Randomized Security Bulletin :: Spectre (update)

[TopHatProductions115]

According to recent sources, the Spectre vulnerability has only proved to be more potent as time passes. Now, even the resource isolation of nested VMs can't save you:

• https://crip.to/secrets/blog/new-round-of-hardware-exploits-found-in-intel-hardware
• https://www.tomshardware.com/news/intel-spectre-ng-cpu-flaws,37018.html

 

And this is only compounded by the fact that Intel stated (a month ago) that they won't be patching older CPUs for Spectre.

• https://www.theverge.com/2018/4/4/17198322/intel-spectre-patch-update-fix

 

While I do not believe that their is any particular (or bad, for that matter) motivation behind this move, I do think that it is a bad move on Intel's part. People have already purchased these devices, only to find out that they are now vulnerable to an attack that takes advantage of Speculative execution (possibly over a decade after initial purchase) - a feature that most modern Intel CPUs now have. If anything, I'd think it would be fair to at least try and provide working security patches (microcode changes) for cores dating back to the Intel Core 2 Duo/Core Duo (2005 and later) and call it a day. That would at least cover a vast majority of people using modern Intel-powered machines by giving them the option to apply the patch if they so choose. I also do understand that the performance hit would be pretty substantial. However, what would you rather sacrifice - your system's security at (some of) the lowest levels, or speed and performance? I'd rather at least have the option. Those who have it worst are those who aren't using Intel cores from the last 3 generations.

 

Please feel free to comment below about how this has affected you (if at all). Reddit has an older thread (from when Spectre and Meltdown were new to public eyes) if you wanna get in on any info that was found in that as well:
 

Also, a quick clarifying note:

https://stackoverflow.com/questions/49601910/out-of-order-execution-vs-speculative-execution

 

I now correct myself once more...

Edited May 12, 2018 by TopHatProductions115

[iRileyx]

I don't get what the news here is?

[TopHatProductions115]

@RKRiley It's not meant to be a news flash, as much as it is an update on the issue. In particular, one with a focus on Intel's response(s) to the vulnerabilities shown thus far. In addition to any new developments pertaining to the vulnerability itself (such as new forms of the exploit in question or new implications that may not have been covered on this forum prior to this post).

[Zodiark1593]

It would seem that letting the cpu re-order what code it runs on it's own accord wasn't a great idea from a security standpoint. Still, even if Spectre was trivial to exploit, I doubt that the security benefits of dropping Speculative Execution would ever outweigh the severe performance impact that doing so would impose.

 

Cortex A55 is probably the fastest in-order cpu core widely available, aside from maybe Nvidia's Denver core.

[TopHatProductions115]

@Zodiark1593

I have to say, when I was first learning about x86 arch (and learned about Speculative execution), I thought that it might be an issue - always have to think of:

"How is the CPU deciding what to execute next? Can that mechanism (or related processes) be altered to allow for a feasible attack vector?"

 

Corrected myself, @ScratchCat

Edited May 12, 2018 by TopHatProductions115

[ScratchCat]

2 hours ago, TopHatProductions115 said:

@Zodiark1593

I have to say, when I was first learning about x86 arch (and learned about OOO execution), I thought that it might be an issue - always have to think of:

"How is the CPU deciding what to execute next? Can that mechanism (or related processes) be altered to allow for a feasible attack vector?"

Isn't speculative execution different from/more of a subclass of OoO? Hence OoO is not necessarily the issue?

From what I understood speculative execution occurs when the processor attempts to start the calculations from a branch prior to the verification of the branch conditions while OoO mainly deals with executing independent instructions in a more efficient order i.e. to prevent idle time.

 

For example:

OoO:

/code
c <- 1
b <- 2
x <- y + z
a <- b + c

/cpu instruction order
r1 <- fetch y
r2 <- fetch z
r3 <- fetch c
r4 <- fetch b
/c and b arrive before z and y as in cache
r6 <- r3 + r4
/now execute y and z
r5 <- r1 + r2

Speculative Execution:

/code
if a = 5 do
  y <- 3
else do
  y <- 4
  
/cpu instructions
r1 <- fetch a
/while we are waiting we guess that a is 5 so start executing that branch
r2 <- 3
/a now arrives, we guessed in correctly so rollback event and continue
r2 <- 2

 

 

[mr moose]

4 hours ago, TopHatProductions115 said:

And this is only compounded by the fact that Intel stated (a month ago) that they won't be patching older CPUs for Spectre.

 - https://www.theverge.com/2018/4/4/17198322/intel-spectre-patch-update-fix

 

 

I'd be weary of trying to interpret motivation from a news article.  Many times companies do things for entirely different reasons than reported.  

 

[TopHatProductions115]

@mr moose Good point. While I did not intend to imply motivation, it could be interpreted as such. I shall correct that now.