Spectre Variant 4 Disclosed, Mitigations to Result in Another Performance Hit

[Megalith]

Another variant of Spectre was disclosed this week by Microsoft, Google, AMD, ARM, Intel, and Red Hat. Variant 4, labeled "Speculative Store Bypass,” allows hackers to read older system values in a CPU stack or other memory locations. Intel’s microcode fixes will result in a performance hit of 2-8%, and the company’s hardware-based safeguard, “virtual fences,” will not protect against Variant 4 at all.

Patrick Moorhead, principal analyst at Moor Insights and Strategy, said that Variant 4 would be much harder to “fix” architecturally than V1, V2, or V3a. “You either have to turn memory disambiguation on or off, which will be a BIOS setting,” he told Threatpost in an email. “It’s important to note that browsers have already included mitigations and that from a severity standpoint, has been flagged as ‘medium’ severity, compared to V1, V2, and V3, which were flagged as ‘high.'”

 

[dgz]

So, we get the usual 2-8% performance [hit] this time. Congrats!

 

[DF-1]

i thought this was the v3 one?

I really cant keep up. Scrap the entire thing and start anew.

 

[Spidey329]

At this rate, the cumulative performance hit is going to be 30%-50% if this keeps up.

 

[Hallucinator]

Patches with performance hit is like putting a restrictive carburetor intake adapter on a Dodge Viper - rendering it into a Slant 6 Dart.

 

[Exavior]

guess pretty soon they will have to go back to making faster clock speeds to give us faster processors since their last round of tricks seem to not be very good in the end.

 

[DeathFromBelow]

If any of you Intel guys need an upgrade now I have a couple Bulldozer and Piledriver machines availible to sell.

 

[Disco_Stu_04]

Well, I was hoping to upgrade my 2600K to a x299 platform. I suppose I will keep waiting however I am taking a risk--

I doubt Asus will adequately patch my older system but I struggle to justify paying money for a newer fully patched yet performance-compromised system.

 

[Navilor]

Patches with performance hit is like putting a restrictive carburetor intake adapter on a Dodge Viper - rendering it into a Slant 6 Dart.

My first car was a 1969 Dodge Dart GT with a 225 slant 6. It had a white paint job with a either a gold/tan or faded white interior. Nice car but no power.

 

[Vercinaigh]

Well, I was hoping to upgrade my 2600K to a x299 platform. I suppose I will keep waiting however I am taking a risk--

I doubt Asus will adequately patch my older system but I struggle to justify paying money for a newer fully patched yet performance-compromised system.

Or, you know, AMD, that doesn't have most of these problems and their fixes don't result in near this kinda issue. Atleast as far as I've been keeping up.

 

[Killerxp100]

What a great way to make people upgrade.

 

[mullet]

What a great way to make people upgrade.

Yeah upgrade to AMD, I will never spend another dime on any product again that has intel on it.

 

[ADRENALIN_2099]

Fucking hell. So that's like a 16% hit so far

 

[HaloSVT]

It is truly the end times.

 

[kandrey89]

Sounds like all the 5-10% Intel gains per generation are setting back Intel by what? 6 years

 

[Disco_Stu_04]

Or, you know, AMD, that doesn't have most of these problems and their fixes don't result in near this kinda issue. Atleast as far as I've been keeping up.

...

"doesn't have most of these problems"

Like you said, there's issues with AMD as well --- honestly why spend the money now on AMD?

Furthermore, is AMD less at risk because of the design? Or just lower market share and therefore less in-depth scrutiny?

 

[Ranma]

Actually AMD is not affected because of the different architecture. But You should know that because you come to this site..

 

[Disco_Stu_04]

Actually AMD is not affected because of the different architecture. But You should know that because you come to this site..

If I read the following correctly, it sounds like what you said was incorrect?

https://www.amd.com/en/corporate/security-updates

AMD PROCESSOR SECURITY

Overview
At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. Recent public disclosures have brought to the forefront the constant need to protect and secure data.

This site is a centralized location for the latest security-related updates as they relate to AMD.






