
NVIDIA and Princeton University collaborated to make a working proof of concept tool that exploits Spectre and Meltdown

30 minutes ago, leadeater said:

I didn't think they had anything current?

The only CPU core they've ever designed is their 64 Bit Project Denver ARM core.

 

They're allegedly working on Project Denver 2.0 

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022)

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),


9 minutes ago, leadeater said:

I would like to note that the Spectre mitigation included in the Windows Updates is off by default on Windows Server and the current advice from Microsoft is to leave it off unless the server is at an exposed risk of exploitation.

Didn’t Microsoft roll back the Spectre v2 update because it was problematic?

 

There is more that meets the eye
I see the soul that is inside

 

 


27 minutes ago, hey_yo_ said:

Didn’t Microsoft roll back the Spectre v2 update because it was problematic?

It was always off by default for servers, with a reg key required to enable variant 1 and variant 2 mitigation individually; both are on by default on Windows desktop editions.


29 minutes ago, leadeater said:

None of their GPU hardware is affected, and for their ARM CPUs they never really 'confirmed' they were; they are working on microcode updates for them to ensure they are not, though, so that could be an admission of exposed risk or just playing it safe.

None of their GPU hardware was, but their software was vulnerable to Spectre.

They did confirm that their CPUs are vulnerable. The one they didn't "confirm" was Meltdown. Here are the quotes from Nvidia:

Quote

Variant 1 (CVE-2017-5753): Mitigations are provided with the security update included in this bulletin. NVIDIA expects to work together with its ecosystem partners on future updates to further strengthen mitigations.

Variant 2 (CVE-2017-5715): Mitigations are provided with the security update included in this bulletin. NVIDIA expects to work together with its ecosystem partners on future updates to further strengthen mitigations.

Variant 3 (CVE-2017-5754): At this time, NVIDIA has no reason to believe that Shield TV/tablet is vulnerable to this variant.

The language is clear. They have released updates for it and will work with partners to further strengthen mitigations. If they have to strengthen their current mitigations then it is clear that they are affected. There would be no reason for the distinct language difference between Spectre and Meltdown if all they did was "play it safe and update just in case".

They also released this:

Quote
  • Variant 1 (CVE-2017-5753): Software mitigations for the Arm CPU issue are provided with the security update included in this bulletin. NVIDIA expects to work together with its ecosystem partners as future updates are released to further strengthen mitigations for the potentially affected CPU.

  • Variant 2 (CVE-2017-5715): Software mitigations for the Arm CPU issue are provided with the security update included in this bulletin. NVIDIA expects to work together with its ecosystem partners as future updates are released to further strengthen mitigations for the potentially affected CPU.

  • Variant 3 (CVE-2017-5754): NVIDIA believes that Jetson TX2 is not vulnerable to this variant.

  • Variant 3a (CVE-2017-5754): Based on Arm's Security Update, NVIDIA has no reason to believe that Jetson TX2 needs software mitigations for this variant.

 

36 minutes ago, leadeater said:

Nvidia's risk is extremely low for Spectre, so unfortunately for them that warrants a joke or two about it. You've got companies trying to develop microcode updates for affected products, which is taking a significant amount of time and effort, and this project is unlikely to immediately help with that, yet they are helping increase the risk of exploitation.

Totally agree that the risk is smaller for Nvidia than everyone else, but this is a research project by a university.

Not to mention that all the processors Nvidia uses for their servers and other equipment are vulnerable too. The more vulnerabilities they find, the more vulnerable their own equipment is too.

 

So in order for this conspiracy theory to make any sense you have to believe that:

1) Nvidia are willing to spend time and money harming their competitors in the short term, even though it will benefit everyone in the world long-term.

2) Nvidia has managed to get a university in on it.

3) That Nvidia are so willing to harm Intel and AMD, that they would be willing to put their own equipment at risk.

4) Not just put their own equipment like their factories at risk, but also their own customers that use things like their Tegra chips (which is a large amount of cars, among other things).

 

Seems like a fairly big stretch to me.


