Vulnerability Note VU#584653 - CPU Hardware Attacks Solution

Discussion in '[H]ard|OCP Front Page News' started by Kyle_Bennett, Jan 4, 2018.

  1. Kyle_Bennett

    Kyle_Bennett El Chingón Staff Member

    Messages:
    50,628
    Joined:
    May 18, 1997
    The guys that run the Vulnerability Notes Database finally have the 100% solution to defend against the Meltdown and Spectre attacks. Thanks cageymaru.

    Solution - Replace CPU hardware

    The underlying vulnerability is primarily caused by CPU implementation optimization choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware
    .

    Glad we got that all fixed up, now we can move forward.
     
  2. thebufenator

    thebufenator Gawd

    Messages:
    808
    Joined:
    Dec 8, 2004
    Good thing I have my old Cyrix ready to go. Can't hack me.
     
    griff30, stefan231, 86 5.0L and 10 others like this.
  3. Jovian

    Jovian Limp Gawd

    Messages:
    295
    Joined:
    Jun 8, 2004
    HAHHAHAA! *crieis*
     
    cageymaru likes this.
  4. Spaceninja

    Spaceninja [H]ard|Gawd

    Messages:
    1,458
    Joined:
    Sep 15, 2004
    Christmas bonus is gonna be good this year.
     
  5. bugleyman

    bugleyman Gawd

    Messages:
    945
    Joined:
    Oct 27, 2010
    Come on, people. Didn't you read Intel's press release? Everything is fine. /s
     
  6. deeppow

    deeppow Limp Gawd

    Messages:
    409
    Joined:
    Sep 29, 2003
    It indicates that AMD is "Affected" yet several posts says it is not. Does this relate to old AMD cpus versus newer? Clarification is needed.

    Drilling down through the links isn't clear, at least in first quick read.

    I should add, thanks Kyle for your following and posts on the general subject!!
     
  7. cageymaru

    cageymaru [H]ard|News

    Messages:
    17,292
    Joined:
    Apr 10, 2003
  8. cybrnook

    cybrnook [H]ard|Gawd

    Messages:
    1,334
    Joined:
    Jan 14, 2013
    Two different issues have come out. Meltdown and Spectre. AMD seems to be affected by Spectre (along with intel and ARM), but intel seems to be the Meltdown target, and also the patch thats apparently going to affect performance from isolation overhead.
     
  9. MavericK

    MavericK Zero Cool

    Messages:
    30,478
    Joined:
    Sep 2, 2004
    As someone quickly pointed out, it affects ARM too...but still pretty cool/funny.
     
  10. alamox

    alamox Limp Gawd

    Messages:
    314
    Joined:
    Jun 6, 2014
    --------------------------------
    AMD Information for VU#584653
    CPU hardware vulnerable to side-channel attacks
    Status
    Affected

    Vendor Statement
    No statement is currently available from the vendor regarding this vulnerabilit
    ----------------------------------

    AMD issued a statement, i think the guys at cert are not up to date on what's going on, nor did they bother contacting them, maybe not even tried to replicate it on AMD system, my guess they just just assumed all x86 are affected.
    statement will probably be updated later
     
  11. WhoMe

    WhoMe Gawd

    Messages:
    641
    Joined:
    Jan 3, 2018
    Ah, OK, I've got some 386 system up in the shed, guess it's time to dust 'em off. Back to Turbo Pascal too.
     
  12. Kyle_Bennett

    Kyle_Bennett El Chingón Staff Member

    Messages:
    50,628
    Joined:
    May 18, 1997
    upload_2018-1-4_12-11-19.png

    https://www.amd.com/en/corporate/speculative-execution
     
    griff30 and panhead like this.
  13. DarkStar_WNY

    DarkStar_WNY 2[H]4U

    Messages:
    2,368
    Joined:
    Dec 27, 2006
    This begs the further question, replace my CPU with what? Unless the newest Intel or AMD CPUs don't have this issue how exactly can you avoid it?
     
    griff30 likes this.
  14. nysmo

    nysmo Gawd

    Messages:
    912
    Joined:
    Jan 7, 2016
    Also from what I gather Meltdown is the worse of the 2, and capable of being actively implemented via javascript and webpages. Spectre is more proof-of-concept / theoretical. They're not even sure how it could really be targeted.
     