Updates
“Speculative Store Bypass” Vulnerability Mitigations for AMD Platforms
5/21/18

Today, Microsoft and Google Project Zero researchers have identified a new category of speculative execution side channel vulnerability (Speculative Store Bypass or SSB) that is closely related to the previously disclosed GPZ/Spectre variant 1 vulnerabilities. Microsoft has released an advisory on the vulnerability and mitigation plans.

AMD recommended mitigations for SSB are being provided by operating system updates back to the Family 15 processors (“Bulldozer” products). For technical details, please see the AMD whitepaper. Microsoft is completing final testing and validation of AMD-specific updates for Windows client and server operating systems, which are expected to be released through their standard update process. Similarly, Linux distributors are developing operating system updates for SSB. AMD recommends checking with your OS provider for specific guidance on schedules.

Based on the difficulty to exploit the vulnerability, AMD and our ecosystem partners currently recommend using the default setting that maintains support for memory disambiguation.

We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date.

As a reminder, security best practices of keeping your operating system and BIOS up-to-date, utilizing safe computer practices and running antivirus software are always the first line of defense in maintaining device security.



Spectre Mitigation Update
4/10/18 (Updated 5/8/18 to reflect Microsoft release of Windows Server 2016)

Today, AMD is providing updates regarding our recommended mitigations for Google Project Zero (GPZ) Variant 2 (Spectre) for Microsoft Windows users. These mitigations require a combination of processor microcode updates from our OEM and motherboard partners, as well as running the current and fully up-to-date version of Windows. For Linux users, AMD recommended mitigations for GPZ Variant 2 were made available to our Linux partners and have been released to distribution earlier this year.

As a reminder, GPZ Variant 1 (Spectre) mitigation is provided through operating system updates that were made available previously by AMD ecosystem partners. GPZ Variant 3 (Meltdown) does not apply to AMD because of our processor design.

While we believe it is difficult to exploit Variant 2 on AMD processors, we actively worked with our customers and partners to deploy the above described combination of operating system patches and microcode updates for AMD processors to further mitigate the risk. A whitepaper detailing the AMD recommended mitigation for Windows is available, as well as links to ecosystem resources for the latest updates.



Operating System Updates for GPZ Variant 2/Spectre

Microsoft is releasing an operating system update containing Variant 2 (Spectre) mitigations for AMD users running Windows 10 (version 1709) today. Support for these mitigations for AMD processors in Windows Server 2016 is expected to be available following final validation and testing. (Note: May 8, 2018 Microsoft released an operating system update for Windows Server 2016.)



AMD Microcode Updates for GPZ Variant 2/Spectre

In addition, microcode updates with our recommended mitigations addressing Variant 2 (Spectre) have been released to our customers and ecosystem partners for AMD processors dating back to the first “Bulldozer” core products introduced in 2011.

AMD customers will be able to install the microcode by downloading BIOS updates provided by PC and server manufacturers and motherboard providers. Please check with your provider for the latest updates.

We will provide further updates as appropriate on this site as AMD and the industry continue our collaborative work to develop solutions to protect users from security threats.



Mark Papermaster, Senior Vice President and Chief Technology Officer

 

[knowom]

i1-6100 skylake selling points voided, skyOC, voided upgrade path, and -16% hardware penalty. I know what brand CPU I'm not buying to replace it in about 6 months by the time it's been vulnerability fixed to down to Celeron or Atom CPU.

 

[Skylinestar]

At this rate, the cumulative performance hit is going to be 30%-50% if this keeps up.

No overclock can mitigate this hit

Dick: Check out my latest wc i7 8700K rig. I gain 50% speed boost in benchmark.
John: Make sure you apply all the latest Spectre/Meltdown patch.
Dick: Aye.
(patching UEFI, Win10 updates).
(run benchmark)
Dick: My bechmark scores are back to non-overclock.
(e-peen shrink)
John: Or you prefer to have your private data stolen

 

[SixFootDuo]

Funny to see all of you running around scurred flailing your arms all around screaming the sky if falling.

Really?



Macrium reflect free

Image your OS, an older non fcked version and or use Windows 10 Lite V1 to V4

Don't update your bios or revert to an older bios

Just enjoy your shit and all your performance

Like I do

reimage your system every few days.

