A Massive Intel Hardware Bug May Be on the Horizon

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289
That Intel, AMD, and ARM CPUs are vulnerable to Spectre attacks is not a speculation.
cab9430cb6a5aebe5b41a66d3cdb1c52b82d39b24a662baca26cc6e60d8812d1.jpg


AMD is only susceptible to Spectre (type1) on linux with a non-default setting so don't use that setting & equally older AMD chips... .... Its PR by Intel to rope AMD into this when all of Intel chips are susceptible to ALL attacks, Their architecture is susceptible to ALL attacks & only & equally the AMD attack only showed up with a non-default setting
 

juanrga

2[H]4U
Joined
Feb 22, 2017
Messages
2,804
DSpmxcLUQAA2VRu.jpg

But your boy Ryan Shrout posted google verbatim.

Near zero, that is like yeah there may be some chance but Intel on the other hand is 100% at risk in all three variants, bet those investors just love cyber criminals stealing billions annually and now they know why.

So sum it up like this, if Intel are found guilty of knowingly short cutting security to boost performance then well they are liable for all loss suffered, the ramifications are unknown but investor confidence, consumer confidence will take a massive hit.

cab9430cb6a5aebe5b41a66d3cdb1c52b82d39b24a662baca26cc6e60d8812d1.jpg


Juan will spin this into AMD's near Zero risk being worse than Intel's 100% risk. Even then AMD's type 1 fix is software, Intels is hardware change. I guess all those datacenters and cloud servers will will replace with safer hardware.

From the Meltdownattack and Spectreattacks sites created by the researchers that discovered those security flaws.

Which systems are affected by Meltdown?
Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.

Which systems are affected by Spectre?
Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.
 

Verge

Supreme [H]ardness
Joined
May 27, 2001
Messages
7,273
10d0Nxy.png

YiPHT6v.png


A 23% reduction in the most important disk I/O on desktop. This is synthetic, but a demonstration of what use cases will be the most impacted.

And there is that pesky security issue others are pointing out.

CPU patch causing performance issues.... lets benchmark IO????


so confused
 

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289
CPU patch causing performance issues.... lets benchmark IO????


so confused
Not really... the mitigation results in additional syscalls and io generally has alot more
 

extide

2[H]4U
Joined
Dec 19, 2008
Messages
3,494
CPU patch causing performance issues.... lets benchmark IO????


so confused

Confused you are indeed!

That patch affects context switches between user mode and kernel mode, not pure CPU perf. I/O is one thing that does a lot of that kind of context switching. Particularly things with high IOPS, as opposed to big sequentials reads or writes.
 

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289
Confused you are indeed!

That patch affects context switches between user mode and kernel mode, not pure CPU perf. I/O is one thing that does a lot of that kind of context switching. Particularly things with high IOPS, as opposed to big sequentials reads or writes.
yup so anything that interfaces with hardware will be affected. This is why I am worried about my hdd access being impacted as it is encrypted
 

juanrga

2[H]4U
Joined
Feb 22, 2017
Messages
2,804
Is the consumer now the gamer?

Some people in forums and certain 'news' sites have been pretending those days that everyone with an Intel processor will see performance reduced by up to 30%. HU simply tested the claims and proves that "the up to 30%" is in reality "up to 5%" in the consumer space. It confirms tests made before by computerbase and hardwareluxx.

So what is your problem with reviews sharing facts?
 

OrangeKhrush

[H]ard|Gawd
Joined
Dec 15, 2016
Messages
1,673
From the Meltdownattack and Spectreattacks sites created by the researchers that discovered those security flaws.

Basically what everyone has posted already, type 1 affects all players but is the easiest to address on a software level.

Type 2 seems to be only intel confirmed attacks, "near zero" kind of a small number to really blow smoke on this for AMD.

Meltdown, there is no confirmed data, so in 6 months no meltdown intrusions confirmed on AMD CPU's, AMD have seemed pretty confident in their assessment and thus the big issue seems to be more about Intel here. After 6 months if there was any mud to sling at AMD it would have happened so the scales of things are kind of like 98% intel 2% AMD.
 

OrangeKhrush

[H]ard|Gawd
Joined
Dec 15, 2016
Messages
1,673
Some people in forums and certain sites have been pretending those days that everyone with an Intel processor will be the performance reduced by up to 30%. HU simply tested the claims and proves that "the up to 30%" is in reality "up to 5%" in the consumer space.

So what is your problem with reviews sharing facts?

they showed massive losses in IO performance, sure that affects a certain consumer, but as long as the blessed gamer can have his fun.
 

juanrga

2[H]4U
Joined
Feb 22, 2017
Messages
2,804
Basically what everyone has posted already, type 1 affects all players but is the easiest to address on a software level.

