Bad news: A Spectre-like flaw will probably happen again

[startrekkie1701]

https://www.cnet.com/news/spectre-meltdown-arm-intel-apple-qualcomm-softbank-simon-segars-pcs-phones/

 

More bad news from this incident, and it's looking like thanks to this due to how cybersecurity is ever changing, according to the CEO of Arm Holdings Simon Segars, unless security is also on the hardware level (e.g. the very much not-going-to-happen elimination of what made Spectre and Meltdown a thing to begin with), reports like this...may be commonplace moving forward.

[bleedblue]

*Laughs in Ryzen*

[PocketNerd]

Makes sense, Security is a constant battle.

[straight_stewie]

1 minute ago, bleedblue said:

*Laughs in Ryzen*

Ryzen hasn't been third party tested for vulnerability yet. All you have is AMD's good word. 

[captain_to_fire]

 

Does it mean people should hold out until 9th generation Intel processors are released or not buy a phone at the moment until hardware changes are made on their SoCs?

[startrekkie1701]

1 minute ago, bleedblue said:

*Laughs in Ryzen*

I can't deny that I'm quite happy now knowing my first rig I'm building's gonna have a Ryzen 1700 in it so I'm with you on that.

 

That doesn't change the fact my laptop has a Kaby Lake i5 though...

[bleedblue]

Just now, straight_stewie said:

Ryzen hasn't been third party tested for vulnerability yet. All you have is AMD's good word. 

*Sweats in Ryzen*

[Canada EH]

8 minutes ago, straight_stewie said:

Ryzen hasn't been third party tested for vulnerability yet. All you have is AMD's good word. 

Will they show us how Ryzen is with a basic simple virus or bug?

Thats always their game plan, especially when showing off a product. Basic games with 828fps on ultra and no mention of what the game is.

[TetraSky]

Awesome, more CPU issues being discovered!
With some luck, it means that next gen CPUs will have these flaws patched in and will take another 20 years for new flaws to be found.

[straight_stewie]

Just now, gabrielcarvfer said:

The only way to let them fix problems after discovered is using FPGAs everywhere, but I doubt that this wouldn't be exploited in no time. Having a static flaw in hardware is better than having one that can change.

If we started using FPGAs for everything people would just look for flaws in the reprogramming logic anyway, and then we would have real problems.

[Mira Yurizaki]

Security has been on a hardware level to some degree. The problem is how it's implemented. Does speculative execution inherently carry security flaws like this? Or can you make it so it won't do things like reveal ring 0 data in a ring 3 context?

 

But hey, if we move to VLIW or NISC CPUs, Meltdown and Spectre won't be a problem because speculative execution is not used in those architectures.

[Zodiark1593]

So uhmm, me thinks I'll be using a Raspberry pi for general browsing.

 

 

6 minutes ago, M.Yurizaki said:

Security has been on a hardware level to some degree. The problem is how it's implemented. Does speculative execution inherently carry security flaws like this? Or can you make it so it won't do things like reveal ring 0 data in a ring 3 context?

 

But hey, if we move to VLIW or NISC CPUs, Meltdown and Spectre won't be a problem because speculative execution is not used in those architectures.

I am curious what implications it would carry for, well basically everything, if it is found that Speculative Excecution inherently carries such a downside.

[LtStaffel]

19 minutes ago, gabrielcarvfer said:

The only way to let them fix problems like that after discovering those flaws is using FPGAs everywhere, but I doubt that this wouldn't be exploited in no time. Having a static flaw in hardware is better than having one that can change.

We'll be using quantum computers way before we move to FPGAs

[leadeater]

38 minutes ago, straight_stewie said:

Ryzen hasn't been third party tested for vulnerability yet. All you have is AMD's good word. 

The researchers did test Ryzen and it was only confirmed vulnerable to Spectre Variant 1 with OS patches being able to mitigate that risk. Spectre Variant 2 was theorized as being vulnerable for AMD processors but throughout all their testing they could not get a working exploit. So it might be possible and it might not, but there wasn't a lack of trying or independent testing.

[ItsMitch]

Brb checking intel stocks tomorrow

[mr moose]

Didn't we already say this?  I really feel there were a few of us that pointed out that the nature of security flaws means that you don't know they exists until you actually find them.  Meaning all the hardware/software out there potentially has flaws the same just waiting to be discovered.

[Arika]

CPUs are complex as shit pieces of hardware. of course there is always going to be vulnerabilities like this. nothing is ever going to be perfect and completely flaw free, not intel, not AMD, not apple, nothing.

