Vulnerability Note VU#584653 - CPU Hardware Attacks Solution

Ugh he made the claim it will be an easy fix jackass.
You said "No bios update possible," a massively ignorant statement that discredits you completely regarding these issues.

I, on the other hand, offered possible fixes, based on my many years working as a microprocessor architect for (wait for it) Intel, that anyone with a similar level of knowledge can evaluate for their likely correctness.

Then I turned to the Dark Side, and became an attorney.
I no longer work for or with Intel, have very little Intel or AMD stock, and have no Intel or AMD stock options.
 
You should be fine until the porn servers slow down to a crawl (since they were near maxed out)...but slow motion porn is still good right?

Can't be any worse than surfing porn on dialup back in the day :D
 
Speaking of AMD EPYC CPUs, the only vendor I can find... after an admittedly 30 minute search... was HPE.. and their build page.. SUCKS SUCH ASS. Not to mention you can only put in HP components.. Sorry but I want one HP and one Intel NIC, I want multiple FC controllers from a vendor OTHER THAN HP. Damnit.. why can't HPE be more like Dell?

Sorry.. just another pain point thanks to this debacle by Intel.
 
You apparently aren't aware that a BIOS can (and often does) include code issued by the CPU manufacturer that patches the internally-stored microcode of the CPU itself. See https://www.intel.com/content/www/us/en/support/articles/000006993/processors.html. It's been used to correct hardware flaws in the past, and apparently will be used to fix this too.

And Krzanich's stock sale was probably scheduled long ago. Speculation that it was a response to this bug is just fake news.

Reports indicate that it was scheduled in October, after the disclosure of the flaw to Intel: https://www.marketwatch.com/story/i...of-vulnerability-before-disclosure-2018-01-03

Reports also indicate that the flaw is in the architecture, not the physical makeup of the processor. A BIOS update could turn on, or off, access to problem transistors, but it can't change the way they communicate with each other: https://techcrunch.com/2018/01/03/k...s-affecting-nearly-every-computer-and-device/
 
Speaking of AMD EPYC CPUs, the only vendor I can find... after an admittedly 30 minute search... was HPE.. and their build page.. SUCKS SUCH ASS. Not to mention you can only put in HP components.. Sorry but I want one HP and one Intel NIC, I want multiple FC controllers from a vendor OTHER THAN HP. Damnit.. why can't HPE be more like Dell?

Sorry.. just another pain point thanks to this debacle by Intel.

This is [H]ardOCP, build your own!
 
"Theoretically exposed"? Have you read what it takes to pull these attacks off, and what the result is? 2000 bytes/sec of random information leakage. Wow.

For most people, the risk of being "exposed" by a malicious act of some disgruntled AWS/Google sysadmin, or even more likely by their own stupidity (e.g., publicly accessible AWS stores), is probably much higher.

It's not hard.

I can literally rent time on a cloud instance, and then dump the entire memory of all VMs running on the same hypervisor.
 
I can literally rent time on a cloud instance, and then dump the entire memory of all VMs running on the same hypervisor.
At 2000 bytes per second, without much control over which bytes you get. Yawn.
Act now, I won't be surprised if the cloud processing vendors implement a one-client-per-hypervisor temporary workaround.
 
 
Maybe if Intel asks nicely they could license out AMD's CPUs for their systems like they did with AMD's GPUs. Might need some sort of adapter to make them compatible, but I'm sure Intel's engineers could figure it out!
 
It indicates that AMD is "Affected" yet several posts say it is not. Does this relate to old AMD CPUs versus newer? Clarification is needed.

https://spectreattack.com/

https://meltdownattack.com

Which systems are affected by Meltdown?
Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.

Which systems are affected by Spectre?
Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.
 
This is [H]ardOCP, build your own!

Yea, are you going to tell your enterprise that? "Hey look I know we can't buy from HP easily... as getting a quote is hard. But really I can build some 2U rack servers for our mission critical DB servers. Will I have parts on call if something breaks.. I mean sure kinda if you want to buy them. 4 hour response no matter what.. I mean maybe.. Install base of thousands of customers proving reliability.. well no not really."

For my home system I will build my own all day... and for a small business sure. But for an enterprise? It doesn't make sense.
 
It sounds like they've been actively trying to fix this since they were told about it last June and had planned to have fixes ready to go for when they announced the vulnerability next week. Some pesky kids stuck their noses into the Linux source code and discovered the plot beforehand.
Ah, if only Intel worked that way.

More likely this issue got back-burnered by office politics ("It's a highly unlikely attack that just leaks a little random data. Resource my project instead.") for months. Then the PR shit-storm broke, and the pertinent CPU guys have been working 20-hour days ever since.
 
Yea, are you going to tell your enterprise that? "Hey look I know we can't buy from HP easily... as getting a quote is hard. But really I can build some 2U rack servers for our mission critical DB servers. Will I have parts on call if something breaks.. I mean sure kinda if you want to buy them. 4 hour response no matter what.. I mean maybe.. Install base of thousands of customers proving reliability.. well no not really."

For my home system I will build my own all day... and for a small business sure. But for an enterprise? It doesn't make sense.


