Massive security hole in CPU's incoming?Official Meltdown/Spectre Discussion Thread

[Phynaz]

They're using hardware provided by a manufacturer with documentation and validation. It's on AMD's head if they claim they're not affected by this when they are. Can Microsoft be blamed if the manufacturer claims that the processor doesn't have an issue, nobody can prove it for years, and then suddenly someone figures out a way?

Yes, Microsoft would be liable if they knew about possibility of the issue and didn't block it under tort law.

 

[maddie]

No one can say that anything remotely this complex is ever 100% safe. That's why you get such cautious language

Rather dramatically shown by these things suddenly turning up after they've notionally been out there for 10+ years.

Exactly, and everyone should know that 100% certainty in the mathematically precise sense is a myth, ever since the dawn of Quantum theory.

If AMD systems are immune to this exploit variation, then why should they pay the cost? When a successful exploit is developed, if ever, then patch for that. I'm fairly certain that we have not seen the end of these flaws and possible exploits on most CPU designs.

 

[Malogeek]

It seems like you are selectively quoting?

Let me quote myself

The quoted one here specifically to Meltdown before certain people here quote other stuff regarding Spectre again and again.

The discussion above and the patches in question are regarding Meltdown. They are separate attacks and are patched differently. So yes I am selectively quoting because the discussion is specifically about the Intel design "flaw" which is in regards to Meltdown only.

 

[arandomguy]

Has AMD officially as the company asked Microsoft to not patch and to accept liability?

Also no one is answering the question of what the risk/reward for someone like Microsoft is in this situation?

 

[CatMerc]

It seems like you are selectively quoting?



That aside that is still murky as it relates to whether or not someone like Microsoft should broadly patch. Microsoft will want to protect themselves as tightly as possible as they have no gain to take any risk for AMD.

Aside from their servers performing faster?

 

[teejee]

What means absolutely nothing, this falls way intro preventive measures territory, and is up to Microsoft to decide what to do, and to AMD to try to convice them not to. If this ends up backfiring its going to be Microsoft fault, and security is more important than performance for the server enviroment here.

No, I'm pretty sure it is the other way round. It is AMD that is responsible to specify how their CPU works. MS takes zero risk if they follow AMD's request. If they ignore AMD then they risk a lawsuit for giving for ignoring AMD and giving Intel unfair advantage.

 

[Malogeek]

Are any of us here remotely qualified to answer the question of liability regarding AMD and Microsoft?

 

[Phynaz]

https://www.amd.com/en/corporate/speculative-execution

I'd call that a definitive statement. There's no Intel PR crap in their statement, just laying out the facts and providing a clear response as to their vulnerability status. The quoted one here specifically to Meltdown before certain people here quote other stuff regarding Spectre again and again.

AMD's statement is specifically directed to the exploitations in the Google Project Zero research. Don't assume anything beyond that. Just because those methods may not work on AMD CPU's doesn't mean that other attacks on speculative execution on AMD CPU's won't work.

Again, from the researchers:


"As the attack involves currently-undocumented hardware
effects, exploitability of a given software program
may vary among processors. For example, some indirect
branch redirection tests worked on Skylake but not on
Haswell. AMD states that its Ryzen processors have “an
artificial intelligence neural network that learns to predict
what future pathway an application will take based
on past runs” [3, 5], implying even more complex speculative
behavior. As a result, while the stop-gap countermeasures
described in the previous section may help
limit practical exploits in the short term, there is currently
no way to know whether a particular code construction
is, or is not, safe across today’s processors – much less
future designs."

 

[Qwertilot]

The risk for Microsoft in (hypothetically) over aggressively patching is relatively clear cut - loss of market share vs since Linux for AMD systems. Not a huge thing but probably not trivial either.

 

[Glo.]

In this thread, I see many purported techy/sciency people failing to understand common, simple scientific language.

Yes, there is a near-zero chance that your DNA that we found at the crime scene isn't your DNA but, you know, you can hold onto that argument as long as you want.

IMO, what AMD says is that every architecture can be exploited some way, and for them there have to very specific conditions, not replicable in normal circumstances.

TL;DR: Even AMD is not 100% sure about the safety of their CPUs, however - they are most likely unaffected by the most common ones, discussed here.

 

[realibrad]

AMD's statement is specifically directed to the exploitations in the Google Project Zero research. Don't assume anything beyond that. Just because those methods may not work on AMD CPU's doesn't mean that other attacks on speculative execution on AMD CPU's won't work.

Again, from the researchers:


"As the attack involves currently-undocumented hardware
effects, exploitability of a given software program
may vary among processors. For example, some indirect
branch redirection tests worked on Skylake but not on
Haswell. AMD states that its Ryzen processors have “an
artificial intelligence neural network that learns to predict
what future pathway an application will take based
on past runs” [3, 5], implying even more complex speculative
behavior. As a result, while the stop-gap countermeasures
described in the previous section may help
limit practical exploits in the short term, there is currently
no way to know whether a particular code construction
is, or is not, safe across today’s processors – much less
future designs."

That is saying that the currently undocumented hardware effects means they cannot be 100% sure as of yet. There is not a way to know until its documented.

 

[maddie]

In this thread, I see many purported techy/sciency people failing to understand common, simple scientific language.

Yes, there is a near-zero chance that your DNA that we found at the crime scene isn't your DNA but, you know, you can hold onto that argument as long as you want.

