• Guest, The rules for the P & N subforum have been updated to prohibit "ad hominem" or personal attacks against other posters. See the full details in the post "Politics and News Rules & Guidelines."

Massive security hole in CPU's incoming?Official Meltdown/Spectre Discussion Thread

Page 17 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

Phynaz

Lifer
Mar 13, 2006
10,140
817
126
They're using hardware provided by a manufacturer with documentation and validation. It's on AMD's head if they claim they're not affected by this when they are. Can Microsoft be blamed if the manufacturer claims that the processor doesn't have an issue, nobody can prove it for years, and then suddenly someone figures out a way?
Yes, Microsoft would be liable if they knew about possibility of the issue and didn't block it under tort law.
 

maddie

Diamond Member
Jul 18, 2010
3,506
2,495
136
No one can say that anything remotely this complex is ever 100% safe. That's why you get such cautious language :)

Rather dramatically shown by these things suddenly turning up after they've notionally been out there for 10+ years.
Exactly, and everyone should know that 100% certainty in the mathematically precise sense is a myth, ever since the dawn of Quantum theory.

If AMD systems are immune to this exploit variation, then why should they pay the cost? When a successful exploit is developed, if ever, then patch for that. I'm fairly certain that we have not seen the end of these flaws and possible exploits on most CPU designs.
 

Malogeek

Golden Member
Mar 5, 2017
1,390
778
106
yaktribe.org
It seems like you are selectively quoting?
Let me quote myself
The quoted one here specifically to Meltdown before certain people here quote other stuff regarding Spectre again and again.
The discussion above and the patches in question are regarding Meltdown. They are separate attacks and are patched differently. So yes I am selectively quoting because the discussion is specifically about the Intel design "flaw" which is in regards to Meltdown only.
 

arandomguy

Senior member
Sep 3, 2013
537
154
116
Has AMD officially as the company asked Microsoft to not patch and to accept liability?

Also no one is answering the question of what the risk/reward for someone like Microsoft is in this situation?
 

CatMerc

Golden Member
Jul 16, 2016
1,114
1,148
136
It seems like you are selectively quoting?



That aside that is still murky as it relates to whether or not someone like Microsoft should broadly patch. Microsoft will want to protect themselves as tightly as possible as they have no gain to take any risk for AMD.
Aside from their servers performing faster?
 

teejee

Senior member
Jul 4, 2013
361
199
116
What means absolutely nothing, this falls way intro preventive measures territory, and is up to Microsoft to decide what to do, and to AMD to try to convice them not to. If this ends up backfiring its going to be Microsoft fault, and security is more important than performance for the server enviroment here.
No, I'm pretty sure it is the other way round. It is AMD that is responsible to specify how their CPU works. MS takes zero risk if they follow AMD's request. If they ignore AMD then they risk a lawsuit for giving for ignoring AMD and giving Intel unfair advantage.
 
  • Like
Reactions: trollspotter

Phynaz

Lifer
Mar 13, 2006
10,140
817
126
https://www.amd.com/en/corporate/speculative-execution

I'd call that a definitive statement. There's no Intel PR crap in their statement, just laying out the facts and providing a clear response as to their vulnerability status. The quoted one here specifically to Meltdown before certain people here quote other stuff regarding Spectre again and again.
AMD's statement is specifically directed to the exploitations in the Google Project Zero research. Don't assume anything beyond that. Just because those methods may not work on AMD CPU's doesn't mean that other attacks on speculative execution on AMD CPU's won't work.

Again, from the researchers:


"As the attack involves currently-undocumented hardware
effects, exploitability of a given software program
may vary among processors. For example, some indirect
branch redirection tests worked on Skylake but not on
Haswell. AMD states that its Ryzen processors have “an
artificial intelligence neural network that learns to predict
what future pathway an application will take based
on past runs” [3, 5], implying even more complex speculative
behavior. As a result, while the stop-gap countermeasures
described in the previous section may help
limit practical exploits in the short term, there is currently

no way to know whether a particular code construction
is, or is not, safe across today’s processors – much less

future designs."
 

