CPU Security Flaws MELTDOWN and SPECTRE

https://www.nrc.nl/nieuws/2019/05/14/hackers-mikken-op-het-intel-hart-a3960208

edit:
Wired has info on it in English
VUSec's Giuffrida notes that his team was paid $100,000 by Intel for their work as part of the company's "bug bounty" program that rewards researchers who warn the company about critical flaws. That's hardly the kind of money paid out for trivial issues, he points out. But he also says that Intel at one point offered VUSec only a $40,000 bug bounty, accompanied by a $80,000 "gift"—which Giuffrida saw as an attempt to reduce the bounty amount cited publicly and thus the perceived severity of the MDS flaws. VUSec refused the offer of more total money in favor of a bounty that better reflected the severity of its findings, and it threatened to opt out of a bug bounty in protest. Intel changed its offer to the full $100,000.
"It's clear what Intel is doing," says Giuffrida. "It's in their interest to say, 'No, after Spectre and Meltdown, we didn't overlook other vulnerabilities; it's just that these were so minor that they slipped by.'" In a call with WIRED, Intel denied trying to manipulate the perceived size of the bounty.

https://www.wired.com/story/intel-mds-attack-speculative-execution-buffer/
 
The only hyperthreading I have around is in notebooks. Surface Book (6600U), ASUS G750JY (4860HQ) and my ancient ASUS G73JH (920XM). I greatly look forward to seeing what Windows 10 does to them. I imagine the Surface Book will get more firmware updates, though I wonder how much longer MS will keep that up.

I can't say I've noticed anything sluggish about the old 920XM with up-to-date Win7 or Win10 at this point.
 
With all the little regressions here and there, maybe Zen+ would come out on top if a lot of reviews were re-done now with all the patches and mitigations in place... ?

I'm still good with my 5820k OC@4.2, but honestly, seeing how AMD is not affected by most of this, it's an argument they could push a lot with Zen2...
 
Phoronix has done some testing across various Intel CPUs with various levels of mitigation enabled. The most recent Intel cores do lose a measurable amount of performance, but many of the vulnerabilities or mitigations hit system calls or context switches, which are already high-overhead. Intel frequently had a commanding lead in those areas, and sometimes even with the losses it's a matter of some ties or a reduced lead versus Zen. Since systems try to avoid these overheads as much as possible, the overall impact outside of some things like IO-heavy loads is minimized.
The vulnerabilities that may require disabling SMT aren't all Intel-only, and since Zen has shown better SMT scaling it would lose more if SMT is disabled.

That many workloads still have Intel competitive or leading may mean that the goal for the next microarchitectures is to try to implement many of the Intel speculative measures while mitigating whichever corner case is leaking information. CPU generations fight for single-digit performance gains, so trying to get back 5-10% by restoring known performance improvements is a tempting direction.
 
At least the shit-show is so bad that the Linux folks are building in simple boot-time mitigation controls and also allowing for some controls at run-time too.
  • mitigations=off: Disable all mitigations.
  • mitigations=auto: [default] Enable all default mitigations, but leave SMT enabled, even if it's vulnerable.
  • mitigations=auto,nosmt: Enable all default mitigations, disabling SMT if needed by a mitigation.
instead of:
  • pti=off spectre_v2=off l1tf=off mds=off nospec_store_bypass_disable no_stf_barrier
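The kernel also reports, per vulnerability, which mitigation is actually in effect, so the `mitigations=` choice can be verified after boot rather than assumed. The script below is an added example, not code from the thread or from the kernel tree: it reads the sysfs vulnerability entries and `/proc/cmdline`, counts how many entries the kernel still labels "Vulnerable", and reports SMT state. Directory and file paths are parameters so the functions can be pointed at a constructed sample (built by `make_sample_vulns`) and run offline; the sample strings are constructed to resemble kernel output, not captured from a real machine, and the `smt/active` path is assumed to exist only on kernels that expose SMT control.

```shell
#!/bin/sh
# Added example: inspect the kernel's own view of speculative-execution
# mitigations instead of guessing from the boot parameter alone.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Print "name: status" for every entry in the vulnerabilities directory.
summarize_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Echo how many entries the kernel still reports as "Vulnerable".
count_vulnerable() {
    dir=${1:-$VULN_DIR_DEFAULT}
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Report SMT state from the sysfs control file (assumed path; only present
# on kernels that expose SMT control).
smt_state() {
    f=${1:-/sys/devices/system/cpu/smt/active}
    if [ -r "$f" ]; then
        if [ "$(cat "$f")" = "1" ]; then echo "SMT active"; else echo "SMT inactive"; fi
    else
        echo "SMT state unknown"
    fi
}

# Show which mitigations= setting was passed at boot, or note the default.
mitigations_param() {
    cmdline=${1:-/proc/cmdline}
    tr ' ' '\n' < "$cmdline" | grep '^mitigations=' \
        || echo "mitigations=auto (default, not set explicitly)"
}

# Build a constructed sample directory that mimics sysfs output so the
# functions above can be exercised without root or real hardware.
make_sample_vulns() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    printf 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n' > "$d/mds"
    printf 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n' > "$d/spec_store_bypass"
    printf 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n' > "$d/l1tf"
    echo "$d"
}

# Usage: ./check_mitigations.sh --demo   (runs against the constructed sample)
# Usage: ./check_mitigations.sh          (functions only; source and call on a real host)
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_vulns)
    summarize_vulns "$d"
    echo "vulnerable entries: $(count_vulnerable "$d")"
    echo "boot parameter: $(mitigations_param)"
    smt_state
    rm -rf "$d"
fi
```

A non-zero `count_vulnerable` on a real host usually means either the microcode update the mitigation depends on is missing (as in the constructed `mds` line) or SMT was left on where the kernel wanted it off, which is exactly the case `mitigations=auto,nosmt` addresses.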
 
Is there a way to disable Hyperthreading with Windows? I was going to disable it on my old G73JH with 920XM but the BIOS has no option.
 
Zen2 includes extra hardware fixes from AMD
https://www.anandtech.com/show/14525/amd-zen-2-microarchitecture-analysis-ryzen-3000-and-epyc-rome/3
Another aspect to Zen 2 is AMD’s approach to heightened security requirements of modern processors. As has been reported, a good number of the recent array of side channel exploits do not affect AMD processors, primarily because of how AMD manages its TLB buffers that have always required additional security checks before most of this became an issue. Nonetheless, for the issues to which AMD is vulnerable, it has implemented a full hardware-based security platform for them.
The change here comes for the Speculative Store Bypass, known as Spectre v4, which AMD now has additional hardware to work in conjunction with the OS or virtual memory managers such as hypervisors in order to control. AMD doesn’t expect any performance change from these updates. Newer issues such as Foreshadow and Zombieload do not affect AMD processors.
 
I thought elliptic crypto stuff was fake 'security' the CIA had Cisco push into 'potential enemy' countries?

Well that wouldn't make much sense given that Suite B crypto is used to secure US government and military networks along with most 5 eyes nations + who knows who else.
 
I thought elliptic crypto stuff was fake 'security' the CIA had Cisco push into 'potential enemy' countries?

Some elliptic-curve cryptography curves (such as the infamous Dual_EC_DRBG) have parameters that are suspected to have backdoors. Other commonly used curves are probably fine.
 
Btw, for those whose Windows 10 suddenly became less responsive (Start took longer to pop up, Explorer took longer to pop up):

Try disabling both Meltdown and Spectre mitigation via the InSpectre app.

For my Haswell tablet, it completely fixed the annoying sluggishness.

Despite the reports that the mitigations shouldn't have any user noticeable impact on performance (other than on games or benchmark)
 
All those flaw mitigations are overkill unless you know you're a target of State Actors. It's far easier and less performance draining to simply prevent JAVASCRIPT in Browsers from using excessive CPU, thus making the attacks impossible.
 
Why don't you just give us your email passwords as well?

Is that statement what people call whataboutism, or moving the goalposts, or false equivalence?

Anyway, my understanding about Spectre and Meltdown is that general users are more likely targets of conventional attacks.
 
There are two scenarios for these side channel attacks: the first one is for those virtual machines from cloud providers. This is actually a huge problem for them because people used to believe that by using a virtual machine it's safe to share a physical machine with unknown people. This could make dedicated machines more popular but the thing is that large companies are already using them and small companies can't really afford them.

For desktop users, the problem is quite different, as most people don't really run untrusted code frequently, except (and this is a huge except) for that pesky Javascript code from random websites. This is really a difficult problem because people are expecting to have good Javascript performance, so anything that causes a serious performance downgrade is not really acceptable. On the other hand, Javascript is kind of easier to secure because the VM actually has the source code. And no, disabling Javascript is not a realistic solution, at least for most people.
 
There are two scenarios for these side channel attacks: the first one is for those virtual machines from cloud providers. This is actually a huge problem for them because people used to believe that by using a virtual machine it's safe to share a physical machine with unknown people. This could make dedicated machines more popular but the thing is that large companies are already using them and small companies can't really afford them.

For desktop users, the problem is quite different, as most people don't really run untrusted code frequently, except (and this is a huge except) for that pesky Javascript code from random websites. This is really a difficult problem because people are expecting to have good Javascript performance, so anything that causes a serious performance downgrade is not really acceptable. On the other hand, Javascript is kind of easier to secure because the VM actually has the source code. And no, disabling Javascript is not a realistic solution, at least for most people.

Can't you limit or quota CPU usage for Javascript, thus making the timing attacks impossible? No normal website is going to need consecutive minutes of 100% CPU load Javascript execution. Or only use the mitigation protections for the Javascript VM engine, or go slightly larger and use the protections for the entire browser process.
 