Massive security hole in CPU's incoming? Official Meltdown/Spectre Discussion Thread


Alpha One Seven

Golden Member
Sep 11, 2017
1,098
124
66
http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-the-linux-page-table



Quoted from a reddit thread.

This could be big. Many a sysadmin might have sleepless nights soon enough.

EDIT: Since news and clarification arrived, I'll add it here.
Official website with details: https://meltdownattack.com
TL;DR
There are two attacks exploiting similar ideas, called Meltdown and Spectre.

Meltdown affects all Intel CPUs going back a decade, and some select ARM CPUs. It is the more pressing issue of the two, and potentially compromises systems completely due to its power. Patches already went out on both Linux and Windows to mitigate it. Performance hit depends on workload, gaming not noticeably affected.

Spectre affects all CPUs aside from specialized microcontrollers and other low-powered devices. It is harder to exploit but also harder to fix. The full consequences and effects of it are still unknown, but all major tech companies are taking steps to research and mitigate it.

Intel Press Release: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

AMD Press Release: https://www.amd.com/en/corporate/speculative-execution

Apple Press Release: https://support.apple.com/en-us/HT208394

ARM Press Release: https://developer.arm.com/support/security-update
No.
 

goldstone77

Senior member
Dec 12, 2017
217
93
61
You know I wonder if you could use these exploits through the Intel Management Engine via Intel Active Management Technology. Now wouldn't that be something.
 

goldstone77

Senior member
Dec 12, 2017
217
93
61
Meltdown & Spectre Updates Benchmarked, Big Slow Down for SSDs!
Hardware Unboxed
Published on Jan 6, 2018

Not much impact on gaming or application performance, but NVME and SSDs take another hit in performance.
 

beginner99

Diamond Member
Jun 2, 2009
5,208
1,580
136
Plus, they said they couldn't detect if it was ever exploited, since there wouldn't be a log of it.

Well, at one point you need to send the data you found home, and that can always be detected. Only thing you can't know in this case is how the attacker got the data. Maybe that is what happened. They saw someone stealing but there was no malware to be found explaining how access to the data happened.
 

bononos

Diamond Member
Aug 21, 2011
3,883
142
106
Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years
Countermeasures to protect apps from attack
By Thomas Claburn in San Francisco 5 Jan 2018 at 07:08

https://www.theregister.co.uk/2018/01/05/spectre_flaws_explained/
The article lays out a good timeline, and describes the attacks in good detail.

The article addresses Intel's spinning by calling them 'bullshit' and 'denial'. I think Intel's reaction is more defensive compared to the Management Engine fiasco just a less than a ago (another bug known for 7 years) because it knows that Spectre v1/2 is likely not fixable because many of the affected motherboards are out of production and support and will not be receiving bios updates from their manufacturers. What a giant mess.
 
May 11, 2008
19,306
1,131
126
Meltdown & Spectre Updates Benchmarked, Big Slow Down for SSDs!
Hardware Unboxed
Published on Jan 6, 2018

Not much impact on gaming or application performance, but NVME and SSDs take another hit in performance.

I will wait for when they start doing multiplayer games testing.
Especially those open field games.

Games like WOW might get it difficult.
Lot of network and IO and CPU usage I assume...
 

StinkyPinky

Diamond Member
Jul 6, 2002
6,761
777
126
So we have about 10,000 computers at work. Is Intel going to pay for some temp workers to patch their bios?
 

wahdangun

Golden Member
Feb 3, 2011
1,007
148
106
So we have about 10,000 computers at work. Is Intel going to pay for some temp workers to patch their bios?


Wow, that sucks. Fortunately we have transitioned to thin clients so it was minimal, and the thin clients we use have ARM CPUs or 45nm Intel Atoms that are still single-core in-order.
 

hnizdo

Member
Aug 11, 2017
33
16
41
So we have about 10,000 computers at work. Is Intel going to pay for some temp workers to patch their bios?

Did Microsoft (etc.) pay for managing, testing and troubleshooting their security updates? No. No company can cover something like this.
 

Borealis7

Platinum Member
Oct 19, 2006
2,914
205
106
So we have about 10,000 computers at work. Is Intel going to pay for some temp workers to patch their bios?
There has got to be some kind of endpoint management system in an organization this size. My work laptop was updated and restarted automatically, during work hours WHILE I WAS WORKING, and I lost a little bit of work that wasn't saved yet.
 

stockolicious

Member
Jun 5, 2017
80
59
61
Take that to P&N before it gets started. Please.

Meltdown is now out in the open. It's only a matter of time before non-state actors take advantage of it. The patches are hurting performance and possibly affecting people's livelihoods today. We don't need to muck around in the world of conspiracy to know that much.

