
Zombieload Saga - New Intel Architecture security flaws, worse than Spectre/Meltdown

rcmaehl

Heh, Intel Xeons being down significantly on performance with rumors that Zen 3 will have 4 way SMT is particularly amusing. The scrambling last year over at Intel on their 7nm designs to figure out an implementation of HT that couldn't be attacked by these sorts of vulnerabilities had to be... epic.


Really glad we switched all our VMs to EPYC. Our licensing cost was reduced and now I don't have to worry about this stuff. 


1 hour ago, Stroal said:

Really glad we switched all our VMs to EPYC. Our licensing cost was reduced and now I don't have to worry about this stuff. 

Yet, it took months but eventually researchers found variants of Spectre & Meltdown that affected AMD CPUs. It's very likely this will be the same story.

 

These vulnerabilities might play a part in the death of X86 and the ARM takeover. Speculative Execution plays a big part in why X86 is so much faster than ARM, without it the performance gap narrows significantly. Pair that with the fact ARM is also cheaper and it's a very compelling deal for large server farms. Cheaper, more secure, requires less cooling and barely runs any slower? Why wouldn't you upgrade once the software catches up.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


24 minutes ago, Master Disaster said:

Yet, it took months but eventually researchers found variants of Spectre & Meltdown that affected AMD CPUs. It's very likely this will be the same story.

 

These vulnerabilities might play a part in the death of X86 and the ARM takeover. Speculative Execution plays a big part in why X86 is so much faster than ARM, without it the performance gap narrows significantly. Pair that with the fact ARM is also cheaper and it's a very compelling deal for large server farms. Cheaper, more secure, requires less cooling and barely runs any slower? Why wouldn't you upgrade once the software catches up.

Higher performance ARM processors also utilize Speculative Execution, and have also been vulnerable, with top-end designs (Apple's custom CPU, and Cortex A75) even having been confirmed to be affected by Meltdown. Lower end ARM processors such as Cortex A53, A55, A35, etc. are simpler cores that are in-order, and are largely immune from the aforementioned security issues.

 

The difference being x86 typically is reserved for the high end (performance-wise) so in-order x86 designs are seldom seen, and ARM typically offers a very wide range of performance levels (in synthesizable form for whatever SoC is required), so the in-order stuff from ARM gets more than its share of use.

 

Also, original Atom exists too on x86, which (up until Silvermont) is also immune, albeit, closer in performance to Cortex A53.

My eyes see the past…

My camera lens sees the present…


@rcmaehl once again, providing the goods. Your expertise in Cyber-Security is greatly appreciated, especially to those studying the topic like myself. mdsattacks.com seems to be a great website, seems to be very educational with a great interactive guide.

 

From my understanding Fallout seems to utilise some Speculative Execution vulnerabilities and a vulnerability within CPU buffers, specifically I noticed the Store and Forward Buffer of the CPU. Disheartening to hear the countermeasures in the new Coffee Lake i9 CPUs actually make them more vulnerable to Fallout.

 

Looking forward to learning more about these two new vulnerabilities in the days to come. Thanks again for sharing!

 


I guess we might need to turn off hyperthreading manually in Windows.

Let's just hope the fixes are released as soon as possible. It should not be a problem as long as no one goes to a suspicious website or one of the websites gets hacked and has suspicious malware put in.


13 hours ago, Misanthrope said:

You know, Raja was recently talking shit expressing his concerns about his former employer and while I am nowhere near knowledgeable enough to emit any kind of value judgement on his concerns, as long as this shit keeps making the headlines AMD could really glue together chip dies crudely and it would still look better than this many critical vulnerabilities with seemingly no end in sight.

I think he's only talking shit to AMD Radeon rather than AMD as a whole.


1 minute ago, JustWantTech said:

I think he's only talking shit to AMD Radeon rather than AMD as a whole.

No, he was talking about AMD in their entirety.

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


12 minutes ago, JustWantTech said:

I think he's only talking shit to AMD Radeon rather than AMD as a whole.

 

10 minutes ago, Drak3 said:

No, he was talking about AMD in their entirety.

Yeah I was gonna say, AFAIK he was talking about the interconnect stuff and that's Zen stuff.

-------

Current Rig

-------


1 minute ago, Misanthrope said:

 

Yeah I was gonna say, AFAIK he was talking about the interconnect stuff and that's Zen stuff.

Not only that, but we know that AMD is/was heavily considering adapting Infinity Fabric for a scalable GPU system that was basically an MCM.

 

To which, Intel doesn't compete in the GPU market in the same way AMD and Nvidia was. So, his statement of "No significant software ecosystem" without Intel doesn't hold up if he's only talking about RTG.



With all this Spectre/Meltdown stuff popping up every other month and showing new, worse vulnerabilities, why are people still buying Intel CPUs??
Especially if there are viable alternatives??

 

Makes no sense...

 

And with all that stuff going on, isn't it almost bad enough for a recall??

"Hell is full of good meanings, but Heaven is full of good works"


7 minutes ago, Stefan Payne said:

With all this Spectre/Meltdown stuff popping up every other month and showing new, worse vulnerabilities, why are people still buying Intel CPUs??
Especially if there are viable alternatives??

 

Makes no sense...

 

And with all that stuff going on, isn't it almost bad enough for a recall??

Remember Intel has a bug bounty program too, so they are most likely going to be looked at for flaws.

 

Does AMD have a bug bounty program like the others?

Not saying they have vulnerabilities like these, but do they have everyone trying to find flaws to get paid?


11 hours ago, ravenshrike said:

Heh, Intel Xeons being down significantly on performance with rumors that Zen 3 will have 4 way SMT is particularly amusing. The scrambling last year over at Intel on their 7nm designs to figure out an implementation of HT that couldn't be attacked by these sorts of vulnerabilities had to be... epic.

AMD is pushing for Intel to use all their shit.

Intel had 4 way on Knights Landing.


13 hours ago, justpoet said:

Fairly high until all the browsers put in mitigations and you get the microcode updates.  Once those both happen, reasonably low.

I am not sure. I thought Meltdown and Spectre were only vulnerable to local attacks.

 

It seems disconcerting that this exploit can apparently be executed via Javascript. So-called Drive-by attacks on websites. Extremely disconcerting.

 

Once the browser is patched however, it seems you would need local access to the machine OR malicious software to exploit it, which makes the risk lower.

 

With Spectre and Meltdown, the implications were especially severe for servers, because if you are running two clients on the same server, one could potentially extract data out of the CPU of another app / client (or something to that effect, I might have the terminology wrong).

 

The real question is: once Intel patches this with Microcode updates: how will it affect CPU performance?? Spectre and Meltdown fixes DID slow down CPUs although not too severely. Again the branch predicting / speculative execution is vulnerable.

 

I doubt AMD will be spared from this / future vulnerabilities like this, because as far as I know, AMD CPUs do similar predicting.

 

 

 

 


This is a good article about the status of fixes for this mess: https://www.zdnet.com/article/patch-status-for-the-new-mds-attacks-against-intel-cpus/

 

Quote

The good news is that Intel had more than a year to get this patched, and the company worked with various OS and software vendors to coordinate patches at both the hardware and software level. Both the hardware (Intel CPU microcode updates) and software (OS security updates) protections must be installed at the same time to fully mitigate MDS attacks. If patches aren't available yet, disabling the Simultaneous Multi-Threading (SMT) feature on Intel CPUs will significantly reduce the impact of all MDS attacks.

Below is a summary of all the fixes currently available for today's MDS attacks, along with support pages describing additional mitigation techniques.

Intel

In a security advisory, Intel said today that it released updated Intel microcode updates to device and motherboard vendors.

When these microcode updates would end up on users' computers is anybody's guess. If we're to learn anything from the Meltdown and Spectre patching process, the answer is probably never, and Microsoft will eventually have to step in and deliver Intel's microcode updates as part of the Windows Update process, just like it did for Meltdown and Spectre last year.
 

In the meantime, Intel has published a list of impacted Intel processors, complete with in-depth details about the status of available microcode updates for each CPU model.

Microsoft

Until the Intel microcode updates reach users' computers, Microsoft has published OS-level updates to address the four MDS vulnerabilities.

Per Microsoft's MDS security advisory, OS updates are available for Windows and Windows Server, but also SQL Server databases.

Azure clients are already protected because Microsoft has already taken steps to patch its cloud infrastructure and mitigate the threat.

Apple

Mitigations for MDS attacks have been deployed with macOS Mojave 10.14.5, released today.

"This update prevents exploitation of these vulnerabilities via JavaScript or as a result of navigating to a malicious website in Safari," Apple said.

The fix has no "measurable performance impact," the company added.


I mean.. as far as I know installing the Microcode updates requires updating the BIOS? So you will never be fully protected from this, unless your Motherboard manufacturer releases a microcode update?

 

  • First of all, the average user does not know how to update the BIOS
  • Secondly, motherboard manufacturers' support for older motherboards is really bad usually.
  • Thirdly, updating the BIOS is not without risk of bricking the PC, so even as an experienced user, I am not too keen on updating the BIOS too often.

 

Is this the world we live in now? Are BIOS updates going to be like Android updates or Software updates: critical to your security? Will we need to start looking at which manufacturer updates their BIOS the best when selecting a motherboard?

 

Further, if we cannot get these kinds of vulnerabilities under control, is this the end of Hyperthreading and SMT??


1 minute ago, maartendc said:

I am not sure. I thought Meltdown and Spectre were only vulnerable to local attacks.

 

It seems disconcerting that this exploit can apparently be executed via Javascript. So-called Drive-by attacks on websites. Extremely disconcerting.

 

Once the browser is patched however, it seems you would need local access to the machine OR malicious software to exploit it, which makes the risk lower.

 

With Spectre and Meltdown, the implications were especially severe for servers, because if you are running two clients on the same server, one could potentially extract data out of the CPU of another app / client (or something to that effect, I might have the terminology wrong).

 

The real question is: once Intel patches this with Microcode updates: how will it affect CPU performance?? Spectre and Meltdown fixes DID slow down CPUs although not too severely. Again the branch predicting / speculative execution is vulnerable.

 

I doubt AMD will be spared from this / future vulnerabilities like this, because as far as I know, AMD CPUs do similar predicting.

Early implementations of Spectre were browser based.  It essentially is a timing attack, and browsers made javascript be less precise with timing returns, and added some random waits (of a couple ms) in a couple key places too.  This mitigated the common "off pc" attack vector, though didn't solve the underlying issue.  That's probably "good enough" for the majority of people.

 

Meltdown was a privilege escalation attack on the CPU (rather than the OS), but was best known and worried about because of being able to go between cloud instances.

 

Microcode and OS updates fixed most of the attack vectors on many of the chips for those, with an approx. 4% slow down in the end for average workloads after multiple iterations of patches.  To fully fix it, you needed the new architecture chips as well, or to disable speculation/hyperthreading.

 

This new set of vulnerabilities is similar to Spectre in that it can do everything it needs from within javascript, and browsers are implementing similar mitigations for it, though this new set is actually more powerful and can get more data than Spectre.  While some processors are getting microcode updates for this, Intel is not expected to go back to older chips for this, and their prior hardening implementation of the speculative units for the newer chip architectures is actually MORE susceptible to these new rounds of attacks.

 

Like with Spectre/Meltdown, the true full fix is to disable speculation/hyperthreading.  I would expect that, like with those, there will be patches that will be "good enough" for the average end user, and only carry a 5%ish performance penalty.

 

Lastly, I would suggest that while Spectre was basically a generic timing attack against all forms of speculation, Intel has always done speculation in more places in their chip architecture and also used it far more aggressively than AMD/ARM.  This is why only a couple of the various issues have been for all processors, while many have been Intel only.


4 minutes ago, maartendc said:

I mean.. as far as I know installing the Microcode updates requires updating the BIOS? So you will never be fully protected from this, unless your Motherboard manufacturer releases a microcode update?

 

  • First of all, the average user does not know how to update the BIOS
  • Secondly, motherboard manufacturers' support for older motherboards is really bad usually.
  • Thirdly, updating the BIOS is not without risk of bricking the PC, so even as an experienced user, I am not too keen on updating the BIOS too often.

 

Is this the world we live in now? Are BIOS updates going to be like Android updates or Software updates: critical to your security? Will we need to start looking at which manufacturer updates their BIOS the best when selecting a motherboard?

 

Further, if we cannot get these kinds of vulnerabilities under control, is this the end of Hyperthreading and SMT??

Modern OSs can load microcode overrides prior to loading themselves, much like the bios/EFI can.  It isn't as guaranteed as bios/efi being updated, in case somebody booted to another OS, or you installed a fresh OS, but it is "good enough" for anybody that isn't doing this for a living to be covered, and to not need to know much about bios updates and the like.
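Added example (not from the thread, ZDNet or justpoet): a small POSIX shell check that turns the Linux kernel's MDS status line from /sys/devices/system/cpu/vulnerabilities/mds into the outcomes the quoted ZDNet advice and the reply above describe (microcode plus OS update = fully mitigated, SMT off without microcode = reduced exposure, otherwise still vulnerable). The status strings matched are the ones the kernel documents for that file; the function names and the "kernel has no MDS support" fallback line are this example's own.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's MDS mitigation status.
# The kernel exposes one status line per issue under
# /sys/devices/system/cpu/vulnerabilities/; the strings matched below are the
# documented ones for "mds". Function names are this example's own.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds
SMT_SYSFS=/sys/devices/system/cpu/smt/control

# Map one MDS status line to a verdict.
#   not_affected  CPU is not in the affected list
#   full          microcode loaded, kernel clears CPU buffers, SMT off or mitigated
#   partial       buffers are cleared, but a sibling hyperthread (or an unknown
#                 host SMT state inside a VM) can still share them
#   smt_off_only  no microcode (buffer clearing has no effect), SMT disabled
#                 limits exposure as the ZDNet article advises
#   vulnerable    neither microcode nor SMT-off in place
mds_verdict() {
    case "$1" in
        "Not affected") echo not_affected ;;
        "Mitigation: Clear CPU buffers; SMT disabled") echo full ;;
        "Mitigation: Clear CPU buffers; SMT mitigated") echo full ;;
        "Mitigation: Clear CPU buffers"*) echo partial ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled") echo smt_off_only ;;
        "Vulnerable"*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Read the live status. A missing file means the running kernel predates the
# MDS mitigation code entirely, so it cannot be applying the OS-side fix;
# the fallback line is constructed here so it classifies as vulnerable.
mds_live_status() {
    if [ -r "$MDS_SYSFS" ]; then
        cat "$MDS_SYSFS"
    else
        echo "Vulnerable: kernel has no MDS mitigation support (sysfs entry missing)"
    fi
}

# One tab-separated line per host, suitable for a fleet inventory script.
mds_report() {
    status=$(mds_live_status)
    smt=$( [ -r "$SMT_SYSFS" ] && cat "$SMT_SYSFS" || echo unknown )
    printf '%s\tmds=%s\tsmt=%s\thost=%s\n' \
        "$(mds_verdict "$status")" "$status" "$smt" "$(uname -n)"
}

mds_report
```

On a fleet, anything other than full (or not_affected) is the signal that either the microcode or the OS side of the fix is still missing on that host.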


I clicked on this because I expected to see Intel versions of zombie anime idol girls.

I’m sorely disappointed.

Who needs fancy graphics and high resolutions when you can get a 60 FPS frame rate on iGPUs?


I5 HYYYPPPEE

🌲🌲🌲

 

 

 

◒ ◒ 


24 minutes ago, Arika S said:

I5 HYYYPPPEE

i7 9700K HYYYPPPPEEEEEEE



1 hour ago, pas008 said:

AMD is pushing for Intel to use all their shit.

Intel had 4 way on Knights Landing.

No, AMD is copying HP, who not only invented SMT but has continuously used it since. They also came out with 4 way SMT before Intel. What's more, Knight's Landing was hardware based SMT which given SPECTRE and MELTDOWN is highly unlikely to ever be a thing again.


1 minute ago, Mr Prince said:

For AMD's sake I hope they don't have these vulnerabilities or vulnerabilities of their own

I can guarantee that they do. How easy to exploit them is a different discussion.



13 minutes ago, ravenshrike said:

No, AMD is copying HP, who not only invented SMT but has continuously used it since. They also came out with 4 way SMT before Intel. What's more, Knight's Landing was hardware based SMT which given SPECTRE and MELTDOWN is highly unlikely to ever be a thing again.

So you're saying that they can fix it on 2 way but not 4 way?

 


51 minutes ago, justpoet said:

Early implementations of Spectre were browser based.  It essentially is a timing attack, and browsers made javascript be less precise with timing returns, and added some random waits (of a couple ms) in a couple key places too.  This mitigated the common "off pc" attack vector, though didn't solve the underlying issue.  That's probably "good enough" for the majority of people.

 

Meltdown was a privilege escalation attack on the CPU (rather than the OS), but was best known and worried about because of being able to go between cloud instances.

 

Microcode and OS updates fixed most of the attack vectors on many of the chips for those, with an approx. 4% slow down in the end for average workloads after multiple iterations of patches.  To fully fix it, you needed the new architecture chips as well, or to disable speculation/hyperthreading.

 

This new set of vulnerabilities is similar to Spectre in that it can do everything it needs from within javascript, and browsers are implementing similar mitigations for it, though this new set is actually more powerful and can get more data than Spectre.  While some processors are getting microcode updates for this, Intel is not expected to go back to older chips for this, and their prior hardening implementation of the speculative units for the newer chip architectures is actually MORE susceptible to these new rounds of attacks.

 

Like with Spectre/Meltdown, the true full fix is to disable speculation/hyperthreading.  I would expect that, like with those, there will be patches that will be "good enough" for the average end user, and only carry a 5%ish performance penalty. 

 

Lastly, I would suggest that while Spectre was basically a generic timing attack against all forms of speculation, Intel has always done speculation in more places in their chip architecture and also used it far more aggressively than AMD/ARM.  This is why only a couple of the various issues have been for all processors, while many have been Intel only.

Extremely useful information, thank you!

 

Like you probably can tell, I only know half of how these things work. Good to hear from someone with a deeper understanding.

 

I think it is interesting like you said, the patches are "good enough" for most users, as it just introduces workarounds that make the exploits less exploitable. But like you say, the one and only true fix is to disable Hyperthreading.

 

Good to know that AMD relies less on SMT / speculation in their chip designs, did not know that. So AMD is by design a safer choice I guess, although not immune to some forms of it. Will be interesting to see if Intel will start altering their chip design in the longer term based on these hardware vulnerabilities.

47 minutes ago, justpoet said:

Modern OSs can load microcode overrides prior to loading themselves, much like the bios/EFI can.  It isn't as guaranteed as bios/efi being updated, in case somebody booted to another OS, or you installed a fresh OS, but it is "good enough" for anybody that isn't doing this for a living to be covered, and to not need to know much about bios updates and the like. 

Ah, good to know. Did not know the OS could load Microcode. In that case, BIOS update is nice, but less of a concern.


13 hours ago, ravenshrike said:

Heh, Intel Xeons being down significantly on performance with rumors that Zen 3 will have 4 way SMT is particularly amusing. The scrambling last year over at Intel on their 7nm designs to figure out an implementation of HT that couldn't be attacked by these sorts of vulnerabilities had to be... epic.

Wait, 4 way SMT as in 4 threads per 1 physical core? Interesting, haven't heard that one in any rumor about Zen3...
