Meltdown & Spectre

[67448eb737d04fox]

From what I learned (also from the "Project Zero" docs), Meltdown and Spector both need a microprocessor that is capable of OoOE (and subsequently speculative execution) to work. As far as Intel goes, that's not the case with X86 processors that were released before 1995 (and I agree that older ones don't really matter much). I know that OoOE has been introduced and used decades earlier though.

But yeah, there's lots of details that I don't have sufficient knowledge of yet. I started reading the book "Mirkoprozessortechnik" by Klaus Wüst, which seems competent and so far I would recommend it but I believe there's no translation available.

[67448eb7381eaOlfred]

I think the first processors (for personal use) which had this kind of features built in came right after the 486. IIRC the 486 was the first one to use a pipeline architecture, but it didn't do any predictions. But my knowledge is vague about this decade of processors.

I've heard about the mentioned book, but never read it myself. But I've heard it's also one of the good ones.
For some extra visualisation I can also recommend the videos from Andreas Wilkens (they are in german, sorry everyone else). Unfortunately there is no video about speculative execution.

[67448eb738452Hikari]

I'm just going to say I find Intel's CEO's behavior shadey, as in insider trading shadey. I dunno thogh I have bouts of paranoia so maybe that's it and guy isn't exploiting the fact they've been sittting on this information to trade so he'd have exactly the shares he needs. A flaw that nobody talked about until a week ago, then it was the apocolypse with everything but the new intel/Radeon hybrid chip being vulnerable and suffering maybe a 30% performance hit on patching, to a weekish later and google going 'no appreciable performance problems' after chrome OS patching.


Anyway amazing how a flaw can go un-documented by EVERYONE for twenty years when the potential is fairly.. uh... severe.

[67448eb738977fox]

Anyway amazing how a flaw can go un-documented by EVERYONE for twenty years when the potential is fairly.. uh... severe.

All's good though, nothing fishy about it.

Rob Joyce, White House cybersecurity coordinator, said, “NSA did not know about the flaw, has not exploited it and certainly the U.S. government would never put a major company like Intel in a position of risk like this to try to hold open a vulnerability.”

 

------

TechSpot: Patched Desktop PC: Meltdown & Spectre Benchmarked

tldr: pretty bad news for SSDs, games only very mildly affected, other benchmarks also not seeing dramatic slowdowns, some none at all.
Also there are more than just a few reports about issues caused by the patches (ranging from reappearing BSoD to browser freezes to just fine).

[67448eb738bb8fox]

The Register: "Meltdown, Spectre bug patch slowdown gets real – and what you can do about it"

Microsoft: "Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities"

Allegedly Intel's CEO announces inbetween a load of rubbish that only CPUs released since 2013 will be adressed by patches and fixes. Frankly, I couldn't be arsed to listen through all of it myself though.

https://www.youtube.com/watch?v=RlJ9zB74G_U

[67448eb7391cbfox]

Interview mit Anders Fogh: Auf Tuchfühlung mit "Spectre" und "Meltdown"

AMD: "An Update on AMD Processor Security"

Google Project Zero (GPZ) Variant 1 (Bounds Check Bypass or Spectre) is applicable to AMD processors.
We believe this threat can be contained with an operating system (OS) patch and we have been working with OS providers to address this issue. 
Microsoft is distributing patches for the majority of AMD systems now. We are working closely with them to correct an issue that paused the distribution of patches for some older AMD processors (AMD Opteron, Athlon and AMD Turion X2 Ultra families) earlier this week. We expect this issue to be corrected shortly and Microsoft should resume updates for these older processors by next week. For the latest details, please see Microsoft’s website. Linux vendors are also rolling out patches across AMD products now.
   
