Massive security hole in CPU's incoming? Official Meltdown/Spectre Discussion Thread

Page 73

yeshua

Member
Aug 7, 2019
Intel has received a metric ton of flak in regard to their vulnerabilities; however, each time they have been announced, a fix was immediately available for Linux, MacOS and Windows.

AMD was notified about this vulnerability over five months ago (August 23, 2019).
  • There's no CVE still
  • The vulnerability hasn't even been confirmed by the company
  • I've just checked with Microsoft and Linux (kernel.org) - zero confirmations and no fixes despite the announcement and publication
Meanwhile the researchers have been able to exploit the vulnerability in a web browser. This looks really really bad.

The researchers were able to exploit the vulnerability via JavaScript run on Chrome and Firefox browsers. The paper suggests several possible remedies for the vulnerability through a combined software and hardware approach, but doesn't speculate on the performance hit associated with the suggested fixes.
 

IEC

Elite Member
Super Moderator
Jun 10, 2004
That's certainly viewing things through blue-tinted glasses. I had to wait many months for some of these fixes, and many of them negatively impacted performance...

Then there's the issue of my 6700K laptop which is at the mercy of the vendor for BIOS updates. Last update was in early 2019.
 

yeshua

Member
Aug 7, 2019
RHEL, Fedora, Ubuntu, Arch Linux, mainline Linux: fixes were released within days after vulnerability announcements. Microsoft Windows: fixes were released at most within a month after announcements. I'm not sure about MacOS/FreeBSD/NetBSD/OpenBSD - haven't used any of them ever. I've been following the entire SNAFU very closely and had to update numerous servers and PCs to keep 'em safe. BIOS updates are preferable, but Intel has pushed microcode updates as part of Windows updates/the Linux firmware package quite snappily. Can't really complain.

Meanwhile AMD has been sitting on this vulnerability for five months already and hasn't even confirmed it. Maybe it's not so severe - I'm not sure if a PoC has been published yet. It's unfortunate the researchers announced the vulnerability on Thursday evening/Friday morning. AMD's product security page doesn't mention anything at all.
 

nicalandia

Diamond Member
Jan 10, 2019
Meanwhile AMD has been sitting on this vulnerability for five months already and hasn't even confirmed it. Maybe it's not so severe - I'm not sure if a PoC has been published yet. It's unfortunate the researchers announced the vulnerability on Thursday evening/Friday morning. AMD's product security page doesn't mention anything at all.
Because it's a weak, half-baked "Exploit" that they didn't even bother with a POC for?
 

Markfw

Moderator Emeritus, Elite Member
May 16, 2002
RHEL, Fedora, Ubuntu, Arch Linux, mainline Linux: fixes were released within days after vulnerability announcements. Microsoft Windows: fixes were released at most within a month after announcements. I'm not sure about MacOS/FreeBSD/NetBSD/OpenBSD - haven't used any of them ever. I've been following the entire SNAFU very closely and had to update numerous servers and PCs to keep 'em safe. BIOS updates are preferable, but Intel has pushed microcode updates as part of Windows updates/the Linux firmware package quite snappily. Can't really complain.

Meanwhile AMD has been sitting on this vulnerability for five months already and hasn't even confirmed it. Maybe it's not so severe - I'm not sure if a PoC has been published yet. It's unfortunate the researchers announced the vulnerability on Thursday evening/Friday morning. AMD's product security page doesn't mention anything at all.
Isn't this the one where you have to somehow read information before it even posts? And after it posts, it is not a problem? How do you even do that?
 

nicalandia

Diamond Member
Jan 10, 2019
Meanwhile the researchers have been able to exploit the vulnerability in a web browser. This looks really really bad.
It's a simulated attack based on their... simulation. No POC on actual hardware outside of their simulated environment.
 

moinmoin

Diamond Member
Jun 1, 2017
Because it's a weak, half-baked "Exploit" that they didn't even bother with a POC for?
Responsible disclosure often involves the presentation of the research and findings at security oriented events (as happened here), with a PoC only being publicly released after the vulnerability is already mitigated.
 

Hitman928

Diamond Member
Apr 15, 2012
Intel has received a metric ton of flak in regard to their vulnerabilities; however, each time they have been announced, a fix was immediately available for Linux, MacOS and Windows.

