• Guest, The rules for the P & N subforum have been updated to prohibit "ad hominem" or personal attacks against other posters. See the full details in the post "Politics and News Rules & Guidelines."

Massive security hole in CPU's incoming?Official Meltdown/Spectre Discussion Thread

Page 75 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

amd6502

Senior member
Apr 21, 2017
818
269
106

DrMrLordX

Lifer
Apr 27, 2000
16,352
5,266
136
If a script kiddee got their hands on a tool to push signed drivers enabling a +.5v uptick on Intel systems, they could harass people by killing their entire PC. When I was younger, and back when there weren't yet any Federal laws against DoS/DDoS, I used Winnuke to knock out Win95 systems as a prank a few times. Don't think I would kill an entire PC, but I knew the kinds of people who might do that . . .
 

VirtualLarry

Lifer
Aug 25, 2001
48,792
5,302
126
Given the severity and lack of current fix for that last mentioned vuln., I'm changing my limited warranty period for my Intel-based gaming PCs to 30 days, and not stocking any more Intel-based rigs.

What kind of timespan (generation-wise) are we talking about? 4th-gen through current? Or only 6th-gen through current? 4th-gen had FIVR, IIRC, and changing the "mobo CPU voltage" only varied the voltage input to the FIVR. So, possibly, 4th-Gen systems are immune? Just a thought, might be incorrect.
 

amd6502

Senior member
Apr 21, 2017
818
269
106
Looks like all vendors might be at risk.
These are just follow up studies from Graz university. It's so broad it covers about all modern processors (eg POWER, acorn risc, x86). However imho these are far fetched proofs of concept that are going to be hard to exploit.

A solution would be further sandbox the most likely vectors which are running withing browser; that is, malicious javascript scripts as well as webassembly. Hence browsers have the first duty to reduce the risk.

The main thing is that a lot of CPU time is needed to get a likely hit.

So browsers could timeout a javascript or webassembly program after a set amount (user specified) of cpu time and then decrease thread priority or niceness to the absolute minimum, and move (or let OS move) these to either a low power core with no to little out of order execution and less L2 privileges, or an emulated core with similar properties.
 

ASK THE COMMUNITY

TRENDING THREADS