 

just be thankful that the people finding these issues are doing it for the good of people instead of for malicious reasons

[jasonc_01]

2 hours ago, startrekkie1701 said:

https://www.cnet.com/news/spectre-meltdown-arm-intel-apple-qualcomm-softbank-simon-segars-pcs-phones/

 

More bad news from this incident, and it's looking like thanks to this due to how cybersecurity is ever changing, according to the CEO of Arm Holdings Simon Segars, unless security is also on the hardware level (e.g. the very much not-going-to-happen elimination of what made Spectre and Meltdown a thing to begin with), reports like this...may be commonplace moving forward.

Not surprised.

Also please grammars and punctuate better in the future. 

[DocSwag]

2 hours ago, Zodiark1593 said:

So uhmm, me thinks I'll be using a Raspberry pi for general browsing.

 

 

I am curious what implications it would carry for, well basically everything, if it is found that Speculative Excecution inherently carries such a downside.

I'm guessing that there's got to be a way to keep it from reading higher security level stuff when speculating. I'd imagine you could probably implement tags or something.

[mr moose]

1 hour ago, Sierra Fox said:

just be thankful that the people finding these issues are doing it for the good of people instead of for malicious reasons

And that they are doing the right thing getting all parties concerned to fix the issue before making it public. 

[SpaceGhostC2C]

3 hours ago, hey_yo_ said:

 

Does it mean people should hold out until 9th generation Intel processors are released or not buy a phone at the moment until hardware changes are made on their SoCs?

It could be even worse, since we don't know at which stage of development it is, and it's not clear how quickly can Intel (or anyone else) find an alternative design that can eliminate this threat while not sacrificing performance (nor how willing are they to release a "crippled" architecture while a suitable alternative is not yet found).

For instance, we know the issue became known to Intel in mid-2017 the latest, but Coffee Lake (and I think X299 too) got released anyway, even though it implied anticipating their own schedule. I wouldn't count on everything that comes out in the near future to be Spectre/Meltdown-free other than through the software patches being pushed.

[captain_to_fire]

9 minutes ago, SpaceGhostC2C said:

It could be even worse, since we don't know at which stage of development it is, and it's not clear how quickly can Intel (or anyone else) find an alternative design that can eliminate this threat while not sacrificing performance (nor how willing are they to released a "crippled" architecture while a suitable alternative is not yet found).

For instance, we know the issue became known to Intel in mid-2017 the latest, but Coffee Lake (and I think X299 too) got released anyway, even though it implied anticipating their own schedule. I wouldn't count on everything that comes out in the near future to be Spectre/Meltdown-free other than through the software patches being pushed.

I can understand the struggle for x86/64 processors but what about ARM? I'm guessing Apple's chip design team is working their asses right now to eliminate Meltdown and Spectre in their upcoming A12 chip for the 2018 iPhone but what about Qualcomm's Snapdragon 845? The chip was released by the end of 2017 so did Qualcomm did a redesign in the SoC architecture to patch Meltdown and Spectre without crippling performance? 

 

I just hope the 9th gen Intel processors got submitted to third parties for a security audit before selling them and I think other chip designers and manufacturers should do the same.

[Sniperfox47]

13 minutes ago, hey_yo_ said:

I can understand the struggle for x86/64 processors but what about ARM? I'm guessing Apple's chip design team is working their asses right now to eliminate Meltdown and Spectre in their upcoming A12 chip for the 2018 iPhone but what about Qualcomm's Snapdragon 845? The chip was released by the end of 2017 so did Qualcomm did a redesign in the SoC architecture to patch Meltdown and Spectre without crippling performance? 

 

I just hope the 9th gen Intel processors got submitted to third parties for a security audit before selling them and I think other chip designers and manufacturers should do the same.

You do realize that chip architecture development, whether for ARM or for X86 is a multi-year and increadibly complex project right? And that for Apple to implement a CPU on a phone, they have to have a largely finalized SoC many many months before the phone is due out right?

 

I wouldn't expect any of the chips coming out in 2018 to have mitigations for Spectre Variant 2. I'd honestly be surprised if even the 2019 chips have it.

[Zodiark1593]

Could an expansion card for desktops be made that is essentially a self-contained computer for running untrusted code? Perhaps like a Raspberri Pi AiB that runs the browser (with So-Dimm memory expansion), then sends the video output to your system for display.

 

Could be a way to prevent remote attacks for client/home based systems without affecting performance besides the browser and maybe reduce the need for the patches.

 

Heck, Intel has Atom cores without OoO they could use for such develolment. Ramp up the clocks a lot, add a gpu that can decode anything on the web, and it could do well for this role. User throws on the browser of choice and off they go.

 

 

*dumb idea, I knows...*

[Froody129]

2 hours ago, jasonc_01 said:

Not surprised.

Also please grammars and punctuate better in the future. 

Please use correct grammar and punctuate better in the future.*