AMD was notified about this vulnerability over five months ago (August 23, 2019).
  • There's no CVE still
  • The vulnerability hasn't even been confirmed by the company
  • I've just checked with Microsoft and Linux (kernel.org) - zero confirmations and no fixes despite the announcement and publication
Meanwhile the researchers have been able to exploit the vulnerability in a web browser. This looks really really bad.

Intel Fixes a Security Flaw It Said Was Repaired 6 Months Ago

Here's part of the update from ZombieLoad's researchers:
"On January 27th, 2020, an embargo ended showing that the mitigations against MDS attacks released in May 2019 are insufficient. With L1D Eviction Sampling, an attacker can still mount ZombieLoad to leak data that is being evicted from the L1D cache.
"We disclosed this issue to Intel on May 16th, 2019. However, as microcode updates containing the necessary fixes are not yet available, we are not releasing any proof-of-concept code."


You were saying?

Then there's also the ZombieLoad researchers, who said that Intel's fixes are band-aids and that they aren't fixing the underlying problems, which is why slight tweaks to existing attacks force a new response each time.
 

yeshua

Member
Aug 7, 2019
Then there's also the ZombieLoad researchers, who said that Intel's fixes are band-aids and that they aren't fixing the underlying problems, which is why slight tweaks to existing attacks force a new response each time.

Forgot about this one, right, thanks, but they've handled the others pretty well, I guess. Large companies have layers on top of layers of people, and sometimes information has trouble reaching the right ones. Like with this AMD vulnerability: the researchers behind it are quite serious, reputable and well known; it's unlikely they've uncovered something totally invalid which is impossible to exploit, as they have their own reputation at stake. They are neither AMD nor Intel fans; they're in it purely for hacking.
 

naukkis

Senior member
Jun 5, 2002
Intel has received a metric ton of flak in regard to their vulnerabilities; however, each time they have been announced, a fix was immediately available for Linux, MacOS and Windows.

AMD was notified about this vulnerability over five months ago (August 23, 2019).
  • There's no CVE still
  • The vulnerability hasn't even been confirmed by the company
  • I've just checked with Microsoft and Linux (kernel.org) - zero confirmations and no fixes despite the announcement and publication
Meanwhile the researchers have been able to exploit the vulnerability in a web browser. This looks really really bad.

There's nothing to fix yet. Yes, they can get address bits from JavaScript - but that doesn't yet leak any useful data by itself. That exploit's way to leak kernel data is to use a special kernel module, and even with that they could get data out at a rate of 0.66 B/s.

Intel vulnerabilities are real threats that need rapid patching - using this to leak data is extremely difficult without getting access to run special kernel modules, and in those circumstances that leak method isn't needed at all.
 

nicalandia

Diamond Member
Jan 10, 2019
There's nothing to fix yet. Yes, they can get address bits from JavaScript - but that doesn't yet leak any useful data by itself. That exploit's way to leak kernel data is to use a special kernel module, and even with that they could get data out at a rate of 0.66 B/s.
I agree, the researchers here are grasping at straws.
 

Hitman928

Diamond Member
Apr 15, 2012
I agree, the researchers here are grasping at straws.

Grasping at straws is maybe a little harsh. This is university research, so trying to push the frontier (so to speak) isn't uncommon. This is basically a first step at seeing if there is anything in AMD's method to exploit. They (or others) will continue to investigate to see if they can actually turn this into something, but as yet, there's really nothing there. Knowing how PhD funding typically works, I do find it a bit funny that Intel's cash donation for this research was brushed off. There's nothing illegal or immoral about it, and the students and professor shouldn't receive any flak for it, but for sure Intel isn't just giving them money because they're good students; Intel knows what they'll be researching before funding is actually given.

I will say that their recommended mitigations do seem to be quite a stretch at this point given the state of the attack vector. I'll still wait for AMD's response as I'm sure they're looking into it and will probably have better insights at this point than the researchers.
 

DisEnchantment

Golden Member
Mar 3, 2017
If AMD responded to the folks at CTS Labs, I am sure they will respond to these people. They seem more decent and even followed a responsible disclosure policy, unlike the folks at CTS Labs, who went to great lengths, making YT videos and even a green-screen office background, to make AMD look bad.
If there is no CVE assigned yet, then it is just that ... another uni paper, and it ends there and the student gets the degree.

