Massive security hole in CPUs incoming? Official Meltdown/Spectre Discussion Thread


Phynaz

Lifer
It seems like it is actually extremely easy for AMD machines not to be affected by the Spectre bug as it was only shown to work in a non-default OS configuration (a Debian based system was tested).

One thing to keep in mind, Meltdown and Spectre aren't bugs. They are attacks that exploit features of modern CPUs.
 

ClockHound

Golden Member
Why isn't there a front page expose on this issue here at Anandtech? It's been in the news everywhere else for days.

The good news is that it confirms my deepest suspicions about computers and their architecture. Not to be trusted. When they were used for Pong and to make VCRs impossible to program, they had a certain charm. Maybe time to fire up the TRS-80 and dial up the BBS and wait for the all clear...

Elixer

Lifer
Come to think of it, the Ryzen Pro line of CPUs should be OK here, for these exploits.
They have fully encrypted paths, which should include the cache, so, I am thinking these are the only CPUs that would be golden here.

Though, I can't say I have seen them shipping anyplace yet.

Phynaz

Lifer
I guess, generally speaking, he adds a lot of new ideas to the kernel, and gets his assistants to patch bugs and older versions, but he seems quite adamant about not messing things up. Remember "WE DON'T BREAK USERSPACE"? :laughing:

https://stackoverflow.com/a/25954326

I think, considering how Linux was started as a hobby in the 90s, and it's still going and used by a lot of people 25 years later, he must have learned a lot about what works well and what doesn't, what actions to take and not to take, or else it would have all fallen apart by now.

Or maybe you just meant he can insult how people/companies do things and get away with it. Are other "leaders" like Steve Jobs and Bill Gates better? I guess to maximize $$$ out of their supporters they need to be more cautious about what they say and lie when it benefits the company's profits.

No, I meant as in if his commit harms a user he can't be sued. He has no skin in the game.
 

richaron

Golden Member
One thing to keep in mind, Meltdown and Spectre aren't bugs. They are attacks that exploit features of modern CPUs.
If intel CPUs allow something as (conceptually) obvious as Meltdown to occur then intel CPUs have a bug. It's an architectural problem in hardware which allows an unwanted action to occur. There is already a huge amount of hardware in place to stop exactly this sort of privileged memory access but intel has left a hole in their logic so their hardware has a bug. It's a bug.

So intel CPUs have a bug.

Same logic applies to Spectre but it seems a much more esoteric and lower risk problem, and it's also almost universal which implies it's a bug with current computer engineering on the whole. It's not just like Meltdown where intel tried to design hardware to do a certain job but left a glaring hole in the form of a bug.

Markfw

Moderator Emeritus, Elite Member
One thing to keep in mind, Meltdown and Spectre aren't bugs. They are attacks that exploit features of modern CPUs.
I beg to differ. Intel allows non-privileged cache to access privileged cache? (or whatever) Linux called them out I think. I may not have my terminology all correct, but following this thread, it's obvious Intel did something to optimize that should not be allowed, but AMD enforced the rules.
 

Malogeek

Golden Member
Why isn't there a front page expose on this issue here at Anandtech? It's been in the news everywhere else for days.
The NDA of the exploit lifts tomorrow. Ian and co have been gathering information and likely have been writing it, but waiting until more actual official details are released.
 

Phynaz

Lifer
I beg to differ. Intel allows non-privileged cache to access privileged cache? (or whatever) Linux called them out I think. I may not have my terminology all correct, but following this thread, it's obvious Intel did something to optimize that should not be allowed, but AMD enforced the rules.

These are implementations of side-channel attacks. They expose flaws in processor designs, they are not bugs in themselves. Even Android on ARM is getting patched to get the Kernel address space out of user space.

Side channel attacks are nothing new, just see the references in the Meltdown paper. First you need to understand what the issue is. AMD is also affected by Spectre, and the authors say AMD may be affected by Meltdown - they don't know.
 

moinmoin

Diamond Member
One thing to keep in mind, Meltdown and Spectre aren't bugs. They are attacks that exploit features of modern CPUs.
No, as of now they are attacks that exploit specific implementations of features of modern CPUs, so they are most certainly design flaws in the hardware/microcode implementations of the features. Reading the papers they are currently disappointingly focused on Intel chips only (the Spectre paper even plainly mentions "Testing on non-Intel CPUs has not been performed.") and extrapolate to other chips and uarches without any results. There already are pretty big differences in behavior so for all the non-Intel chips we still have to see whether they find equally groundbreaking flaws in them as well (and those then may only apply to them and not Intel).
 

Hitman928

Diamond Member
This is strictly about Meltdown which works on Intel chips because they aren't even checking privileges, and Meltdown exploits that. AMD chips are checking privileges so AMD can feel confident about this one.

Hitman, am going with Moinmoin here.

This is where I miss Ian, Anand, etc popping on the forums to hash things around and get inspired to write up a thorough article to clear matters.


Part of me agrees. The other part knows that in the whitepaper, the researchers basically said that the building blocks for executing a similar exploit on AMD CPUs (and basically all OoO processors) are there even though AMD had done a good job of not allowing the exploit to happen. They even suggest a couple of ideas that could cause a race condition to occur where a similar exploit could possibly happen. I'm not trying to suggest AMD has anything to really worry about, there's just a part of me (that has some experience in hardware security) that knows they shouldn't be overly confident.

Again, I'm definitely leaning with siding on AMD on this one, I just always have a nagging part of my brain with stuff like this that always makes me nervous, even if I have no stake for the company involved, lol.
 

richaron

Golden Member
Something so obvious that it was just now identified despite existing for over a decade?
That's why I put "conceptually" in brackets.

intel CPUs have this bug which allows a program to access data it shouldn't be able to. The CPUs were designed to not allow this to happen and there is already plenty of hardware in place to not allow this to happen. But intel left a hole in their logic so this bug allows it to happen.
 

moinmoin

Diamond Member
Part of me agrees. The other part knows that in the whitepaper, the researchers basically said that the building blocks for executing a similar exploit on AMD CPUs (and basically all OoO processors) are there even though AMD had done a good job of not allowing the exploit to happen. They even suggest a couple of ideas that could cause a race condition to occur where a similar exploit could possibly happen. I'm not trying to suggest AMD has anything to really worry about, there's just a part of me (that has some experience in hardware security) that knows they shouldn't be overly confident.

Again, I'm definitely leaning with siding on AMD on this one, I just always have a nagging part of my brain with stuff like this that always makes me nervous, even if I have no stake for the company involved, lol.
The possibility of other bugs and/or design flaws is definitely there. Just the way Meltdown works right now seems to fail on AMD chips as those appear to be prepared for this particular attack. I guess the question is how much Meltdown needs to be expanded on or modified to make it work on AMD chips if ever, at which point it's likely getting a new name. ;) Spectre is definitely the more generic and more universal one of the two attacks, also harder to implement and harder to protect against, so that one will be interesting to watch how it plays out on all the different platforms.
 

Phynaz

Lifer
No, as of now they are attacks that exploit specific implementations of features of modern CPUs, so they are most certainly design flaws in the hardware/microcode implementations of the features. Reading the papers they are currently disappointingly focused on Intel chips only (the Spectre paper even plainly mentions "Testing on non-Intel CPUs has not been performed.") and extrapolate to other chips and uarches without any results. There already are pretty big differences in behavior so for all the non-Intel chips we still have to see whether they find equally groundbreaking flaws in them as well (and those then may only apply to them and not Intel).

Just read the source....Non-Intel CPUs have been tested.

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
 

Phynaz

Lifer
That's why I put "conceptually" in brackets.

intel CPUs have this bug which allows a program to access data it shouldn't be able to. The CPUs were designed to not allow this to happen and there is already plenty of hardware in place to not allow this to happen. But intel left a hole in their logic so this bug allows it to happen.

As did AMD, ARM, Qualcomm....And a lot more coming.
 
May 11, 2008
If intel CPUs allow something as (conceptually) obvious as Meltdown to occur then intel CPUs have a bug. It's an architectural problem in hardware which allows an unwanted action to occur. There is already a huge amount of hardware in place to stop exactly this sort of privileged memory access but intel has left a hole in their logic so their hardware has a bug. It's a bug.

So intel CPUs have a bug.

Same logic applies to Spectre but it seems a much more esoteric and lower risk problem, and it's also almost universal which implies it's a bug with current computer engineering on the whole. It's not just like Meltdown where intel tried to design hardware to do a certain job but left a glaring hole in the form of a bug.

That has gotten me wondering: almost all architectures have this problem to a degree, but they all share the same basic concept.
mmu, tlb, out of order execution, speculative execution.
A modern cpu core is riddled with logic functionality that is patented.
I wonder if this is a combination of patents. Or that it is the same patent that is the cause of all of this.

As a very interesting sidenote:
I did read something interesting this afternoon: it seems that on the ARM 64-bit architecture, when doing cryptographic calculations, some instructions have variable execution length depending on the data. So some calculations will finish earlier than other calculations depending on the data that is calculated. To prevent this behavior from being abused, the 64-bit ARM architecture allows for setting flags that modify the timing that it takes to complete these calculations. I am not sure how it works, but I assume that the flags make sure that every instruction used for the calculation takes the same amount of time (the longest time, aka most clock cycles), making it impossible for exploits that measure timings to determine what is going on under the hood of the CPU core.
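The data-dependent timing that post describes, and the "always take the longest path" fix it guesses at, shown at the software level as an added example (not code from the thread or from ARM): a comparison that exits at the first differing byte does an amount of work that depends on the secret, while a fixed-time comparison always does the full amount. The 16-byte tag, TAG_LEN and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define TAG_LEN 16     /* length of the constructed sample tag */
static size_t g_iters; /* loop iterations of the last compare: a proxy for time */
size_t last_iters(void) { return g_iters; }

/* Early-exit comparison: the iteration count depends on where the first
 * differing byte is, so timing reveals how many leading bytes matched. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    g_iters = 0;
    for (size_t i = 0; i < n; i++) {
        g_iters++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Fixed-time comparison: always walks all n bytes (the "longest path") and
 * ORs the differences together, so the work done does not depend on the data. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    g_iters = 0;
    for (size_t i = 0; i < n; i++) {
        g_iters++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    /* Branch-free: bit 7 of (diff | -diff) is set iff diff != 0. */
    return 1 - ((diff | (uint8_t)-diff) >> 7);
}

/* Constructed sample: a 16-byte expected tag and a guess that differs from it
 * only at index mismatch_at (mismatch_at >= TAG_LEN means a correct guess).
 * Returns 1 if the chosen comparison reports equality, else 0. */
int compare_guess(int use_ct, size_t mismatch_at)
{
    uint8_t tag[TAG_LEN], guess[TAG_LEN];
    for (size_t i = 0; i < TAG_LEN; i++)
        tag[i] = guess[i] = (uint8_t)(0xA5 ^ (i * 37));
    if (mismatch_at < TAG_LEN)
        guess[mismatch_at] ^= 0x01;
    return use_ct ? ct_compare(tag, guess, TAG_LEN)
                  : leaky_compare(tag, guess, TAG_LEN);
}
```

With the early-exit version, a wrong guess at byte 0 costs 1 iteration and one at byte 10 costs 11, so timing leaks the match position; the fixed-time version costs 16 iterations in every case.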
 


Hitman928

Diamond Member
The possibility of other bugs and/or design flaws is definitely there. Just the way Meltdown works right now seems to fail on AMD chips as those appear to be prepared for this particular attack. I guess the question is how much Meltdown needs to be expanded on or modified to make it work on AMD chips if ever, at which point it's likely getting a new name. ;) Spectre is definitely the more generic and more universal one of the two attacks, also harder to implement and harder to protect against, so that one will be interesting to watch how it plays out on all the different platforms.

Yes, I agree. The problem for AMD would come though if a similar exploit to Meltdown (same in name or not) were found to be effective against AMD CPUs and the KPTI fix which they insisted they didn't need now becomes a critical fix for AMD as well. That is also the tone of the linux guy who greenlit the adjusted patch to exclude AMD from the potential performance decrease. Basically he puts the liability back on them saying the plan was to implement it for all x86 CPUs but AMD is completely sure they don't need it so. . .

This would be a nightmare scenario for AMD, even worse than what it is for intel right now, IMO. Again, I actually lean to AMD's side that it is the right call, all things considered, I just hope it truly is for their sake. Maybe I'm just being paranoid, but when it comes to this stuff, you kind of have to be.
 

moinmoin

Diamond Member
Maybe read the sources yourself as well?
https://spectreattack.com/spectre.pdf
https://meltdownattack.com/meltdown.pdf
The Project Zero page doesn't add many details aside from the addition of eBPF, which is the one case where a single non-Intel chip was shown to be affected, and only for this particular configuration (while the Intel chips were affected without depending on that particular configuration).
 

mattiasnyc

Senior member
That's why I put "conceptually" in brackets.

intel CPUs have this bug which allows a program to access data it shouldn't be able to. The CPUs were designed to not allow this to happen and there is already plenty of hardware in place to not allow this to happen. But intel left a hole in their logic so this the bug allows it to happen.

I really don't think something is a bug if it's working as designed. A bug to me is an unintended flaw that affects performance, not a security "hole" that can be exploited in a product that works as designed.

The way I look at it is this: Bug = design was fine, execution had issues. In this case; execution was fine, design was 'flawed'.
 

richaron

Golden Member
Neither do you, the comment was about Spectre.
Lol, good point.

What about this? https://spectreattack.com/spectre.pdf
Experiments were performed on multiple x86 processor architectures, including Intel Ivy Bridge (i7-3630QM), Intel Haswell (i7-4650U), Intel Skylake (unspecified Xeon on Google Cloud), and AMD Ryzen. The Spectre vulnerability was observed on all of these CPUs. Similar results were observed on both 32- and 64-bit modes, and both Linux and Windows. Some ARM processors also support speculative execution [2], and initial testing has confirmed that ARM processors are impacted as well.
 

Phynaz

Lifer
the Spectre paper even plainly mentions "Testing on non-Intel CPUs has not been performed."

The Project Zero page doesn't add many details aside from the addition of eBPF, which is the one case where a single non-Intel chip was shown to be affected, and only for this particular configuration (while the Intel chips were affected without depending on that particular configuration).

Yeah, I think I'm out.