7 minutes ago, LAwLz said:

The language is clear. They have released updates for it and will work with partners to further strengthen mitigations. If they have to strengthen their current mitigations then it is clear that they are affected. There would be no reason for the distinct language difference between Spectre and Meltdown if all they did was "play it safe and update just in case".

It wasn't really that clear in the same statement linked.

 

Quote

Jetson TX2 integrates Arm-based (CPU) processors that may, in certain circumstances, benefit from software mitigations to reduce the risk of the exploits identified in the Google Project Zero disclosure. For more information, refer to the Arm Security Update.

 

This bulletin addresses NVIDIA software updates for Jetson TX2 to mitigate aspects of the potential CPU vulnerabilities.

That's a bit far from a "We are affected by Spectre confirmation" in my view.

 

Edit:

Like not all ARM architectures are vulnerable to Spectre so a solid yes/no would be much better than "Eh maybe?"

 

7 minutes ago, LAwLz said:

Seems like a fairly big stretch to me.

That's why I said it was mostly sarcasm, most people are thinking it and I'll happily take that opportunity to make a well timed joke about it. It's not like Nvidia is actually going to do something to jeopardize the host systems they rely on to work or the business relationship with Intel for example.


3 hours ago, mr moose said:

Yes, they did. Because not only is that standard business practice in situations like this, but no one can expect the tech industry to just stop and wait to see what happens next.

This affected AMD, Intel and ARM. It's hard to think they all knew and kept going, for me at least.

.


6 minutes ago, asus killer said:

This affected AMD, Intel and ARM. It's hard to think they all knew and kept going, for me at least.

It's very well documented that this was the case, same story with the massive Intel IME security flaw. Product sales in the tech space generally don't stop for security issues.


44 minutes ago, leadeater said:

It's very well documented that this was the case, same story with the massive Intel IME security flaw. Product sales in the tech space generally don't stop for security issues.

OK, if you tell me it's well documented, that is another story; I had no idea that was the case.

 

.


13 minutes ago, asus killer said:

OK, if you tell me it's well documented, that is another story; I had no idea that was the case.

 

 

Quote

Google said it informed the affected companies about the Spectre flaw on 1 June 2017 and later reported the Meltdown flaw before 28 July 2017. Both Intel and Google said they were planning to release details of the flaws on 9 January, when they said more fixes would be available, but that their hand had been forced after early reports led to Intel stock falling by 3.4% on Wednesday.

https://www.theguardian.com/technology/2018/jan/04/meltdown-spectre-worst-cpu-bugs-ever-found-affect-computers-intel-processors-security-flaw


10 minutes ago, leadeater said:

OK, I thought you meant to say they knew from the start (I guess this affected CPUs from 2007 at least).

I think that was bad, but there was a press blackout so as to assess the issue and try to get a fix before everyone knew and potential hackers could exploit it. If they stopped selling CPUs altogether in that blackout period, I think the cure would be worse than the disease. There would simply not be a CPU to buy, a cell phone, a laptop, a desktop... and no one could know why. I think it would have been impractical to stop selling them even if they knew by then.

.


6 minutes ago, asus killer said:

If they stopped selling CPUs altogether in that blackout period, I think the cure would be worse than the disease.

All processors are affected, both new and old; even processors from 20 years ago are affected by Spectre and Meltdown, including that awful Pentium 4 and Pentium D. That’s like asking Microsoft to stop selling their Surface PCs because of an embarrassing Windows Hello vulnerability or asking Apple to stop selling the iPhone X because FaceID can be bypassed by a well-made mask or an identical twin.


5 hours ago, mr moose said:

If what I have been reading recently is anything accurate, despite their best efforts they are not going to produce a flawless chip (without going back to the dark ages of CPU design) and we are fucked anyway.

 

Here's to positive thinking and not being a fatalist.

Well, considering that such OoO CPUs with Speculative Execution are, by design, executing code of their own accord to some extent, one could say such a design was never a great idea from a pure security standpoint. However, reliance on such performance gains is great enough that aside from specialty applications, losing the performance would be far too painful a hit to consider.

