I can see clearly with my spectre on. Researches announce Spectre V2, affects Intel (upto Alder) and Arm, AMD unaffected.

[Master Disaster]

Boy, the 2020s are shaping up to be the decade that keeps on giving.....

 

A team of security researchers have just announced a brand new variant of every ones favourite CVE, called Spectre V2 (very imaginative) this new variant apparently works on pretty much all current Intel and some current ARM CPUs.

Quote

VUSec security research group and Intel have revealed another Spectre-class speculative execution vulnerability called branch history injection, or BHI. The new exploit impacts all Intel processors released in the last several years and specific Arm core processors. Intel processors affected include the most recent 12th Gen Core Alder Lake CPUs. Surprisingly, AMD chips have shown no effect from the vulnerability at this time.

The attack once again takes advantage of branch prediction, this time its able to insert entries into the branch prediction list which the CPU will then process and is able to avoid the current fixes Intel and Arm put in place for Spectre V1. Along with the announcement the team also released a Proof Of Concept exploit demonstrating what it can do.

Quote

BHI is a proof-of-concept attack affecting vulnerable CPUs open to Spectre V2 exploits. The interesting part of this particular attack is that several mitigations were currently in place on the affected CPUs. BHI avoids the Intel Enhanced Indirect Branch Restricted Speculation (EIBRS) and the Arm ID_PFR0_EL1 CSV2 assignment. VUSec reports that BHI enables cross-privilege Spectre-v2 exploits, allowing kernel-to-kernel (intra-mode BTI) exploits and permitting attackers to place predictor entries into the global branch prediction history make kernel leak data. The result of the attack leaks arbitrary kernel memory on specific CPUs and could reveal hidden data such as passwords.

Both Intel & Arm have committed to releasing hardware fixes however its worth noting, this issue is actually already patched for Linux users running kernel v5.16 or higher. I guess being bleeding edge does pay off sometimes.

 

Source - https://wccftech.com/spectre-v2-vulnerability-strikes-again-in-intel-alder-lake-arm-cpus-amd-chips-unharmed/

CVE - https://nvd.nist.gov/vuln/detail/CVE-2022-25368   <----- Not actually live yet

CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25368

 

I wonder how much more performance we are going to lose from our Intel CPUs for this fix? My poor laptop cannot take another 5% hit.

 

Edit - So I found a decent article from Armdevelopers.com that outlines exactly which Arm CPUs are vulnerable

Quote

In March 2022, researchers within the Systems and Network Security Group at Vrije Universiteit Amsterdam disclosed a new cache speculation vulnerability known as Branch History Injection (BHI) or Spectre-BHB. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's own hardware context. Once that occurs, speculation caused by mispredicted branches can be used to cause cache allocation, which can then be used to infer information that should not be accessible.

This vulnerability has been given the CVE number CVE-2022-23960.

Affected CPUs

Below is a list of Arm CPUs affected by Spectre-BHB.

Cortex-A

• Cortex-A15
• Cortex-A57
• Cortex-A65
• Cortex-A65AE
• Cortex-A72*
• Cortex-A73*
• Cortex-A75*
• Cortex-A76
• Cortex-A76AE
• Cortex-A77
• Cortex-A78
• Cortex-A78AE
• Cortex-A78C
• Cortex-X1
• Cortex-X2
• Cortex-A710

Neoverse

• Neoverse-E1
• Neoverse-N1*
• Neoverse-N2
• Neoverse-V1

Note: Cortex-A72 prior to r1p0, Cortex-A73 prior to r1p0, Cortex-A75 prior to r3p0, Cortex-A76 prior to r3p0, and Neoverse N1 prior to r3p0 do not support FEAT_CSV2. If software running on those CPUs is using Arm's recommended mitigation for Spectre v2, then they are protected against Spectre-BHB.

Cortex-R

Some Cortex-R CPUs (for example, the Cortex-R7 and the Cortex-R8) may be vulnerable to this attack. However, as with Spectre v2, the common usage model for those CPUs is for non-open software environments (where applications and processes are more strictly controlled), and as such this vulnerability is not exploitable. 

Mitigation

Mitigation will depend on the CPU and will either be based on implementing a loop to discard the branch history on entry to higher exception levels, or will involve flushing all branch predictions via an implementation specific route. Details are available in the Spectre-BHB whitepaper.

