Massive security hole in CPU's incoming? Official Meltdown/Spectre Discussion Thread

Page 79

deasd

Senior member
Dec 31, 2013
513
724
136
Just went over the old Spectre/Meltdown mitigation test summary from last year. It seems the context switching result heavily depends on memory latency, IO, and core interconnect, since the 10980XE has the same arch as the 10900K but differs only in the other factors mentioned above... that's the only way to explain why Intel HEDT suffers the most.

In short, this is not a generic algorithm test and more of a stress test of program switching between cores. We have to wait for Windows to respond to the new Spectre.

With the number of cores per CPU growing ever since, there is less and less need to even switch between programs. (There is still the user<->kernel transition on each syscall, depending on one's interpretation of "context switch". However, I seem to remember TSS change/TLB flush was the expensive part, so program switch it is.)


3.jpg
 

deasd

Senior member
Dec 31, 2013
513
724
136
So..... a month later, still no action from Microsoft against Spectre V2 ??? What's going on there,....
 

DrMrLordX

Lifer
Apr 27, 2000
21,582
10,785
136
So..... a month later, still no action from Microsoft against Spectre V2 ??? What's going on there,....

Nothing, apparently. I guess they think they can ignore it so long as there are no PoCs or active exploits in the wild.
 
Jul 27, 2020
15,759
9,823
106
Intel can't take the performance hit. They will wait till Raptor Lake possibly to slow down ADL with security patches.
 

beginner99

Diamond Member
Jun 2, 2009
5,208
1,580
136
So..... a month later, still no action from Microsoft against Spectre V2 ??? What's going on there,....

The issue is overblown. Always has been for client (=us) users. It has always been an issue with cloud providers where different people share stuff on the same machine (CPU) and exploiting these could give them unwanted access. But let's be clear. Nobody runs security critical stuff on shared machines so even then it's doubtful how useful that attack ever was outside of state actors.
For Linux it is fixed and these machines all run Linux and not Windows. The only place you find Windows Server is inside corporations and here the whole sharing one machine part is much less critical as only your admins could really exploit it, and they are your admins so they don't need security bugs to do nefarious things. (These machines are behind firewalls so only internal users are possible attackers.)
 

nicalandia

Diamond Member
Jan 10, 2019
3,330
5,281
136
This is getting out of hand really fast

Hertzbleed Attack

Am I affected by Hertzbleed?

Likely, yes.

Intel’s security advisory states that all Intel processors are affected. We experimentally confirmed that several Intel processors are affected, including desktop and laptop models from the 8th to the 11th generation Core microarchitecture.


AMD’s security advisory states that several of their desktop, mobile and server processors are affected. We experimentally confirmed that AMD Ryzen processors are affected, including desktop and laptop models from the Zen 2 and Zen 3 microarchitectures.
 

Hitman928

Diamond Member
Apr 15, 2012
5,182
7,633
136
This is getting out of hand really fast

Hertzbleed Attack

Am I affected by Hertzbleed?

Likely, yes.

Intel’s security advisory states that all Intel processors are affected. We experimentally confirmed that several Intel processors are affected, including desktop and laptop models from the 8th to the 11th generation Core microarchitecture.


AMD’s security advisory states that several of their desktop, mobile and server processors are affected. We experimentally confirmed that AMD Ryzen processors are affected, including desktop and laptop models from the Zen 2 and Zen 3 microarchitectures.

Two things:

  1. Basically every modern CPU is affected by Hertzbleed.
  2. No one has to worry. This is not a danger to anyone and AMD and Intel (and almost assuredly ARM and any of the ARM licensees) aren't even releasing any kind of fixes for it.
 
Jul 27, 2020
15,759
9,823
106
Want to hear a conspiracy theory?

"Hey! PC sales are down. People are satisfied with their old CPUs. We need something to increase sales ASAP!".

"I have the perfect idea! We hire a bunch of security guys to find flaws in our older designs and then we tell everyone how seriously insecure they are from potential attacks! Everyone will scramble to buy the newer CPUs that are immune to these vulnerabilities."

"Wow! You are a genius! Get right on it! By the way, how about we design these hard to find vulnerabilities into the newer CPU architectures and disclose them at the end of every generation?"

"Brilliant! I concur!"
 

Markfw

Moderator Emeritus, Elite Member
May 16, 2002
25,483
14,434
136
Threadripper 1000 series and Ryzen 5000 series are not on the list !
 

Hitman928

Diamond Member
Apr 15, 2012
5,182
7,633
136
Threadripper 1000 series and Ryzen 5000 series are not on the list !

They are affected. Maybe their specific boosting behavior will take some small tweaks to make the attack work, but the attack described will work on any modern CPU. With that said, again, no one needs to worry. The real world applicability of this is basically 0.
 
Jul 27, 2020
15,759
9,823
106
Threadripper 1000 series and Ryzen 5000 series are not on the list !
Isn't "AMD Ryzen™ Threadripper™ PRO processor" 1000 series?

So Zen 3 is immune? Interesting!

By the way, AMD's advisory is much more succinct and somewhat less scary. I find it better.

A potential security vulnerability in some Intel® Processors may allow information disclosure. Intel is releasing guidance to address this potential vulnerability.

Affected Products: All Intel® Processors are affected.

Which one is it, Intel? Some or all???? Make up your darn mind!!!!!!!!!! :mad:
 

Hitman928

Diamond Member
Apr 15, 2012
5,182
7,633
136
Sure it won't be used by state sponsored blackhats?

They can go for it if they want. The problem is that to really make this attack work, you need elevated enough privileges that you would just get the keys directly. Theoretically you don't need those privileges, but then you need a system where no one else is logging in and any meaningful OS/background tasks are suppressed for several days, and even network traffic may interrupt what you are trying to do. Works well in a lab where you can set up the computer and access exactly how you want it. In the real world, not so much.
 

ondma

Platinum Member
Mar 18, 2018
2,718
1,278
136
Isn't "AMD Ryzen™ Threadripper™ PRO processor" 1000 series?

So Zen 3 is immune? Interesting!

By the way, AMD's advisory is much more succinct and somewhat less scary. I find it better.





Which one is it, Intel? Some or all???? Make up your darn mind!!!!!!!!!! :mad:
The article specifically says Zen 3 is affected.
Edit: perhaps not mentioned by AMD, but the authors say they "confirmed experimentally" that laptop and desktop models from Zen 2 and Zen 3 are affected. (See second full paragraph under Questions and Answers.)
 
Jul 27, 2020
15,759
9,823
106
but the authors say they "confirmed experimentally" that laptop and desktop models from Zen 2 and Zen 3 are affected. (See second full paragraph under Questions and Answers.)
You are right. Rats! But a performance impact of 5 to 11% for crypto libraries doesn't sound that bad. What would this impact on the client side? All HTTPS communication? The lower performance of patched crypto libraries may go unnoticed.
 

DrMrLordX

Lifer
Apr 27, 2000
21,582
10,785
136
Hertzbleed is an odd attack.

finding, among other things, that differences as seemingly minute as a set bit’s position in a word can be distinguished through frequency changes.

Making matters worse, we show that data-dependent frequency adjustments can be observed without the need for any special privileges and even by a remote attacker. The reason is that CPU frequency differences directly translate to execution time differences (as 1 hertz = 1 cycle per second). The security implications of this finding are significant. For example, they fundamentally undermine constant-time programming, which has been the bedrock defense against timing attacks since their discovery in 1996 [58]. The premise behind constant-time programming is that by writing a program to only use "safe" instructions, whose latency is invariant to the data values, the program's execution time will be data-independent. With the frequency channel, however, timing becomes a function of data, even when only safe instructions are used.
 

Stuka87

Diamond Member
Dec 10, 2010
6,240
2,559
136
This is another of these types of attacks that have no real impact on the average person.

My hat's off to the group that discovered this issue though. It had to have taken a lot of work to find.
 

moinmoin

Diamond Member
Jun 1, 2017
4,934
7,619
136
It's just adding to the overall attack surface. While there is no immediate danger I wouldn't downplay it. While exploitability is low this is true for a lot of potential and theoretical security issues. We don't know how any of them at one point can be combined to manipulate hardware in an easier way. That's why manufacturers should always strive to eventually resolve these issues even if the initial security impact assessment seems minor.
 

DrMrLordX

Lifer
Apr 27, 2000
21,582
10,785
136
It's just adding to the overall attack surface. While there is no immediate danger I wouldn't downplay it. While exploitability is low this is true for a lot of potential and theoretical security issues. We don't know how any of them at one point can be combined to manipulate hardware in an easier way. That's why manufacturers should always strive to eventually resolve these issues even if the initial security impact assessment seems minor.

What I can't understand is how they can accurately guess the contents of cache when a single core could have instructions from multiple different threads in the pipeline all at once. It's not like the attack targets are in-order CPUs.
 

moinmoin

Diamond Member
Jun 1, 2017
4,934
7,619
136
What I can't understand is how they can accurately guess the contents of cache when a single core could have instructions from multiple different threads in the pipeline all at once. It's not like the attack targets are in-order CPUs.
These exploits are part of the group of so-called timing attacks. Wikipedia summary:
In cryptography, a timing attack is a side-channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms. Every logical operation in a computer takes time to execute, and the time can differ based on the input; with precise measurements of the time for each operation, an attacker can work backwards to the input. Finding secrets through timing information may be significantly easier than using cryptanalysis of known plaintext, ciphertext pairs. Sometimes timing information is combined with cryptanalysis to increase the rate of information leakage.

But time is only the most basic parameter that can be used to help find secrets. If a system allows monitoring other aspects affected by code execution, like changing frequency, heat, power usage etc., those can also be used to help find the secret more quickly. This paper is essentially about such an extended application.
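To make the timing-attack summary above concrete, and to show what the "constant-time programming" premise quoted from the Hertzbleed paper a few posts up actually looks like in code, here is an added example written for this thread. It is not code from the Hertzbleed authors, from Wikipedia, or from any library. It compares an early-exit byte comparison (the shape of a naive memcmp) with a constant-time one, and runs a simulated byte-by-byte recovery against each. Wall-clock time is replaced by a deterministic count of bytes examined so the simulation runs anywhere; a real attacker would measure cycles. The secret and the 8-byte length are constructed sample values. Note what the simulation cannot model: the constant-time version resists this attack precisely because its work is data-independent, and the paper's point is that frequency scaling reintroduces a data-dependent signal even then.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the Hertzbleed authors or any library.
   "Steps" (bytes examined) stands in for execution time so the demo is
   deterministic; a real attacker would measure cycles instead. */

#define MAX_SECRET 32

typedef int (*compare_fn)(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps);

/* Early-exit comparison: stops at the first differing byte, so the amount of
   work depends on how much of the guess is right. Returns 1 if equal. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;
            return 0;
        }
    }
    *steps = n;
    return 1;
}

/* Constant-time comparison: every byte is always examined and the verdict is
   folded out of an accumulator with no data-dependent branch. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *steps = n;
    /* diff == 0 -> ((0 - 1) >> 8) & 1 == 1; diff in 1..255 -> 0 */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Attacker model: submit a guess, observe accept/reject, and measure how long
   the check took. Recovers one byte per position by keeping the value that
   made the check run longest. Returns 1 and fills `out` on success, 0 when the
   measurements carried no signal. `queries` counts guesses submitted. */
int recover_secret(compare_fn check, const uint8_t *secret, size_t n,
                   uint8_t *out, size_t *queries)
{
    uint8_t guess[MAX_SECRET] = {0};
    *queries = 0;
    if (n == 0 || n > MAX_SECRET) return 0;

    for (size_t i = 0; i < n; i++) {
        size_t min_steps = SIZE_MAX, max_steps = 0;
        int best = 0;
        for (int v = 0; v < 256; v++) {
            size_t steps = 0;
            guess[i] = (uint8_t)v;
            (*queries)++;
            if (check(guess, secret, n, &steps)) {   /* accepted: done */
                memcpy(out, guess, n);
                return 1;
            }
            if (steps > max_steps) { max_steps = steps; best = v; }
            if (steps < min_steps) min_steps = steps;
        }
        /* Every candidate took the same time: nothing leaked, give up. */
        if (min_steps == max_steps) return 0;
        guess[i] = (uint8_t)best;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample secret with no zero bytes, so the all-zero starting
       guess is wrong at every position. */
    const uint8_t secret[8] = { 'H', 'e', 'r', 't', 'z', '1', '9', '9' };
    uint8_t out[MAX_SECRET];
    size_t q;

    int ok = recover_secret(leaky_equal, secret, sizeof secret, out, &q);
    printf("early-exit compare:    %s after %zu guesses\n", ok ? "recovered" : "failed", q);

    ok = recover_secret(ct_equal, secret, sizeof secret, out, &q);
    printf("constant-time compare: %s after %zu guesses\n", ok ? "recovered" : "failed", q);
    return 0;
}
```

Against the early-exit compare the 8-byte secret falls in under 256 × 8 guesses, because each position is solved independently; the constant-time compare gives the attacker 256 identical measurements and the recovery stops. That per-position independence is what any timing side channel, whether cache, branch or frequency based, buys an attacker, which is why the paper's claim that frequency scaling makes even "safe" instruction sequences data-dependent matters.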
 

DrMrLordX

Lifer
Apr 27, 2000
21,582
10,785
136
These exploits are part of the group of so called timing attacks. Wikipedia summary:


But time is only the most basic parameter that can be used to help find secrets. If a system allows monitoring other aspects affected by code execution, like changing frequency, heat, power usage etc. those can also be used to help finding the secret more quickly. This paper is essentially about such an extended application.

I only skimmed it so there's obviously more to it than meets the eye.
 

DrMrLordX

Lifer
Apr 27, 2000
21,582
10,785
136
Good thing it doesn't affect anything truly modern. AMD is mostly selling Milan now, but Intel is still moving a lot of Cascade Lake-SP . . .