So, given the pit Intel have dug themselves into, I'd love to hear what their plan is to get out. Customers don't appreciate patches that take them back a generation or three in terms of CPU performance. They also don't appreciate baked-in vulnerabilities. It doesn't seem like IME isn't doing them any favors, either. Speaking of which, does anyone have an idea of how many of Intel's customers actually use IME?
 
Do we have a good article comparing performance between Intel and AMD with the exploits patched?
 
I wonder what sort of total/aggregate performance hit we're at with the plethora of Intel vulnerability patches vs. unpatched.
 
Do we have a good article comparing performance between Intel and AMD with the exploits patched?
I'm sure AnandTech has something on it; probably just have to do some searching to find it.
 
I don't like it when these types of exploits are called "flaws" because it's literally impossible to design anything that cannot be exploited to some degree(s) given time and the desire to do it. When Intel was making these processors nobody at the time was thinking "Hey, let's do this, which exploits that, and then we're in like Flynn" so, while some responsibility on how the situation is handled after such exploits are created/discovered/made use of does fall back on the makers of the processors, I can't honestly point a finger at Intel and say "Hey, look, even a 1st grader could have seen what was going to happen here..." because at the time that wasn't a possibility for anyone.

People find exploits all the time, hell I think sendmail still has shit exploited to this day and it's what, 50+ years old now? :D

Agreed, it is very easy years later to find something like this and complain but it's difficult enough to avoid what you can think of.
 
What the fuck has Intel even been doing since they released Sandy Bridge in 2011? Their chips haven't improved in any meaningful way, and they keep finding more security issues with them.
They've been busy pushing out Intel Management Engine (ME) updates. Funny how there's no problem getting an upgrade for that garbage but BIOS updates be damned.
 
Flaw is used too loosely. Like an auto manufacturer identifying the flaw of glass windows that thieves smash to break into your car.
 
They've been busy pushing out Intel Management Engine (ME) updates. Funny how there's no problem getting an upgrade for that garbage but BIOS updates be damned.
Aren't BIOS updates pushed out by the board manufacturers while ME updates are from Intel?

Besides, is everyone here even using ME? I uninstalled it a year or two ago and if that's where the fixes for the "flaws" are coming from I'm not going to start now.
 
Flaw is used too loosely. Like an auto manufacturer identifying the flaw of glass windows that thieves smash to break into your car.
That would be a vulnerability, yeah. Maybe that is a better term, but a flawless cpu would have no vulnerabilities. Thus, the cpu (or microcode) is flawed, and this vulnerability is due to one of those flaws.
 
Flaw is used too loosely. Like an auto manufacturer identifying the flaw of glass windows that thieves smash to break into your car.

Well if an auto maker built a car that started with any key... because it didn't bother to check if the inserted key was the correct one till after the engine was started. I think people would consider that a design flaw. That is the reason Intel has had so much trouble... their chips don't check if they have permission to use cache memory until their spec engine decides if the work it just did in that memory space is required.

It really is like getting in a car without the right key, having it start.... and then, if the driver decides to put their foot on the gas, bothering to check if they actually inserted the proper key.

Their by-design performance cheat (that's what it really is) has massive implications for cloud servers, where a user space program can get itself into a situation where it's sharing cache with other users, or the server's OS. I would agree with most people that these types of flaws aren't likely to affect you and me at home on our desktops at all... on a larger level though this stuff has to rattle the purchasers ordering millions of dollars of cloud and data center gear.
 
Besides, is everyone here even using ME? I uninstalled it a year or two ago and if that's where the fixes for the "flaws" are coming from I'm not going to start now.
What you uninstalled is just the software that interfaces with IME. IME is still there, running, and baked into the silicon. AFAIK there's no way to completely disable it.
 
I also quit doing the firmware updates when I uninstalled the software. So although I haven't disabled it, does that mean I don't have any updates that would diminish my chip's performance?
 
You should care now while your IPC is being drained significantly by mandatory patches.
I always campaigned that the patches should be strictly opt in for home users.
 
I always campaigned that the patches should be strictly opt in for home users.

Home users are not technically inclined enough to know what to opt in or out of. Multiple viruses and malware attacks have proven this. Advanced users should be clever enough to disable, exclude and/or opt out of the updates they don't want or need. Mandatory is the way to go there.

Working for corporate, the Windows team pushed out a wonderful IIS update KB last month that screwed the "iisreset /stop" on many webservers and I got fkd on that. So much for advanced users as well.
 