Vulnerability Note VU#584653 - CPU Hardware Attacks Solution

FrgMstr

The guys that run the Vulnerability Notes Database finally have the 100% solution to defend against the Meltdown and Spectre attacks. Thanks cageymaru.

Solution - Replace CPU hardware

The underlying vulnerability is primarily caused by CPU implementation optimization choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware.

Glad we got that all fixed up, now we can move forward.
 
It indicates that AMD is "Affected" yet several posts say it is not. Does this relate to old AMD CPUs versus newer? Clarification is needed.

Drilling down through the links isn't clear, at least in first quick read.

I should add, thanks Kyle for your following and posts on the general subject!!
 
It indicates that AMD is "Affected" yet several posts say it is not. Does this relate to old AMD CPUs versus newer? Clarification is needed.

Drilling down through the links isn't clear, at least in first quick read.

I should add, thanks Kyle for your following and posts on the general subject!!
Two different issues have come out: Meltdown and Spectre. AMD seems to be affected by Spectre (along with Intel and ARM), but Intel seems to be the Meltdown target, and also the patch that's apparently going to affect performance from isolation overhead.
 
It indicates that AMD is "Affected" yet several posts say it is not. Does this relate to old AMD CPUs versus newer? Clarification is needed.

Drilling down through the links isn't clear, at least in first quick read.

I should add, thanks Kyle for your following and posts on the general subject!!

--------------------------------
AMD Information for VU#584653
CPU hardware vulnerable to side-channel attacks
Status
Affected

Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
----------------------------------

AMD issued a statement. I think the guys at CERT are not up to date on what's going on, nor did they bother contacting them, maybe not even tried to replicate it on an AMD system; my guess is they just assumed all x86 are affected.
The statement will probably be updated later.
 
Ah, OK, I've got some 386 systems up in the shed, guess it's time to dust 'em off. Back to Turbo Pascal too.
 
It indicates that AMD is "Affected" yet several posts say it is not. Does this relate to old AMD CPUs versus newer? Clarification is needed.

Drilling down through the links isn't clear, at least in first quick read.

I should add, thanks Kyle for your following and posts on the general subject!!


https://www.amd.com/en/corporate/speculative-execution
 
This begs the further question, replace my CPU with what? Unless the newest Intel or AMD CPUs don't have this issue how exactly can you avoid it?
 
Two different issues have come out: Meltdown and Spectre. AMD seems to be affected by Spectre (along with Intel and ARM), but Intel seems to be the Meltdown target, and also the patch that's apparently going to affect performance from isolation overhead.
Also from what I gather Meltdown is the worse of the 2, and capable of being actively implemented via JavaScript and webpages. Spectre is more proof-of-concept / theoretical. They're not even sure how it could really be targeted.
 
This begs the further question, replace my CPU with what? Unless the newest Intel or AMD CPUs don't have this issue how exactly can you avoid it?
They mean replace it once those available CPUs are released. Right now there is nothing you can replace with, other than perhaps any AMD CPU since they claim they aren't affected by Meltdown.
 
So is this like Zika bad, where everyone freaks out disproportionately to the actual impact? Or is this more like polio, where everyone freaks out and it is legitimately terrible? Just curious about the legitimacy of my knee-jerk reaction to build a Ryzen system...
 
I wonder, for the security conscious of us: will Intel offer a refund and replacement costs for my Intel CPU, heat sink and motherboard? My RAM and everything else can function on a new platform. But those two things are done.
 
So is this like Zika bad, where everyone freaks out disproportionately to the actual impact? Or is this more like polio, where everyone freaks out and it is legitimately terrible? Just curious about the legitimacy of my knee-jerk reaction to build a Ryzen system...

Well, I'd build a Ryzen anyway (I did), but I'd say it's somewhere in between.
 
Question: Does this affect my ability to view pornography or game? No? I'm good. I mean, terrible situation but, you know..I'm good.
You should be fine until the porn servers slow down to a crawl (since they were near maxed out)...but slow motion porn is still good right?
 
I wonder, for the security conscious of us: will Intel offer a refund and replacement costs for my Intel CPU, heat sink and motherboard? My RAM and everything else can function on a new platform. But those two things are done.

That's about as likely as unicorns.
 
Just wondering how Intel is going to replace or compensate Google, Microsoft, Alibaba for their CPUs? Would love to read the contract right now :D
 
The people at Vulnerability Notes Database apparently don't know much about microprocessors.

1) Replacing the CPU only eliminates the vulnerability if there is a non-vulnerable CPU. I'm not aware of any at this time.

2) OS mitigation effectively can eliminate the vulnerability. For example, looking at the Project Zero PoCs, Meltdown vulnerability can be eliminated if kernel code always flushes the L1 data cache before reducing privilege. Because modern CPUs have a relatively fast L2 backing the L1, performance impact might not be significant. Spectre variant 1 vulnerability might be eliminated by making sure every user process is in its own 4GB virtual memory space(s) that are not shared with other applications or with the kernel. Not much performance impact there, either, VMA space is cheap and abundant in 64-bit OSes.

3) The microcode patch capability in modern CPUs is pretty powerful. I won't be surprised if it's possible to patch-out the vulnerability via a bios update.

I won't be surprised when the hysteria over this bug fades, it turns out to be not much of an issue for most people.
 
Correct me if I get this wrong: the vulnerabilities on Intel CPUs are related to engineering decisions that improved IPC?

So AMD almost reached Intel's level of IPC without resorting to exploitable solutions?
 
Question: Does this affect my ability to view pornography or game? No? I'm good. I mean, terrible situation but, you know..I'm good.
But any data you have in a cloud environment whose backbone is running on an Intel VM platform (very likely vSphere + Intel) is theoretically exposed. Your Google data, your Apple data, Dropbox, AWS, Azure, OneDrive etc.....
 
The people at Vulnerability Notes Database apparently don't know much about microprocessors.

1) Replacing the CPU only eliminates the vulnerability if there is a non-vulnerable CPU. I'm not aware of any at this time.

2) OS mitigation effectively can eliminate the vulnerability. For example, looking at the Project Zero PoCs, Meltdown vulnerability can be eliminated if kernel code always flushes the L1 data cache before reducing privilege. Because modern CPUs have a relatively fast L2 backing the L1, performance impact might not be significant. Spectre variant 1 vulnerability might be eliminated by making sure every user process is in its own 4GB virtual memory space(s) that are not shared with other applications or from the kernel.

3) The microcode patch capability in modern CPUs is pretty powerful. I won't be surprised if it's possible to patch-out the vulnerability via a bios update.

I won't be surprised when the hysteria over this bug fades, it turns out to be not much of an issue for most people.

No BIOS update possible, it's a hardware flaw and fundamental to the design of speculative execution. It's already been stated before from numerous sources that it's not fixable in BIOS.

Also, I'm sure Krzanich is pretty damn confident Intel will fix it with a BIOS patch, right, since he just dumped $24 million of his stock lol?
 
Intel Release #1: "We recommend replacing all your hardware with our newest, fixed CPUs when they become available. We would like to reward our loyal customer base with a $10 off coupon for their inconvenience."

Intel Release #2: "We are increasing MSRPs for our CPUs by $20 across the board."
 
But any data you have in a cloud environment whose backbone is running on an Intel VM platform (very likely vSphere + Intel) is theoretically exposed. Your Google data, your Apple data, Dropbox, AWS, Azure, OneDrive etc.....

"Theoretically exposed"? Have you read what it takes to pull these attacks off, and what the result is? 2000 bytes/sec of random information leakage. Wow.

For most people, the risk of being "exposed" by a malicious act of some disgruntled AWS/Google sysadmin, or even more likely by their own stupidity (e.g., publicly accessible AWS stores), is probably much higher.
 
Well, I guess that's one way to boost the CPU sales, am I right?

1. Sneak in a vulnerability
2. Wait for everyone to upgrade
3. Disclose vulnerability
4. PROFIT
 
The first thing I thought of was that Intel intentionally put this "flaw" into their processors as a backdoor at the request of the NSA and just got caught. That's when I realized I had foil around my head.

But seriously... could there be a more perfect, easily exploitable flaw than this?
 
So is this like Zika bad, where everyone freaks out disproportionately to the actual impact? Or is this more like polio, where everyone freaks out and it is legitimately terrible? Just curious about the legitimacy of my knee-jerk reaction to build a Ryzen system...

For YOUR PC? Probably not that much impact, at least once your OS is patched.

For the Internet in general, it will be quite expensive/painful. And if your data is compromised, it could be quite bad for you indeed.
 
The first thing I thought of was that Intel intentionally put this "flaw" into their processors as a backdoor at the request of the NSA and just got caught. That's when I realized I had foil around my head.

But seriously... could there be a more perfect, easily exploitable flaw than this?

There are murmurings that this flaw is connected to many unexplained state level breaches/attacks.
 
No BIOS update possible, it's a hardware flaw and fundamental to the design of speculative execution. It's already been stated before from numerous sources that it's not fixable in BIOS.

Also, I'm sure Krzanich is pretty damn confident Intel will fix it with a BIOS patch, right, since he just dumped $24 million of his stock lol?

You apparently aren't aware that a BIOS can (and often does) include code issued by the CPU manufacturer that patches the internally-stored microcode of the CPU itself. See https://www.intel.com/content/www/us/en/support/articles/000006993/processors.html. It's been used to correct hardware flaws in the past, and apparently will be used to fix this too.

And Krzanich's stock sale was probably scheduled long ago. Speculation that it was a response to this bug is just fake news.
 
The first thing I thought of was that Intel intentionally put this "flaw" into their processors as a backdoor at the request of the NSA and just got caught. That's when I realized I had foil around my head.

But seriously... could there be a more perfect, easily exploitable flaw than this?
Yes. Easily. Google "IME"
 
Where? Where is your proof? You got jack to back up your claims.
You didn't bother to read the links I provided, did you?
Sorry, though, I had to give up my red-cover architecture documents when I left Intel, so I can't provide the section on microcode patching to you as "proof."
Nor will I violate the confidentiality agreement I signed when I joined Intel by telling you any of the decade-old details I might remember.
 
Where? Where is your proof? You got jack to back up your claims.
He embedded links. He is right though, and not only can microcode fixes be placed in the BIOS, they can be updated by the OS as well.

Microcode updates in the BIOS are why my Dell 390 can't run Ivy Bridge processors while the Dell 3010 with the EXACT SAME motherboard can.
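
Added example, not part of the thread or any poster's code: a Python check of the microcode revision that the BIOS or OS loaded, together with the `bugs` flags an x86 Linux kernel reports, parsed from `/proc/cpuinfo`. The sample text is constructed, and `minimum_revision` is a placeholder for the revision named in your CPU vendor's guidance.

```python
import re

# Constructed sample of x86 Linux /proc/cpuinfo (two logical CPUs, illustrative values).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
microcode\t: 0x22
bugs\t\t: cpu_meltdown spectre_v1 spectre_v2

processor\t: 1
vendor_id\t: GenuineIntel
microcode\t: 0x23
bugs\t\t: cpu_meltdown spectre_v1 spectre_v2
"""


def parse_cpuinfo(text):
    """Return one dict of fields per logical CPU block."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            cpus.append(fields)
    return cpus


def audit(text, minimum_revision):
    """Summarise microcode revisions and kernel-reported CPU bug flags."""
    cpus = parse_cpuinfo(text)
    revisions = {int(c["processor"]): int(c.get("microcode", "0x0"), 16) for c in cpus}
    return {
        "revisions": revisions,
        # Revisions that differ between cores are worth investigating.
        "mixed": len(set(revisions.values())) > 1,
        "below_minimum": sorted(n for n, r in revisions.items() if r < minimum_revision),
        # Flags name issues the kernel considers this CPU affected by, not mitigation state.
        "bugs": sorted({b for c in cpus for b in c.get("bugs", "").split()}),
    }


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_CPUINFO  # fall back to the constructed sample off Linux
    print(audit(text, minimum_revision=0x23))  # 0x23 is a placeholder threshold
```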
 