 

Spectre (or any other related flaw) will probably be one of those possibilities we'll have to live with and what we're now aware of. Unless we can push some 8+ GHz on in-order cores, I don't see that changing anytime even in the distant future. For the Tin Foil Hat folks, solutions already exist (Raspberry Pi) for instances where security is required such as checking bank info.

My eyes see the past…

My camera lens sees the present…


4 hours ago, leadeater said:

Of course Nvidia helps develop something that will not impact themselves in a single way but screw over other major technology companies, only 50% sarcasm btw.

It technically does impact their desktop GPU market somewhat. If no one can securely have a PC, then they won't buy a PC, which means they won't have a GPU.

If anything they are doing this to make sure the CPU companies push out a REAL, proper fix for the issue... perhaps what you said is also part of the reason but on a large scale, it does affect them a bit

 

This is also UNLESS they are about to drop a desktop CPU lineup on everyone, which would be quite a shock.

"If a Lobster is a fish because it moves by jumping, then a kangaroo is a bird" - Admiral Paulo de Castro Moreira da Silva

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown

Spoiler

Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1


6 hours ago, mr moose said:

If what I have been reading recently is anything accurate, despite their best efforts they are not going to produce a flawless chip (without going back to the dark ages of CPU design) and we are fucked anyway.

 

Here's to positive thinking and not being a fatalist.

Double toast via phone...


I know Intel has done some scummy things over the years, but Nvidia is an outright evil empire at this point. Actively working to give criminals tools to steal data from you. That's even worse than their proprietary vendor locked in overpriced crap.

Watching Intel have competition is like watching a headless chicken trying to get out of a mine field

CPU: Intel I7 4790K@4.6 with NZXT X31 AIO; MOTHERBOARD: ASUS Z97 Maximus VII Ranger; RAM: 8 GB Kingston HyperX 1600 DDR3; GFX: ASUS R9 290 4GB; CASE: Lian Li v700wx; STORAGE: Corsair Force 3 120GB SSD; Samsung 850 500GB SSD; Various old Seagates; PSU: Corsair RM650; MONITOR: 2x 20" Dell IPS; KEYBOARD/MOUSE: Logitech K810/ MX Master; OS: Windows 10 Pro


15 hours ago, ARikozuM said:

NVIDIA, WHY HAVE YOU FORSAKEN US?!

<---- Petition to add NVIDIA to the list of unapproved companies 

RyzenAir : AMD R5 3600 | AsRock AB350M Pro4 | 32gb Aegis DDR4 3000 | GTX 1070 FE | Fractal Design Node 804
RyzenITX : Ryzen 7 1700 | GA-AB350N-Gaming WIFI | 16gb DDR4 2666 | GTX 1060 | Cougar QBX 

 

PSU Tier list

 


15 hours ago, hey_yo_ said:

Maybe NVIDIA is planning to make their own desktop processors just like Intel is making their own dGPUs.

I've heard that Nvidia wants to replace CPUs with GPUs entirely

 


6 hours ago, asus killer said:

OK, I thought you meant to say they knew from the start (I guess this affected CPUs from 2007 at least).

I think that was bad, but there was a press blackout so as to assess the issue and try to get a fix before everyone knew and potential hackers could exploit it. If they stopped selling CPUs altogether in that blackout period, I think the cure would be worse than the disease. There would simply not be a CPU to buy, a cell phone, a laptop, a desktop... and no one could know why. I think it would have been impractical to stop selling them even if they knew by then.

Exactly. When you hear people complaining they should have stopped selling, you are basically hearing from people who either want money from a lawsuit or fanboys who just hate for the sake of hate. There are very logical reasons why ALL companies continue business as normal.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


6 hours ago, Shreyas1 said:

I've heard that Nvidia wants to replace CPUs with GPUs entirely

Are they citing end of Moore’s law as well? 


2 hours ago, hey_yo_ said:

Are they citing end of Moore’s law as well? 

Pretty sure yea

 

here: https://www.pcgamer.com/nvidia-ceo-says-moores-law-is-dead-and-gpus-will-replace-cpus/

Edited by Shreyas1
Added link

 


1 minute ago, hey_yo_ said:

Would it be considered dead if Intel can manage 1 nm transistors?

