New Speculative Execution Bug Allegedly Affects Intel CPUs

AlphaAtlas

[H]ard|Gawd
Staff member
Joined
Mar 3, 2018
Messages
1,713
Back in 2018, when the Spectre and Meltdown vulnerabilities were first publicized, many security experts feared that they opened a figurative Pandora's box. Those two exploits are part of a wider class of potential speculative execution flaws, and this week, those fears were realized, as researchers from Worcester Polytechnic Institute have revealed a new speculative execution exploit dubbed "Spoiler."

Intel CPUs reportedly use "dependency resolution logic" to resolve false dependencies when speculatively executing load operations, and the researchers say "the dependency resolution logic suffers from an unknown false dependency independent of the 4K aliasing. The discovered false dependency happens during the 1 MB aliasing of speculative memory accesses which is exploited to leak information about physical page mappings." In that vein, the researchers claim this particular exploit only requires "a limited set of instructions," and that all Intel "Core" CPUs running on any operating system are vulnerable to the attack. The attack can be loaded with Javascript code from a website, without any need for privilege escalation beforehand, and the researchers successfully demonstrated the exploit on Nehalem, Sandy Bridge, and Ivy Bridge-based Xeon servers. Intel was reportedly informed of the exploit on December 1st, 2018, and they recently published this response:

Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe software development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.

The research paper's conclusion:

While speculative execution enables both SPOILER and Spectre and Meltdown, our newly found leakage stems from a completely different hardware unit, the Memory Order Buffer. We exploited the leakage to reveal information on the 8 least significant bits of the physical page number, which are critical for many microarchitectural attacks such as Rowhammer and cache attacks. We analyzed the causes of the discovered leakage in detail and showed how to exploit it to extract physical address information. further, we showed the impact of SPOILER by performing a highly targeted Rowhammer attack in a native user-level environment. We further demonstrated the applicability of SPOILER in sandboxed environments by constructing efficient eviction sets from JavaScript, an extremely restrictive environment that usually does not grant any access to physical addresses. Gaining even partial knowledge of the physical address will make new attack targets feasible in browsers even though JavaScript-enabled attacks are known to be difficult to realize in practice due to the limited nature of the JavaScript environment. Broadly put, the leakage described in this paper will enable attackers to perform existing attacks more efficiently, or to devise new attacks using the novel knowledge.
 
Last edited:
  • Like
Reactions: PaulP
like this
I know it isn't likely to affect me in a meaningful way, but now some of the luster is gone from my beautiful new computer. :(
 
and just when you thought the waterfall dried up... it rains..


Someone on Hardocp have a suggestion? Aside from going AMD?

while most of this stuff sounds bad outside of corporate/business systems the risks are pretty low. i wouldn't go out and immediately buy an AMD system just because of these exploits even though the fear mongers will say otherwise. no one cares enough about the average users data when there are easier and cheaper ways to get your private information.
 
Last edited:
  • Like
Reactions: M76
like this
Someone on Hardocp have a suggestion? Aside from going AMD?

Disable javascript in your browser. I run with Palemoon along with the Toggle Javascript addon. I have trouble with a few sites, if I trust it I toggle java and reload. You could run a browser in a vm. A browser sandbox might also help, not sure.
 
I wouldn't go sticking my head in the sand.
and just when you thought the waterfall dried up... it rains..




while most of this stuff sounds bad outside of corporate/business systems the risks are pretty low. i wouldn't go out and immediately buy an AMD system just because of these exploits even though the fear mongers will say otherwise. no one cares enough about the average users data when there are easier and cheaper ways to get your private information.
 
Any meaningful performance lead that Intel has, dies, if they patch all their security vulnerabilities. They just keep on coming too... It's been proven that Intel CPUs take massive hits from the previous threats. Stack this one on top and it gets even worse.