^Source^ - https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb

 

For clarity, it appears as though Spectre-BHI (aka V2 or the one that affects Intel) and Spectre-BHB (the one that affects Arm) are being treated as 2 separate CVEs. It looks like there are 2 CVEs registered, both are still in Reserved status ATM so they have very little info available.

[AlTech]

I have just one word: AyyyyMD.

 

But seriously, AMD not being affected makes you wonder what Intel and ARM are doing to constantly get these vulnerabilities.

[jagdtigger]

4 minutes ago, AluminiumTech said:

But seriously, AMD not being affected makes you wonder what Intel and ARM are doing to constantly get these vulnerabilities.

"Performance over everything else" mentality bite them in the butt again.... Obviously didnt learned the lesson the 1st time.

[Rauten]

Jesus F Christ, Casper is having a field day decade.

 

I wonder though, no mention of M1? Have they not tried it on Apple hardware, or is there something inherent in their designs that prevent this?

[Master Disaster]

1 minute ago, Rauten said:

Jesus F Christ, Casper is having a field day decade.

 

I wonder though, no mention of M1? Have they not tried it on Apple hardware, or is there something inherent in their designs that prevent this?

Very good point, hadn't even thought about that.

 

Maybe its the T1?

[Sauron]

[CarlBar]

14 minutes ago, AluminiumTech said:

But seriously, AMD not being affected makes you wonder what Intel and ARM are doing to constantly get these vulnerabilities.

 

Remember design wise there's a tendency towards evolutionary designs. ARM and Intel went heavy on features that proved vulnerable, AMD largely hasn't. That means it's a lot easier for AMD to fix things up as they need radical redesigns on less of their architecture. Your talking throwing 10+ years of development work out the window to start over, thats a lot of catch-up to do and isn't going to arrive quickly.

[porina]

28 minutes ago, AluminiumTech said:

But seriously, AMD not being affected makes you wonder what Intel and ARM are doing to constantly get these vulnerabilities.

You make it sound like AMD was immune but they were also affected by previous Spectre variations. I tried to find a simple summary table of who was affected by what and haven't managed to find one yet, but I did find the below saying that a new feature added to Zen 3 opened up a new vulnerability.

 

https://www.techradar.com/uk/news/amd-admits-zen-3-processors-are-vulnerable-to-spectre-like-side-channel-attack

[Somerandomtechyboi]

Yayyy more f ing slowdowns just because of this spectre nonsense

 

i only just got x58, i dont need the damn performance to be nuked just as i get it, that will mean having to run this thermonuclear reactor of a 12 year old 6 core even faster which also means rip power bills and rip cooler (max 4g at 95c w 1.27v on prime95 smallest ffts), well atleast this isnt the only platform getting nuked cause of this spectre bullcrap

¯\_ (ツ) _/¯ 

[mr moose]

26 minutes ago, CarlBar said:

 

Remember design wise there's a tendency towards evolutionary designs. ARM and Intel went heavy on features that proved vulnerable, AMD largely hasn't. That means it's a lot easier for AMD to fix things up as they need radical redesigns on less of their architecture. Your talking throwing 10+ years of development work out the window to start over, thats a lot of catch-up to do and isn't going to arrive quickly.

They are all doing everything they can to be revolutionary, that is how businesses keep in front of competitors.  Intel hit a design problem with SE, AMD hit a design problem with GN and bulldozer.  With Speculative execution AMD just got lucky with a design that was more immune to it than intel's design,  I really doubt it had anything to do with intention.   I also don't think the absence of a problem on one product means that that product is intrinsically easier to fix.

[Lightwreather]

Welp, clearly someone had cursed computers during the early 2020s.

Can I propose a witch hunt to find out whom?

/s

[Salv8 (sam)]

5 minutes ago, J-from-Nucleon said:

Welp, clearly someone had cursed computers during the early 2020s.

Can I propose a witch hunt to find out whom?

/s

mate a witch hunt would actually be a worthwhile investment, find out who cursed us and why.

[Sauron]

1 hour ago, Rauten said:

I wonder though, no mention of M1? Have they not tried it on Apple hardware, or is there something inherent in their designs that prevent this?

1 hour ago, Master Disaster said:

Very good point, hadn't even thought about that.

 

Maybe its the T1?