  15. nysmo

    nysmo Gawd

    Messages:
    912
    Joined:
    Jan 7, 2016
    They mean replace it once those available CPU's are released. Right now there is nothing you can replace with, other than perhaps any AMD cpu since they claim they arent effected by Meltdown.
     
    griff30 likes this.
  16. HeadRusch

    HeadRusch Gawd

    Messages:
    784
    Joined:
    Jun 8, 2007
    Question: Does this affect my ability to view pornography or game? No? I'm good. I mean, terrible situation but, you know..I'm good.
     
  17. spugm1r3

    spugm1r3 [H]ard|Gawd

    Messages:
    1,081
    Joined:
    Sep 28, 2012
    So is this like Zeka bad, where everyone freaks out disproportionately to the actual impact? Or is this more like polio, where everyone freaks out and it is legitimately terrible? Just curious about the legitimacy of me knee-jerk reaction to build a Ryzen system...
     
    Armenius likes this.
  18. thesmokingman

    thesmokingman [H]ardness Supreme

    Messages:
    4,782
    Joined:
    Nov 22, 2008
     
    griff30, almalino and spugm1r3 like this.
  19. OldBuzzard

    OldBuzzard Gawd

    Messages:
    700
    Joined:
    Jun 6, 2004
    Works for me :)

    I've hated Intel ever since the Athlon days when they were using illegal anti-competitive business practices against AMD.

    I've never bought an Intel CPU and as long as they continue to be a bottom dwelling, scum sucking company, I never will.
     
    JustReason and Rauelius like this.
  20. Grimlaking

    Grimlaking [H]ard|Gawd

    Messages:
    1,906
    Joined:
    May 9, 2006
    I wonder for the security conchious of us. Will Intel offer a refund and replacement costs for my Intel CPU, heat sink and Motherboard? My ram and everything else can function on a new platform. But those two things are done.
     
  21. Rauelius

    Rauelius 2[H]4U

    Messages:
    2,123
    Joined:
    Jan 2, 2008
    Well, I'd build a Ryzen anyway (I did), but I'd say it's somewhere in between.
     
    griff30 likes this.
  22. WhoMe

    WhoMe Gawd

    Messages:
    641
    Joined:
    Jan 3, 2018
    You should be fine until the porn servers slow down to a crawl (since they were near maxed out)...but slow motion porn is still good right?
     
    tesfaye and auntjemima like this.
  23. thesmokingman

    thesmokingman [H]ardness Supreme

    Messages:
    4,782
    Joined:
    Nov 22, 2008
    That's about as likely as unicorns.
     
  24. alamox

    alamox Limp Gawd

    Messages:
    314
    Joined:
    Jun 6, 2014
    just wondering how intel is going to replace or compensate google, microsoft, alibaba for their cpus ? would love to read the contract right now :D
     
  25. pcgeekesq

    pcgeekesq Gawd

    Messages:
    695
    Joined:
    Apr 23, 2012
    The people at Vulnerability Notes Database apparently don't know much about microprocessors.

    1) Replacing the CPU only eliminates the vulnerability if there is a non-vulnerable CPU. I'm not aware of any at this time.

    2) OS mitigation effectively can eliminate the vulnerability. For example, looking at the Project Zero PoC's, Meltdown vulnerability can be eliminated if kernel code always flushes the L1 data cache before reducing privilege. Because modern CPUs have a relatively fast L2 backing the L1, performance impact might not be significant. Specter variant 1 vulnerability might be eliminated by making sure every user process is in its own 4GB virtual memory space(s) that are not shared with other applications or with the kernel. Not much performance impact there, either, VMA space is cheap and abundant in 64-bit OS's.

    3) The microcode patch capability in modern CPUs is pretty powerful. I won't be surprised if it's possible to patch-out the vulnerability via a bios update.

    I won't be surprised when the hysteria over this bug fades, it turns out to be not much of an issue for most people.
     
    Ziontrain, Armenius and face2palm like this.
  26. geok1ng

    geok1ng [H]ard|Gawd

    Messages:
    2,004
    Joined:
    Oct 28, 2007
    corredt me if i get this wrong: the vulnerabilities on Intel CPu are related to engineer decisions that improved IPC?

    So AMD almost reached Intel's level of IPC without resorting to exploitable solutions?
     
  27. cybrnook

    cybrnook [H]ard|Gawd

    Messages:
    1,334
    Joined:
    Jan 14, 2013
    But any data you have in a cloud environment that's backbone is running on an intel VM platform (very likely vsphere + intel) is theoretically exposed. Your google data, your apple data, dropbox, aws, azure, one drive etc.....
     
