Massive security hole in CPU's incoming? Official Meltdown/Spectre Discussion Thread

Page 8

Udgnim

Diamond Member
Apr 16, 2008
Good, now is AMD's time to push hard with marketing.

 

Hitman928

Diamond Member
Apr 15, 2012

StinkyPinky

Diamond Member
Jul 6, 2002

"These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them."

I think that is pretty conclusive, it is coming from Google after all. The key question, however, is whether certain CPUs are performance-impacted more than others. I hear it is. That AMD and Coffee Lake will be less impacted.
 

Karnak

Senior member
Jan 5, 2017
"Meltdown" and "Spectre"...

https://spectreattack.com/
https://meltdownattack.com/meltdown.pdf
https://spectreattack.com/spectre.pdf

Which systems are affected by Meltdown?
Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.

Which systems are affected by Spectre?
Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.

What is the difference between Meltdown and Spectre?
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers ( Meltdown and Spectre)
 

mattiasnyc

Senior member
Mar 30, 2017
"These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them."

I think that is pretty conclusive, it is coming from Google after all. The key question, however, is whether certain CPUs are performance-impacted more than others. I hear it is. That AMD and Coffee Lake will be less impacted.

It's not that conclusive though. If my understanding is correct it will affect more Intel users than AMD users because of what CPU generations are currently in use, and in what contexts.

So if you're running an old AMD "consumer" CPU and you're facing a performance hit that might be annoying, but your CPU was old to begin with and you might want to upgrade anyway. And in that case the Zen architecture is very appealing. On the other hand, if you were even a recent adopter of a 'newer' Intel chip you might be affected, and that might have been a chip/platform you easily expected to last several years. IF you're hit with a significant performance hit then either you'll need to address that right away ($) or upgrade sooner rather than later - both being annoying options. And I'd guess that since data centers etc. move very slowly they'll mostly be on CPUs that are affected by this.
 

Hitman928

Diamond Member
Apr 15, 2012
"These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them."

I think that is pretty conclusive, it is coming from Google after all. The key question, however, is whether certain CPUs are performance-impacted more than others. I hear it is. That AMD and Coffee Lake will be less impacted.

  • AMD, Intel, and ARM all perform speculative execution.
  • This attack works through speculative execution, therefore all 3 manufacturers could possibly be affected by this type of attack.
  • The research team specifically showed 3 ways in which they were able to perform the exploit on Intel CPUs.
  • AMD was not shown to be vulnerable to the three methods shown (not sure if it was even attempted) and AMD has said that none of the 3 methods would work on their CPUs due to the difference in how speculative execution is performed on their CPUs.
 

Genx87

Lifer
Apr 8, 2002
I just received an email from Amazon regarding several hundred of our VMs. There will be a forced reboot of many of our instances on JAN04. It looks like Amazon is on top of this and has known about it for some time. I'm interested to know if they are patching their physical servers or their hypervisor software. My guess is their hypervisor.

We received a similar email last week from Azure.
 
May 11, 2008
"These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them."

I think that is pretty conclusive, it is coming from Google after all. The key question, however, is whether certain CPUs are performance-impacted more than others. I hear it is. That AMD and Coffee Lake will be less impacted.

I wonder which models; speculative execution can maybe be implemented differently from architecture to architecture.

https://googleprojectzero.blogspot.nl/2018/01/reading-privileged-memory-with-side.html

During the course of our research, we developed the following proofs of concept (PoCs):

  1. A PoC that demonstrates the basic principles behind variant 1 in userspace on the tested Intel Haswell Xeon CPU, the AMD FX CPU, the AMD PRO CPU and an ARM Cortex A57 [2]. This PoC only tests for the ability to read data inside mis-speculated execution within the same process, without crossing any privilege boundaries.
  2. A PoC for variant 1 that, when running with normal user privileges under a modern Linux kernel with a distro-standard config, can perform arbitrary reads in a 4GiB range [3] in kernel virtual memory on the Intel Haswell Xeon CPU. If the kernel's BPF JIT is enabled (non-default configuration), it also works on the AMD PRO CPU. On the Intel Haswell Xeon CPU, kernel virtual memory can be read at a rate of around 2000 bytes per second after around 4 seconds of startup time. [4]
  3. A PoC for variant 2 that, when running with root privileges inside a KVM guest created using virt-manager on the Intel Haswell Xeon CPU, with a specific (now outdated) version of Debian's distro kernel [5] running on the host, can read host kernel memory at a rate of around 1500 bytes/second, with room for optimization. Before the attack can be performed, some initialization has to be performed that takes roughly between 10 and 30 minutes for a machine with 64GiB of RAM; the needed time should scale roughly linearly with the amount of host RAM. (If 2MB hugepages are available to the guest, the initialization should be much faster, but that hasn't been tested.)
  4. A PoC for variant 3 that, when running with normal user privileges, can read kernel memory on the Intel Haswell Xeon CPU under some precondition. We believe that this precondition is that the targeted kernel memory is present in the L1D cache.

That could mean Ryzen as well.
I hope not, to be honest.
https://www.amd.com/en/ryzen-pro
https://www.anandtech.com/show/1159...anced-security-longer-warranty-better-quality
 

Yakk

Golden Member
May 28, 2016
According to this post, AMD is serious about not having the vulnerability:

https://lkml.org/lkml/2018/1/3/425

Wed, 3 Jan 2018 08:21:47 -0800
From tip-bot for Tom Lendacky <>
Subject [tip:x86/pti] x86/cpu, x86/pti: Do not enable PTI on AMD processors
Commit-ID: 694d99d40972f12e59a3696effee8a376b79d7c8
Gitweb: https://git.kernel.org/tip/694d99d40972f12e59a3696effee8a376b79d7c8
Author: Tom Lendacky <thomas.lendacky@amd.com>
AuthorDate: Tue, 26 Dec 2017 23:43:54 -0600
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Wed, 3 Jan 2018 15:57:59 +0100

x86/cpu, x86/pti: Do not enable PTI on AMD processors

AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against. The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault.

Disable page table isolation by default on AMD processors by not setting
the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
is set.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20171227054354.20369.94587.stgit@tlendack-t1.amdoffice.net

---
arch/x86/kernel/cpu/common.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index f2a94df..b1be494 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -899,8 +899,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)

setup_force_cpu_cap(X86_FEATURE_ALWAYS);

- /* Assume for now that ALL x86 CPUs are insecure */
- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+ if (c->x86_vendor != X86_VENDOR_AMD)
+ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);

fpu__init_system(c);
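Review bot: The new condition `if (c->x86_vendor != X86_VENDOR_AMD)` is left without any comment, while the removed line `/* Assume for now that ALL x86 CPUs are insecure */` at least documented the previous assumption; add a one-line comment above the check giving the reason stated in the commit message (AMD does not allow speculative references to higher-privileged data that would fault), so that a later reader of early_identify_cpu() does not have to dig through history to learn why one vendor is exempted. Note also that the test keys only on vendor: every non-AMD vendor keeps X86_BUG_CPU_INSECURE and every AMD family loses it, which is what the message intends but is worth stating in that comment since the bug flag, as named, is broader than the one attack class the message argues about.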
 

Hitman928

Diamond Member
Apr 15, 2012
From further reading, including a quick read of the Spectre and Meltdown research papers, this is what I've gathered:

  • ARM, Intel, and AMD are all susceptible to the Spectre bug though it was explicitly shown in Intel CPUs. The Spectre bug actually has two exploits associated with it, only one of which is possible on AMD CPUs. This exploit, however, can be closed in software (patch already written) and shouldn't affect performance.
  • The Meltdown bug, however, is unique to how Intel handles branch prediction/speculative execution and requires a much more serious software fix which can have a very large hit on performance, depending on the workload.
  • The researchers who discovered the Meltdown bug tried it on AMD and ARM, but were unsuccessful in using the exploits on those CPUs; however, they left open the possibility that maybe someone could figure out a way to get it to work on AMD and ARM CPUs (hence the near zero wording).
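The PTI commit quoted above keys the mitigation on X86_BUG_CPU_INSECURE and X86_FEATURE_PTI, and the bullet above notes that the Meltdown fix is the one with the performance cost; here is an added defender's check (not code from the kernel patch or from anyone in this thread) that reads what the running kernel reports. It assumes the Linux interfaces as I know them: the "flags" line of /proc/cpuinfo shows X86_FEATURE_PTI as "pti", the "bugs" line shows X86_BUG_CPU_INSECURE as "cpu_insecure" (later kernels renamed it "cpu_meltdown"), and 4.15+ kernels also publish /sys/devices/system/cpu/vulnerabilities/meltdown.

```python
"""Report Meltdown/PTI mitigation status from /proc/cpuinfo and sysfs.

Added example for this thread, not kernel code. Assumed interface names:
"pti" in the flags line, "cpu_insecure"/"cpu_meltdown" in the bugs line,
and the sysfs vulnerabilities file on 4.15+ kernels.
"""
import os
import re

SYSFS_MELTDOWN = "/sys/devices/system/cpu/vulnerabilities/meltdown"
MELTDOWN_BUG_NAMES = ("cpu_insecure", "cpu_meltdown")

def _field(cpuinfo: str, name: str) -> set:
    """Return the whitespace-separated tokens of the first `name` line."""
    m = re.search(r"^%s\s*:\s*(.*)$" % re.escape(name), cpuinfo, re.M)
    return set(m.group(1).split()) if m else set()

def assess_cpuinfo(cpuinfo: str) -> dict:
    """Classify one /proc/cpuinfo dump the way the PTI patch keys on it."""
    flags, bugs = _field(cpuinfo, "flags"), _field(cpuinfo, "bugs")
    vendor = next(iter(_field(cpuinfo, "vendor_id")), "unknown")
    flagged = any(b in bugs for b in MELTDOWN_BUG_NAMES)  # bug flag set?
    pti = "pti" in flags                                  # isolation active?
    if flagged and pti:
        verdict = "vulnerable, mitigated by PTI"
    elif flagged:
        verdict = "vulnerable, PTI not active"  # e.g. booted with nopti
    elif pti:
        verdict = "PTI forced on (no bug flag reported)"
    else:
        verdict = "not flagged (AMD per this patch, or kernel too old to report)"
    return {"vendor": vendor, "bug_flag": flagged, "pti": pti, "verdict": verdict}

def sysfs_meltdown_status(path: str = SYSFS_MELTDOWN) -> str:
    """Read the kernel's own verdict; the file only exists on 4.15+ kernels."""
    if not os.path.exists(path):
        return "unavailable (pre-4.15 kernel: rely on /proc/cpuinfo)"
    with open(path) as f:
        return f.read().strip()

# Constructed sample dumps (not captured from real machines), relevant lines only.
SAMPLE_INTEL_PATCHED = "vendor_id\t: GenuineIntel\nflags\t\t: fpu vme sse2 pti\nbugs\t\t: cpu_insecure\n"
SAMPLE_AMD = "vendor_id\t: AuthenticAMD\nflags\t\t: fpu vme sse2\nbugs\t\t: fxsave_leak\n"

if __name__ == "__main__":
    with open("/proc/cpuinfo") as f:
        print(assess_cpuinfo(f.read()))
    print(sysfs_meltdown_status())
```

A kernel that reports "Mitigation: PTI" in the sysfs file with "pti" in the flags line is the combination whose performance cost the bullet above refers to; an AMD box patched with the commit quoted earlier shows neither.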
 

Markfw

Moderator Emeritus, Elite Member
May 16, 2002
I got the below links from my brother. I hope they are not duplicates from somewhere else in this thread.

Patch for Intel Speculative Execution Vulnerability Could Reduce Performance by 5 to 35%
https://soylentnews.org/article.pl?sid=18/01/03/1314247&from=rss

https://it.slashdot.org/story/18/01...sor-design-flaw-forces-linux-windows-redesign

https://hardware.slashdot.org/story...fects-wont-significantly-impact-average-users

https://www.phoronix.com/scan.php?page=article&item=linux-more-x86pti&num=1

And one that appears to confirm that AMD CPUs (at least AMD x86 CPUs) are not affected. Sounds like a lot of ARM chips also are affected. My phone may be affected.... AMD makes ARM chips too as well as a lot of other companies.
 
May 11, 2008
Easy reading material:
https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/

Meltdown and Spectre
Prior to the official revelation of Meltdown and Spectre on Wednesday, Erik Bosman, a colleague of Gras in Vrije Universiteit Amsterdam's VUSEC security group, successfully reproduced one of the Intel attacks, which take advantage of a feature in chips known as "speculative execution." When modern Intel processors execute code and come to a point in an algorithm where instructions branch in two different directions, depending on input data—whether there's enough money in an account to process a transaction, for instance—they save time by "speculatively" venturing down those forks. In other words, they take a guess, and execute instructions to get a head start. If the processor learns that it ventured down the wrong path, it jumps back to the fork in the road, and throws out the speculative work.

VUSEC's Bosman confirmed that when Intel processors perform that speculative execution, they don't fully segregate processes that are meant to be low-privilege and untrusted from the highest-privilege memory in the computer's kernel. That means a hacker can trick the processor into allowing unprivileged code to peek into the kernel's memory with speculative execution.

"The processor basically runs too far ahead, executing instructions that it should not execute," says Daniel Gruss, one of the researchers from the Graz University of Technology who discovered the attacks.

Retrieving any data from that privileged peeking isn't simple, since once the processor stops its speculative execution and jumps back to the fork in its instructions, it throws out the results. But before it does, it stores them in its cache, a collection of temporary memory allotted to the processor to give it quick access to recent data. By carefully crafting requests to the processor and seeing how fast it responds, a hacker's code could figure out whether the requested data is in the cache or not. And with a series of speculative execution and cache probes, he or she can start to assemble parts of the computer's high privilege memory, including even sensitive personal information or passwords.

Many security researchers who spotted signs of developers working to fix that bug had speculated that the Intel flaw merely allowed hackers to defeat a security protection known as Kernel Address Space Layout Randomization, which makes it far more difficult for hackers to find the location of the kernel in memory before they use other tricks to attack it. But Bosman confirms theories that the bug is more serious: It allows malicious code to not only locate the kernel in memory, but steal that memory's contents, too.

"Out of the two things that were speculated, this is the worst outcome," Bosman says.

A Tough Fix
In a statement responding to the Meltdown and Spectre research, Intel noted that "these exploits do not have the potential to corrupt, modify, or delete data," though they do have the ability to spy on privileged data. The statement also argued that "many types of computing devices—with many different vendors’ processors and operating systems—are susceptible to these exploits," mentioning ARM and AMD processors as well.

"I can confirm that Arm have been working together with Intel and AMD to address a side-channel analysis method which exploits speculative execution techniques used in certain high-end processors, including some of our Cortex-A processors," says ARM public relations director Phil Hughes. "This method requires malware running locally and could result in data being accessed from privileged memory." Hughes notes that ARM's IoT-focused Cortex-M line is unaffected.