If Intel mishandles this situation, they may lose significant market share in the server sector, which is their main source of revenue. And this while AMD and ARM are both attempting to make fresh incursions into that space. IBM is still pushing its POWER products, too.
https://www.ebay.com/sch/i.html?_od...&_trksid=m570.l1313&_nkw=xeon+server&_sacat=0

I think you're right - seems as though there are a few hundred thousand newly available Intel servers on eBay
 

french toast

Senior member
Feb 22, 2017
988
825
136
So, 2-3% games (some, offline)...10-40% nvme storage (ouch!).
Not the end of the world for desktop by a long shot.
 

hnizdo

Member
Aug 11, 2017
33
16
41
I think you're right - seems as though there are a few hundred thousand newly available Intel servers on eBay

Hmm, I am thinking how it's related. Let's have a server(s), retarded by patches. How do I solve the situation? I will sell them for a low price on eBay, and restock with - what? Servers with the same flaw? Forget about AMD, there are no hundred thousand modern AMD servers on the whole market.
 

ashetos

Senior member
Jul 23, 2013
254
14
76
I feel like the problem isn't going to be the throughput loss, disk I/O and network I/O could very well not lose performance given enough queue depth.

We may suffer from increased CPU utilization, which most benchmarks will not show.
 

rchunter

Senior member
Feb 26, 2015
933
72
91
CPU PassMark scores are the same on my X99 rig after the Windows 10 update. I will bench again if Asus ever gets us a BIOS patch.
 

mattiasnyc

Senior member
Mar 30, 2017
356
337
136
Meltdown & Spectre Updates Benchmarked, Big Slow Down for SSDs!
Hardware Unboxed
Published on Jan 6, 2018

Not much impact on gaming or application performance, but NVME and SSDs take another hit in performance.

Not NVME and SSDs, NVME SSDs, correct? It's only showing reduced performance on NVME drives specifically, not SSDs generally (i.e. SATA SSDs).
 

Zstream

Diamond Member
Oct 24, 2005
3,396
277
136
Wow, that sucks. Fortunately we have transitioned to thin clients so it was minimal, and the thin clients we use have ARM CPUs or 45nm Intel Atoms that are still single-core in-order.

Nothing to do with OoO or IO.
 

moinmoin

Diamond Member
Jun 1, 2017
4,934
7,620
136
Any guesses when we will see cpu's without this vulnerability?
Some ex-Intel employee did a detailed Tweets thread about this very topic: https://twitter.com/securelyfitz/status/949370010652196864
Thread time! Why can't they just quickly patch #meltdown or #spectre and push out another cpu? Why could it possibly take years? Why don't they use AGILE or x/y/z? Lots of reasons: (note: my goal is not to criticize chip manufacturers - it's to defend the constraints they have)

Let's start with a standard software product many are familiar with and work off that. First, every time you hit 'build' it's called a 'stepping', costs millions of dollars & takes several months. If you want a profitable product, you may only get 10 chances to press 'build'.

On top of that, half those 'builds' are not 'full layer steppings' meaning you can't change any logic gates, just how they're connected. Even with a full layer stepping you can't shuffle stuff around anywhere like you can with library files and whatnot.

One way to think of it - imagine an ISA that only supports 8 bit jumps/calls. You can only go back or forth +- 128 bytes from your current address. You can't just plug in an extra 256 bytes of code between two existing blocks without lots of rework and significant timing impact.

So what's an easy fix on silicon? 1 bit to a couple bytes. Equivalent of inverting a test, changing an immediate value in code, nopping out a bad instruction, or adjusting a branch destination. maybe reordering a simple if/else.

Any more than that, and you impact everything around you. Your extra power draw might heat up another gate that makes a latch work slower and causes every cpu to be speed rated 100mhz slower. The extra space you need might introduce propagation delays that can't be worked around.

So, the easiest possible fix means a couple months to 'build', a few months for you to test your fix, plus regression testing against 50 years of code that your CPU must support. Followed by ramping up high volume manufacturing. Let's say 6 months from fix to on the shelf.

But really, even a small fix means building, testing, fine tuning, building, testing, characterizing, and then releasing. So count on 2-3 steppings and we quickly get to 6 months to a year.

What about a minor new feature? If you've already got the architectural and specification stuff done, you need to implement it in HDL, simulate and verify it, and then put it through the build/test/production path. 2 years.

The reality is that new features are risky when you only get a few revisions. LOTS of features exist in silicon for generations before they're fully vetted and 'enabled'. So most features end up being more like 5 years to availability on a product with software supporting it.

But we're still not there. #meltdown and #spectre attack fundamental architecture features that have been built on for decades. We may need to go back to the drawing board. (old intel product lifecycle slide). Everything so far has been in the yellow 'development' phase.

Assuming we don't need too much new research, we amend the architecture, write new specifications, implement the architecture in HDL, fabricate the chip, and go through validation before selling it. Once again, we're talking 4 to 5 years.

What's it all mean? My guess is there might be a few hardware 'quick fixes' that we could see as soon as this summer (one year after first rumblings). These would probably have a performance impact, but would be a smaller impact than the current software fixes.

Come 2019 and 2020, other products in the pipeline will have more involved fixes that again improve performance over the software and quick fixes. The solution everyone wants is a full fix with no performance impact. I can't imagine that coming any sooner than 2021.

I left Intel over 5 years ago - I know nothing that isn't public about current or upcoming products. This is all speculation based on general knowledge of CPU and silicon manufacturing. Thanks to @savagejen for asking me questions and encouraging me to post.