
Intel and AMD affected by 2 security flaws

https://www.nytimes.com/2018/01/03/business/computer-flaws.html

 

Previously we only knew about Meltdown, a bug affecting only Intel CPUs. Google has now told us about Spectre, which affects all CPUs, such as Intel, ARM and AMD.

 

Meltdown can be patched, with the performance hit (which has been found to be about 3% in games; 5% in DX12 games; source), but Spectre has no known patch. Spectre is harder to exploit though.

 

Link to more in-depth info from Google: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html


Quote

"Linux operating system"

My head hurts.


9 minutes ago, Misanthrope said:

Your thread title is incorrect (and misleading). AMD is only affected by 1 and not 2 security flaws; only Intel is affected by both.

Technically you're incorrect. There are 3 variants of attack, 2 of which fall under the name of Spectre. AMD and ARM are vulnerable to Spectre (variants 1 and 2) while Intel is vulnerable to all 3 variants (Spectre and Meltdown).

Also, Spectre can be patched, but it has to be on an individual software basis.


14 minutes ago, PocketNerd said:

Technically you're incorrect. There are 3 variants of attack, 2 of which fall under the name of Spectre. AMD and ARM are vulnerable to Spectre (variants 1 and 2) while Intel is vulnerable to all 3 variants (Spectre and Meltdown).

Also, Spectre can be patched, but it has to be on an individual software basis.

AMD is only confirmed for variant 1, part of Spectre. There are two different proof of concept exploits using variant 1.

https://googleprojectzero.blogspot.co.nz/2018/01/reading-privileged-memory-with-side.html


Oddly enough, their testing methodology didn't include Ryzen.  I'd really like them to revisit that, because I'm curious if Ryzen is also vulnerable.

 

Quote

Tested Processors

  • Intel(R) Xeon(R) CPU E5-1650 v3 @ 3.50GHz (called "Intel Haswell Xeon CPU" in the rest of this document)
  • AMD FX(tm)-8320 Eight-Core Processor (called "AMD FX CPU" in the rest of this document)
  • AMD PRO A8-9600 R7, 10 COMPUTE CORES 4C+6G (called "AMD PRO CPU" in the rest of this document)
  • An ARM Cortex A57 core of a Google Nexus 5x phone [6] (called "ARM Cortex A57" in the rest of this document)

 


12 minutes ago, Jito463 said:

Oddly enough, their testing methodology didn't include Ryzen.  I'd really like them to revisit that, because I'm curious if Ryzen is also vulnerable.

It is, see other topic. Have to actually read the Spectre white paper, which says it was tested.


16 minutes ago, leadeater said:

AMD is only confirmed for variant 1, part of Spectre. There are two different proof of concept exploits using variant 1.

https://googleprojectzero.blogspot.co.nz/2018/01/reading-privileged-memory-with-side.html

https://www.amd.com/en/corporate/speculative-execution

 

But they are using ambiguous language, not exactly ruling it out while making it sound like it's nothing.  This reads to me like it is vulnerable, just they don't know how yet. EDIT: or more importantly how to mitigate it yet.


1 minute ago, mr moose said:

https://www.amd.com/en/corporate/speculative-execution

 

But they are using ambiguous language, not exactly ruling it out while making it sound like it's nothing.  This reads to me like it is vulnerable, just they don't know how yet.

Variant 3 is as far as I've read not at all applicable to AMD, variant 2 possibly but speculation is just that. Until it can be demonstrated it'll have to stay on the unaffected list, this one will have the bigger performance impact so a preemptive patch would be premature in my opinion.


So we can at least add "Possibly" to the title for the time being? Because again this feels like trying to lump in AMD in something they might or might not be affected by, to different extents and definitively not on the most egregious of exploits like Intel.


2 hours ago, Syryquil said:

Previously we only knew about Meltdown, a bug affecting only Intel CPUs. Google has now told us about Spectre, which affects all CPUs, such as Intel, ARM and AMD.

 

Meltdown can be patched, with the performance hit (which has been found to be about 3% in games; 5% in DX12 games; source), but Spectre has no known patch. Spectre is harder to exploit though.

Maybe now we can move on from the timelock that is x86 and move forward to improve on things.


1 hour ago, Jito463 said:

Oddly enough, their testing methodology didn't include Ryzen.  I'd really like them to revisit that, because I'm curious if Ryzen is also vulnerable.

 

 

Who uses Ryzen?

xD

Had to do it.


Love a misleading thumbnail, me. Could have sworn AMD said that the only potential vulnerability they have is Branch Target Injection; however, there's no proof of an exploit happening and the other problem needs to be resolved by MoneySoft.


23 minutes ago, straight_stewie said:

Maybe now we can move on from the timelock that is x86 and move forward to improve on things.

If others could do it better, we'd have seen it already. Even IBM and ARM have failed so far to get close to the performance of x86. It's not the ISA at fault. It's the implementation.


2 hours ago, leadeater said:

AMD is only confirmed for variant 1, part of Spectre. There are two different proof of concept exploits using variant 1.

https://googleprojectzero.blogspot.co.nz/2018/01/reading-privileged-memory-with-side.html

AMD's processor was confirmed for variant 1 in a non-default state. Unless someone manually changed "eBPF JIT" to on, the processor appears to remain unaffected, unless that was not tested.

 

 

Now we need research done on Ryzen..


Note: the performance impact is caused by the patch for Meltdown, it seems like the patch for the 2 Surge exploits don't cause much of a performance difference.

34 minutes ago, Matu20 said:

TLDR, what do these attacks do?

It's maybe not the best source but it's at least something

TL;DR: the exploits allow you to read/write from different memory areas that you shouldn't have access to.

 


How is it even possible for security problems to happen to CPUs?


11 minutes ago, CTR640 said:

How is it even possible for security problems to happen to CPUs?

It would seem that some of the means CPU designers have employed in the pursuit of performance over the years have also opened the design up to security flaws.


26 minutes ago, samcool55 said:

Note: the performance impact is caused by the patch for Meltdown, it seems like the patch for the 2 Surge exploits don't cause much of a performance difference.

I'd be very careful trusting what AMD says regarding performance. That post is based on speculation and AMD's PR post.

There is a reason why they are using words like "negligible" instead of giving more objective percentage numbers.


3 hours ago, samcool55 said:

Note: the performance impact is caused by the patch for Meltdown, it seems like the patch for the 2 Surge exploits don't cause much of a performance difference.

Are you sure?

 

Quote

Preliminary conclusion

Given what I am currently seeing, desktop users and PC gamers should not be worried about significant performance drops. Most test results do show a negative effect on performance, but we're really talking in a realm of 2% differentials here. The file IO tests didn't worry me either, and we used the fastest consumer NVME SSD on the globe to be able to see a bigger effect when measured. We did see a bit of a drop off in 4K performance, mostly reads up-to 4%. That's the worst I have been able to find out of all tests though we had an issue with write perf (not related to the patches), we'll look into this but that likely is the newly updated Samsung NVMe driver. Now my remark here needs to include this, there probably will be some firmware updates and perhaps new patches, these all can have an effect on performance. However, if you have a reasonably modern PC and IF this patch is all there is to it, you'll be hard-pressed to notice any difference, if at all. Again I would like to re-iterate that the effect on older dual and quad-core processors with a lower frequency could be far worse, the truth here is that I do not know the effect on that just yet. But on your average modern PC, this doesn't seem to be that worrying at all. That said - I'll need to test older processors, if there's a need performance differences wise, we'll certainly report back on that. 

This article is aimed at gamers and Windows 10 desktop users, the results in the server segment might look and be rather different. In the end, please do get yourself patched up okay?

They are preliminary but I don't see anything close to what the media and people are talking about.


2 hours ago, Bouzoo said:

Are you sure?

 

They are preliminary but I don't see anything close to what the media and people are talking about.

Very sure. It's when the system gets a lot of syscalls that stuff starts to go downhill, and that's exactly what it's all about in the business world. Database stuff, webservers, compilers that use a lot of small files: those workloads are taking a big hit. The average user like us will very likely not notice any difference because we don't have workloads that are really heavy.

The hits aren't 30% but more like 10% which can be a big deal. Just imagine you are running a business and you pay 10k a month for a cloud service, suddenly for the same service you'll need to pay an extra 10% because you don't get as much performance as you used to due to this.

 

That's why the big guys are worried, because someone will pay for this eventually. Consumers don't need to worry, we'll get patches and probably end up with a very small performance hit, end of story. But the guys, especially the ones that offer cloud services like AWS and MS Azure, those guys will feel this and I won't blame them if they are mad about this, specifically at Intel, because not only will they offer a "worse" service than before (worse performing VMs) but also the massive reboot in a few days for Azure, for example, will cause angry calls and mad people, which is something they don't want.

 

Benchmarks on both AMD and Intel hardware can be found here:

https://www.phoronix.com/scan.php?page=article&item=linux-kpti-kvm&num=2

https://www.phoronix.com/scan.php?page=article&item=linux-more-x86pti&num=1

https://www.phoronix.com/scan.php?page=article&item=linux-415-x86pti&num=2


13 minutes ago, samcool55 said:

Oh, good good. I haven't been following this very closely, but nowhere did I find people mentioning enterprise hardware (I know, quite bizarre), nor have I been researching for sources. 


12 minutes ago, Bouzoo said:

Oh, good good. I haven't been following this very closely, but nowhere did I find people mentioning enterprise hardware (I know, quite bizarre), nor have I been researching for sources. 

Good sources that validate this "disaster" are indeed rare. It requires a lot of testing and the fact patches appear basically everywhere and almost nobody knows if they actually work or not doesn't help much either.

 

The fact a patch was released to fix the Meltdown bug and then another patch to disable the Meltdown patch for AMD CPUs is just a small example of how confusing and, imo, messy it currently is.

 

edit: source (it's quite technical btw) https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=00a5ae218d57741088068799b810416ac249a9ce&utm_source=anz

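On the question raised above of whether anyone can tell if the patches are actually in place: Linux kernels carrying these fixes (4.15 and later) publish their own per-variant status under /sys/devices/system/cpu/vulnerabilities. The following is an added example, not part of any post in this thread; it maps the thread's variant numbering onto those files, and the sample file contents and function names are constructed for illustration.

```python
from pathlib import Path

# Directory where patched Linux kernels publish one status file per issue.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# The thread's variant numbering mapped to the kernel's file names.
VARIANTS = {
    "variant 1 (Spectre)": "spectre_v1",
    "variant 2 (Spectre)": "spectre_v2",
    "variant 3 (Meltdown)": "meltdown",
}

# Constructed sample contents (not captured from a real machine).
SAMPLE_A = {"meltdown": "Mitigation: PTI\n", "spectre_v1": "Vulnerable\n",
            "spectre_v2": "Mitigation: Full generic retpoline\n"}
SAMPLE_B = {"meltdown": "Not affected\n",
            "spectre_v1": "Mitigation: __user pointer sanitization\n"}

def classify(text):
    """Turn one status line into (state, detail)."""
    line = text.strip()
    if line == "Not affected":
        return ("not_affected", "")
    if line.startswith("Mitigation:"):
        return ("mitigated", line.split(":", 1)[1].strip())
    if line.startswith("Vulnerable"):
        return ("vulnerable", line[len("Vulnerable"):].lstrip(": ").strip())
    return ("unknown", line)

def report(status_files):
    """status_files maps file name -> content; a missing file means the
    kernel predates the reporting interface, so patch state is unknown."""
    return {label: classify(status_files[name]) if name in status_files
            else ("unreported", "")
            for label, name in VARIANTS.items()}

def needs_attention(rep):
    """Variants the kernel does not declare as mitigated or not affected."""
    return sorted(label for label, (state, _) in rep.items()
                  if state not in ("mitigated", "not_affected"))

def read_sysfs(directory=SYSFS_DIR):
    """Read the live status files; empty dict if the directory is absent."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}

if __name__ == "__main__":
    files = read_sysfs() or SAMPLE_A  # fall back to the constructed sample
    for label, (state, detail) in report(files).items():
        print(f"{label}: {state} {detail}".rstrip())
    print("needs attention:", needs_attention(report(files)))
```

A missing status file is treated as "unreported" rather than safe, since an older kernel simply says nothing about its patch state.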

13 hours ago, CTR640 said:

How is it even possible for security problems to happen to CPUs?

Because CPUs are so complex that humans are not able to grasp the entirety of the device. By its sheer nature it is impossible to account for every possible scenario that might occur; this is why all new CPUs have copious amounts of fixes and after-release adjustments (errata). It is not uncommon for many of the issues to be security related.
