
Massive security hole in CPU's incoming? Official Meltdown/Spectre Discussion Thread



DrMrLordX

Lifer
Apr 27, 2000
16,627
5,634
136
If a script kiddie got their hands on a tool to push signed drivers enabling a +.5v uptick on Intel systems, they could harass people by killing their entire PC. When I was younger, and back when there weren't yet any Federal laws against DoS/DDoS, I used WinNuke to knock out Win95 systems as a prank a few times. Don't think I would kill an entire PC, but I knew the kinds of people who might do that . . .
 

VirtualLarry

Lifer
Aug 25, 2001
49,517
5,593
126
Given the severity and lack of current fix for that last mentioned vuln., I'm changing my limited warranty period for my Intel-based gaming PCs to 30 days, and not stocking any more Intel-based rigs.

What kind of timespan (generation-wise) are we talking about? 4th-gen through current? Or only 6th-gen through current? 4th-gen had FIVR, IIRC, and changing the "mobo CPU voltage" only varied the voltage input to the FIVR. So, possibly, 4th-Gen systems are immune? Just a thought, might be incorrect.
 

amd6502

Senior member
Apr 21, 2017
830
274
106
Looks like all vendors might be at risk.
These are just follow-up studies from Graz University. It's so broad it covers about all modern processors (e.g. POWER, Acorn RISC, x86). However, imho these are far-fetched proofs of concept that are going to be hard to exploit.

A solution would be to further sandbox the most likely vectors, which are running within the browser; that is, malicious JavaScript scripts as well as WebAssembly. Hence browsers have the first duty to reduce the risk.

The main thing is that a lot of CPU time is needed to get a likely hit.

So browsers could time out a JavaScript or WebAssembly program after a set amount (user specified) of CPU time and then decrease thread priority or niceness to the absolute minimum, and move (or let the OS move) these to either a low power core with no to little out of order execution and less L2 privileges, or an emulated core with similar properties.
 

moinmoin

Platinum Member
Jun 1, 2017
2,069
2,471
106
Direct link to the website: https://platypusattack.com/

Should be noted that this is not a new attack (monitoring power usage to extract data has been done before); what's new is that Intel's RAPL power monitoring interface is being used for that purpose. Also they looked only at Intel (again) whereas AMD also supports RAPL and very likely is also affected unless they already thought of that attack vector before (not unthinkable, its finer-grained boost algorithm in Zen 2 and 3 may well be able to hide power usage differences of instructions as is).
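As an added example (not part of any post in this thread), the following audit checks whether RAPL energy counters are readable by unprivileged accounts on a Linux host. It assumes the Linux powercap sysfs tree at `/sys/class/powercap`, which the thread does not mention; Linux kernels updated in response to this research make the `energy_uj` files readable by root only. The `demo()` helper and its directory tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption: Linux powercap sysfs tree; every RAPL zone appears here as a flat entry.
POWERCAP_ROOT = "/sys/class/powercap"


def audit_rapl_counters(root=POWERCAP_ROOT):
    """Return (path, mode string) for each energy_uj readable by group or other."""
    findings = []
    if not os.path.isdir(root):
        return findings  # powercap not exposed on this host
    for zone in sorted(os.listdir(root)):
        counter = os.path.join(root, zone, "energy_uj")
        try:
            mode = os.stat(counter).st_mode
        except OSError:
            continue  # control-type entries such as "intel-rapl" carry no counter
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((counter, stat.filemode(mode)))
    return findings


def demo():
    """Run the audit over a constructed tree: one exposed zone, one root-only zone."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "intel-rapl"))  # control type, no energy_uj
        for zone, mode in (("intel-rapl:0", 0o444), ("intel-rapl:1", 0o400)):
            os.mkdir(os.path.join(root, zone))
            path = os.path.join(root, zone, "energy_uj")
            with open(path, "w") as fh:
                fh.write("123456789\n")  # constructed counter value
            os.chmod(path, mode)
        return [(os.path.basename(os.path.dirname(p)), m)
                for p, m in audit_rapl_counters(root)]


if __name__ == "__main__":
    exposed = audit_rapl_counters()
    for path, mode in exposed:
        print(f"unprivileged read possible: {path} ({mode})")
    if not exposed:
        print("no group/world-readable RAPL energy counters found")
```

An empty result on a real host means either the counters are restricted to root or the powercap interface is not exposed at all.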
 