HOWEVER, like others have said, this likely won't severely impact individual users. So, unless you're developing a new technology or are a professional writer and live and die by the content on your PC you will probably be fine. I'm rolling with Intel because, currently, it's fast single thread performance is where it's at for my older apps. Moving forward, if you don't already have a PC or are in the market looking for a new one, WAIT. 7nm Ryzen is 2-3 Months away. AMD's processors have, essentially, proven to be almost bulletproof compared to Intel and they are committed to correcting the previously noted security flaws in their new hardware. Not that much of this really even effected them anyway and their microcode updates that mitigate these issues rarely slow their CPUs down (last one was something like a 3% slowdowon compared to a 10-20+% slowdown Intel faced depending upon workload).

I will stick with my Intel processors for now, however, Ryzen 7nm may very well change my mind.
 
while most of this stuff sounds bad outside of corporate/business systems the risks are pretty low.
This is grossly foolish to say.

These attacks are going to get simplified, evolved, and distributed just like all the other exploits that have become available over the years and eventually make their way into the more common virus kits.

There is nothing about them that prevents that sort of thing from happening and they're flat out too good to ignore by the virus writers and hackers.

Doubly so if the researchers' claims of the unlikely hood of a microcode patch being effective.
 
If you think this won't hit you, you're a fool. The fact this can be delivered through JavaScript means it can be injected into any hacked website and hit the masses. If you think the websites you visit are impenetrable, think again. Even websites like CNN have been hacked to deliver malicious code.

The fact Intel still hasn't solved this at the silicon level clearly shows they don't actually care. Fuck you Intel.
 
7nm Rome chips cannot arrive soon enough for servers, cloud and data centers. Tables are turning hyper fast now...
 
Disable javascript in your browser. I run with Palemoon along with the Toggle Javascript addon. I have trouble with a few sites, if I trust it I toggle java and reload. You could run a browser in a vm. A browser sandbox might also help, not sure.

I think the gist of it is there is no sandboxing this away. It's a very simple bit of code that reveals memory addresses, which are the keys to your whole system. The thing with all of these side channel attacks is that whereas your software is sandboxed/tightly controlled permissions and domains/whatever the hardware has none of these whatsoever in its prefetch/branch prediction/speculative execution units. So at a stroke all your security counts for diddly squat as key hardware blocks have an overview of everything everywhere and can be fooled into revealing everything at any time.
 
Disable javascript in your browser. I run with Palemoon along with the Toggle Javascript addon. I have trouble with a few sites, if I trust it I toggle java and reload. You could run a browser in a vm. A browser sandbox might also help, not sure.
I'm trying this now, and it's effectively a worthless move. Every single website so far (hardforum for notifications, gmail, outlook.office.com, dropbox.com. google.com) has needed javascript to run correctly, and in several cases to run at all. If I'm just going to permit every website I visit to use it anyway, blocking it is somewhat stupid. I suppose it does prevent the random website you go to from running anything.
 
Last edited:
while most of this stuff sounds bad outside of corporate/business systems the risks are pretty low. i wouldn't go out and immediately buy an AMD system just because of these exploits even though the fear mongers will say otherwise. no one cares enough about the average users data when there are easier and cheaper ways to get your private information.

So youre saying all the individuals that were hit by ransomeware were just dolphins caught in the whale net? Color me unimpressed. Its incredibly foolish imo to say only businesses have to worry about this. Your entire life is electronic now...see how much youd like it if some enterprising enemy of yours decided he wanted to take everything and used a packaged up version of this to steal your shit.

Disable javascript in your browser. I run with Palemoon along with the Toggle Javascript addon. I have trouble with a few sites, if I trust it I toggle java and reload. You could run a browser in a vm. A browser sandbox might also help, not sure.

So your suggestion is to disable the internet?
 
The fact Intel still hasn't solved this at the silicon level clearly shows they don't actually care.
In fairness to Intel they only learned about this exploit at the very end of last year.

There wouldn't be enough time to implement a hardware fix of some sort in any of their upcoming or current CPUs.

If the memory model itself requires large changes in order to implement a fix that doesn't cause any performance degradations then it'll take quite a while before you see a hardware fix.
 