GPZ Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors.
While we believe that AMD’s processor architectures make it difficult to exploit Variant 2, we continue to work closely with the industry on this threat.  We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat.
AMD will make optional microcode updates available to our customers and partners for Ryzen and EPYC processors starting this week. We expect to make updates available for our previous generation products over the coming weeks. These software updates will be provided by system providers and OS vendors; please check with your supplier for the latest information on the available option for your configuration and requirements. Linux vendors have begun to roll out OS patches for AMD systems, and we are working closely with Microsoft on the timing for distributing their patches. We are also engaging closely with the Linux community on development of “return trampoline” (Retpoline) software mitigations.

GPZ Variant 3 (Rogue Data Cache Load or Meltdown) is not applicable to AMD processors.
We believe AMD processors are not susceptible due to our use of privilege level protections within paging architecture and no mitigation is required.

There have also been questions about GPU architectures. AMD Radeon GPU architectures do not use speculative execution and thus are not susceptible to these threats.

Google: "Protecting our Google Cloud customers from new vulnerabilities without impacting performance"

(...)For months, hundreds of engineers across Google and other companies worked continuously to understand these new vulnerabilities and find mitigations for them.

In September, we began deploying solutions for both Variants 1 and 3 to the production infrastructure that underpins all Google products—from Cloud services to Gmail, Search and Drive—and more-refined solutions in October. Thanks to extensive performance tuning work, these protections caused no perceptible impact in our cloud and required no customer downtime in part due to Google Cloud Platform’s Live Migration technology. No GCP customer or internal team has reported any performance degradation.(...)

(...)With the performance characteristics uncertain, we started looking for a “moonshot”—a way to mitigate Variant 2 without hardware support. Finally, inspiration struck in the form of “Retpoline”—a novel software binary modification technique that prevents branch-target-injection, created by Paul Turner, a software engineer who is part of our Technical Infrastructure group. With Retpoline, we didn't need to disable speculative execution or other hardware features. Instead, this solution modifies programs to ensure that execution cannot be influenced by an attacker.

With Retpoline, we could protect our infrastructure at compile-time, with no source-code modifications. Furthermore, testing this feature, particularly when combined with optimizations such as software branch prediction hints, demonstrated that this protection came with almost no performance loss.

We immediately began deploying this solution across our infrastructure. In addition to sharing the technique with industry partners upon its creation, we open-sourced our compiler implementation in the interest of protecting all users.

By December, all Google Cloud Platform (GCP) services had protections in place for all known variants of the vulnerability. During the entire update process, nobody noticed: we received no customer support tickets related to the updates. This confirmed our internal assessment that in real-world use, the performance-optimized updates Google deployed do not have a material effect on workloads.(...)

Well, thank you for sharing this anecdote with the rest of the world, Google...

[67448eb7394e7fox]

Intel: "Firmware Updates and Initial Performance Data for Data Center Systems"

We have now issued firmware updates for 90 percent of Intel CPUs introduced in the past five years, but we have more work to do. As I noted in my blog post last week, while the firmware updates are effective at mitigating exposure to the security issues, customers have reported more frequent reboots on firmware updated systems.

As part of this, we have determined that similar behavior occurs on other products in some configurations, including Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms. We have reproduced these issues internally and are making progress toward identifying the root cause. In parallel, we will be providing beta microcode to vendors for validation by next week.

For those customers looking for additional guidance, we have provided more information on this Intel.com Security Center site.  I will also continue to provide regular updates on the status.

----------

heise.de: "Windows/Meltdown: Patch für 32 Bit, AMD-Problem behoben"

-> Update: heise.de "Meltdown und Spectre: Intel zieht Microcode-Updates für Prozessoren zurück"

Noch größeres Chaos bei den Sicherheitslücken in Intel-Prozessoren: Weil Updates im manchen Fällen Probleme verursachen, rät Intel von der Installation ab; unter anderem HPE, Ubuntu, Red Hat und VMware ziehen Updates zurück.