Spectre, which affects to all players, is the more difficult problem to solve. There is no known patch and some security experts claim a redesign of CPUs will be needed. Again it is all in the information that you refuse to read:

Why is it called Spectre?
The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.

they showed massive losses in IO performance, sure that affects a certain consumer, but as long as the blessed gamer can have his fun.

Can't you read? Sure some customers will see a noticeable performance hit. What HU, Computerbase, and hardwareluxx have debunked is the FUD that all Intel customers will suffer massive losses.
 

OrangeKhrush

[H]ard|Gawd
Joined
Dec 15, 2016
Messages
1,673
Spectre, which affects to all players, is the more difficult problem to solve. There is no known patch and some security experts claim a redesign of CPUs will be needed. Again it is all in the information that you refuse to read:





Can't you read? Sure some customers will see a noticeable performance hit. What HU, Computerbase, and hardwareluxx have debunked is the FUD that all Intel customers will suffer massive losses.

Spectre type 1 cannot be prevented but regular OS updates address potential attacks or in at least mitigates it. In short we cannot make it go away but we can spray bug repellent and get some reprieve.

Notice how no database/enterprise information is being leaked, that is likely the big one here, most likely non disclosure agreements prevent this but yeah those markets are probably why Intel's first response was an embarrassing piss willy deflection, they look like a corporate that is very concerned and if what is said is true, they have every reason to be.
 

erek

Supreme [H]ardness
Joined
Dec 19, 2005
Messages
7,924
Initializing installation... done!
Installing Security Update for Windows (KB4056892) (update 1 of 1)...
 

GDI Lord

Limp Gawd
Joined
Jan 14, 2017
Messages
229
Notice how no database/enterprise information is being leaked, that is likely the big one here, most likely non disclosure agreements prevent this but yeah those markets are probably why Intel's first response was an embarrassing piss willy deflection, they look like a corporate that is very concerned and if what is said is true, they have every reason to be.
This.
 

The King of Pants

[H]ard|Gawd
Joined
Jul 7, 2004
Messages
1,280
View attachment 48691

Well, If the NSA says "Jump," Intel says, "How high? :LOL:
This.

At a minimum, NSA knew about this shit if they didn't commission it.

I saw a series of posts on another board last night where security dudes were listing intrusions/breaches by suspected state actors that had never been adequately explained, but matched up with what you could accomplish with Spectre. Most from the last 5-7 years.
 

leSLIe

Fisting is Too Mainstream for Me
Joined
Oct 18, 2004
Messages
13,925
This.

At a minimum, NSA knew about this shit if they didn't commission it.

I saw a series of posts on another board last night where security dudes were listing intrusions/breaches by suspected state actors that had never been adequately explained, but matched up with what you could accomplish with Spectre. Most from the last 5-7 years.

Lets not forget CPU serial numbers either.
https://www.theregister.co.uk/2002/06/25/why_intel_loves_palladium/

Who knows what program might be underway right now regarding this.
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
33,799
Google reported it to them at least as early as June 2017. and it was supposed to go public next week, so him selling all he could in November looks very bad.

Agreed, he should definitely be investigated.

I was simply speaking to smoking man's suggestion that this was intentional cheating on speculative execution dating back to ~1996. That's the part that I think is a stretch.
 

juanrga

2[H]4U
Joined
Feb 22, 2017
Messages
2,804
Notice how no database/enterprise information is being leaked, that is likely the big one here, most likely non disclosure agreements prevent this but yeah those markets are probably why Intel's first response was an embarrassing piss willy deflection, they look like a corporate that is very concerned and if what is said is true, they have every reason to be.

Except that database benchmarks have been shared. They have been mentioned in this forum.
 

juanrga

2[H]4U
Joined
Feb 22, 2017
Messages
2,804
Google, ARM, Microsoft Issue Statements Regarding Discovered Security Flaws


ARM
This method requires malware running locally and could result in data being accessed from privileged memory. Our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted.

Google
The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system's memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.

These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them.

As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google's systems and our users' data. We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web. These efforts have included collaborative analysis and the development of novel mitigations.

We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation. The full Project Zero report is forthcoming.

Microsoft
We're aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.
 

Tsumi

[H]F Junkie
Joined
Mar 18, 2010
Messages
13,535
So why are the Intel cpus still on the market?

Why wouldn't they be? It's not a health or safety hazard, and there is a software fix.


Hardest hit will be the big customers (Amazon, Google, Microsoft, etc.) I'm about 90% sure Intel will work out a separate deal with them. The rest of us will get peanuts (i.e. $20 back or $50 coupon as others have been saying). For people comparing this to the Volkswagen scandal… no, this is nowhere near on the same scale of malicious intent. We aren't going to get those buyback deals.
 