In fairness to Intel they only learned about this exploit at the very end of last year.

There wouldn't be enough time to implement a hardware fix of some sort in any of their upcoming or current CPUs.

If the memory model itself requires large changes in order to implement a fix that doesn't cause any performance degradations then it'll take quite a while before you see a hardware fix.
The words Fair and Intel rarely ever coexist together properly .... The problem I see with the "new transparency" Intel is pushing is that they've said Jack and shit about correcting any of these issues in their upcomming 10nm generation. If I recall correctly there was some article about how the fixes weren't making it into that generation. Perhaps on 7nm in 2020-2021... On the AMD side of the spectrum, AMD has already committed to correcting these issues.

Intel cannot correct these security holes if they want to remain competitive vs AMD and they've already lost their process lead.

Intel is in deep shit for sitting on their asses too long and not innovating.
 
Someone on Hardocp have a suggestion? Aside from going AMD?
Since this new exploit is is only useful to make other side-channel attacks for effective, deploying mitigations against those side-channel attacks is your only option right now.
 
The words Fair and Intel rarely ever coexist together properly ....
I agree! However I think this may be one of those few times.

The problem I see with the "new transparency" Intel is pushing is that they've said Jack and shit about correcting any of these issues in their upcomming 10nm generation.
Do you mean this one (SPOILER) only or Meltdown and Spectre too? I believe they haven't commented on SPOILER but hardware corrections for Meltdown and Spectre should be implemented for Icelake and Coffeelake already has them.

Intel is in deep shit for sitting on their asses too long and not innovating.
Absolutely!

I believe AMD has a real chance to get a decent chunk of both server and desktop marketshare from Intel thanks to their screw ups. Not sure about AMD's prospects in the the laptop market on the other hand. AMD seems to be having a very hard time getting any traction there.

Since this new exploit is is only useful to make other side-channel attacks for effective, deploying mitigations against those side-channel attacks is your only option right now.
As I understand it even with Spectre and Meltdown mitigations active SPOILER is still going to work unfortunately.

That along with its reported ease of use and the difficulty (or perhaps impossibility if the researchers who developed SPOILER are correct) of Intel doing a effective microcode update is what is making it so very scary.
 
If you think this won't hit you, you're a fool. The fact this can be delivered through JavaScript means it can be injected into any hacked website and hit the masses. If you think the websites you visit are impenetrable, think again. Even websites like CNN have been hacked to deliver malicious code.

The fact Intel still hasn't solved this at the silicon level clearly shows they don't actually care. Fuck you Intel.

It isn't a simple fix. You could say they don't care or you could say it's a set of vulnerabilities that strike at the very heart of the means by which CPUs have been made faster for close to 15 years. The entire idea that speculative execution/memory prefetch/memory disambiguation could become a yawning security chasm was completely unforeseen until relatively recently and it took a good while to demonstrate proof of concept attacks. Now it's grown legs and there are attack vectors all over the place. It takes what.... 5 years to design and begin selling a cpu and the ip in it has been worked on and iterated for a decade+ and now they have to go back and somehow make sweeping changes without affecting performance. That's a job that will take years to do. Not to mention rowhammer (spam memory cells with bits billions of times until they freak out and flip 0 to 1 or vice versa) which just about every cpu in at least the last decade is vulnerable to and will be an absolute bitch to fix (in hardware)
 
Disable javascript in your browser. I run with Palemoon along with the Toggle Javascript addon. I have trouble with a few sites, if I trust it I toggle java and reload. You could run a browser in a vm. A browser sandbox might also help, not sure.
Running a VM will not solve these for you. As a VCP I guarantee that we have to patch at the host level for these and the feeling is NOT negligible.
 
The entire idea that speculative execution/memory prefetch/memory disambiguation could become a yawning security chasm was completely unforeseen until relatively recently
This isn't correct. There are white papers from the P!!! and K7 Athlon era talking about doing attacks like this. And I can vaguely recall some people voicing worries about this sort of thing all the way back in the 90's when the Pentium Pro came out.