Die Probleme reißen nicht ab: Intel rät davon ab, die zuvor bereitgestellten CPU-Microcode-Updates einzuspielen, die zum Schließen der Sicherheitslücke Spectre Variante 2 (Branch Target Injection, BTI, CVE-2017-5715) nötig sind. Einige PC-Hersteller haben zuvor bereitgestellte BIOS-Updates mit diesem Microcode-Updates wieder von ihren Webseiten genommen. Auch einige Linux-Distríbutionen ziehen Microcode-Updates zurück.

[67448eb73978bfox]

cnbc.com: "Intel stock rises on earnings beat, security concerns no issue for investors"
heise.de: "Intel liefert Rekordzahlen – Warten auf Lösung für Meltdown und Spectre"

Not really surprised since I've been monitoring the stock values of Intel and AMD almost daily since the story broke but once again I find it tough to stomach that cynicism wins once again. Still waiting if the insider trading is going to be punished though.

Not sure if the stock has been held artificially stable (as in a "too big to fail"-scenario) or if the regular share holders are really that unphased. But of course the lack of actual alternatives helps a lot too. Apparently there's a chinese competitor starting to slowly catch up (already advertising with alleged security regarding Meltdown/Specter). But frankly, I'm already having serious doubts regarding the trustworthyness of these too.

I also don't think Intel is out of the hot water just yet, there's still potential for mighty trouble in the near future.

[67448eb739982Olfred]

I would go with unphased. Intel had problems in the past and the stock returned to it's value again, and even rose a bit given the time.
Also there currently is no real incident where either of the exploits where used and it had a massive negative effect. Currently we are in a state where there is a possible problem, but it is already taken care off, so everything is fine. So why even bother?
Sure, there are "masses" of people screaming that Intel is the worst company ever and they will now buy AMD only. But AMD had some big fuckups themselves, where they denied problems and happily kept on selling their processors for over a year. And the same "masses" of people where screaming that AMD is the worst company and they will never buy from them again. So in the end you just shrug anything off what they are saying and look at the actual market, and you will see that in the end, the sales won't be affected that much. And in about a year or so Intel is going to put a new processor on the market which will actually be hardware fixed and the company will be running fine like always.

[67448eb739ab1fox]

It was never really down at any point, the scope of the problem is monumental and it's far from being fixed (or even unfixable in parts). Sorry, I do not get how this works.

[67448eb739e7dOlfred]

Sorry, I do not get how this works.

You don't get why the stock isn't going down or you don't get how the fixes work?

[67448eb73a0c1fox]

Despite your attempt to explain it, I still don't get why the stock value isn't going down went up.

[67448eb73a448Olfred]

Because the investors know that intel isn't stupid and nothing really bad happend out of the possible exploits, so no real mass hysteria ensued.
Why are people not bothered by all this? Because people are stupid and lazy and generally don't care.
It's like, there is an unsafe ledge somewhere and people are pointing out that it is unsafe and something should be done. But no one cares to do something about it. Yeah, its unsafe, but no one ever got hurt, so whatever *shrugs*. But now someone falls down the ledge and get's badly hurt or even dies. Suddenly there is a big uproar about it with pointing fingers who is to blame. Everyone is suddenly concerned about every ledge in the world. Suddenly on that specific ledge a railing get's installed which is three times safer than it needs to be, addes with big signs and warnings about the possible danger. Mass media reports that the dangerous ledge is now safe and everyone glees in joy that we are safe now. At the same time all the other ledges which lighted up in concern are out of their minds becaus by now everyone doesn't even think about them anymore and they return to their lazy lifes. Shortly after this everyone forgets about it and the new installed safety railing get's neclected. A few years later it's in a state of unsafety again because nobody cares.
That's how people work. And people who are making the money out of stocks and shit, they know that.
If something happened like. Credit card credentials stolen from "big famous company" using the given exploit and now people lost money and yadda yadda, intel is to blame, intel has to pay. Then some other major companies which are in the server market (or somehow order high quantities from intel), step in and say that out of safety concern they won't buy intel products anymore. Then, the stocks would fall. But as it is now. Everything is fine.
Intel actually had another record quarterly and probably will have another one this year. Probably not the next, but by the end of the year, they will. And the quarterly numbers were released on the 25th I think. So those numbers alone triggered the people to buy stocks. When someone despite all that managed to make more money than before, you can bet they are able to manage to make even more money.

