Massive security hole in CPUs incoming? Official Meltdown/Spectre Discussion Thread


majord

Senior member
Jul 26, 2015
Google reportedly told AMD/Intel/ARM/etc. in June 2017, so I doubt that is the issue with that. Intel stated in the investor call that Intel products released in calendar 2018 will not have these issues,

which would be CNL, yes? Which should have taped out before June '17.
 

Shivansps

Diamond Member
Sep 11, 2013
Correction:

Reading the paper, it is clear to me that there is a chance for every out-of-order CPU with speculative execution to be vulnerable; we just don't know it yet. Since that is true from the AMD K6-3 and Pentium II onward, the only modern CPUs I can think of are the pre-Bay Trail Atoms... not sure about AMD Bobcats.
 
May 11, 2008
Reading the paper, it is clear to me that there is a chance for every out-of-order CPU with speculative execution to be vulnerable; we just don't know it yet. Since that is true from the AMD K6-3 and Pentium II onward, the only modern CPUs I can think of are the pre-Bay Trail Atoms... not sure about AMD Bobcats.

Indeed, I have that same feeling that only an in-order core without branch prediction is not vulnerable to this at all.
I wonder if the POWER CPUs from IBM are affected.
 

jpiniero

Lifer
Oct 1, 2010
Google reportedly told AMD/Intel/ARM/etc. in June 2017, so I doubt that is the issue with that. Intel stated in the investor call that Intel products released in calendar 2018 will not have these issues

If they were told about this in June, would that really be enough time to devise a silicon fix for the KPTI issue? Skylake Xeon-D was supposed to be released in Q1.
 

Dayman1225

Golden Member
Aug 14, 2017
If they were told about this in June, would that really be enough time to devise a silicon fix for the KPTI issue? Skylake Xeon-D was supposed to be released in Q1.

No idea how complex it is at a silicon level.
 

Bouowmx

Golden Member
Nov 13, 2016
Meltdown concerns out-of-order execution: such as instructions after a thrown exception.
Spectre concerns speculative execution: such as taking a branch ahead of time.

My Intel Bonnell Atom D510, ARM Cortex-A7, and A53 look safe.
 

zinfamous

No Lifer
Jul 12, 2006
Nothing in life is ever "zero" chance and there is always a possibility some vulnerability can be found 10 years from now.

There is a near zero chance that all gravity will simply "fail" tomorrow. I continue to remain confident that things will proceed as normal.
 

jpiniero

Lifer
Oct 1, 2010
In hindsight I did think it was strange that the roadmap said that Intel was going to put Coffee Lake full release in production separately from the paper launch. So it's possible that they could release a new stepping then I guess.
 

moinmoin

Diamond Member
Jun 1, 2017
Linus Torvalds on Intel

Why is this all done without any configuration options?

A *competent* CPU engineer would fix this by making sure speculation
doesn't happen across protection domains. Maybe even a L1 I$ that is
keyed by CPL.

I think somebody inside of Intel needs to really take a long hard look
at their CPU's, and actually admit that they have issues instead of
writing PR blurbs that say that everything works as designed.

.. and that really means that all these mitigation patches should be
written with "not all CPU's are crap" in mind.

Or is Intel basically saying "we are committed to selling you shit
forever and ever, and never fixing anything"?

Because if that's the case, maybe we should start looking towards the
ARM64 people more.

Please talk to management. Because I really see exactly two possibilities:

- Intel never intends to fix anything

OR

- these workarounds should have a way to disable them.

Which of the two is it?
 
May 11, 2008
Meltdown concerns out-of-order execution: such as instructions after a thrown exception.
Spectre concerns speculative execution: such as taking a branch ahead of time.

My Intel Bonnell Atom D510, ARM Cortex-A7, and A53 look safe.

This makes me wonder, how would they fix this for modern cores?
Disabling speculative execution would mean less performance because the core would wait with execution until the conditional branch is actually resolved.
And how to stop execution when privileges are also going to change during instruction flow?
Would that not mean a big change in the architecture?
If Intel really already solved it for 2018 without performance penalties, I am truly amazed.
Seems like quite the fix to implement.
Oh well, we will know in a few months.
 

goldstone77

Senior member
Dec 12, 2017
https://spectreattack.com/

Questions & Answers
Am I affected by the bug?
Most certainly, yes.
Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. The exploitation does not leave any traces in traditional log files.
Can my antivirus detect or block this attack?
While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.
What can be leaked?
If your system is affected, our proof-of-concept exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.
Has Meltdown or Spectre been abused in the wild?
We don't know.
Is there a workaround/fix?
There are patches against Meltdown for Linux (KPTI (formerly KAISER)), Windows, and OS X. There is also work to harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre.
Which systems are affected by Meltdown?
Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.
Which systems are affected by Spectre?
Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.
Which cloud providers are affected by Meltdown?
Cloud providers which use Intel CPUs and Xen PV as virtualization without having patches applied. Furthermore, cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ are affected.
What is the difference between Meltdown and Spectre?
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers (Meltdown and Spectre).
Why is it called Meltdown?
The bug basically melts security boundaries which are normally enforced by the hardware.
Why is it called Spectre?
The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.
Is there more technical information about Meltdown and Spectre?
Yes, there is an academic paper and a blog post about Meltdown, and an academic paper about Spectre. Furthermore, there is a Google Project Zero blog entry about both attacks.
What are CVE-2017-5753 and CVE-2017-5715?
CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
What is the CVE-2017-5754?
CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
 
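The "tricks other applications into accessing arbitrary locations in their memory" line in the FAQ above, and Bouowmx's earlier summary of Spectre as "taking a branch ahead of time", both describe the variant 1 bounds-check-bypass gadget. The following is an added example, not code from the thread, the FAQ or the Spectre paper: the vulnerable pattern next to a hardened version that clamps the index branch-free, the technique the Linux kernel adopted as array_index_nospec(). The arrays, their sizes, the stride and the "secret" string are assumptions made for illustration; the Flush+Reload timing step that would turn the cache state into leaked bytes is deliberately not included.

```c
/* Spectre variant 1 (CVE-2017-5753): the bounds-check-bypass gadget and
 * a hardened version. Added example, not code from the thread or from the
 * Spectre paper. array1, array2, CACHE_LINE and the secret string are
 * constructed for illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
#define CACHE_LINE  512   /* stride so each value of array1[x] touches its own line */

static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
/* Constructed "secret" that an out-of-bounds array1[x] could reach. */
static const char secret[] = "constructed secret, never read architecturally";
static uint8_t array2[256 * CACHE_LINE]; /* probe array the attacker later times */

/* Vulnerable: the bounds check is a predicted branch. With array1_size
 * evicted from cache and the predictor trained on in-bounds x, an
 * out-of-bounds x is used transiently: array1[x] reads past the array and
 * that byte selects which line of array2 gets pulled into cache. Nothing
 * is returned architecturally; the cache state is what leaks. */
uint8_t victim_vulnerable(size_t x, size_t array1_size) {
    if (x < array1_size) {
        return array2[array1[x] * CACHE_LINE];
    }
    return 0;
}

/* Branch-free clamp in the style of the kernel's array_index_nospec():
 * all ones when index < size, zero otherwise. It relies on the sign bit of
 * (size - index - 1), so both values must be below 2^63. The arithmetic
 * right shift of a negative long is implementation-defined in C but is
 * what every mainstream compiler emits. */
static inline size_t index_mask_nospec(size_t index, size_t size) {
    return (size_t)(~(long)(index | (size - index - 1)) >> (8 * sizeof(long) - 1));
}

/* The index the dependent load actually uses once the mask is applied. */
size_t masked_index(size_t x, size_t size) {
    return x & index_mask_nospec(x, size);
}

/* Speculation barrier after the check; lfence is Intel's recommended
 * fence on x86. Other architectures use their own barrier instructions. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#endif
}

/* Hardened: even if the branch is mispredicted, the index reaching the
 * dependent loads is 0 rather than x, so no out-of-bounds byte can select
 * a line of array2. */
uint8_t victim_hardened(size_t x, size_t array1_size) {
    if (x < array1_size) {
        speculation_barrier();
        size_t safe_x = masked_index(x, array1_size);
        return array2[array1[safe_x] * CACHE_LINE];
    }
    return 0;
}

int main(void) {
    /* 1000 stands in for an attacker-chosen offset that reaches past array1. */
    size_t probes[] = {0, 5, 15, 16, 1000};
    printf("array1 holds %d bytes; %zu bytes of constructed secret sit elsewhere\n",
           ARRAY1_SIZE, sizeof secret);
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("x=%-5zu mask=%#018zx masked index=%zu\n", probes[i],
               index_mask_nospec(probes[i], ARRAY1_SIZE),
               masked_index(probes[i], ARRAY1_SIZE));
    }
    (void)victim_vulnerable;
    (void)victim_hardened;
    return 0;
}
```

The mask is what matters: a compiler may turn a conditional clamp such as `x = (x < size) ? x : 0` back into a branch, which the predictor can again mispredict, whereas the arithmetic form has no branch to speculate past.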

moinmoin

Diamond Member
Jun 1, 2017
Regarding a possible fix for Spectre, AMD may already be prepared to extend SME and SEV further to process-based encryption support in the future.
 

goldstone77

Senior member
Dec 12, 2017
https://www.phoronix.com/scan.php?page=news_item&px=Linux-Tip-Git-Disable-x86-PTI
Update: Linus Torvalds has now ended up pulling the latest PTI fixes that also include the change to disable page table isolation for now on all AMD CPUs. The commit is in mainline for Linux 4.15 along with a few basic fixes and ensuring PAGE_TABLE_ISOLATION is enabled by default.
Kernel developer Thomas Gleixner wrote in the pull request of disabling KPTI on AMD hardware, "Not necessarily a fix, but if AMD is so confident that they are not affected, then we should not burden users with the overhead."

AMD fixed their issues with Meltdown, variant 1, without using the PTI patch that is affecting Intel performance.
 
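The PTI-on-AMD change quoted above lands in Linux 4.15, the same release that started reporting each issue's status under /sys/devices/system/cpu/vulnerabilities/. As an added example that is not from the thread or the Phoronix article, here is a small C tool that reads and classifies those files, so you can see whether your kernel actually applied PTI or skipped it. The file names and line formats ("Not affected", "Vulnerable", "Mitigation: PTI") are the kernel's; the sample lines in main() are constructed, and the helper names are my own.

```c
/* Checking what the running kernel says about Meltdown and Spectre.
 * Added example, not code from the thread or the Phoronix article.
 * Linux 4.15+ exposes one file per issue under
 * /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1,
 * spectre_v2), each holding one line: "Not affected", "Vulnerable"
 * (optionally with detail) or "Mitigation: <name>" such as
 * "Mitigation: PTI". The sample lines in main() are constructed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum vuln_state { STATE_UNKNOWN, STATE_NOT_AFFECTED, STATE_VULNERABLE, STATE_MITIGATED };

/* Classify one status line by its prefix; trailing detail is allowed. */
enum vuln_state classify_status(const char *line) {
    if (strncmp(line, "Not affected", 12) == 0) return STATE_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return STATE_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return STATE_VULNERABLE;
    return STATE_UNKNOWN;
}

/* Name of the mitigation ("PTI", "Full generic retpoline", ...) or NULL. */
const char *mitigation_name(const char *line) {
    if (classify_status(line) != STATE_MITIGATED) return NULL;
    const char *p = line + 11;
    while (*p == ' ') p++;
    return p;
}

/* Read /sys/devices/system/cpu/vulnerabilities/<name>. A missing file
 * (pre-4.15 kernel, or not Linux at all) yields STATE_UNKNOWN with the
 * reason left in buf. */
enum vuln_state read_sysfs_status(const char *name, char *buf, size_t buflen) {
    char path[256];
    snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", name);
    FILE *f = fopen(path, "r");
    if (f == NULL) {
        snprintf(buf, buflen, "(not available: %s)", strerror(errno));
        return STATE_UNKNOWN;
    }
    if (fgets(buf, (int)buflen, f) == NULL) buf[0] = '\0';
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return classify_status(buf);
}

static const char *state_name(enum vuln_state s) {
    switch (s) {
    case STATE_NOT_AFFECTED: return "not affected";
    case STATE_VULNERABLE:   return "VULNERABLE";
    case STATE_MITIGATED:    return "mitigated";
    default:                 return "unknown";
    }
}

int main(void) {
    const char *issues[] = {"meltdown", "spectre_v1", "spectre_v2"};
    char buf[256];
    for (size_t i = 0; i < sizeof issues / sizeof issues[0]; i++) {
        enum vuln_state s = read_sysfs_status(issues[i], buf, sizeof buf);
        printf("%-10s %-12s %s\n", issues[i], state_name(s), buf);
    }

    /* Constructed lines: what meltdown would show on an Intel box with PTI
     * on, on an AMD box after the change above, and on an unpatched kernel. */
    const char *samples[] = {"Mitigation: PTI", "Not affected", "Vulnerable"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *m = mitigation_name(samples[i]);
        printf("sample %-18s -> %s%s%s\n", samples[i],
               state_name(classify_status(samples[i])), m ? " via " : "", m ? m : "");
    }
    return 0;
}
```

On the same kernels, `pti` appears in the flags line of /proc/cpuinfo when page-table isolation is active, and `nopti` on the kernel command line turns it off; a status of "Not affected" on an AMD machine is the vendor-based exemption from the pull request, not evidence that anyone tested that CPU.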

Hitman928

Diamond Member
Apr 15, 2012

I'm kind of split on this. AMD is justifiably very confident that the exploits shown in the papers won't work on their CPUs so I understand their strong desire not to take the performance hit. On the other hand, the papers show that this is still very much an attack vector that can be further explored on all CPUs with OoO execution and branch prediction. It is possible that with time, AMD will need the same treatment. Then again, maybe they did a good enough job that by the time it's figured out, it won't matter anymore. Even if AMD CPUs end up being exploited in this way, you can easily argue that they shouldn't take a hit until it's proven that their safeguards were compromised.

Like I said, I go back and forth. I think I lean towards Gleixner's feeling as well, if AMD is confident that their CPUs aren't susceptible, don't assume they are and punish them for it. For AMD's sake, I hope they're right.
 

moinmoin

Diamond Member
Jun 1, 2017
I'm kind of split on this. AMD is justifiably very confident that the exploits shown in the papers won't work on their CPUs so I understand their strong desire not to take the performance hit. On the other hand, the papers show that this is still very much an attack vector that can be further explored on all CPUs with OoO execution and branch prediction. It is possible that with time, AMD will need the same treatment. Then again, maybe they did a good enough job that by the time it's figured out, it won't matter anymore. Even if AMD CPUs end up being exploited in this way, you can easily argue that they shouldn't take a hit until it's proven that their safeguards were compromised.

Like I said, I go back and forth. I think I lean towards Gleixner's feeling as well, if AMD is confident that their CPUs aren't susceptible, don't assume they are and punish them for it. For AMD's sake, I hope they're right.
This is strictly about Meltdown, which works on Intel chips because they aren't even checking privileges, and Meltdown exploits that. AMD chips are checking privileges, so AMD can feel confident about this one.
 

Phynaz

Lifer
Mar 13, 2006
Reading the paper, it is clear to me that there is a chance for every out-of-order CPU with speculative execution to be vulnerable; we just don't know it yet. Since that is true from the AMD K6-3 and Pentium II onward, the only modern CPUs I can think of are the pre-Bay Trail Atoms... not sure about AMD Bobcats.

Exactly, expect a load of disclosures over the next month or so. Everyone is going to get hit with this.
 

goldstone77

Senior member
Dec 12, 2017
https://meltdownattack.com/meltdown.pdf
6.4 Limitations on ARM and AMD

We also tried to reproduce the Meltdown bug on several ARM and AMD CPUs. However, we did not manage to successfully leak kernel memory with the attack described in Section 5, neither on ARM nor on AMD. The reasons for this can be manifold. First of all, our implementation might simply be too slow and a more optimized version might succeed. For instance, a more shallow out-of-order execution pipeline could tip the race condition against the data leakage. Similarly, if the processor lacks certain features, e.g., no re-order buffer, our current implementation might not be able to leak data. However, for both ARM and AMD, the toy example as described in Section 3 works reliably, indicating that out-of-order execution generally occurs and instructions past illegal memory accesses are also performed.

Since tests have not been able to successfully leak any memory, AMD is confident in their CPU uarch!
 

crazylocha

Member
Jun 21, 2010
45
0
66
Hitman, am going with Moinmoin here.

This is where I miss Ian, Anand, etc popping on the forums to hash things around and get inspired to write up a thorough article to clear matters.
 

goldstone77

Senior member
Dec 12, 2017
https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892
January 3, 2018—KB4056892 (OS Build 16299.192)
Applies to: Windows 10 version 1709
Improvements and fixes
This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

Addresses issue where event logs stop receiving events when a maximum file size policy is applied to the channel.
Addresses issue where printing an Office Online document in Microsoft Edge fails.
Addresses issue where the touch keyboard doesn’t support the standard layout for 109 keyboards.
Addresses video playback issues in applications such as Microsoft Edge that affect some devices when playing back video on a monitor and a secondary, duplicated display.
Addresses issue where Microsoft Edge stops responding for up to 3 seconds while displaying content from a software rendering path.
Addresses issue where only 4 TB of memory is shown as available in Task Manager in Windows Server version 1709 when more memory is actually installed, configured, and available.
Security updates to Windows SMB Server, the Windows Subsystem for Linux, Windows Kernel, Windows Datacenter Networking, Windows Graphics, Microsoft Edge, Internet Explorer, and the Microsoft Scripting Engine.
You can manually download the update
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4056892
 

ninaholic37

Golden Member
Apr 13, 2012
Linus is an arrogant fool. But then he doesn't have to live with the repercussions of his actions.
I guess, generally speaking, he adds a lot of new ideas to the kernel and gets his assistants to patch bugs and older versions, but he seems quite adamant about not messing things up. Remember "WE DON'T BREAK USERSPACE"? :laughing:

https://stackoverflow.com/a/25954326

I think, considering how Linux was started as a hobby in the 90s, and it's still going and used by a lot of people 25 years later, he must have learned a lot about what works well and what doesn't, what actions to take and not to take, or else it would have all fallen apart by now.

Or maybe you just meant he can insult how people/companies do things and get away with it. Are other "leaders" like Steve Jobs and Bill Gates better? I guess to maximize $$$ out of their supporters they need to be more cautious about what they say and lie when it benefits the company's profits.