Quick Facts about Meltdown and Spectre

Discussion in '[H]ard|OCP Front Page News' started by Kyle_Bennett, Jan 4, 2018.

  1. Kyle_Bennett

    Kyle_Bennett El Chingón Staff Member

    Messages:
    48,674
    Joined:
    May 18, 1997
    Quick Facts about Meltdown and Spectre

    Meltdown and Spectre have you scratching your head? In-house HardOCP security expert, Joe Wood, has walked us through some very ugly facts about these two new attacks that were fully exposed this week.

     
    rive22, Calavaro, Red Falcon and 10 others like this.
  2. cybrnook

    cybrnook [H]ard|Gawd

    Messages:
    1,230
    Joined:
    Jan 14, 2013
    Quick and easy to read/follow, this was needed.
     
    tikiman2012, Calavaro and Sith'ari like this.
  3. ryan_975

    ryan_975 [H]ardForum Junkie

    Messages:
    14,229
    Joined:
    Feb 6, 2006
    I would suggest clarifying that point 6 means an attack on one virtual machine can dump the contents of the host and ALL other virtual machines running on it, but otherwise very concise and to the point.
     
  4. pcgeekesq

    pcgeekesq Limp Gawd

    Messages:
    500
    Joined:
    Apr 23, 2012
    Point 2 is not supported by the Project Zero descriptions of the vulnerability. At least some of the vulnerabilities are restricted to a limited (4GB) VMA space, and the rate of leakage (2000 bytes per second) makes dumping "the entire memory" impractical -- a mere 8GB of memory would take over 1000 hours to leak.

    I stopped reading at point 2, because if it's that wrong, how right can the rest be? Joe Wood may be a "security expert," but does he understand enough about CPU micro-architecture to read and truly understand the analysis from Google's Project Zero?

    Disclosure: I was a microprocessor architect and then a crypto-security system architect for Intel until about a decade ago.
     
    EdZ, lilbabycat, Araxie and 6 others like this.
  5. shad0w4life

    shad0w4life Gawd

    Messages:
    588
    Joined:
    Jun 30, 2008
    Didn't they say Spectre was easily fixed?

    Variant 1 affected AMD but was resolved via software.

    Variant 2 and 3 didn't affect AMD or have not been demonstrated to affect AMD to date.
     
  6. ryan_975

    ryan_975 [H]ardForum Junkie

    Messages:
    14,229
    Joined:
    Feb 6, 2006
    Yeah, but with ASLR, how hard is it to get a different 4GB range until you've covered the entire range of allocated memory? And the white paper was proof of concept to show that the vulnerability was real. In the real world, who knows what optimizations can be found that would speed things up quite a bit.
     
  7. NoOther

    NoOther [H]ardness Supreme

    Messages:
    5,131
    Joined:
    May 14, 2008
    To note here, that article is a bit alarmist. It doesn't expose ALL data; to be clear, it only exposes data currently in memory, and sometimes even limited only to kernel memory or L1D cache, not all data in storage. Also it requires specific access to the system and is not guaranteed to be successful. To be truly successful, it would require root privileges; with normal user privileges it is far more limited and even then requires more hoops and time.

    The "not been demonstrated to affect AMD" is not completely accurate. Spectre was tested successfully on AMD, but they did not do a Demo of it. Mostly because they believe it will be a long term problem and don't want to make it easy to duplicate, while they did do a demo of Meltdown, because there is a fix in place for it.
     
    EdZ and pcgeekesq like this.
  8. pcgeekesq

    pcgeekesq Limp Gawd

    Messages:
    500
    Joined:
    Apr 23, 2012
    Each process in Win64 can have 16 TB of VM, and the entirety of all processes can have 256 TB (plus however much physical memory you have) of VM.
    So at first glance, it looks like one process in Win64 can't get access to the entirety of the machine's VM, much less the entirety of the available VM address space, which is at least as large.
     
    EdZ likes this.
  9. ryan_975

    ryan_975 [H]ardForum Junkie

    Messages:
    14,229
    Joined:
    Feb 6, 2006
    This was a demo to show that the vulnerability exists and is on some level practically exploitable. Real-world exploits could be implemented in a different way that does allow a much larger data dump. Or another vulnerability is found that is dependent on this vulnerability that lets the attacker write code into kernel space of the host and then dump everything at full speed or stream it all over the network, or at least sift through the in-situ contents to see if anything good can be found.
     
    EdZ and Sith'ari like this.
  10. pcgeekesq

    pcgeekesq Limp Gawd

    Messages:
    500
    Joined:
    Apr 23, 2012
    Sure, but that's just speculation on your part. And not even the worst case speculation -- the worst case would be that information discoverable using these attacks allows more than just mere info leakage, such as actually allowing a system to be taken over. Of course, there have been plenty of those attacks in the past, but the world still spins.
     
