Massive security hole in CPU's incoming?Official Meltdown/Spectre Discussion Thread

Page 65 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

Hitman928

Diamond Member
Apr 15, 2012
5,177
7,628
136

amd6502

Senior member
Apr 21, 2017
971
360
136
Software mitigation essentially useless according to Google research: https://www.tomshardware.com/news/spectre-forever-cpu-security-flaws-research,38627.html

"to truly fix all existing as well as future Spectre bugs, the CPU makers need to come up with new CPU microarchitecture designs"


It's probably actually a good way for nation states to introduce vulnerabilities. Don't think they have no connections within the development community, including open sores devs.
 

Mr Evil

Senior member
Jul 24, 2015
464
187
116
mrevil.asvachin.com
Wow it's like Slashdot from 10 years ago. Some trolling is awesome.

BSD IS DEAD NETCRAFT CONFIRMS IT
Off topic, seing the last two posts reminded me of when I used to visit that place, and there were a series of troll users with 6502 and/or Commodore-related usernames, presumably all one person. The increasing number of trolls and shills is one of the reasons I stopped going there.
 

DrMrLordX

Lifer
Apr 27, 2000
21,582
10,785
136
Off topic, seing the last two posts reminded me of when I used to visit that place, and there were a series of troll users with 6502 and/or Commodore-related usernames, presumably all one person. The increasing number of trolls and shills is one of the reasons I stopped going there.

Sorry I get flashbacks everytime someone starts mentioning "open sores" software. Now all we need is something more modern like . . . APK trolling. Yeah, that'd be great. Oh wait, no it wouldn't . . .

I'm not so sure the Spectre class of vulnerabilities are nation-state-level vulnerabilities though. I think it's the x86 world (at a minimum) pushing the limits on performance with a terrible price. Stuff like IME and TrustZone looks more like state-level-actor stuff to me.
 
  • Like
Reactions: amd6502

amd6502

Senior member
Apr 21, 2017
971
360
136
I'm not so sure the Spectre class of vulnerabilities are nation-state-level vulnerabilities though. I think it's the x86 world (at a minimum) pushing the limits on performance with a terrible price. Stuff like IME and TrustZone looks more like state-level-actor stuff to me.

Sure, spectre is a new class that was discovered recently; for the most part many of these vulnerabilities are very hard to exploit, and for the most part, they are not x86 specific.

However, when some of the patches introduce new vulnerabilities, don't you wonder if the patching effort is seen as a big opportunity?
 

Mopetar

Diamond Member
Jan 31, 2011
7,797
5,899
136
I'm not so sure the Spectre class of vulnerabilities are nation-state-level vulnerabilities though. I think it's the x86 world (at a minimum) pushing the limits on performance with a terrible price. Stuff like IME and TrustZone looks more like state-level-actor stuff to me.

I don't think any of those things really are. Nation-state is stuff like Stuxnet that's specifically tailored for a very particular purpose. The government doesn't need hardware backdoors when they can strong arm any companies into releasing data that they have.

If they can't do that, they still don't need to exploit hardware when there're vastly more exploitable humans that will let them in. The DNC hack from the last election wasn't a result of any special hardware flaw, but due to a simple spearfishing attack.

Sure, spectre is a new class that was discovered recently;

I recall that when these were first announced, someone posted a research paper that suggested the possibility of exactly that kind of exploit. I think that it's just really difficult to understand how to exploit the vulnerability and probably only something that a very small number of people might be knowledgeable enough to know to look for or even suspect would be there.

It's definitely not the kind of thing a government would do since their own computers would be vulnerable to someone else finding it. Sure they could hypothetically patch it on their own systems and not tell anyone else, but tell me with a straight face that the government can pull that off while being so terribly inept in all kinds of other ways.
 

DrMrLordX

Lifer
Apr 27, 2000
21,582
10,785
136
I don't think any of those things really are.

I wish that were true. We probably won't ever hear about IME exploits being actually used, though. Nobody's gonna brag about it. Stuxnet was as much a PR campaign as it was an attack on Iran's nuclear capabilities.
 

coercitiv

Diamond Member
Jan 24, 2014
6,151
11,682
136
And... time for your weekly exploit update. https://www.theregister.co.uk/2019/03/05/spoiler_intel_flaw/

This one is named SPOILER.
"The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the 1st generation of Intel Core processors, independent of the OS and also works from within virtual machines and sandboxed environments."

The issue is separate from the Spectre vulnerabilities, and is not addressed by existing mitigations. It can be exploited from user space without elevated privileges.

SPOILER, the researchers say, will make existing Rowhammer and cache attacks easier, and make JavaScript-enabled attacks more feasible – instead of taking weeks, Rowhammer could take just seconds. Moghimi said the paper describes a JavaScript-based cache prime+probe technique that can be triggered with a click to leak private data and cryptographic keys not protected from cache timing attacks.

