CPU Security Flaws MELTDOWN and SPECTRE

Discussion in 'PC Industry' started by Bondrewd, Jan 2, 2018.

  1. Kaarlisk

    Regular Newcomer Subscriber

    Yeah, Intel's messaging is plain weird. There clearly is a real issue that does specifically affect Intel more than at the very least AMD. So statements shifting blame/saying "nothing to see here" are actually the premier reason to avoid buying Intel products in the future. I can live with vendors screwing up, I cannot live with vendors not admitting/hiding/downplaying mistakes.
     
  2. 3dilettante

    Legend Alpha

    Something as complex as virtual memory and the interactions between the microarchitecture and OS can have any number of flaws, particularly at the margins of the system or legacy support. One side note is that I recall seeing comments about removing certain guard bands at the end of kernel/user space that would have kept a limited set of pages off-limits in case of chip prefetchers or microcoded instructions running over and crashing/looping.
    AMD and Intel had varying amounts of memory off-limits in that zone, just in case.
    The new paging scheme shifts the actual space into a new mapping, so some poorly handled boundary conditions are avoided.

    If people are just flaking out about the KAISER issues because they've been coded, it might be an oddly escalated reaction due to people noticing. Whether validation can help may depend on whether Intel is trying to throw a problem that hasn't been specified in the public research into the same basket.

    Side channel issues on their own wouldn't normally be caught by validation, because the results are fully valid. The design and system architecture didn't mandate invariant time, or absolute obfuscation of any incidental behaviors that could hint at the history or state of process execution.
    More fundamental changes would have to happen to change what the accepted results are.

    More fundamentally, some of these exploits pit the desire for the best performance against the need for secrecy. Sometimes being faster means something to those paying attention, and hiding that information may mean giving up some of that speed.

    We may need to wait and see if it's all just about the KAISER proposal, or if AMD is playing loose with the situation in the other direction. Even if this is all a blowup about the original "KASLR is pretty sucky and has been for a while" fixes, there are exploits even in the source papers for that proposal that AMD was vulnerable from that the proposal didn't cover, and general issues where being cleaner about kernel and user space could help long-term.
     
  3. Kaotik

    Kaotik Drunk Member
    Legend

    Meltdown is Intel exclusive vulnerability
    https://meltdownattack.com/
    Spectre affects practically every single OoOE CPU out there, including Ryzen
    https://spectreattack.com/

    edit:
    Also, since there's generally 3 variants being talked about, Meltdown is Variant 3, Spectre is Variant 1 & 2
     
    #43 Kaotik, Jan 3, 2018
  5. 3dilettante

    Legend Alpha

    From that, the scenarios are related to side-channel attacks based on timing cache residency, branch history, and perhaps most flexibly a crafted kernel value-based action that creates an external side effect like a highly revealing address loaded into cache.

    Residency and branch history can likely be crafted, with varying degrees of difficulty for most vendors.

    The third case is the apparent high-priority one Intel is trying to minimize.
    It's not a direct breaking of internal pipelining like a complex store forwarding scenario I threw out there earlier, but a more straightforward method where a read to a location whose permissions will produce a fault is allowed to speculatively forward its result to instructions that take the value and make something that can be used to generate a side effect: like another memory address for another speculative load.
    After the speculation is rolled back, timing a set of loads meant to exercise the cache will turn up a faster load time in the section corresponding to the value (or a specific part of it, repeat as needed).

    AMD's hardware not speculating at the initial load to the kernel from user space is probably the reason they state they're safer, though that's not the total range of issues fixed by the page table isolation changes.

    Intel is likely truthful when they say everything is working as designed, although is likely trying to hide the magnitude of one of its specific vulnerabilities.
    AMD is fixating on Intel's issues to the exclusion of equally applicable flaws, many of which no architecture can really avoid as long as the same state-holding hardware is touched by code from both domains or multiple actors. Even separating that may not be sufficient unless timing can be made invariant or uninformative.
     
  6. Kaotik

    Kaotik Drunk Member
    Legend

    (Spectre) Variant 1: Bounds Check Bypass - Use existing code with access to secrets by making it speculatively execute memory operations
    (Spectre) Variant 2: Branch Target Injection - Malicious code usurps properties of CPU branch prediction features to speculatively run code
    (Meltdown) Variant 3: Rogue Data Load - Access memory controlled by the OS while running a malicious application.
     
  7. 3dilettante

    Legend Alpha

    From ARM, it appears variant 3 is not Intel-exclusive:
    https://developer.arm.com/support/security-update

    The other thing about this is that while OoOE is speculative, in-order cores can speculate as well.
    The Cortex A8 is affected by Spectre, for example.

    Pipelines and branch prediction can start executing instructions ahead of knowing if they will fault. Caches, predictors, and other subsystems whose functions can accumulate state and affect timings can provide side-channel information.
     
  8. Malo

    Malo Yak Mechanicum
    Legend Veteran Subscriber

    AMD update
    https://www.amd.com/en/corporate/speculative-execution

    Variant One - Bounds Check Bypass - Resolved by software / OS updates to be made available by system vendors and manufacturers. Negligible performance impact expected.
    Variant Two - Branch Target Injection - Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.
    Variant Three - Rogue Data Cache Load - Zero AMD vulnerability due to AMD architecture differences.

    That's quite a different release from AMD than from Intel lol.
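The Variant 1 (bounds check bypass) shape named in the variant lists above, beside the branchless index clamp that is the kind of software fix AMD's note refers to. This is an added example, not code from the thread or from any vendor; the clamp follows the construction of the Linux kernel's array_index_mask_nospec() helper, and array1/array2 are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample data: array1 holds the bytes the bounds check is meant
 * to protect; array2 is the probe array whose cache lines a Variant 1 attack
 * would time after the mis-speculated path is rolled back. */
#define ARRAY1_SIZE 16
#define LINE 64
static uint8_t array1[ARRAY1_SIZE] =
    {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * LINE];

/* Fill array2 so that array2[v * LINE] == v; returns bytes written. */
size_t fill_array2(void) {
    for (size_t i = 0; i < sizeof array2; i++)
        array2[i] = (uint8_t)(i / LINE);
    return sizeof array2;
}

/* Vulnerable shape: architecturally correct, but the CPU may speculate past
 * the comparison with an out-of-range x, read array1[x], and pull a line of
 * array2 into cache that depends on that out-of-bounds byte. */
uint8_t victim_unsafe(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * LINE];
    return 0;
}

/* Branchless clamp: returns index when index < size, otherwise 0. The mask
 * is built from arithmetic only, so there is no branch for the predictor to
 * mispredict (same construction as the kernel's array_index_mask_nospec).
 * Assumes index and size are both below 2^(bits-1) and an arithmetic >>. */
size_t index_nospec(size_t index, size_t size) {
    intptr_t m = ~(intptr_t)(index | (size - 1 - index));
    size_t mask = (size_t)(m >> (sizeof(size_t) * 8 - 1));
    return index & mask;
}

/* Hardened shape: even if the branch is speculated the wrong way, x is
 * forced to 0 before it can feed the dependent loads. */
uint8_t victim_safe(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * LINE];
    }
    return 0;
}
```

Only the architectural results can be checked in a test; the speculative cache footprint is what the timing side channel would observe, and the clamp removes it by leaving nothing for the predictor to decide.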
     
  9. Malo

    Malo Yak Mechanicum
    Legend Veteran Subscriber

    Linus rips into Intel
    https://lkml.org/lkml/2018/1/3/797

     
  10. Kaotik

    Kaotik Drunk Member
    Legend

    As it turns out, it's not that rosy on the ARM-side of the fence either. Meltdown aka Variant 3, thought to be Intel exclusive, applies to ARM Cortex-A75 too. Also there's related "Variant 3a" which applies to Cortex-A15, A57 and A72.
    Maybe Linus should look more towards AMD? It's the only safe one from Meltdown of the 3 and apparently no-one has been able to get Variant 2 working on AMD either even though it's apparently possible in theory.

    https://developer.arm.com/support/security-update
     
    #50 Kaotik, Jan 4, 2018
  11. Grall

    Grall Invisible Member
    Legend

    Is graphics driver outside kernel memory space in modern MS OSes? Because doing 100k+ drawcalls/sec would bring giant performance hit if it isn't...

    Yeah, my post was only true at the time I wrote it, with me looking at only a few tech news websites which I visit more or less regularly... :p (Including for example Ars Technica, which are usually pretty quick at covering big bad breaking news stuff.) Now it's everywhere, pretty much.

    It's one thing not admitting/downplaying/hiding their mistakes; quite another downplaying your own mistakes whilst raising a finger pointing and saying, "hey hey, look over there, they screwed up too!"

    This latter thing is what Intel is doing.

    A Ford Pinto worked as designed when it caught fire after being rear-ended... Hum-de-hum hum...
     
  12. DavidGraham

    Veteran

    AMD and ARM are not in the total clear of Meltdown yet:
    https://web.archive.org/web/20180103223603/https://meltdownattack.com/meltdown.pdf
     
  14. 3dilettante

    Legend Alpha

    It may also be a question as to how much of the draw call's cost is specific to a TLB flush versus data movement or any synchronization with a device.
    Some operations may be waiting on a pokey command processor somewhere to send a signal back.

    There's usually a line or two in the regulations as to how often a car's passengers can be exploded.
     
  15. Infinisearch

    Veteran Regular

    If I'm not mistaken each drawcall hits the usermode driver which then batches up drawcalls and sends them in one kernel mode driver 'go'. This take on things is supported by how to efficiently submit drawcalls and command lists in DX12. My opinion is based also on the description of the software stack as described here: https://fgiesen.wordpress.com/2011/07/01/a-trip-through-the-graphics-pipeline-2011-part-1/

    edit - oh and MS put out a patch yesterday (Jan 3) for the exploits. kb4056892
    edit2 - https://www.windowscentral.com/microsoft-pushing-out-emergency-fix-newly-disclosed-processor-exploit
     
    #56 Infinisearch, Jan 4, 2018
  16. hoom

    Veteran

    Wow this was just mentioned on hourly radio news where I live :shock:
    They pretty much never mention anything techy.
     
  19. BRiT

    BRiT (╯°□°)╯
    Moderator Legend Alpha Subscriber

    • Exclude AMD from the PTI enforcement. Not necessarily a fix, but if AMD is so confident that they are not affected, then we should not burden users with the overhead"
    So now it's a matter of time to see if they can indeed trigger on AMD and if so, then the config will need to change to include them for PTI.
     