  28. Delicieuxz

    Delicieuxz Limp Gawd

    Messages:
    381
    Joined:
    May 11, 2016
    I think that Intel just made AMD's decade.
     
    primetime likes this.
  29. thesmokingman

    thesmokingman [H]ardness Supreme

    Messages:
    4,782
    Joined:
    Nov 22, 2008
    No bios update possible, its a hardware flaw and fundamental to the design of speculation execution. It's already been stated before from numerous sources that its not fixable in bios.

    Also, I'm sure Kraznich is pretty damn confident Intel will fix it with a bios patch right since he just dumped $24million of his stock lol?
     
    N4CR and jwcalla like this.
  30. jwcalla

    jwcalla 2[H]4U

    Messages:
    3,637
    Joined:
    Jan 19, 2011
    Intel Release #1: "We recommend replacing all your hardware with our newest, fixed CPUs when they become available. We would like to reward our loyal customer base with a $10 off coupon for their inconvenience."

    Intel Release #2: "We are increasing MSRPs for our CPUs by $20 across the board."
     
    JustReason, schlitzbull, c3k and 5 others like this.
  31. pcgeekesq

    pcgeekesq Gawd

    Messages:
    695
    Joined:
    Apr 23, 2012
    'Theoretically exposed"? Have you read what it takes to pull these attacks off, and what the result is? 2000 bytes/sec of random information leakage. Wow.

    For most people, the risk of being "exposed" by a malicious act of some disgruntled AWS/Google sysadmin, or even more likely by their own stupidity (e.g., publicly accessable AWS stores), is probably much higher.
     
    Armenius likes this.
  32. codeflux

    codeflux 2[H]4U

    Messages:
    2,531
    Joined:
    Mar 28, 2002
    Well, I guess that's one way to boost the CPU sales, am I right?

    1. Sneak in a vulnerability
    2. Wait for everyone to upgrade
    3. Disclose vulnerability
    4. PROFIT
     
    wootius likes this.
  33. jwcalla

    jwcalla 2[H]4U

    Messages:
    3,637
    Joined:
    Jan 19, 2011
    The first thing I thought of was that Intel intentionally put this "flaw" into their processors as a backdoor at the request of the NSA and just got caught. That's when I realized I had foil around my head.

    But seriously... could there be a more perfect, easily exploitable flaw than this?
     
    Nukester and primetime like this.
  34. bugleyman

    bugleyman Gawd

    Messages:
    945
    Joined:
    Oct 27, 2010
    For YOUR PC? Probably not that much impact, at least once your OS is patched.

    For the Internet in general, it will be quite expensive/painful. And if your data is compromised, it could be quite bad for you indeed.
     
  35. thesmokingman

    thesmokingman [H]ardness Supreme

    Messages:
    4,782
    Joined:
    Nov 22, 2008
    There are murmurings that this flaw is connected to many unexplained state level breaches/attacks.
     
    wootius likes this.
  36. pcgeekesq

    pcgeekesq Gawd

    Messages:
    695
    Joined:
    Apr 23, 2012
    You apparently aren't aware that a BIOS can (and often does) include code issued by the CPU manufacturer that patches the internally-stored microcode of the CPU itself. See https://www.intel.com/content/www/us/en/support/articles/000006993/processors.html. It's been used to correct hardware flaws in the past, and apparently will be used to fix this too.

    And Kraznich's stock sale was probably scheduled long ago. Speculation that it was a response to this bug is just fake news.
     
  37. thesmokingman

    thesmokingman [H]ardness Supreme

    Messages:
    4,782
    Joined:
    Nov 22, 2008
  38. pcgeekesq

    pcgeekesq Gawd

    Messages:
    695
    Joined:
    Apr 23, 2012
    Yes. Easily. Google "IME"
     
    N4CR and Armenius like this.
  39. auntjemima

    auntjemima 2[H]4U

    Messages:
    3,140
    Joined:
    Mar 1, 2014
    And you have none to back up yours, so keep spouting the same bullshit?
     
  40. pcgeekesq

    pcgeekesq Gawd

    Messages:
    695
    Joined:
    Apr 23, 2012
    You didn't bother to read the links I provided, did you?
    Sorry, though, I had to give up my red-cover architecture documents when I left Intel, so I can't provide the section on microcode patching to you as "proof."
    Nor will I violate the confidentially agreement I signed when I joined Intel by telling you any of the decade-old details I might remember.