  11. longblock454

    longblock454 [H]ard|Gawd

    Messages:
    1,549
    Joined:
    Nov 28, 2004
  12. NoOther

    NoOther [H]ardness Supreme

    Messages:
    5,131
    Joined:
    May 14, 2008
    That is in reference to meltdown only.
     
    longblock454 likes this.
  13. niconx

    niconx 2[H]4U

    Messages:
    2,913
    Joined:
    Sep 26, 2004
    Sith'ari likes this.
  14. pcgeekesq

    pcgeekesq Limp Gawd

    Messages:
    500
    Joined:
    Apr 23, 2012
    And apparently anyone claiming that was wrong. "Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems — including personal computers and servers — that render those systems immune from both exploits (referred to as “Spectre” and “Meltdown”) reported by Google Project Zero." -- Intel press release.
     
  15. Kyle_Bennett

    Kyle_Bennett El Chingón Staff Member

    Messages:
    48,674
    Joined:
    May 18, 1997
    Just got this from SoftLayer....

    Customer Identification: KB Networks
    Event Type: Announcement Event
    Subject: Event 53338231 - Service Disruption -- Bare Metal Maintenance Required
    =================================================================
    / Event Description /
    IBM Cloud Systems Engineers have been notified of a security vulnerability affecting Bare Metal devices. Due to the nature of this vulnerability and the components which are affected, a Firmware Update and Operating System Update will be required. Please watch for these updates as they become available in your control portal. We will push these notifications as soon as we receive updates from the relevant vendors.
    If assistance is required, please contact IBM Cloud support. Additional information on Bare Metal servers can be found at: http://knowledgelayer.softlayer.com/topic/bare-metal-server
    IBM Cloud
     
    Revdarian and Schtask like this.
  16. Kyle_Bennett

    Kyle_Bennett El Chingón Staff Member

    Messages:
    48,674
    Joined:
    May 18, 1997
    erek likes this.
  17. NoOther

    NoOther [H]ardness Supreme

    Messages:
    5,131
    Joined:
    May 14, 2008
    Because obviously Intel is truthful that it can solve all these problems through a software patch when the people that found the issue said not all instances could be solved through software? Interesting... The reports from people that have seen the initial patches only seem to deal with Meltdown.
     
  18. jbltecnicspro

    jbltecnicspro [H]ardness Supreme

    Messages:
    5,715
    Joined:
    Aug 18, 2006
    So I'm a bit confused - are there Windows 7 patches out there to correct this? Or is it only Windows 10 for now? My google-foo has gone to shit, because I can't seem to find it.
     
  19. NoOther

    NoOther [H]ardness Supreme

    Messages:
    5,131
    Joined:
    May 14, 2008
    This page has links to the KBs associated with it
     
  20. MMitch

    MMitch Limp Gawd

    Messages:
    202
    Joined:
    Nov 29, 2016
    My machine just installed KB4056891 which Microsoft says patches all variants... see the link below
    https://wccftech.com/microsoft-rolling-out-emergency-windows-10-fix-chip-bugs/

    Is it effective? No clue...
     
  21. octane

    octane [H]Lite

    Messages:
    94
    Joined:
    Jun 10, 2017
  22. MMitch

    MMitch Limp Gawd

    Messages:
    202
    Joined:
    Nov 29, 2016
    Well, replying to you on my trusty 2500K seems normal... We'll see once pr0n kicks in!
     
    octane likes this.
  23. octane

    octane [H]Lite

    Messages:
    94
    Joined:
    Jun 10, 2017
    Ahh yes! The porn test... :D
     
  24. MMitch

    MMitch Limp Gawd

    Messages:
    202
    Joined:
    Nov 29, 2016
    It wasn't slower... I'm done :D
     
  25. NoOther

    NoOther [H]ardness Supreme

    Messages:
    5,131
    Joined:
    May 14, 2008
    It is sneaky because they can patch Meltdown, and they can patch against "specific" targets using Spectre, but they can't completely patch against Spectre, at least according to the researchers.
     
  26. Dekar12

    Dekar12 Gawd

    Messages:
    678
    Joined:
    Oct 2, 2003
    NSA backdoor into every piece of computer hardware built in the past decade.... /puts on the tinfoil hat
     
  27. J3RK

    J3RK [H]ardness Supreme

    Messages:
    7,399
    Joined:
    Jun 25, 2004
    Ha, well, the last MS patch that installed on one of my "extra" machines in my work-room at home actually caused it to stop booting completely, so you're doing ok. :D Plus side, it's the third machine I'd use for anything in that room. Negative side, it's the first machine my seven-year-old would go to to play Minecraft. By-product, now my second machine is in use for Minecraft until I fix the third machine.
     