 

[DeathFromBelow]

If I read the following correctly, it sounds like what you said was incorrect?

https://www.amd.com/en/corporate/security-updates

Intel made certain performance optimizations that accidentally* broke security. There are 5 variants of the Spectre/Meltdown exploits. The Meltdown bugs are Intel only. AMD needs microcode updates for variants 2 and 4 and an OS update for v1.

Has anyone actually seen any real-world examples of those exploits in action on AMD hardware without physical access to the machine? My understanding is that its impractical.

 

[d3athf1sh]

If any of you Intel guys need an upgrade now I have a couple Bulldozer and Piledriver machines availible to sell.

hell, i have an old athlon II x2 245 just sitting in a box somewhere if anyone needs it. you probably wouldn't notice much of a performance difference, at this point!

 

[mesyn191]

Macrium reflect free Image your OS, an older non fcked version and or use Windows 10 Lite V1 to V4 Don't update your bios or revert to an older bios Just enjoy your shit and all your performance Like I do reimage your system every few days.

This is, uuuh, silly since a)you'll effectively never get any bug or driver fixes for your install of windows/linux if you're forcing it to revert to an old image and b)you'll still get infected even if you're constantly reverting to your old OS install every few days which means the virus can grab your personal info/credit card #'s/passwords/etc. that you use before reverting again and c)most people are VERY aggressively not interested in running their PC like this (even if they have the technical inclination which many don't) and its unreasonable to expect them to do so.

IAMD needs microcode updates for variants 2 and 4 and an OS update for v1.

Its also worth pointing out the performance penalty for the fixes on Zen based AMD systems is pretty negligible too (0-3% IIRC) for the v1 exploits while for Intel just the 1st round of fixes for Meltdown/Spectre were much larger (3-8%) and the fixes for these new exploits will impose further hits to performance. Enough that current Intel CPU's will perform about the same or slower than Ivybridge or possibly even Sandybridge! In which case AMD's current Zen and Zen+ CPU's will end up being a bit faster over all per clock....which is quite the role reversal to say the least.

If you have a 2015 or newer (ie. Kabylake, Skylake, Broadwell) Intel chip clocked at or over 4.5Ghz that -won't- be a devastating problem since you'll still have a fairly fast system that probably won't bottleneck anything much if at all. But for older Intel CPU's, which don't support some of the same features or instructions newer Intel CPU's do, I believe the performance hit for the fixes can be quite large at times (ie. 20% or more performance hit just for the v1 fixes) depending on what you're doing so it -might- actually be worthwhile (really will depend on your budget) to upgrade to something Zen+ based even if you've got your current older system overclocked to well over 4Ghz.

Honestly with Zen2 (which is supposed to be 10%+ faster per clock vs Zen+ and clock to near 5Ghz along with more cores) probably coming in early or mid 2019 its probably worthwhile to hold off on upgrading for that to come out at least.

I do know Intel is expected to have chips out by year end with hardware fixes for the v1 Meltdown/Spectre exploits but no word yet on the v2 exploits or if there will still be some sort of performance hit present.

Has anyone actually seen any real-world examples of those exploits in action on AMD hardware without physical access to the machine? My understanding is that its impractical.

I believe there have been some proof of concepts in the papers that released some info about these exploits originally but as far as I know nothing is out there in the wild. It seems like they'll get this patched soon anyways so unless they screw up implementing the patch somehow none of this seems to matter much at all for AMD Zen based chips.

 

[DukenukemX]

Actually AMD is not affected because of the different architecture. But You should know that because you come to this site..

Don't make me throw water on you. Cold water.

 

[Master_shake_]

So where are we now?

4 versions 4 performance hots should put us near Sandy bridge performance, no?

Intel's stock price should be zero or near zero.

 

[DejaWiz]

They're going to have to go back to the "PR" performance rating schema from long ago...

"Introducing the new Intel 9th Generation Core i7-9700K PR-PIII 1000. Special imtroductory price of only $389!"

 

[John721]

In terms of performance impacts from implementing all these spectre fixes, is amd less affected than intel?

 

[mesyn191]

In terms of performance impacts from implementing all these spectre fixes, is amd less affected than intel?

AMD is virtually unaffected performance wise from any of the fixes. Even in most synthetic benches the performance hit Zen gets is usually negligible.