The fact that they have been trying and they have not been able to come up with a PoC so far says something.

EDIT:
Typo mentioned by @Hitman928
 

nicalandia

Diamond Member
Jan 10, 2019
To be honest, I don't expect AMD to even acknowledge this "research", as it's very presumptive about AMD's L1D hash function; this has been explicitly left undocumented by AMD.
 

naukkis

Senior member
Jun 5, 2002
To be honest, I don't expect AMD to even acknowledge this "research", as it's very presumptive about AMD's L1D hash function; this has been explicitly left undocumented by AMD.

The hash function itself has been; otherwise the L1 cache microtags work just like AMD has documented. I also find it interesting that L1D microtagging was already implemented in Bulldozer; AMD mentioned it for the first time in the Zen documentation. Might give a reason for why Bulldozer had a write-through L1D.

The first thing to get speculative attacks to work is to reverse-engineer that hash function, though it seems that AMD did not waste many gates on it: it's simply an XOR function of the first two bytes for address translation. With such a simple algorithm AMD could not have expected it to stay secret, so it surely isn't the only thing they have done against side-channel attacks.
 

nicalandia

Diamond Member
Jan 10, 2019
As if things weren't any more suspicious, the Linux kernel they were using was the 4.15.
 

Hitman928

Diamond Member
Apr 15, 2012
Hm... so not fixed but can't help dis all efforts so far? :confused:

It seems to me that the researcher at this point is being a bit cagey on the subject. He says that this is not a new type of attack (all existing attacks are fixed/mitigated), but then says it's not fixed. I have to come back to my initial thought that there's something potentially there, but this research doesn't really show how to perform an actual attack with it unless you are using other exploits to make it work.

In other words, this "new" side channel nets you nothing usable without other exploits and requires some pretty unrealistic conditions to be met just to get to a point where you get nothing useful for your effort. So AMD's response was basically: have all the latest updates and this isn't an issue, which the research shows to be true. It's like performing a super involved theft that requires everything to go exactly right, with some really good luck along the way, and in the end what you stole was a safety deposit box number inside a federally secured bank. Not the key, just the box number. In the end you spent a whole lot of effort and had just the right amount of luck to know where something (not even sure what) is stored, but have no way to get it. Congrats.
 

Arkaign

Lifer
Oct 27, 2006
This new AMD thing is much ado about nothing, just as it is with the Intel vulnerabilities - for home users. The realistic limitations in getting any usable data are so unbelievably slow, and dependent on someone having an outright appallingly outdated OS and a wide-open internet connection and deliberately running malicious code and leaving it up for eons. To get anything useful either takes an eternity or incredible luck.

For business and server side, it's a bit different, but still pretty impractical.

As always, by an order of magnitude, the biggest risks in computer security are heavily weighted towards human error and exploitation, and third-party software or services being hacked. You can have your perfect hardware and so on, but then some piece of trusted software gets owned (like with the Asus and HP update software recently) and bammo, a wide-open door to inject and run whatever malware is enormously more effective as an attack vs any of this nonsense.

Now continual research and improvement in hardware-level security is wise, of course; it's just yet to be anything worth serious worry about. It's like someone in Australia worrying about a dumpster fire while half of the country is literally on fire. Forest for the trees syndrome.
 

Nothingness

Platinum Member
Jul 3, 2013
This new AMD thing is much ado about nothing, just as it is with the Intel vulnerabilities - for home users.
My thought too. Alas, as an end-user I am impacted because the hardware and software are getting updated to get around those issues and everything gets slower.
 

yeshua

Member
Aug 7, 2019
What is the difference between meta data and actual data?

I've no idea what meta-data means in terms of the CPU cache/RAM, but here's an example from a related field of tech. On HDDs/SSDs/flash drives/etc. you have files which contain actual data. Then you have their records in the file allocation table, which tells the OS where to find these files on the underlying storage. This entire table is basically meta-data. File names could also be considered meta-data. All things considered, such meta-data cannot be used directly to infer the contents of the files, but it may hint at what's being stored.

Considering that not a single major company has made an announcement about this vulnerability, it's safe to assume it's either very hard or near impossible to exploit, or already fixed. The Linux kernel usually gets such fixes as soon as they are announced, and this time it's been nothing. The most recent Linux kernel, 5.5.8, has absolutely nothing.