Quick Facts about Meltdown and Spectre

FrgMstr (Just Plain Mean; Staff member; joined May 18, 1997; 55,601 messages)

Meltdown and Spectre have you scratching your head? In-house HardOCP security expert Joe Wood has walked us through some very ugly facts about these two new attacks that were fully exposed this week.

 
I would suggest clarifying that point 6 means an attack on one virtual machine can dump the contents of the host and ALL other virtual machines running on it, but otherwise very concise and to the point.
 
Point 2 is not supported by the Project Zero descriptions of the vulnerability. At least some of the vulnerabilities are restricted to a limited (4GB) VMA space, and the rate of leakage (2000 bytes per second) makes dumping "the entire memory" impractical -- a mere 8GB of memory would take over 1000 hours to leak.

I stopped reading at point 2, because if it's that wrong, how right can the rest be? Joe Wood may be a "security expert," but does he understand enough about CPU micro-architecture to read and truly understand the analysis from Google's Project Zero?

Disclosure: I was a microprocessor architect and then a crypto-security system architect for Intel until about a decade ago.
 
Didn't they say Spectre was easily fixed?

Variant 1 affected AMD but was resolved via software.

Variant 2 and 3 didn't affect AMD or have not been demonstrated to affect AMD to date.
 
Point 2 is not supported by the Project Zero descriptions of the vulnerability. At least some of the vulnerabilities are restricted to a limited (4GB) VMA space, and the rate of leakage (2000 bytes per second) makes dumping "the entire memory" impractical -- a mere 8GB of memory would take over 1000 hours to leak.

I stopped reading at point 2, because if it's that wrong, how right can the rest be? Joe Wood may be a "security expert," but does he understand enough about CPU micro-architecture to read and truly understand the analysis from Google's Project Zero?

Disclosure: I was a microprocessor architect and then a crypto-security system architect for Intel until about a decade ago.

Yeah, but with ASLR, how hard is it to get a different 4GB range until you've covered the entire range of allocated memory? And the white paper was a proof of concept to show that the vulnerability was real. In the real world, who knows what optimizations can be found that would speed things up quite a bit.
 
To note here, that article is a bit alarmist. It doesn't expose ALL data; to be clear, it only exposes data currently in memory, and sometimes only kernel memory or the L1D cache, not all data in storage. Also, it requires specific access to the system and is not guaranteed to be successful. To be truly successful, it would require root privileges; with normal user privileges it is far more limited, and even then requires more hoops and time.

Didn't they say Spectre was easily fixed?

Variant 1 affected AMD but was resolved via software.

Variant 2 and 3 didn't affect AMD or have not been demonstrated to affect AMD to date.

The "not been demonstrated to affect AMD" is not completely accurate. Spectre was tested successfully on AMD, but they did not do a demo of it, mostly because they believe it will be a long-term problem and don't want to make it easy to duplicate, while they did do a demo of Meltdown because there is a fix in place for it.
 
Yeah, but with ASLR, how hard is it to get a different 4GB range until you've covered the entire range of allocated memory?
Each process in Win64 can have 16 TB of VM, and the entirety of all processes can have 256 TB (plus however much physical memory you have) of VM.
So at first glance, it looks like one process in Win64 can't get access to the entirety of the machine's VM, much less the entirety of the available VM address space, which is at least as large.
 
Each process in Win64 can have 16 TB of VM, and the entirety of all processes can have 256 TB (plus however much physical memory you have) of VM.
So at first glance, it looks like one process in Win64 can't get access to the entirety of the machine's VM, much less the entirety of the available VM address space, which is at least as large.

This was a demo to show that the vulnerability exists and is on some level practically exploitable. Real-world exploits could be implemented in a different way that does allow a much larger data dump. Or another vulnerability is found that is dependent on this vulnerability that lets the attacker write code into kernel space of the host and then dump everything at full speed or stream it all over the network, or at least sift through the in-situ contents to see if anything good can be found.
 
This was a demo to show that the vulnerability exists and is on some level practically exploitable. Real-world exploits could be implemented in a different way that does allow a much larger data dump. Or another vulnerability is found that is dependent on this vulnerability that lets the attacker write code into kernel space of the host and then dump everything at full speed or stream it all over the network, or at least sift through the in-situ contents to see if anything good can be found.
Sure, but that's just speculation on your part. And not even the worst case speculation -- the worst case would be that information discoverable using these attacks allows more than just mere info leakage, such as actually allowing a system to be taken over. Of course, there have been plenty of those attacks in the past, but the world still spins.
 
That is in reference to meltdown only.

And apparently anyone claiming that was wrong. "Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems — including personal computers and servers — that render those systems immune from both exploits (referred to as “Spectre” and “Meltdown”) reported by Google Project Zero." -- Intel press release.
 
Just got this from SoftLayer....

Customer Identification: KB Networks
Event Type: Announcement Event
Subject: Event 53338231 - Service Disruption -- Bare Metal Maintenance Required
=================================================================
/ Event Description /
IBM Cloud Systems Engineers have been notified of a security vulnerability affecting Bare Metal devices. Due to the nature of this vulnerability and the components which are affected, a Firmware Update and Operating System Update will be required. Please watch for these updates as they become available in your control portal. We will push these notifications as soon as we receive updates from the relevant vendors.
If assistance is required, please contact IBM Cloud support. Additional information on Bare Metal servers can be found at: http://knowledgelayer.softlayer.com/topic/bare-metal-server
IBM Cloud
 
And apparently anyone claiming that was wrong. "Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems — including personal computers and servers — that render those systems immune from both exploits (referred to as “Spectre” and “Meltdown”) reported by Google Project Zero." -- Intel press release.

Because obviously Intel is truthful that it can solve all these problems through a software patch when the people that found the issue said not all instances could be solved through software? Interesting... The reports from people that have seen the initial patches only seem to deal with Meltdown.
 
So I'm a bit confused - are there Windows 7 patches out there to correct this? Or is it only Windows 10 for now? My Google-fu has gone to shit, because I can't seem to find it.
 
So I'm a bit confused - are there Windows 7 patches out there to correct this? Or is it only Windows 10 for now? My Google-fu has gone to shit, because I can't seem to find it.

This page has links to the KBs associated with it
 
Because obviously Intel is truthful that it can solve all these problems through a software patch when the people that found the issue said not all instances could be solved through software? Interesting... The reports from people that have seen the initial patches only seem to deal with Meltdown.

My machine just installed KB4056891, which Microsoft says patches all variants... see below link
https://wccftech.com/microsoft-rolling-out-emergency-windows-10-fix-chip-bugs/

Is it effective? No clue...
 
NSA backdoor into every piece of computer hardware built in the past decade.... /puts on the tinfoil hat
 
My machine just installed KB4056891, which Microsoft says patches all variants... see below link
https://wccftech.com/microsoft-rolling-out-emergency-windows-10-fix-chip-bugs/

Is it effective? No clue...

Ha, well, the last MS patch that installed on one of my "extra" machines in my work-room at home actually caused it to stop booting completely, so you're doing ok. :D Plus side, it's the third machine I'd use for anything in that room. Negative side, it's the first machine my seven year old would go to to play Minecraft. By-product, now my second machine is in use for Minecraft until I fix the third machine.
 
I'm here patching 100s of servers!!! I'll be here all weekend.....Remember the old days....when you could have just turned off Super Prefetch in the CMOS settings?
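Two posts above ask the practical question ("Is it effective? No clue...") and mention patching hundreds of servers. On Linux the kernel answers that question itself: from 4.15 (and the distro backports of the same patches) it exports one status file per issue under /sys/devices/system/cpu/vulnerabilities, so an audit does not have to guess from package versions. The script below is an added example, not code from the thread or from any vendor; the directory is a parameter so it can be run against constructed sample files, and the sample strings mirror the kernel's wording but are constructed here. On Windows the equivalent check for the KB4056891-era patches is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings).

```shell
#!/bin/sh
# Added example (not from the thread): report the running kernel's own view of
# its Meltdown/Spectre mitigation state. The status directory defaults to the
# real sysfs path but is a parameter so the functions can be tested offline.

# Print one line per issue: NAME<TAB>STATE<TAB>raw kernel text.
# STATE is one of: mitigated, vulnerable, not-affected, unknown.
spec_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            # Kernel too old to export the file: treat as unknown, never as safe.
            printf '%s\tunknown\t(no status file)\n' "$name"
            continue
        fi
        raw=$(cat "$f")
        case "$raw" in
            "Not affected"*) state=not-affected ;;
            Mitigation:*)    state=mitigated ;;
            Vulnerable*)     state=vulnerable ;;
            *)               state=unknown ;;
        esac
        printf '%s\t%s\t%s\n' "$name" "$state" "$raw"
    done
}

# Exit 0 only if every issue reads mitigated or not-affected. A vulnerable or
# unknown entry fails the check, which is what a fleet-wide audit wants.
spec_all_ok() {
    spec_status "$1" | awk -F'\t' '
        $2 == "vulnerable" || $2 == "unknown" { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample files in the kernel's format (exact strings vary by
# kernel version): Meltdown and v1 mitigated, v2 only partially covered.
sample_dir=$(mktemp -d)
printf 'Mitigation: PTI\n' > "$sample_dir/meltdown"
printf 'Mitigation: __user pointer sanitization\n' > "$sample_dir/spectre_v1"
printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$sample_dir/spectre_v2"

spec_status "$sample_dir"
if spec_all_ok "$sample_dir"; then
    echo "all mitigated"
else
    echo "NOT fully mitigated -- see the table above"
fi
```

On a real host call `spec_status` with no argument (or `spec_all_ok` and branch on its exit code). Note the design choice that a missing status file counts as a failure: an unpatched kernel has no such files at all, and a check that treated silence as success would pass exactly the machines that most need the patch.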
 
Because obviously Intel is truthful that it can solve all these problems through a software patch when the people that found the issue said not all instances could be solved through software? Interesting... The reports from people that have seen the initial patches only seem to deal with Meltdown.
Do you understand the difference between a software patch and a microcode patch?

Note that most if not all modern x86 processors translate the x86 instructions into native hardware instructions before executing them. Microcode patches alter these translations, and can therefore be used to make some pretty large changes in how the processor operates. It's a very powerful tool.

And Intel's truthfulness, like any publicly-traded corporation, is a function of how much any lie might affect the stock price. Lying about this probably would affect it a good bit, creating potentially severe civil and criminal liability, so they are less likely to do so.
 
NSA backdoor into every piece of computer hardware built in the past decade.... /puts on the tinfoil hat
That better be some pretty thick tinfoil. The universal backdoor is the one the g-man came through before he put a gun to your head to make you give him your password.
 
Ah man, my Intel Atom D525 / nVidia ION board isn't affected. Phew.

:D

I could pretty happily go back to 68000 and 6510 based machines for a while, while they work this all out. Then come back to modern architecture when it's all resolved.

Well, I don't think I'll be able to move the whole datacenter at work over to those, but I can operate at home like that for maybe 6 month (until I get bored of it...) :D
 
Ha, well, the last MS patch that installed on one of my "extra" machines in my work-room at home actually caused it to stop booting completely, so you're doing ok. :D Plus side, it's the third machine I'd use for anything in that room. Negative side, it's the first machine my seven year old would go to to play Minecraft. By-product, now my second machine is in use for Minecraft until I fix the third machine.

Every time a patch broke my Windows it was because I was using out-of-date 3rd-party software that uses USB devices (Logitech KB/M).
Need to resort to safe mode to fix those... (W10 safe mode is strange to access at best)

Seems like Windows Update should flag potentially problematic 3rd party applications before doing an update...
 
Thanks for this Joe. You always break this stuff down nicely and understandably.

It would seem to me that the real problem here is Spectre. The Meltdown patch will hurt some performance but c'est la vie. Expect your $5 settlement discount on your next Intel CPU.

Spectre is a real problem for anyone that runs systems with different users and permissions on the same physical machine, previously isolated via VMs or Linux containers (LXC or OpenVZ).

Unfortunately much of the hosting business depends on this functionality to get economies of scale out of their servers these days. The real losers here are the hosting companies and the likes of Amazon AWS etc.

I have a VM server in my basement and I was just in the process of setting up a VLANed-off VM to give to a friend when this news hit.

Now I am thinking about whether I'd want to do that. I mean, I trust the guy, but still.
 
Thanks for this Joe. You always break this stuff down nicely and understandably.

It would seem to me that the real problem here is Spectre. The Meltdown patch will hurt some performance but c'est la vie. Expect your $5 settlement discount on your next Intel CPU.

Spectre is a real problem for anyone that runs systems with different users and permissions on the same physical machine, previously isolated via VMs or Linux containers (LXC or OpenVZ).

Unfortunately much of the hosting business depends on this functionality to get economies of scale out of their servers these days. The real losers here are the hosting companies and the likes of Amazon AWS etc.

I have a VM server in my basement and I was just in the process of setting up a VLANed-off VM to give to a friend when this news hit.

Now I am thinking about whether I'd want to do that. I mean, I trust the guy, but still.

Spectre is a real problem for anyone regardless of how many users are on the system, or how many virtual machines are running on it.
 
Every time a patch broke my Windows it was because I was using out-of-date 3rd-party software that uses USB devices (Logitech KB/M).
Need to resort to safe mode to fix those... (W10 safe mode is strange to access at best)

Seems like Windows Update should flag potentially problematic 3rd party applications before doing an update...

That actually is a possibility as I have a few oddball controllers attached to that one. I just haven't had time to sit down and mess with it yet. Safe Mode didn't work either though, so hopefully just disconnecting all of it will at least get me that far. I'm not opposed to just wiping it either, but then when it hits that update again it could do the same thing. (so hopefully I can just fix it)
 
Spectre is a real problem for anyone regardless of how many users are on the system, or how many virtual machines are running on it.

Well, what is the attack vector? You need to have admin access to a machine in order to exploit it, right? So the machine is already compromised at that point.

The difficulty, it seems to me, is VMs in which third parties may have been intentionally granted administrative access to the CPU cores, and can then use that access to trick them into dumping the contents of their memory.

Or maybe I've misunderstood how it works?
 