[67448eb73a6d4Kolya]

Eh, most people just can't do anything about it. So while there may be "masses" of people screaming at Intel, they are really a minority.
Give the people an update that makes their machines run 30% slower - then you'll hear the majority screaming bloody hell. Because that's something that everyone can understand.

[67448eb73a8defox]

I'm looking at this from a "why is the public outcry not louder"-angle and I wasn't expecting the masses to scream at Intel. I'm trying to understand it from a stock trader's perspective.

Sure, if I had the money to just wait any crisis out, I know people will forget just about anything at some point and the (expectable) damages will be paid off eventually (since Intel must sit on unbelievable amounts of money to survive even that - I've seen numbers being speculated that reached as high as 40 billions in the event they had to recall all the affected CPUs). But when I heared about this as a share holder who isn't sure to be able to sit it out, my instincts would tell me to get rid of the stock asap. Didn't happen. There was merely a minor bump in value of 4% for not even handful of days. There's many, many examples where much smaller incidents sent company stock on a roller coaster for months, for at least as long as the consequencies are not clear and the issues aren't fixed. Intel remains rock solid and even manages to raise their stock value even with several damocles swords hanging over their head. I do acknowledge that other fields of Intel's activities are affecting this too though.

Some things just don't compute (for me). I wouldn't be a successfull stock trader.

[67448eb73aa66voodoo47]

to make it simple, general rules don't apply to certain players. intel is one of them.

[67448eb73ab50fox]

That does seem to be the case to me too.

[67448eb73ac33Olfred]

It's just, who else is there besides Intel? AMD.
Do I need to say more?

[67448eb73ad14fox]

Yes, too big to fail.

[67448eb73ae14voodoo47]

hey, remember the Phenom patch? no? that's right, nobody does. because nobody cares.

[67448eb73b5e2Marvin]

It's just, who else is there besides Intel? AMD.
Do I need to say more?

Kind of. Because the continuing fuckups made by Intel are exactly what AMD needs to start catching up again, now that their CPUs are competetive again. And that's only desktop and server CPUs, on mobile, Intel has nothing.

[67448eb73b8e7fox]

hey, remember the Phenom patch? no? that's right, nobody does. because nobody cares.

That's right but the two cases aren't comparable regarding scale and threat potential. Should make some difference. AMD certainly isn't a white knight either though, neither in the past, nor now.

[67448eb73c2bfJDoran]

Speaking as a home PC user (games, internet, word processing, etc), and a low grade PC professional (I work in I.T. Support, but nothing complicated, and it's all Windows based), I'm not too bothered about these glitches for several reasons, and the same reasons seem to account for other peoples' lack of interest in these two glitches, from the people at work and my friends who I've discussed this with.


1. Every few months there's news of a newly discovered security glitch or new type of malware or something else to beware of, but I've never actually been effected by any of them, so I mostly just don't even bother reading about them anymore. At home I keep my anti-virus/anti-malware software fully updated, same with the firewall, and that plus common sense so far has kept my PC and laptops clean and safe. It's the same at  work except I'm not in charge of external security, the PC users don't commander a machine for their own purposes or run their own stuff on them, plus even my boss is PC-savy (a rarity, in my experience), so there's no obvious weak link in our security.

Basically, this is just another in the long line of "Beware!" warnings, that for years haven't meant much to me, and even if it is much, much more serious than anything earlier, it's something that will effect countless millions of PCs if it effects me, and with those sort of figures involved, the potential loss of money and for Intel the loss of face and prestige will mean that the experts will do everything they can to minimise or remove the risk.