Grimlaking

2[H]4U
Joined
May 9, 2006
Messages
3,246
Here is my issue. Purely from a security standpoint. If Intel was willing to make this security costly shortcut in their CPU's and have it in place for over a decade... AND potentially license this same architecture to ARM and AMD for their CPU's... Why would I trust them from a security standpoint?

If I can go AMD for a one time hit and no additional cost in software licensing, and little to no impact in performance... why wouldn't I?

Just spitballing here. Yes it will be a labor and Hardware cost to make the jump... but why would I NOT want to make said jump? Unless the performance impact is actually negligible. I have friends with older CPU's that have installed this patch/fix on NON cutting edge Intel CPU's and the impact has been palpable.
 

Tsumi

[H]F Junkie
Joined
Mar 18, 2010
Messages
13,535
Here is my issue. Purely from a security standpoint. If Intel was willing to make this security costly shortcut in their CPU's and have it in place for over a decade... AND potentially license this same architecture to ARM and AMD for their CPU's... Why would I trust them from a security standpoint?

If I can go AMD for a one time hit and no additional cost in software licensing, and little to no impact in performance... why wouldn't I?

Just spitballing here. Yes it will be a labor and Hardware cost to make the jump... but why would I NOT want to make said jump? Unless the performance impact is actually negligible. I have friends with older CPU's that have installed this patch/fix on NON cutting edge Intel CPU's and the impact has been palpable.

The big hole in your argument is that the CPU designers knew they were creating a low level security hole that could be hacked. Additionally, from what I have read, this isn't something Intel licensed to other companies, but rather a technique for improving CPU speed of which there are several ways to implement with similar effects. They end up having similar vulnerabilities, but the degree of vulnerability is different.

The other factor is simply the manufacturing scale of the company. Simply put, AMD cannot churn out as many chips as Intel. If you need sonething now, you will buy what is available, cost be damned, because waiting will cost more than you save. This extends to ease of obtaining replacement parts as well.

Finally, there is a pesky thing called contracts and the simple fact that large businesses simply aren't as nimble as individuals.
 

Grimlaking

2[H]4U
Joined
May 9, 2006
Messages
3,246
The big hole in your argument is that the CPU designers knew they were creating a low level security hole that could be hacked. Additionally, from what I have read, this isn't something Intel licensed to other companies, but rather a technique for improving CPU speed of which there are several ways to implement with similar effects. They end up having similar vulnerabilities, but the degree of vulnerability is different.

The other factor is simply the manufacturing scale of the company. Simply put, AMD cannot churn out as many chips as Intel. If you need sonething now, you will buy what is available, cost be damned, because waiting will cost more than you save. This extends to ease of obtaining replacement parts as well.

Finally, there is a pesky thing called contracts and the simple fact that large businesses simply aren't as nimble as individuals.

All true, but thankfully my companies contract isn't with Intel. It's with Dell. So that part will be relatively easy. The real trick IF we think switching is needed... will be getting the biggest discount possible due to returned hardware.
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
33,799
The big hole in your argument is that the CPU designers knew they were creating a low level security hole that could be hacked. Additionally, from what I have read, this isn't something Intel licensed to other companies, but rather a technique for improving CPU speed of which there are several ways to implement with similar effects. They end up having similar vulnerabilities, but the degree of vulnerability is different.

The other factor is simply the manufacturing scale of the company. Simply put, AMD cannot churn out as many chips as Intel. If you need sonething now, you will buy what is available, cost be damned, because waiting will cost more than you save. This extends to ease of obtaining replacement parts as well.

Finally, there is a pesky thing called contracts and the simple fact that large businesses simply aren't as nimble as individuals.


I still don't buy that this was an intentional shortcut with a known vulnerability. Microprocessor design is complicated. It might seem obvious with the benefit of hindsight, but I highly doubt it was intentionally launched knowing there was high risk.

That being said, you are right. AMD can't replace Intel volume wise, but they will be able to charge full price for the CPU's they can churn out, and sell as many as they can possibly churn out, which should be pretty good for the bottom line, especially considering all the outstanding debt they have coming due in the next couple of years.

I'm not THAT worried about Meltdown though. It is patchable, sure with a performance impact, but still it is patchable. With AMD nipping at their heels from a performance perspective, this may move Intel's enterprise products from a slight performance advantage to a slight performance disadvantage until updated silicon can be launched, but it doesn't stop them dead in the water. They are still in the game.

What I am more worried about is Spectre. It's in 100% of all CPU designs on the market for the last ~25 years, and cannot be patched in software. This is where the real risk lies.
 