Qwertilot

Golden Member
Nov 28, 2013
1,587
243
106
The risk for Microsoft in (hypothetically) over aggressively patching is relatively clear cut - loss of market share vs since Linux for AMD systems. Not a huge thing but probably not trivial either.
 

Glo.

Diamond Member
Apr 25, 2015
4,824
3,443
136
In this thread, I see many purported techy/sciency people failing to understand common, simple scientific language.

Yes, there is a near-zero chance that your DNA that we found at the crime scene isn't your DNA but, you know, you can hold onto that argument as long as you want.
IMO, what AMD says is that every architecture can be exploited some way, and for them there have to very specific conditions, not replicable in normal circumstances.

TL;DR: Even AMD is not 100% sure about the safety of their CPUs, however - they are most likely unaffected by the most common ones, discussed here.
 

realibrad

Lifer
Oct 18, 2013
12,337
894
126
AMD's statement is specifically directed to the exploitations in the Google Project Zero research. Don't assume anything beyond that. Just because those methods may not work on AMD CPU's doesn't mean that other attacks on speculative execution on AMD CPU's won't work.

Again, from the researchers:


"As the attack involves currently-undocumented hardware
effects, exploitability of a given software program
may vary among processors. For example, some indirect
branch redirection tests worked on Skylake but not on
Haswell. AMD states that its Ryzen processors have “an
artificial intelligence neural network that learns to predict
what future pathway an application will take based
on past runs” [3, 5], implying even more complex speculative
behavior. As a result, while the stop-gap countermeasures
described in the previous section may help
limit practical exploits in the short term, there is currently

no way to know whether a particular code construction
is, or is not, safe across today’s processors – much less

future designs."

That is saying that the currently undocumented hardware effects means they cannot be 100% sure as of yet. There is not a way to know until its documented.
 

maddie

Diamond Member
Jul 18, 2010
3,506
2,495
136
In this thread, I see many purported techy/sciency people failing to understand common, simple scientific language.

Yes, there is a near-zero chance that your DNA that we found at the crime scene isn't your DNA but, you know, you can hold onto that argument as long as you want.
NM.
 

Malogeek

Golden Member
Mar 5, 2017
1,390
778
106
yaktribe.org
Again, from the researchers:
I knew you'd be back with your "anything is possible" argument. You do realize your bolded part basically says that it's entirely possible the CPU may be hacked in some other way? Well of course, that's true for any CPU and for any other type of hack method. You also realize by the same argument, these patches wouldn't block that attack either, because the patch specifically fixes issues associated with these 3 forms of attacks.
 

Glo.

Diamond Member
Apr 25, 2015
4,824
3,443
136
The risk for Microsoft in (hypothetically) over aggressively patching is relatively clear cut - loss of market share vs since Linux for AMD systems. Not a huge thing but probably not trivial either.
It is and will be huge things. AMD may finally get around 50% sales market share for each quarter, and over time rapidly gain installed base.

Intel just got MASSIVE PR and Mindshare hit. People are not dumb, unfortunately for Intel.
 

dahorns

Senior member
Sep 13, 2013
550
83
91
No, I'm pretty sure it is the other way round. It is AMD that is responsible to specify how their CPU works. MS takes zero risk if they follow AMD's request. If they ignore AMD then they risk a lawsuit for giving for ignoring AMD and giving Intel unfair advantage.
Actually, it does work that way. If Microsoft was aware of a risk and was unreasonable in failing to protect or warn its customers, it could certainly be liable for any damage. AMD may also be liable (case would be stronger against AMD if it actually asked MS not to implement a fix and a customer was damaged as a result). These are not mutually exclusive possibilities; both can be liable at the same time.
 
  • Like
Reactions: Phynaz

Paratus

Lifer
Jun 4, 2004
14,929
8,598
146
Aside from their servers performing faster?
It’s worse than that.

For cloud and other services they obviously selected their server components to meet certain requirements including certain amounts of computing margin.

For some uses this patch will be negligible. For other uses, specifically those that have high numbers of kernel calls the impact can apparently be in the double digits percentage wise. (Ars I think mentioned almost %50 worse case).