2. Most of us spend (or 'waste', in our own eyes) eight hours a day, five days a week, doing jobs we don't like (I don't mind mine so much, though it is boring, but I spend nearly three hours a day commuting, and that I do hate) but also we nowadays worry about losing that job as the banks, the "Let's outsource to keep costs down" attitudes of modern businesses, the rising populations in many countries, and the ever widening gap between rich and poor, plus other economic factors, are driving down the number of jobs in respect to that country's population. Plus we live in a world where we or the people we love could be murdered by a mugger or a cretinous terrorist in a stolen car, or a drunk-driver any night, Trump and Kim Jong Un might well start World War 3, global warming, pollution, destroying the rain forests, and poisoning the oceans are massively damaging the environment but it won't stop as the big businesses that are profiting from it are only interested in the short term financial gain and by the time the evidence of the near-permanent damage we've done to the Earth becomes obvious even to the most close-minded deniers, it will be far too late to do anything to reverse large parts of it.

Factor in the more personal problems we all have, big and small (I can no longer eat some of the food I used to love, due to old age (47, though my body thinks it's 90) and my body developing faults, if you'll excuse my self pity!  ) etc, and for most people there's more to worry about than just a computer related problem, especially one as seemingly hugely complicated and yet distant as this seems to be.



3. This is real life, where most of us are badly paid, and even if we could easily afford to scrap our CPUs (and motherboard, probably) then what would we buy? Most of us, myself included, don't even understand these current problems, and so we have to follow the advice of those (who claim to be) more knowledgeable, but for all we know, the next hardware we buy to avoid these flaws might still have them (but hidden deeper) or have even worse flaws. And any new CPUs made to circumvent these flaws might introduce incompatibilities with current games and software. And given the current cost of RAM and especially for high end GFX cards, now is not the time for a total PC upgrade or new system.

And if we can't buy or replace parts to fix the problem, then why worry about it?



4. Even if mass hackings happen, then to most people it will be a real nuisance, but not life threatening. It's not like a batch of cars being found with a faulty break line or anything else that can cause physical harm. Yes, lots of people would be upset if their Facebook details were hacked (I've no idea why, I've never understood why anyone uses social-media), the same if these glitches resulted in private photos or letters being stolen,  and having to change your passwords for websites (when the passwords have been stolen) is a annoying, but most people don't think these things will happen to them (which is why so few non-PC-savy people ever back up their (to them) important date. For most people, as long at they can use Facebook, Twitter, Steam, etc, then that's pretty much all that matters.



5. The fact that it might well cause millions of people to lose lots of money if their online banking details are stolen no doubt does worry a lot of people, but again, the "It would never happen to me" belief is very strong, and anyway, most of us don't have too much to lose and even if we don, we believe that we'd have no trouble making the bank see that it wasn't our fault, so we should be OK.

And despite the countless flaws in the above 'reasons', it's human nature combined with the miserable state of the world that makes many of us so complacent about yet another thing we're told to be worried about. It's not a clever attitude, but it is the one most members of the public have.

But official PC and related groups (the magazine and web site media, hardware and software manufacturers, and PC related watchdog groups, etc) should be very concerned about this, and should be making the problems, the potential ramifications, and any advisable solutions, as well know to the effected public as they can. Maybe most of them are, but personally I'm not too bothered. Diabetes, glaucoma, my resultant fading eyesight, the state of my roof, etc, are much more pressing worries to me.

It's just, who else is there besides Intel? AMD.
Do I need to say more?

Yes. Lack of competition is never good for the consumer.

[67448eb73c4adfox]

JDoran, I undertstand and I share these feelings often enough. Personally I'm not feeling overly alarmed about about my personal security situation either although it would be warranted 24/7 all year round with or without Meltdown/Specter. What does shock me (once again) is the seemingly total lack of consequencies for the responsible parties and the apparent indifference of their share holders (as discussed earlier).

----------

heise: "Meltdown & Spectre: Windows-Update deaktiviert Schutz gegen Spectre V2"
(summary: MS released KB4078130 to deactivate previous attempts to protect against Specter variant #2 to prevent from system instabilities.)