NM.

 

[Malogeek]

Again, from the researchers:

I knew you'd be back with your "anything is possible" argument. You do realize your bolded part basically says that it's entirely possible the CPU may be hacked in some other way? Well of course, that's true for any CPU and for any other type of hack method. You also realize by the same argument, these patches wouldn't block that attack either, because the patch specifically fixes issues associated with these 3 forms of attacks.

 

[Glo.]

The risk for Microsoft in (hypothetically) over aggressively patching is relatively clear cut - loss of market share vs since Linux for AMD systems. Not a huge thing but probably not trivial either.

It is and will be huge things. AMD may finally get around 50% sales market share for each quarter, and over time rapidly gain installed base.

Intel just got MASSIVE PR and Mindshare hit. People are not dumb, unfortunately for Intel.

 

[LTC8K6]

I predict a lot of hype and hand wringing, and then back to normal.

 

[dahorns]

No, I'm pretty sure it is the other way round. It is AMD that is responsible to specify how their CPU works. MS takes zero risk if they follow AMD's request. If they ignore AMD then they risk a lawsuit for giving for ignoring AMD and giving Intel unfair advantage.

Actually, it does work that way. If Microsoft was aware of a risk and was unreasonable in failing to protect or warn its customers, it could certainly be liable for any damage. AMD may also be liable (case would be stronger against AMD if it actually asked MS not to implement a fix and a customer was damaged as a result). These are not mutually exclusive possibilities; both can be liable at the same time.

 

[Paratus]

Aside from their servers performing faster?

It’s worse than that.

For cloud and other services they obviously selected their server components to meet certain requirements including certain amounts of computing margin.

For some uses this patch will be negligible. For other uses, specifically those that have high numbers of kernel calls the impact can apparently be in the double digits percentage wise. (Ars I think mentioned almost %50 worse case).

For those businesses, implementing this patch may be the difference between being fast enough to meet requirements and being too slow to meet requirements.

For those of us at home it probably doesn’t matter if we run with or without the patch as the risk of an actual exploit should be small as well as most (but not all) uses cases shouldn’t be affected by more than a few percent.

For me I’ll probably leave the patch on my intel machines and look to turn it off on my new AMD machine.

 

[nsangani1]

I put together a system with i7 7700K ($250) and Asus Maximus VIII Hero($100 after rebates) during Black Friday sales. I believe this is still under extended return policy period.
Keep it or return it and wait a few months?

 

[LTC8K6]

I put together a system with i7 7700K ($250) and Asus Maximus VIII Hero($100 after rebates) during Black Friday sales. I believe this is still under extended return policy period.
Keep it or return it and wait a few months?

Why in the world would you even consider returning it?

 

[Glo.]

Its funny thing. I just caught myself, that I was thinking about upcoming, 2018, builds that I planned to do, and... that I was thinking that all of them were Intel based - should I switch to AMD platform...

I think, I am not the only one with those thoughts...

 

[Malogeek]

I think it's too early for anyone to start thinking about changing platforms or altering purchase decisions until there is some significant testing done with known patched PCs across multiple CPU types/speeds and many different types of workloads. Otherwise all you're basing decisions on is potential issues.

 

[BigDaveX]

It is and will be huge things. AMD may finally get around 50% sales market share for each quarter, and over time rapidly gain installed base.

Intel just got MASSIVE PR and Mindshare hit. People are not dumb, unfortunately for Intel.

Um, even if we were just talking about server marketshare, I'm not sure that AMD can even supply enough CPUs to manage that. IIRC, the highest their share of desktop CPU sales (which they've always done a lot better in than server) ever got was about 35% back in 2005-2006 or so, and that was when they still had their own fabs and a product that pretty conclusively owned the competition.

EDIT: Plus, if we go by historical precedent, the TLB glitch on the early K10 Opterons didn't ultimately do much to hurt sales; it took Nehalem for Intel to get their server mojo back. Admittedly, the timing's opportune for AMD since Epyc is far more competitive than the Bulldozer Opterons ever were, but I don't think this is going to be a game-changer.

 

[Despoiler]

I think it's too early for anyone to start thinking about changing platforms or altering purchase decisions until there is some significant testing done with known patched PCs across multiple CPU types/speeds and many different types of workloads. Otherwise all you're basing decisions on is potential issues.

Disk I/O is most definitely affected.
https://www.youtube.com/watch?v=_qZksorJAuY

I'd like to see review sites do gaming + cpu streaming tests.

 

[Glo.]

Um, even if we were just talking about server marketshare, I'm not sure that AMD can even supply enough CPUs to manage that. IIRC, the highest their share of desktop CPU sales (which they've always done a lot better in than server) ever got was about 35% back in 2005-2006 or so, and that was when they still had their own fabs and a product that pretty conclusively owned the competition.

EDIT: Plus, if we go by historical precedent, the TLB glitch on the early K10 Opterons didn't ultimately do much to hurt sales; it took Nehalem for Intel to get their server mojo back. Admittedly, the timing's opportune for AMD since Epyc is far more competitive than the Bulldozer Opterons ever were, but I don't think this is going to be a game-changer.

I was talking about consumer Market. There is a lot of consumers(well, I think all of them) who are concerned with this, and will not be blinded, by any brand perception.

 

[nathanddrews]

AnandTech's Article:

https://www.anandtech.com/show/12214/understanding-meltdown-and-spectre