For those businesses, implementing this patch may be the difference between being fast enough to meet requirements and being too slow to meet requirements.

For those of us at home it probably doesn’t matter if we run with or without the patch as the risk of an actual exploit should be small as well as most (but not all) uses cases shouldn’t be affected by more than a few percent.

For me I’ll probably leave the patch on my intel machines and look to turn it off on my new AMD machine.
 
  • Like
Reactions: CatMerc

nsangani1

Member
Oct 26, 2007
30
0
66
I put together a system with i7 7700K ($250) and Asus Maximus VIII Hero($100 after rebates) during Black Friday sales. I believe this is still under extended return policy period.
Keep it or return it and wait a few months?
 

LTC8K6

Lifer
Mar 10, 2004
28,520
1,573
126
I put together a system with i7 7700K ($250) and Asus Maximus VIII Hero($100 after rebates) during Black Friday sales. I believe this is still under extended return policy period.
Keep it or return it and wait a few months?
Why in the world would you even consider returning it?
 

Glo.

Diamond Member
Apr 25, 2015
4,824
3,443
136
Its funny thing. I just caught myself, that I was thinking about upcoming, 2018, builds that I planned to do, and... that I was thinking that all of them were Intel based - should I switch to AMD platform...

I think, I am not the only one with those thoughts...
 
  • Like
Reactions: Ken g6

Malogeek

Golden Member
Mar 5, 2017
1,390
778
106
yaktribe.org
I think it's too early for anyone to start thinking about changing platforms or altering purchase decisions until there is some significant testing done with known patched PCs across multiple CPU types/speeds and many different types of workloads. Otherwise all you're basing decisions on is potential issues.
 

BigDaveX

Senior member
Jun 12, 2014
440
214
116
It is and will be huge things. AMD may finally get around 50% sales market share for each quarter, and over time rapidly gain installed base.

Intel just got MASSIVE PR and Mindshare hit. People are not dumb, unfortunately for Intel.
Um, even if we were just talking about server marketshare, I'm not sure that AMD can even supply enough CPUs to manage that. IIRC, the highest their share of desktop CPU sales (which they've always done a lot better in than server) ever got was about 35% back in 2005-2006 or so, and that was when they still had their own fabs and a product that pretty conclusively owned the competition.

EDIT: Plus, if we go by historical precedent, the TLB glitch on the early K10 Opterons didn't ultimately do much to hurt sales; it took Nehalem for Intel to get their server mojo back. Admittedly, the timing's opportune for AMD since Epyc is far more competitive than the Bulldozer Opterons ever were, but I don't think this is going to be a game-changer.
 
Last edited:

Despoiler

Golden Member
Nov 10, 2007
1,937
747
136
I think it's too early for anyone to start thinking about changing platforms or altering purchase decisions until there is some significant testing done with known patched PCs across multiple CPU types/speeds and many different types of workloads. Otherwise all you're basing decisions on is potential issues.
Disk I/O is most definitely affected.
https://www.youtube.com/watch?v=_qZksorJAuY

I'd like to see review sites do gaming + cpu streaming tests.
 

Glo.

Diamond Member
Apr 25, 2015
4,824
3,443
136
Um, even if we were just talking about server marketshare, I'm not sure that AMD can even supply enough CPUs to manage that. IIRC, the highest their share of desktop CPU sales (which they've always done a lot better in than server) ever got was about 35% back in 2005-2006 or so, and that was when they still had their own fabs and a product that pretty conclusively owned the competition.

EDIT: Plus, if we go by historical precedent, the TLB glitch on the early K10 Opterons didn't ultimately do much to hurt sales; it took Nehalem for Intel to get their server mojo back. Admittedly, the timing's opportune for AMD since Epyc is far more competitive than the Bulldozer Opterons ever were, but I don't think this is going to be a game-changer.
I was talking about consumer Market. There is a lot of consumers(well, I think all of them) who are concerned with this, and will not be blinded, by any brand perception.
 

ASK THE COMMUNITY

TRENDING THREADS