It did take a long time to make those concepts into actual effective attacks but to say this was completely unforeseen is totally wrong. After all if it was totally unforeseen AMD's Zen would've been just as vulnerable to Spectre, Meltdown, and SPOILER. But it isn't.

Intel was lax on security, favoring development efforts focused performance and power usage and now that mistake is coming back to bite them.

Not to mention rowhammer (spam memory cells with bits billions of times until they freak out and flip 0 to 1 or vice versa) which just about every cpu in at least the last decade is vulnerable to and will be an absolute bitch to fix (in hardware)
Rowhammer is a memory flaw rather than a CPU flaw. Nothing Intel or AMD can really do to fix it. Its up to the DRAM OEM's to fix it. Maybe we'll see a fix with DDR5.

What AMD or Intel can do is make it much harder for Rowhammer attacks to be successful by officially implementing and supporting ECC DRAM on all their products and not just server stuff. Technically and unofficially AMD already does and has done it for years, going on back to at least Bulldozer, they just don't guarantee it'll work properly 100% of the time on their consumer market stuff.

Now some versions of Rowhammer apparently can work on even ECC DRAM but its a very slow process that can take weeks to be effective and I believe so far has only been shown to be effective on DDR3 ECC DRAM.
 
This isn't correct. There are white papers from the P!!! and K7 Athlon era talking about doing attacks like this. And I can vaguely recall some people voicing worries about this sort of thing all the way back in the 90's when the Pentium Pro came out.

It did take a long time to make those concepts into actual effective attacks but to say this was completely unforeseen is totally wrong. After all if it was totally unforeseen AMD's Zen would've been just as vulnerable to Spectre, Meltdown, and SPOILER. But it isn't.

Intel was lax on security, favoring development efforts focused performance and power usage and now that mistake is coming back to bite them.


Rowhammer is a memory flaw rather than a CPU flaw. Nothing Intel or AMD can really do to fix it. Its up to the DRAM OEM's to fix it. Maybe we'll see a fix with DDR5.

What AMD or Intel can do is make it much harder for Rowhammer attacks to be successful by officially implementing and supporting ECC DRAM on all their products and not just server stuff. Technically and unofficially AMD already does and has done it for years, going on back to at least Bulldozer, they just don't guarantee it'll work properly 100% of the time on their consumer market stuff.

Now some versions of Rowhammer apparently can work on even ECC DRAM but its a very slow process that can take weeks to be effective and I believe so far has only been shown to be effective on DDR3 ECC DRAM.

Thank you! I went and did some reading. You are correct. Learned something today.

Re: rowhammer cpu vs ram problem. Well yes but ram is present in cpus, which I took as clear. Rowhammer flips bits.... to infer the contents of neighbouring memory cells. ECC has 2 problems vs rowhammer: flipping 3 or more bits defeats it (the tech needs improving) and it needs to be in every cache and dram pool on every cpu (cost). Like all side channel attacks rowhammer is evolving and has been demonstrated to affect ddr4. So whatever ddr5 brings to the table it better be pretty good.
 
Disable javascript in your browser. I run with Palemoon along with the Toggle Javascript addon. I have trouble with a few sites, if I trust it I toggle java and reload. You could run a browser in a vm. A browser sandbox might also help, not sure.

From what I read elsewhere, VM/Sandbox does not protect from this exploit. Don't have the link handy but I read this yesterday on /. so it's likely it was in the link there...
 
i can see this being a pain for the home market, as for the server side. Well you shouldn’t be web surfing from a core, application, file server etc...
 
i can see this being a pain for the home market, as for the server side. Well you shouldn’t be web surfing from a core, application, file server etc...

Better tell that to every enterprise running VDI's. (Virtual Desktops.) Especially some of the smaller shops that might have a small vm cluster with independent VDI's for the users that co mingle on their server VM hosts because it didn't make sense to buy more. Oh and anyone running a virtual desktop say in the Amazon Cloud or any other cloud for that matter.
 