The T1 can't do anything about speculative execution vulnerabilities. However, this isn't really an ISA related problem. Just like AMD can be unaffected while Intel is, Apple's chips may not be affected even though ARM Cortex chips are. ARM chips seem to be vulnerable to the exploit because they use a mechanism called "branch history buffer" in their speculative execution pipeline, I haven't found any information on a possible Apple equivalent. Remember that this is a specific exploit that is shown to be possible on these chips, it doesn't mean there are no unknown different exploits that could apply to other chips.

[leadeater]

6 hours ago, mr moose said:

With Speculative execution AMD just got lucky with a design that was more immune to it than intel's design,  I really doubt it had anything to do with intention.

Nah AMD on purpose as part of the cache and memory design implemented more validation and gatekeeping. This was due to the known existing issues that did or could in theory, that did, affect all modern CPUs.

 

It was no fluke, however they did have the benefit of circumstances and timing, two things not afforded to Intel or ARM.

 

Some of these specific designs were given by AMD as evidence to why they were not vulnerable to some of the Speculative exploits that Intel, PowerPC, ARM etc were. Everyone seems to forget IBM/PowerPC, yes they were affected also.

[LAwLz]

It honestly amazes me that people still talk about Spectre as if it was something that only affected Intel and not AMD.

Even when the original announcement was first made, AMD processors were vulnerable to 2 out of the 3 attacks, yet people pretended like it was an Intel issue (Intel were vulnerable to 3 out of 3).

 

Anyway, I wouldn't bet on AMD being immune but I hope they are, and I hope Intel and ARM fixes this issue quickly.

[Zodiark1593]

3 hours ago, Master Disaster said:

Very good point, hadn't even thought about that.

 

Maybe its the T1?

During the original Spectre and Meltdown releases, Apple explicitly mentioned patching iOS for the vulnerabilities, which would infer that, at least at one point, Apple CPUs were especially vulnerable. 

[Master Disaster]

22 minutes ago, LAwLz said:

It honestly amazes me that people still talk about Spectre as if it was something that only affected Intel and not AMD.

Even when the original announcement was first made, AMD processors were vulnerable to 2 out of the 3 attacks, yet people pretended like it was an Intel issue (Intel were vulnerable to 3 out of 3).

 

Anyway, I wouldn't bet on AMD being immune but I hope they are, and I hope Intel and ARM fixes this issue quickly.

Yeah, I remember it clearly because I was running a 2700X at the time and when it first hit I thought I had dodged the bullet. It only took a few weeks for the AMD equivalent to emerge though.

[Sauron]

32 minutes ago, LAwLz said:

Even when the original announcement was first made, AMD processors were vulnerable to 2 out of the 3 attacks, yet people pretended like it was an Intel issue (Intel were vulnerable to 3 out of 3).

The thing with that was that mitigations for AMD didn't have the same performance impact as those for Intel, since the third vulnerability was also the worst one.

[Mark Kaine]

Maybe Im rembering wrong, but didn't they first say AMD isnt vulnerable to the first exploit and that later changed to "less" vulnerable?

 

I do remember doing this "ghost spectre" (?) test and there was no discernable performance difference with or without the patches (although i didn't really trust that test either*)

 

 

edit: oh i see, so it *was* affected too

*edit2: reason i didn't trust the test was i also run it on my intel laptop and there wasnt a performance difference either ¯\_(ツ)_/¯

[CarlBar]

7 hours ago, mr moose said:

They are all doing everything they can to be revolutionary, that is how businesses keep in front of competitors.  Intel hit a design problem with SE, AMD hit a design problem with GN and bulldozer.  With Speculative execution AMD just got lucky with a design that was more immune to it than intel's design,  I really doubt it had anything to do with intention.   I also don't think the absence of a problem on one product means that that product is intrinsically easier to fix.

 

I never said anything about intent. I was just pointing out that AMD's approach, (however it happened) has left them less vulnerable to start with and that gives them less work to do to fill in the holes. Intel/e.t.c. have across the board issues throughout their speculative execution systems and because design is evolutionary rather than revolutionary, (in general), Intel/e.t.c. would have to discard enormous amounts of stuff and start over to guarantee killing future exploits, whilst AMD can mostly keep what they have and continue to build on it as most of it seems to be sound from a security standpoint, (they still have some work to do, but the less they have to rip out the more they can benefit from all their previous work).

 

5 hours ago, LAwLz said:

It honestly amazes me that people still talk about Spectre as if it was something that only affected Intel and not AMD.

