally. Even then they'd probably use something simpler than a speculative execution exploit, like installing a rootkit.

All that said, if you're running a commercial cloud service or datacenter that allows users to run their own code then you're probably very annoyed with Intel right now for all of these exploits requiring performance downgrades.
 
Mar 11, 2004
19,095
1,681
126
A thousand WordPress hacks have been created without using Spectre or Foreshadow.

Exploits will continue to be found in OS code, applications, protocols, and even with air-gapped computers. The only 100% safe way to protect the information in a computer is to melt it down into a puddle of goo.

Time to go back to paper and pen, but write with a single sheet on a steel slate so that there is no information leakage onto the surface below.

Or....apply updates and patches as they are released, and evaluate how each unpatched new exploit applies to your own use of a PC and decide what to do about it.

Based on this, my opinion is that normal desktop users shouldn't care about TLBleed: https://arstechnica.com/gadgets/2018/06/tlbleed-a-new-way-to-leak-crypto-keys-on-hyperthreaded-processors/
Except that you're missing that why people are mad is that companies running servers have shown they're seemingly not taking security any more seriously than general WinXP users about 15 years ago. And you don't have to be running code on their stuff to be concerned, because lots of companies/organizations are handling your data, and that creates problems for you when they have this "eh, we'll do something about it if it becomes a problem" mentality.

Plenty of times it's not the IT department workers that are the issue, as they'll tell the higher ups and they'll tell the management and the latter just won't care until they're forced to. But since they get away with a light slap on the wrist if anything over their failures in this regard, there's no real pressure to change, because they share your feelings.

When this starts leading to real harm (like say hospitals, or infrastructure - power plants and electric grid, or food production facilities, or government), I'm guessing you're gonna be one of those "why weren't they doing something about this to prevent it?!?" people.

Yep, as the wise man Joe Jackson sings, "everything gives you cancer."

Don't install random apps from shady sites, keep your browser up to date, keep an eye out for unpatched zero-day exploits that don't require physical access to your computer or NSA-level hacking.

For example, at least one speculative execution exploit could work using just JavaScript in a browser, until they were patched. Once patched, you're safe. Now most of the speculative execution exploits have requirements like "first compromise the OS" or "buy $50 worth of cloud computing" which isn't going to happen for mass attacks on ordinary PCs.

Mass spam and phishing happens because the attacks cost less than a fraction of a cent per attempt. They infect (or buy access to infected) servers and have those servers do the bulk mailing.

If you're an engineer for Boeing and keep aircraft design documents on your home PC, then China might make the effort to target you personally. Even then they'd probably use something simpler than a speculative execution exploit, like installing a rootkit.

All that said, if you're running a commercial cloud service or datacenter that allows users to run their own code then you're probably very annoyed with Intel right now for all of these exploits requiring performance downgrades.
I think it's beyond annoyance. I imagine they'll be full on suing their butts or demanding they give them a CPU capable of the thread count processing and general performance of the one they bought based on Intel's sales and marketing. And that better be for free, because at this point, Intel straight up has been lying to its customers. I genuinely cannot think of the last time a company did something like this for years (Apple's battery/power gating thing would be the closest, and that was big news and even Apple fans were outraged). And I cannot think of any instance in which there was something like this and yet there were so many people acting like people shouldn't even be able to have an issue with this. "Oh don't have a server CPU, well then stop whining." Great attitude there. They were quite aware of the potential catastrophic results from stuff like this, and didn't care, figuring like you, well they'll do something about it if it happens. And then of course they're trying to act like it's computing at large, even when it's ones that work only on their hardware.

Also, I take it you're choosing to ignore the IoT glut of devices where you can't patch them, and many of them are already compromised? I hope you recall that Intel was doing a big push for IoT, I'm sure it's just a coincidence that both situations show a noticeable lack of concern about security. And we don't have good data on what is and isn't compromised, because again, there's a lot of people like you that just shrug, "eh, don't be an idiot and nothing will happen to you". Meanwhile I can guarantee you that there are exploits that are in the wild that you don't know about, and so even if you do your best to be smart, you're at serious risk of being compromised. And you're not going to know it.

The last point I want to make is. You think that maybe if these companies didn't have to worry about these Intel specific ones that it would just possibly free them up to work to deal with the many other ones they need to address? I'm waiting for when we find out that some of these fixes actually break the security protection for other exploits, opening them up to older ones that they thought were handled. At this point it seems like an inevitability.

Next up we'll find out that Intel's stuff somehow ends up with Y2K bugs because their fix for that was to just set it to 2020 or something.
 

TheELF

Platinum Member
Dec 22, 2012
2,886
268
126
Once they are publicly known they become a major threat since every wannabe hacker is given the info...

As for some comments, how surprising that a given public brands these flaws as unimportant since they seem to be concentrated on a given firm's products; what would be the opinion of such people if these were, say, typical of Epyc, f.i.?

100% sure that the discourse would be at the exact opposite...
Hmm well let's test your theory for a bit...let's see.
https://threatpost.com/amd-investigating-reports-of-13-critical-vulnerabilities-found-in-ryzen-epyc-chips/130404/
 

Markfw

CPU Moderator, VC&G Moderator, Elite Member
Super Moderator
May 16, 2002
18,358
5,680
136

Abwx

Diamond Member
Apr 2, 2011
9,037
789
126
That's an old story, actually those threats are real only if one takes physical control of the machines, the same way you would let someone plug an infected USB drive in your personal PC...

Btw, this alleged research center was nothing else than a cover up for some squeezed short sellers, I can't explain otherwise how they came with such phony claims...
 

french toast

Senior member
Feb 22, 2017
943
744
106
Wow, that's old for a start, they were more a general vulnerability of the chipset than AMD specific (if I remember correctly), which also affected Intel in some cases (not mentioned in their 'disclosure').
They refused to disclose their sponsors, which when taking into account they only gave AMD one week to respond before full public disclosure (very unusual), I am to think Intel was probably behind this.
Something I predicted when Spectre and Meltdown first came out, that Intel would pay for a hit piece... we will never know for certain.
 

maddie

Platinum Member
Jul 18, 2010
2,768
1,336
136
That was an ultimately amusing attempt at manipulation. Remember they were also found to be using some manipulated generic office photos for their business site. After the expose, never heard from them again, and here we have it being dug up as evidence. I suppose desperate times call for desperate measures.
 

moinmoin

Senior member
Jun 1, 2017
988
755
106

DaveSimmons

Elite Member
Aug 12, 2001
40,737
667
126
As mentioned above, they were almost certainly just sockpuppets working for stock manipulators.

Also, I take it you're choosing to ignore the IoT glut of devices where you can't patch them, and many of them are already compromised? I hope you recall that Intel was doing a big push for IoT, I'm sure it's just a coincidence that both situations show a noticeable lack of concern about security.
IoT and embedded systems are a huge concern, but my wild guess is 99% of the exploits found for them won't be from speculative execution information leaks. They will be found by disassembling the BIOS, OS, and application code of the devices looking for code bugs. That, and the CPU for many (most?) IoT devices use ARM cores.
 

TheELF

Platinum Member
Dec 22, 2012
2,886
268
126
So you missed this glorious thread and the associated AT articles back in spring: https://forums.anandtech.com/threads/amdflaws-com-what-is-this.2540299/
Helped separate the wheat from the chaff in the press reporting, I guess it works with users as well.
And apparently you missed last year, then it was Debian claiming that everyone should disable HT like yesterday because it could blow up your PC (well, cause data loss), all was patched and all was forgotten, and this won't be any different just like the amdflaws wasn't any different, they discover flaws/vulnerabilities all the time and they also fix them all the time.
https://forums.anandtech.com/threads/intel-skylake-kaby-lake-processors-broken-hyper-threading.2509617/
https://hothardware.com/news/critical-flaw-in-intel-skylake-and-kaby-lake-hyperthreading-discovered-requiring-bios-microcode-fix
 

french toast

Senior member
Feb 22, 2017
943
744
106
And apparently you missed last year, then it was Debian claiming that everyone should disable HT like yesterday because it could blow up your PC (well, cause data loss), all was patched and all was forgotten, and this won't be any different just like the amdflaws wasn't any different, they discover flaws/vulnerabilities all the time and they also fix them all the time.
https://forums.anandtech.com/threads/intel-skylake-kaby-lake-processors-broken-hyper-threading.2509617/
https://hothardware.com/news/critical-flaw-in-intel-skylake-and-kaby-lake-hyperthreading-discovered-requiring-bios-microcode-fix
I think you're intentionally muddying the waters, these flaws most likely have been known for years and years, far too simple for those expert engineers at Intel to not notice, they left it in for a reason, they have the most R&D, the most engineers, the most experience with speculative execution and SMT.

They said Cascade Lake was pulled from tape in and fixed for some vulnerabilities in two weeks!

That tells you they more than likely knew and had a hardware contingency plan just 'in case' or for future products, the R&D had already been done for this fix and put on ice.
That is why you can't just give Intel a free pass and say AMD/ARM/Intel are all the same.

Just my opinion.
 

dualsmp

Golden Member
Aug 16, 2003
1,616
26
91
And apparently you missed last year, then it was Debian claiming that everyone should disable HT like yesterday because it could blow up your PC (well, cause data loss), all was patched and all was forgotten, and this won't be any different just like the amdflaws wasn't any different, they discover flaws/vulnerabilities all the time and they also fix them all the time.
https://forums.anandtech.com/threads/intel-skylake-kaby-lake-processors-broken-hyper-threading.2509617/
https://hothardware.com/news/critical-flaw-in-intel-skylake-and-kaby-lake-hyperthreading-discovered-requiring-bios-microcode-fix
That was a case where they were recommending to temporarily disable HT when the flaw was discovered. However a microcode update was able to fix it later on and HT could be re-enabled without consequence.

In the case of the L1TF flaw every Intel processor on the planet with HT cannot be mitigated with a microcode update or software update. The only way to mitigate the L1TF flaw completely is to disable HT in BIOS forever. HT needs a completely new architecture to fix it and most likely even the newest Intel 9000 series processors are affected.
 
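Added example, not part of any post in this thread: on Linux the kernel publishes its own L1TF assessment in sysfs, and the script below turns that status string into a verdict that depends on whether the machine hosts virtual machines it does not control, which is the desktop-versus-VM-host distinction several posters draw. The sysfs path and status format are the Linux kernel's; the verdict names, function names and the `--host` switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example: interpret the l1tf status string that Linux exposes under
# /sys/devices/system/cpu/vulnerabilities/. Verdict words are illustrative.

# l1tf_advice STATUS UNTRUSTED_GUESTS
#   STATUS            text of the l1tf sysfs file
#   UNTRUSTED_GUESTS  "yes" if this host runs VMs it does not control
l1tf_advice() {
    status=$1
    guests=${2:-no}
    case $status in
        "Not affected"*) echo "not-affected"; return ;;
        "Mitigation:"*)  ;;                       # host-level mitigation active
        "Vulnerable"*)   echo "unmitigated"; return ;;
        *)               echo "unknown"; return ;;
    esac
    # The VMX and SMT fields describe guest-to-host exposure, so they only
    # change the verdict on a hypervisor that runs untrusted guests.
    if [ "$guests" != yes ]; then
        echo "ok"
        return
    fi
    case $status in
        *"VMX: vulnerable"*) echo "enable-l1d-flush" ;;  # no L1D flush on VM entry
        *"SMT vulnerable"*)  echo "review-smt" ;;        # sibling thread still shares L1D
        *)                   echo "ok" ;;
    esac
}

# Read the live kernel report, if this kernel provides one.
check_host() {
    f=/sys/devices/system/cpu/vulnerabilities/l1tf
    smt=/sys/devices/system/cpu/smt/control
    if [ ! -r "$f" ]; then
        echo "no-kernel-report"
        return
    fi
    [ -r "$smt" ] && echo "smt control: $(cat "$smt")" >&2
    l1tf_advice "$(cat "$f")" "${1:-no}"
}

# Usage: sh l1tf_check.sh --host yes   (second argument: untrusted guests?)
if [ "${1:-}" = "--host" ]; then
    check_host "${2:-no}"
fi
```
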