Speculative (Spectre/Meltdown) security threats have been known to intel for about two years now (or more perhaps behind closed doors). I have yet to see them come out with a silicon solution for _ANY_ of them. Until they actually come at their silicon from a security perspective, this will continue to get worse, and not be comprehensively addressed.

In fairness to Intel they only learned about this exploit at the very end of last year.

There wouldn't be enough time to implement a hardware fix of some sort in any of their upcoming or current CPUs.

If the memory model itself requires large changes in order to implement a fix that doesn't cause any performance degradations then it'll take quite a while before you see a hardware fix.
 
Yes I can say they don't care, because they've known about speculative exploits for about two years now, and they haven't put out ANY silicon solutions to mitigate them. That's negligent.

It isn't a simple fix. You could say they don't care or you could say it's a set of vulnerabilities that strike at the very heart of the means by which CPUs have been made faster for close to 15 years. The entire idea that speculative execution/memory prefetch/memory disambiguation could become a yawning security chasm was completely unforeseen until relatively recently and it took a good while to demonstrate proof of concept attacks. Now it's grown legs and there are attack vectors all over the place. It takes what.... 5 years to design and begin selling a cpu and the ip in it has been worked on and iterated for a decade+ and now they have to go back and somehow make sweeping changes without affecting performance. That's a job that will take years to do. Not to mention rowhammer (spam memory cells with bits billions of times until they freak out and flip 0 to 1 or vice versa) which just about every cpu in at least the last decade is vulnerable to and will be an absolute bitch to fix (in hardware)
 
Yes I can say they don't care, because they've known about speculative exploits for about two years now, and they haven't put out ANY silicon solutions to mitigate them. That's negligent.
On the one hand I agree with you, this is unacceptable, should have dumped everything they had into a hardware level fix immediately. But on the other, I think the reality is this would take a redesign that will take years, if not decades, to implement. In the mean time, should they just shut down the fabs, produce nothing? When a solution is finally revealed that completely abandons speculative execution (the only real way to protect against this,) it will likely be many years from now, perform much worse than today's chips, and cost a fortune.
 
Disable javascript in your browser. I run with Palemoon along with the Toggle Javascript addon. I have trouble with a few sites, if I trust it I toggle java and reload. You could run a browser in a vm. A browser sandbox might also help, not sure.

vm's do not protect against this.....
 
Someone on Hardocp have a suggestion? Aside from going AMD?
Going AMD.

I’ll be eagerly awaiting the Zen2 update this year with a motherboard that’s guaranteed to accept the cpu. My 2700x has been great so far.

It’s been the first time I’ve built AMD since the Opteron 165 days.

I’m done with the new monthly threats and performance robbing patches from intel.
 
This is grossly foolish to say.

These attacks are going to get simplified, evolved, and distributed just like all the other exploits that have become available over the years and eventually make their way into the more common virus kits.

There is nothing about them that prevents that sort of thing from happening and they're flat out too good to ignore by the virus writers and hackers.

Doubly so if the researchers' claims of the unlikely hood of a microcode patch being effective.

I wouldn't hold your breath on that. The nature of how these attacks and how they are pulled off combined with the time frame you have to do an attack to get the information you are looking for, makes it hardly worth exploit writers time. There is zero guarantee on the kind of information you could get, or that you get any useful information at all. So it really limits the targets for these attacks.
 
Better tell that to every enterprise running VDI's. (Virtual Desktops.) Especially some of the smaller shops that might have a small vm cluster with independent VDI's for the users that co mingle on their server VM hosts because it didn't make sense to buy more. Oh and anyone running a virtual desktop say in the Amazon Cloud or any other cloud for that matter.

Ohh I would, if you are running core services and desktops on the same server I believe that is a foul. The thin client/zero client/virtual solution should be separate even on the hardware level.

As for Amazon, it will be interesting to see how that all plays out. Because meltdown has existed for several years and yet AWS is still here...
 