Intel is said to have been informed of the findings on December 1, 2018.
 
  • Like
Reactions: lightmanek

coercitiv

Diamond Member
Jan 24, 2014
6,151
11,682
136
Kinda makes you wonder if Lisa Su has a time machine, and a very subtle sense of purpose.
It's either that, or AMD simply chose to go for a more strict approach relative to security, or more likely (imho) they're just behind the curve. Intel finished eating the low hanging (performance) fruit and took a peek around the corner - and a peek was enough for the alien to strike. Yum yum, Intel inside.

Remember the first runner always has to cut through the wind. We like watching the finish line, but reality is those athletes ran as a group - separate the winners and watch their completion time plummet.
 

naukkis

Senior member
Jun 5, 2002
701
569
136
This vulnerability, like Meltdown relies on speculative execution to go beyond process memory limits - Intel cpu's MMU is faulty, speculative execution can access also other privilege level memory which it shouldn't by definition. With MMU that gives access to memory it shouldn't there's all kind of possibilities to steal private data.

-> don't use Meltdown-vulnerable cpu's where data privacy is important.

Intel 9th gen Coffeelake-R and Cascadelake are fixed, other still in market Intel cpu's have that faulty MMU.
 

Hitman928

Diamond Member
Apr 15, 2012
5,177
7,628
136
Intel 9th gen Coffeelake-R and Cascadelake are fixed, other still in market Intel cpu's have that faulty MMU.

Do we know that this is true for this new attack? I only briefly reviewed the research paper but it seemed like they only tested up to Kabylake for verification. They also only tested a Bulldozer based CPU for AMD as well. I don't think the results will change for Zen based CPUs but with the magnitude of these things, I think I'd like an actual test to show the vulnerability doesn't exist.
 

naukkis

Senior member
Jun 5, 2002
701
569
136
Do we know that this is true for this new attack? I only briefly reviewed the research paper but it seemed like they only tested up to Kabylake for verification. They also only tested a Bulldozer based CPU for AMD as well. I don't think the results will change for Zen based CPUs but with the magnitude of these things, I think I'd like an actual test to show the vulnerability doesn't exist.

A cpu with rightly behaving MMU won't allow speculative memory operations beyond privilege levels. Meltdown was one way to use that kind of MMU-behaviour but obviously there's more ways to use it. Meltdown should have not existed, it's not pure side channel leak, actual stolen data is gathered because MMU allows data operations it should forbidden - it's a primary channel data leak. And there's not much security in cpu's that allows primary channel data leak, Meltdown was the easiest way to exploit it.
 
  • Like
Reactions: amd6502

Hitman928

Diamond Member
Apr 15, 2012
5,177
7,628
136
A cpu with rightly behaving MMU won't allow speculative memory operations beyond privilege levels. Meltdown was one way to use that kind of MMU-behaviour but obviously there's more ways to use it. Meltdown should have not existed, it's not pure side channel leak, actual stolen data is gathered because MMU allows data operations it should forbidden - it's a primary channel data leak. And there's not much security in cpu's that allows primary channel data leak, Meltdown was the easiest way to exploit it.

With all that said, we don't know for sure if the meltdown fix in cascadelake addresses this issue. . . correct? Has Intel detailed their hardware fix to the point we could say their chips are no longer vulnerable to this new attack which utilizes a different attack vector?
 

naukkis

Senior member
Jun 5, 2002
701
569
136
With all that said, we don't know for sure if the meltdown fix in cascadelake addresses this issue. . . correct? Has Intel detailed their hardware fix to the point we could say their chips are no longer vulnerable to this new attack which utilizes a different attack vector?

We cannot be absolutely sure without testing it, but for hardware Meltdown-fix Intel should be checking privilege levels before speculative memory accesses( as cpu's should always do). If cpu checks privilege levels before accessing data such leaks cannot happen.
 

Tuna-Fish

Golden Member
Mar 4, 2011
1,324
1,462
136
It's either that, or AMD simply chose to go for a more strict approach relative to security, or more likely (imho) they're just behind the curve. Intel finished eating the low hanging (performance) fruit and took a peek around the corner - and a peek was enough for the alien to strike. Yum yum, Intel inside.

Nope. Meltdown works all the way back to P6. It's not some really new performance enhancement that Intel just happened to use before AMD, it is simply bad design that doesn't even give them a performance boost. SPOILER is similar. Using only partial addresses as hints spares them a very tiny amount of power, but it also costs performance (and power) in accidental hits. And it also has been there for a long time.
 

moinmoin

Diamond Member
Jun 1, 2017
4,933
7,619
136
And... time for your weekly exploit update. https://www.theregister.co.uk/2019/03/05/spoiler_intel_flaw/

This one is named SPOILER.

Intel is said to have been informed of the findings on December 1, 2018.
Article was update with a cute response by an Intel spokesperson:

"Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research."

They got 90 days and all they can do is "expect", "critical priority" at work.