  28. ecktt

    ecktt Limp Gawd

    Messages:
    360
    Joined:
    Oct 22, 2004
    I'm here patching 100s of servers!!! I'll be here all weekend.....Remember the old days....when you could have just turned off Super Prefetch in the CMOS settings?
     
    maxius likes this.
  29. pcgeekesq

    pcgeekesq Limp Gawd

    Messages:
    500
    Joined:
    Apr 23, 2012
    Do you understand the difference between a software patch and a microcode patch?

    Note that most if not all modern x86 processors translate the x86 instructions into native hardware instructions before executing them. Microcode patches alter these translations, and can therefore be used to make some pretty large changes in how the processor operates. It's a very powerful tool.

    And Intel's truthfulness, like any publicly-traded corporation, is a function of how much any lie might affect the stock price. Lying about this probably would affect it a good bit, creating potentially severe civil and criminal liability, so they are less likely to do so.
     
    Araxie and ecktt like this.
  30. pcgeekesq

    pcgeekesq Limp Gawd

    Messages:
    500
    Joined:
    Apr 23, 2012
    That better be some pretty thick tinfoil. The universal backdoor is the one the g-man came through before he put a gun to your head to make you give him your password.
     
  31. joecop120

    joecop120 [H]ard|Gawd

    Messages:
    1,148
    Joined:
    Nov 12, 2006
    Ah man, my Intel Atom D525 / nVidia ION board isn't affected. Phew.
     
    c3k, auntjemima, J3RK and 1 other person like this.
  32. J3RK

    J3RK [H]ardness Supreme

    Messages:
    7,399
    Joined:
    Jun 25, 2004
    :D

    I could pretty happily go back to 68000 and 6510 based machines for a while, while they work this all out. Then come back to modern architecture when it's all resolved.

    Well, I don't think I'll be able to move the whole datacenter at work over to those, but I can operate at home like that for maybe 6 months (until I get bored of it...) :D
     
  33. MMitch

    MMitch Limp Gawd

    Messages:
    202
    Joined:
    Nov 29, 2016
    Every time a patch broke my Windows it was because I was using an out-of-date 3rd party SW that uses USB devices (Logitech KB/M).
    Need to resort to safe mode to fix those... (W10 safe mode is strange to access at best)

    Seems like Windows Update should flag potentially problematic 3rd party applications before doing an update...
     
  34. Zarathustra[H]

    Zarathustra[H] Pick your own.....you deserve it.

    Messages:
    23,500
    Joined:
    Oct 29, 2000
    Thanks for this, Joe. You always break this stuff down nicely and understandably.

    It would seem to me that the real problem here is Spectre. The Meltdown patch will hurt some performance but c'est la vie. Expect your $5 settlement discount on your next Intel CPU.

    Spectre is a real problem for anyone that runs systems with different users and permissions on the same physical machine, previously isolated via VMs or Linux containers (LXC or OpenVZ).

    Unfortunately much of the hosting business depends on this functionality to get economies of scale out of their servers these days. The real losers here are the hosting companies and the likes of Amazon AWS etc.

    I have a VM server in my basement and I was just in the process of setting up a VLAN'ed-off VM to give to a friend when this news hit.

    Now I am thinking about whether I'd want to do that. I mean, I trust the guy, but still.
     
    Schtask likes this.
  35. ryan_975

    ryan_975 [H]ardForum Junkie

    Messages:
    14,229
    Joined:
    Feb 6, 2006
    Spectre is a real problem for anyone regardless of how many users are on the system, or how many virtual machines are running on it.
     
    Schtask likes this.
  36. J3RK

    J3RK [H]ardness Supreme

    Messages:
    7,399
    Joined:
    Jun 25, 2004
    That actually is a possibility as I have a few oddball controllers attached to that one. I just haven't had time to sit down and mess with it yet. Safe Mode didn't work either though, so hopefully just disconnecting all of it will at least get me that far. I'm not opposed to just wiping it either, but then when it hits that update again it could do the same thing. (so hopefully I can just fix it)
     
  37. Zarathustra[H]

    Zarathustra[H] Pick your own.....you deserve it.

    Messages:
    23,500
    Joined:
    Oct 29, 2000
    Well, what is the attack vector? You need to have admin access to a machine in order to exploit it, right? So, the machine is already compromised at that point.

    The difficulty, it seems to me, is VMs in which third parties may have been intentionally granted administrative access to the CPU cores, and can then use them to trick them into dumping the contents of their memory.

    Or maybe I've misunderstood how it works?