Its Intel that is getting hit relatively hard. I guess they depended more on speculative loads than AMD did or something. Or they were more lax in their implementations. Or a combo of both. The fixes essentially end up reducing the effectiveness of the different types of speculative loads that are going on or in some cases eliminate them entirely depending on which core architecture you're talking about.

Its mostly the older ones (Haswell and older) that get effected the most but the newer ones still take a big enough hit to cumulatively eliminate nearly all the performance gains Intel made with them vs Sandybridge or Ivybridge.

 

[Gottfried Leibnizzle]

Fucking hell. So that's like a 16% hit so far

Moron's law: the performance hit due to vulnerability patches doubles every 18 months.

 

[SDplus]

I'm starting to think that this is all a deliberate push to make people that are happy with semi-old equipments performance feeling forced to upgrade to new stuff. It has been the bane of the industry as of late that new softwares and OS's has not been challenging enough to make people do the regular upgrades. This is a variant of Apple slowing down old phones...

 

[DukenukemX]

I'm starting to think that this is all a deliberate push to make people that are happy with semi-old equipments performance feeling forced to upgrade to new stuff. It has been the bane of the industry as of late that new softwares and OS's has not been challenging enough to make people do the regular upgrades. This is a variant of Apple slowing down old phones...

This doesn't benefit Intel at all, but AMD on the other hand... Unless this performance hit effects games, it will probably just effect servers again. But either way it doesn't make Intel look good as the upgrades could go Ryzen. So far AMD has taken nearly 50% of the CPU market. Intel might get servers to upgrade to newer Intel's but that would just be a really short term benefit with long term problems.

 

[Hallucinator]

My first car was a 1969 Dodge Dart GT with a 225 slant 6. It had a white paint job with a either a gold/tan or faded white interior. Nice car but no power.

My first car? Dull looking white 1963 Plymouth Valiant convertible/blue interior with Slant 6 - only 170 cu. No power (101 hp sleeper) but ton of fun

 

[SLee]

So far AMD has taken nearly 50% of the CPU market. Intel might get servers to upgrade to newer Intel's but that would just be a really short term benefit with long term problems.

AMD's sales may have grown by something like 50%, but it's actual share is something like 12% of desktop and 1% of server.

https://www.tomshardware.com/news/amd-cpu-gpu-market-share,36592.html

 

[Kdawg]

i am 100% unpatched.

0% performance loss.

 

[Vercinaigh]

i am 100% unpatched.

0% performance loss.

And 100% security risk. But hey who cares all your personal information is already all over the internet anyways right?! What's a bit more!

AMD's sales may have grown by something like 50%, but it's actual share is something like 12% of desktop and 1% of server.

https://www.tomshardware.com/news/amd-cpu-gpu-market-share,36592.html

Pretty sure he means sales since launch, not over all market. I can buy the 50% of new CPU's sold being AMD, but it's prolly a fair bit less. Love mine though, not so much my 3930k that was latency locking so bad the system timed out and hard reset from these patches, forced upgrade yo.

 

[knowom]

Intel made certain performance optimizations that accidentally* broke security. There are 5 variants of the Spectre/Meltdown exploits. The Meltdown bugs are Intel only. AMD needs microcode updates for variants 2 and 4 and an OS update for v1.

Has anyone actually seen any real-world examples of those exploits in action on AMD hardware without physical access to the machine? My understanding is that its impractical.

There is also the security through obscurity aspect as well in AMD's case much like Apple compared to Microsoft.

 

[Ebernanut]

There is also the security through obscurity aspect as well in AMD's case much like Apple compared to Microsoft.

This has nothing to do with obscurity. Both are being researched fully because this isn't some malware writer trying to infect the most machines with as little effort as possible, in fact if anything Intel has the deepest pockets and the most to gain by finding issues in AMD CPUs(like many suspect the CTS labs bullshit was).

 

[Skylinestar]

i am 100% unpatched.

0% performance loss.

You just beat hwbot #1 oc.

 

[WhoBeDaPlaya]

At this rate, the cumulative performance hit is going to be 30%-50% if this keeps up.

No, at this rate, the question is will there be any performance gain left from speculative execution?