I doubt they even could if they tried

 

I think the whole transistor concept will die soon 

Edited by Shreyas1

 


20 hours ago, hey_yo_ said:

While NVIDIA develops their own x86/64 processor that is free from Spectre and Meltdown. 

You think Intel will actually license x86 to Nvidia? Unless they get ordered to (anti-trust protections have become a joke so I doubt it)... I don’t see why they would...

 

Unless something big changes, only Intel, AMD, and VIA can make x86-based CPUs.

 

They could try to make a completely novel architecture/instruction set but that would be a massive hurdle and require every OS/program to be completely rewritten which I just don’t see happening any time soon.

Primary PC-

CPU: Intel i7-6800k @ 4.2-4.4Ghz   CPU COOLER: Bequiet Dark Rock Pro 4   MOBO: MSI X99A SLI Plus   RAM: 32GB Corsair Vengeance LPX quad-channel DDR4-2800  GPU: EVGA GTX 1080 SC2 iCX   PSU: Corsair RM1000i   CASE: Corsair 750D Obsidian   SSDs: 500GB Samsung 960 Evo + 256GB Samsung 850 Pro   HDDs: Toshiba 3TB + Seagate 1TB   Monitors: Acer Predator XB271HUC 27" 2560x1440 (165Hz G-Sync)  +  LG 29UM57 29" 2560x1080   OS: Windows 10 Pro

Album

Other Systems:

Spoiler

Home HTPC/NAS-

CPU: AMD FX-8320 @ 4.4Ghz  MOBO: Gigabyte 990FXA-UD3   RAM: 16GB dual-channel DDR3-1600  GPU: Gigabyte GTX 760 OC   PSU: Rosewill 750W   CASE: Antec Gaming One   SSD: 120GB PNY CS1311   HDDs: WD Red 3TB + WD 320GB   Monitor: Samsung SyncMaster 2693HM 26" 1920x1200 -or- Steam Link to Vizio M43C1 43" 4K TV  OS: Windows 10 Pro

 

Offsite NAS/VM Server-

CPU: 2x Xeon E5645 (12-core)  Model: Dell PowerEdge T610  RAM: 16GB DDR3-1333  PSUs: 2x 570W  SSDs: 8GB Kingston Boot FD + 32GB Sandisk Cache SSD   HDDs: WD Red 4TB + Seagate 2TB + Seagate 320GB   OS: FreeNAS 11+

 

Laptop-

CPU: Intel i7-3520M   Model: Dell Latitude E6530   RAM: 8GB dual-channel DDR3-1600  GPU: Nvidia NVS 5200M   SSD: 240GB TeamGroup L5   HDD: WD Black 320GB   Monitor: Samsung SyncMaster 2693HM 26" 1920x1200   OS: Windows 10 Pro

Having issues with a Corsair AIO? Possible fix here:

Spoiler

Are you getting weird fan behavior, speed fluctuations, and/or other issues with Link?

Are you running AIDA64, HWinfo, CAM, or HWmonitor? (ASUS suite & other monitoring software often have the same issue.)

Corsair Link has problems with some monitoring software so you may have to change some settings to get them to work smoothly.

-For AIDA64: First make sure you have the newest update installed, then, go to Preferences>Stability and make sure the "Corsair Link sensor support" box is checked and make sure the "Asetek LC sensor support" box is UNchecked.

-For HWinfo: manually disable all monitoring of the AIO sensors/components.

-For others: Disable any monitoring of Corsair AIO sensors.

That should fix the fan issue for some Corsair AIOs (H80i GT/v2, H110i GTX/H115i, H100i GTX and others made by Asetek). The problem is bad coding in Link that fights for AIO control with other programs. You can test if this worked by setting the fan speed in Link to 100%, if it doesn't fluctuate you are set and can change the curve to whatever. If that doesn't work or you're still having other issues then you probably still have a monitoring software interfering with the AIO/Link communications, find what it is and disable it.