No one builds servers for an enterprise in this day and age. Cloud is all. Cloud lets me have vacations. Hardware problems are Someone else's problems. Network issues are The Cloud's problems. I'll enjoy my margaritas at the beach and not give 2 shits if a system 'dies' when autoscaling creates another one and if a system needs more resources 3 clicks and I'm done.

Unless you have a team of hundreds, data centers are a ridiculous waste of resources for companies. Commodity VMs in the Cloud.****


****Not for everyone but for lots of companies. Fuck rebooting servers at 3AM on Saturday 100 miles away. Never again.
 
You apparently aren't aware that a BIOS can (and often does) include code issued by the CPU manufacturer that patches the internally-stored microcode of the CPU itself. See https://www.intel.com/content/www/us/en/support/articles/000006993/processors.html. It's been used to correct hardware flaws in the past, and apparently will be used to fix this too.

And Krzanich's stock sale was probably scheduled long ago. Speculation that it was a response to this bug is just fake news.

We just don't know either way. It could be an attack like Row Hammer in which it's a physics problem of the cache. You can't microcode fix that. It took a DDR change revision to make rows refresh in pairs to prevent it. We do know it's some type of cache poisoning.
 
You know I find it odd Coffee Lake was pushed out so quick.

When did Intel know about this? Did Intel know they could be sitting on defective wafers and rush the release along with AMD's challenge?
 
Google, ARM, Microsoft Issue Statements Regarding Discovered Security Flaws

quote:
ARM
This method requires malware running locally and could result in data being accessed from privileged memory. Our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted.

Google
The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system's memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.

These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them.

As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google's systems and our users' data. We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web. These efforts have included collaborative analysis and the development of novel mitigations.

We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation. The full Project Zero report is forthcoming.

Microsoft
We're aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.
 
Ah, if only Intel worked that way.

More likely this issue got back-burnered by office politics ("It's a highly unlikely attack that just leaks a little random data. Resource my project instead.") for months. Then the PR shit-storm broke, and the pertinent CPU guys have been working 20-hour days ever since.


Yeah, even after working in Corporate IT for 4 years, I still have a naively optimistic view of things.
 
Can we please have a video of the Andalusian "Intel engineer" with a hysterical laugh explaining this exploit already? Don't know his real name, might as well call him Juanrga:

 
Am I the only one that thinks that this might have been a deliberately placed bug? Or am I being conspiratorial here?
 
"You should only be running signed code anyways." - Microsoft and Intel
 
Not a great solution.

Well unless you sell desktop and server CPUs that aren't affected.
 
Next we are going to find out that this "bug" has been known for years and that it has been used for years by "hackers" to steal login credentials.
 
This begs the further question, replace my CPU with what? Unless the newest Intel or AMD CPUs don't have this issue how exactly can you avoid it?
With a stone hatchet. This is the ultimate "that's why we can't have nice things"
 
Speaking of AMD EPYC CPUs, the only vendor I can find... after an admittedly 30 minute search... was HPE.. and their build page.. SUCKS SUCH ASS. Not to mention you can only put in HP components.. Sorry but I want one HP and one Intel NIC, I want multiple FC controllers from a vendor OTHER THAN HP. Damnit.. why can't HPE be more like Dell?

Sorry.. just another pain point thanks to this debacle by Intel.

After a 30 sec search, you can buy EPYC CPUs on Newegg, and you have 3rd party mobos like Gigabyte MZ31
link : https://www.newegg.com/Product/ProductList.aspx?Submit=ENE&Depa=0&Order=BESTMATCH&Description=amd epyc cpu&IsRelated=1&cm_sp=KeywordRelated-_-amd_epyc-_-amd epyc cpu
 
At 2000 bytes per second, without much control over which bytes you get. Yawn.
Act now, I won't be surprised if the cloud processing vendors implement a one-client-per-hypervisor temporary workaround.

Totally not a fucking problem at all. You are right.

Btw, what is your experience in network exploitation?

 
Question: Does this affect my ability to view pornography or game? No? I'm good. I mean, terrible situation but, you know..I'm good.


umm.. until the patches are out and more information is available.... surfing pr0n may not be the safest thing to do on a pc currently..
 

Yes, so I will allow people to access my servers and watch for passwords.
Yes, it's bad, but there is no need to overreact. All these theoretical exploits require access to the target machine.
 
Yes, so I will allow people to access my servers and watch for passwords.
Yes, it's bad, but there is no need to overreact. All these theoretical exploits require access to the target machine.
like via javascript?
 
Yes, so I will allow people to access my servers and watch for passwords.
Yes, it's bad, but there is no need to overreact. All these theoretical exploits require access to the target machine.

Now that it's in the wild... 2-3 days tops before yes this will be exploited. Like any exploit... sure you have to get it on the system. Believe it or not that is really not even remotely close to the hard part. lol Yes this one is pretty major as it's hardwired into pretty much every system on the planet at the moment.

Sure this will get patched with software fixes. Will companies be happy losing up to 30% of their I/O performance? I'm going to bet that answer is no they won't be very happy about it. lol
 