Even when the original announcement was first made, AMD processors were vulnerable to 2 out of the 3 attacks, yet people pretended like it was an Intel issue (Intel were vulnerable to 3 out of 3).

 

Anyway, I wouldn't bet on AMD being immune but I hope they are, and I hope Intel and ARM fixes this issue quickly.

 

I've been including qualifying statements for a reason, AMD has been hit, but not as consistently or severely as Intel/e.t.c. There's clearly somthing in their design of their branch prediction architecture that renders them less vulnerable. And that means they have a lot less work to do to close the holes they do have.

 

4 hours ago, Mark Kaine said:

Maybe Im rembering wrong, but didn't they first say AMD isnt vulnerable to the first exploit and that later changed to "less" vulnerable?

 

I do remember doing this "ghost spectre" (?) test and there was no discernable performance difference with or without the patches (although i didn't really trust that test either*)

 

 

edit: oh i see, so it *was* affected too

*edit2: reason i didn't trust the test was i also run it on my intel laptop and there wasnt a performance difference either ¯\_(ツ)_/¯

 

Thats my memory, AMD was initially declared not vulnerable, then versions of some of the exploits where found on AMD. In general Intel has been hit more often and harder, with AMD often requiring quite a bit of modification to make attacks work, if they can be made workable at all. But they haven't been immune.

[starsmine]

Well, AMD added Shadow Stack for a reason with zen 3, for the rare times where a sepctre adjacent attack does get through, shadow stack can flag it, since it acts like ECC but for the stack. 

[AlTech]

13 hours ago, porina said:

You make it sound like AMD was immune but they were also affected by previous Spectre variations. I tried to find a simple summary table of who was affected by what and haven't managed to find one yet, but I did find the below saying that a new feature added to Zen 3 opened up a new vulnerability.

 

https://www.techradar.com/uk/news/amd-admits-zen-3-processors-are-vulnerable-to-spectre-like-side-channel-attack

I mean at the time when Spectre happened AMD was immune, it's only somehow after the fact that it's changed.

[Curufinwe_wins]

18 minutes ago, AluminiumTech said:

I mean at the time when Spectre happened AMD was immune, it's only somehow after the fact that it's changed.

This is not correct and never was correct. GPZ Variant 1 affected AMD from the start and AMD admitted as much. AMD tried to claim immunity to GPZ Variant 2, and had to walk back that statement 9 days later because it was in fact *ALSO* applicable. 

 

Quote

In a blog post, the Project Zero team stated that one of these security flaws—dubbed the “Spectre” vulnerability—allows third parties to gather passwords and other sensitive data from a system’s memory.  In response to the Project Zero team’s announcement, a spokesperson for AMD advised investors that while its own chips were vulnerable to one variant of Spectre, there was “near zero risk” that AMD chips were vulnerable to the second Spectre variant.

Then, on January 11, 2018, post-market, AMD issued a press release entitled “An Update on AMD Processor Security,” acknowledging that its chips were, in fact, susceptible to both variants of the Spectre security flaw.

 

Salt at the compilation source, it is actually well written though: https://wccftech.com/amd-class-action-law-suits-for-spectre-vulnerabilities-intel-four-meltdown/

 

The most recent related vulnerability before today in April of '21 also affected both Intel and AMD through uOP caching.

 

[Arika]

29 minutes ago, AluminiumTech said:

I mean at the time when Spectre happened AMD was immune, it's only somehow after the fact that it's changed.

which means it wasn't immune, it just took a bit longer to find the exploit because it wasn't 100% identical to intel and ARM, which i suspect will be the same case with this one.

[tim0901]

14 hours ago, AluminiumTech said:

But seriously, AMD not being affected makes you wonder what Intel and ARM are doing to constantly get these vulnerabilities.

AMD is just affected by other speculative execution vulnerabilities. Here's one released the same day:

 

https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1026

 

Quote

"Mitigation G-5 helps address potential vulnerabilities associated with speculative behavior of branch instructions."

 

CVE - https://access.redhat.com/security/cve/cve-2021-26341

CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26341 (Not yet live)

 

I have to question why AMD's vulnerabilities don't get the same headlines as those for Intel. Red Hat's assessment of both vulnerabilities lists them as equal in impact/CVSS score (here's their page on the Intel/ARM vulnerability) so I don't think it's because one of them is far more dangerous than the other.

 

Is it really just that people like to shit on Intel?