Ohh I would, if you are running core services and desktops on the same server I believe that is a foul. The thin client/zero client/virtual solution should be separate even on the hardware level.

As for Amazon, it will be interesting to see how that all plays out. Because meltdown has existed for several years and yet AWS is still here...

This last speculative execution CVE that came out late 2018 is only patched at the Hypervisor level. And if you have the patch enabled you only have access to your core CPU's no Hyperthreaded Logical CPU's for you. My environment due to what I do was over built and ok. But can you imagine people using 4:1 overallocation on logical threads that are now simply screwed? It suddenly became 8:1.
 
Intel is in deep shit for sitting on their asses too long and not innovating.

And to that I say GOOD! I'm glad to see Intel reaping what they sowed. The way i see it is they wanted to milk the consumer and intentionally neglected meaningful improvement due to no competition. They wanted to sell the same thing over and over year after year with minimal changes. My next PC will be AMD, my last one would have been but I couldn't get AMD parts timely to replace a dead PC as it died a few days after ryzen launch. I'll intentionally be avoiding Intel products now. Their misfortune makes me smile.
 
Even if x86-64 doesn't die from all of these flaws, ARM-based CPUs and AMD are going to continue moving forward.
Good riddance, Intel.
 
ECC has 2 problems vs rowhammer: flipping 3 or more bits defeats it
That approach only works with DDR3 ECC DRAM so far.

It hasn't been shown to work with DDR4 ECC DRAM. The DRAM OEM's were aware of Rowhammer type attacks in the early DDR3 days and hardened DDR4 ECC DRAM to make it at least resistant to it (they claim its proofed against it). The guys who figured out how to do the 3 bit flip on DDR3 ECC DRAM claim DDR4 ECC DRAM is still susceptible to it but its been quite a while since those claims were made and no real world proof of concept of the attack has been successfully performed yet.

So at a minimum DDR4 ECC DRAM (which is what Zen, Zen+, Zen2, Skylake, and so on all support) is fairly well hardened against that sort of attack and may indeed be actually completely proof against it.

and it needs to be in every cache and dram pool on every cpu (cost).
Actually Rowhammer attacks only works on system RAM and not the CPU caches.

Rowhammer attacks won't work on the CPU caches because they're designed in a physcially different manner. The actual transistors in the SRAM arrays in those caches are hardened against physical abuse like that and have much more stringent quality control too. Rowhammer only works at all because the DRAM industry was focused on trying to make memory as cheap as possible to improve their profits so they cheaped out durability and security and tried to maximize DRAM cell transistor density with further process shrinks.

The DRAM OEM's already know how to prevent Rowhammer attacks from working, they just don't want to. Maybe with this latest attack they'll be embarassed enough that they'll actually bother to really fix the problem with DDR5.

they've known about speculative exploits for about two years now, and they haven't put out ANY silicon solutions to mitigate them.
But Coffeelake and Whiskeylake already have hardware mitigations against Meltdown and Spectre right?

The nature of how these attacks and how they are pulled off combined with the time frame you have to do an attack to get the information you are looking for, makes it hardly worth exploit writers time.
The researchers claim they were able to get successful attacks within seconds though. If it was taking weeks to perform a single successful attack then you'd have a point.

There is zero guarantee on the kind of information you could get, or that you get any useful information at all. So it really limits the targets for these attacks.
Not really.

A fast executing attack means the attack can be re-ran over and over and over quickly without issue and "eventually" (in scare quotes because we're probably talking about a time frame of minutes not hours or days or weeks) the attacker will find what they want.

Well it’s Zen2, which is the third gen of zen.
Zen+ was a bug fixed Zen along with a minor process improvement (it wasn't a optical shrink so think of Globalfoundries "12nm" as a "14nm+" instead) rather than a new evolution of the Zen architecture.

Zen2 has actually large and significant changes to the architecture itself and isn't just a bug fix or a shrink so you should think of it as the 2nd generation core and not the 3rd.
 
Back
Top