Last edited:

Tsumi

[H]F Junkie
Joined
Mar 18, 2010
Messages
13,535
I still don't buy that this was an intentional shortcut with a known vulnerability. Microprocessor design is complicated. It might seem obvious with the benefit of hindsight, but I highly doubt it was intentionally launched knowing there was high risk.

That being said, you are right. AMD can't replace Intel volume wise, but they will be able to charge full price for the CPU's they can churn out, and sell as many as they can possibly churn out, which should be pretty good for the bottom line, especially considering all the outstanding debt they have coming due in the next couple of years.

I'm not THAT worried about Meltdown though. It is patchable, sure with a performance impact, but still it is patchable. With AMD nipping at their heels from a performance perspective, this may move Intel'd enterprise products from a slight performance advantage to a slight performance disadvantage until updated silicon can be launched, but it doesn't stop them dead in the water. They are still in the game.

What I am more worried about is Spectre. It's in 100% of all CPU designs on the market for the last ~25 years, and cannot be patched in software. This is where the real risk lies.

Typing on my phone makes me miss key words. I meant that the big hole in his argument is assuming Intel engineers knew they were creating a hackable security hole.
 

Gideon

2[H]4U
Joined
Apr 13, 2006
Messages
3,000
Typing on my phone makes me miss key words. I meant that the big hole in his argument is assuming Intel engineers knew they were creating a hackable security hole.

They did choose to bypass a security check to speed up their chips. Something AMD chose not to do and why AMD chips are not affected by this mess. One might say they chose a riskier route figuring it would never bite them in the ass. In this case someone found the shortcut and now Intel is paying for it. The bigger question is did they fix this issue for their newest processors that are coming out on the 10nm node?
 

BinarySynapse

[H]F Junkie
Joined
Feb 6, 2006
Messages
15,103
They did choose to bypass a security check to speed up their chips. Something AMD chose not to do and why AMD chips are not affected by this mess. One might say they chose a riskier route figuring it would never bite them in the ass. In this case someone found the shortcut and now Intel is paying for it. The bigger question is did they fix this issue for their newest processors that are coming out on the 10nm node?

The didn't bypass it. They delayed it. When the speculated branch fails, the results are discarded and the correct branch is re-executed and nothing is updated in the registers or memory, so there's no violation of access. The researchers have found a way to time the speculative execution in a way that leaks data around the boundary check.

AMD likely does speculative execution before doing a page-table check, they just have a less vulnerable implementation (or how it's vulnerable hasn't been discovered yet).
 

Tsumi

[H]F Junkie
Joined
Mar 18, 2010
Messages
13,535
They did choose to bypass a security check to speed up their chips. Something AMD chose not to do and why AMD chips are not affected by this mess. One might say they chose a riskier route figuring it would never bite them in the ass. In this case someone found the shortcut and now Intel is paying for it. The bigger question is did they fix this issue for their newest processors that are coming out on the 10nm node?

Again, you are making the assumption they knew what level of risk they were taking. CPUs are extremely complicated and have complex interactions. Chip makers cannot know every possible permutation that can happen. It took them 20 years to figure out their method had this flaw, which shows how hard it was to find in the first place. Of course, once found it is easily exploitable, but that's not the point.

AMD uses a different method. That doesn't mean they knew about this security risk, just that their engineers came up with something different to accomplish the same thing.
 

Meeho

Supreme [H]ardness
Joined
Aug 16, 2010
Messages
5,393
Again, you are making the assumption they knew what level of risk they were taking. CPUs are extremely complicated and have complex interactions. Chip makers cannot know every possible permutation that can happen. It took them 20 years to figure out their method had this flaw, which shows how hard it was to find in the first place.
That we know. I wouldn't at all be surprised certain agencies knew about this long before the public did.
 

Gideon

2[H]4U
Joined
Apr 13, 2006
Messages
3,000
Again, you are making the assumption they knew what level of risk they were taking. CPUs are extremely complicated and have complex interactions. Chip makers cannot know every possible permutation that can happen. It took them 20 years to figure out their method had this flaw, which shows how hard it was to find in the first place. Of course, once found it is easily exploitable, but that's not the point.

AMD uses a different method. That doesn't mean they knew about this security risk, just that their engineers came up with something different to accomplish the same thing.

Nowhere did I say they knew it was a risk but they did choose a less secure path. I have no doubt building a chip is complicated, but any engineer knows certain things are riskier then others and this issue has been a non issue for many years. AMD chose a different path and perhaps they were more cautious or they just got lucky to avoid this mess. But their reaction by pointing the finger at everyone else tells me a few things and the fact that their performance on certain tasks takes a bit of a hit. I think they tried a little too hard to get performance out of their chips, but it very well could have been a innocent error, sadly we will never know for sure which it was.
 
  • Like
Reactions: Meeho
like this
Top