Massive security hole in CPU's incoming? Official Meltdown/Spectre Discussion Thread

Page 39 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

coercitiv

A 5-10% performance improvement was terribly small, but a 5-10% performance loss is intolerably huge. :)
Think of it the other way around: would people mind an overall 5-10% performance loss if performance improvement from gen to gen would be 15-25%? The higher the gains are, the lower the penalties seem. Now go back to 5-10% gains.
 

goldstone77


IEC

VMware released patches yesterday for Spectre mitigation on Guest OSes.
https://www.vmware.com/security/advisories/VMSA-2018-0004.html

Process*:
  • Update host firmware
  • Make sure your AV solution is compatible with the updates
  • Update vCenter
  • Update ESXi
  • Verify all hosts in cluster have ESXi patches
  • Fully shut down the Guest VMs and then cold boot them
  • Patch the Guest OS, add registry keys to enable the protection (Windows)
*May vary a bit depending on your setup

If you have WYSE thin clients, Dell is working on an update:
http://www.dell.com/support/article...e-2017-5754---impact-on-dell-products?lang=en

If you have any of the following... patches have been reported to break functionality:
SCCM/SQL, Cisco AnyConnect (older versions only?), PulseSecure VPN, Sandboxie, NCR's Counterpoint POS, Rockwell Automation FactoryTalk

Google Project Zero Meltdown/Spectre full bug report now public, with proof of concept exploit...
https://bugs.chromium.org/p/project-zero/issues/detail?id=1272#c3
 

goldstone77

Well, that's not Meltdown and Spectre is it? Just CPU security flaws in general.

Why would they have only started writing about CPU security flaws in 2005?

CPU security flaws of various types should have been an issue since the CPU was invented, I would think.

https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)#History

I believe the context of this statement is made about the underlying vulnerability that these latest exploits abuse. You reference Meltdown, but I don't think it matters since all the attacks are based on branch chain prediction (implemented sometime after the 486 around year 2000). This guy, Yarom, discovered Spectre, but it looks like he also has started doing research on this type of vulnerability as early as 2005 from what the article suggests. It says researchers, so more than just him, but he is significant since he has been researching this type of vulnerability since 2005 and also discovered Spectre.
 

coercitiv

Straight from Microsoft, posted yesterday.

Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems
Here is the summary of what we have found so far:
  • With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
  • With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
  • With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
  • Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.
For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel. We will publish data on benchmark performance in the weeks ahead.
 

Despoiler

The Windows Meltdown/Spectre patches are apparently breaking other things besides Windows installations for older AMD chips. The "industry" response turns out to be "tier 1" companies. No one else was given a heads up prior to embargo lifting. An example. I do amateur astronomy. The patches broke the ability for some control software to be able to communicate with some telescope mounts. I expect we will see more stuff like this come out as people patch.

https://ascom-standards.org/

ALERT: Windows 10 January 2018 Security Update KB4056892
On Windows 10, the January 2018 Cumulative Security Rollup KB4056892 has caused connectivity issues between ASCOM components. This was caused by a change in security that affected an obscure feature that was introduced for an astronomy product many years ago. You can find more information and instructions on how to manually make the adjustments needed to restore connectivity published by one of our members.

We are aware that the security change affects some of the ASCOM Platform simulator components, as well as requiring changes in the tools for new driver developers. At present we are not recommending driver developers make this change to their existing drivers. It is unclear whether Microsoft will reverse this change or not. The release notes do say it is a "known issue" and that it will be addressed in a future release.

We plan to wait for Microsoft's next move, which should be soon as there are other critical issues with this update which will likely cause another one to come out soon. If it turns out that this security change is permanent, we will make the adjustments needed to the Platform and the Developer Tools.
 

maddie


coercitiv

looks like I will opt out of this patch. Don't really think it's a huge issue for consumers and for anything important, 2-factor will help a lot.
People keep thinking all they stand to lose with these vulnerabilities are their passwords, when sooner or later they stand to lose control over the vulnerable system.
 

Kenmitch

People keep thinking all they stand to lose with these vulnerabilities are their passwords, when sooner or later they stand to lose control over the vulnerable system.

Well it's being downplayed because Intel is the biggest offender in the exploits. If AMD was the biggest offender we'd be seeing breaking news: AMD headquarters was burned down by an angry mob.
 

Dayman1225

Gregory Bryant, manager of Intel's Client Computing Group, confirmed that they will be intercepting future products and future designs to implement silicon/hardware level fixes; such products will be seen in 2018. He also said that fixing the issues was the first priority and reiterated the 90% 5 yr claim by end of week then all by end of month; however, he also said that they will be working with OEMs to go even further back in time to push out patches. Fixing the bugs was the first priority and when that is sorted they will be focusing on performance mitigation to lower overhead and improve performance as much as possible. This was all from a JPMorgan Analyst call; recording is not up just yet, will link when it is.

https://jpmorgan.metameetings.net/events/ces18/sessions/13981-intel-corporation/webcast

Link to the recording (you may have to sign in to listen!)
 

TempAcc99

People keep thinking all they stand to lose with these vulnerabilities are their passwords, when sooner or later they stand to lose control over the vulnerable system.

Well the bug only affects you once you have malware installed that makes use of it. And if you have malware installed, all bets are off mostly anyway.
 

coercitiv

Well the bug only affects you once you have malware installed that makes use of it. And if you have malware installed, all bets are off mostly anyway.
Is that why you think everybody is scrambling to patch operating systems, drivers and browsers? Just so they can watch how the patches have no significant impact on system security anyway?

Mozilla patched Firefox since they feared exploits could be found to take advantage of these vulnerabilities: just JS code from a compromised web server, no initial malware deployment necessary.
 

LTC8K6

Despite the seriousness of this problem, I want to thank you for the comic relief of your posts.
I am single handedly keeping Intel in business.

I feel so powerful and influential to elicit such responses. :D

I'm still not building a new Intel system anyway.
 

LTC8K6

Well the bug only affects you once you have malware installed that makes use of it. And if you have malware installed, all bets are off mostly anyway.
Perhaps we need an explanation of why home users need to worry about this?
Other than applying whatever patches come out, and maintaining our anti-virus software, I'm not sure what we can do about it anyway?

I'm 100% certain I will get nothing other than the MS W10 patch.

I will be shocked if I get a BIOS update out of ASUS.

I doubt I will get a microcode update, although that may have been with the MS W10 patch. I have no idea, really.
 

dark zero

The Windows Meltdown/Spectre patches are apparently breaking other things besides Windows installations for older AMD chips. The "industry" response turns out to be "tier 1" companies. No one else was given a heads up prior to embargo lifting. An example. I do amateur astronomy. The patches broke the ability for some control software to be able to communicate with some telescope mounts. I expect we will see more stuff like this come out as people patch.

https://ascom-standards.org/
Ok... That would make more and more people and businesses look to other options...
For my side, I guess that I move to Ryzen...
 

goldstone77

Perhaps we need an explanation of why home users need to worry about this?
Other than applying whatever patches come out, and maintaining our anti-virus software, I'm not sure what we can do about it anyway?

I'm 100% certain I will get nothing other than the MS W10 patch.

I will be shocked if I get a BIOS update out of ASUS.

I doubt I will get a microcode update, although that may have been with the MS W10 patch. I have no idea, really.

Right now it might not seem like much of a problem, but this is a hardware flaw. Meaning there will or could already be ways to exploit this by other methods. Now that it's out in the open, one could reasonably expect more people/governments to work on exploiting via different methods. Why would anyone worry about someone stealing information off any computer? Obvious reasons are probably identity fraud and access to passwords. This flaw and the methods used might be of little worry to you, but it's the other possible ramifications of this being possible that is the real problem.
 

hnizdo

ouch, font rendering in the kernel (before W10). That is a really "creative" design decision

It's a backward-compatible decision. It's much easier to create a new simple principle, which will work only for new apps.
 

zinfamous

I believe the context of this statement is made about the underlying vulnerability that these latest exploits abuse. You reference Meltdown, but I don't think it matters since all the attacks are based on branch chain prediction (implemented sometime after the 486 around year 2000). This guy, Yarom, discovered Spectre, but it looks like he also has started doing research on this type of vulnerability as early as 2005 from what the article suggests. It says researchers, so more than just him, but he is significant since he has been researching this type of vulnerability since 2005 and also discovered Spectre.

No, that mention for 2005 is simply about when speculative vulnerabilities for hardware, in general, were being tossed about. I don't think the statement suggests anything about that being related to Spectre or Meltdown type of vulnerabilities. He didn't start looking at this type of vulnerability in 2005, just the potential to use hardware design as an attack vector.
 

LTC8K6

Right now it might not seem like much of a problem, but this is a hardware flaw. Meaning there will or could already be ways to exploit this by other methods. Now that it's out in the open, one could reasonably expect more people/governments to work on exploiting via different methods. Why would anyone worry about someone stealing information off any computer? Obvious reasons are probably identity fraud and access to passwords. This flaw and the methods used might be of little worry to you, but it's the other possible ramifications of this being possible that is the real problem.
Seems like all I can do is wait. Next gen Zen is coming soon, so if you want to go Ryzen, might as well wait, and Intel says fixed chips are coming "later this year", whatever that means.
 

Atari2600

Seems like all I can do is wait. Next gen Zen is coming soon, so if you want to go Ryzen, might as well wait, and Intel says fixed chips are coming "later this year", whatever that means.

It means they hope you'll hold off on going AMD until late in the year when they announce, "OK, so, we didn't actually get fixed chips out in 2018, but they will be around fairly early in 2019, it's only a few more months, then you can have performance X% better than anything AMD can do".

When asked to put down a hard quarter for that, or even which half of 2019, or provide guarantees on performance, expect much obfuscation.


Intel simply can't have anything turned around in 12 months to fix this problem without it being a band-aid job (i.e. costing performance) - therefore all they are trying to do is stop you switching to AMD. If they can stall you long enough, they might be able to bring a workable solution to market in a timeframe which you'd consider then, but not now.