Memory management bug in Intel CPUs threatens massive performance hits.

[tszaboo]

https://www.techpowerup.com/240273/intel-aware-of-cpu-flaws-before-ceo-brian-krzanich-planned-usd-24m-stock-sale

Intel CEO Brian Krzanich sold the maximum amount of shares in the company he could, keeping only the mandatory 250,000 minimum shares that come with his position at Intel. In total, Brian Krzanich's sold shares totaled 245,743 shares of stock he owned outright, and 644,135 shares he got from exercising his options. So, the man sold around 80% of his Intel shares while the company (and he himself, surely) knew the flaw would become public knowledge soon enough

Sounds like insider trading to me.

[David Hess]

But AMD CPUs have this Cortex A5 management unit running inside, and since it's part of the security subsystem, I assume it has a higher security clearance. What if the hacker can inject some bad code pieces to the ARM firmware, then using it to attack the ARM, then using the ARM to attach the Zen cores?

This would be a big deal but has nothing to do with the exploits being discussed.

[dr.diesel]

Spectre Attack Example:

https://github.com/Eugnis/spectre-attack

[Jeroen3]

It works... Intel i7-4710MQ 

[Mr. Scram]

One thing I've learned about computers, is that it does not matter if the crypto is good, if the implementation is bad. And so, then things get really complicated, and a single wrong character in some piece of code somewhere, can lead to what is called a 'catastrophic failure' with regard to having some expected security.

An important aspect of computer security is probably how allowing physical access to an adversary makes having security more like an impossibility, as the risk of anyone tampering with physical hardware at some location is more like a feature, than a threat model.

Again, like in normal life if they want you, they have you. Obviously, there are many parties out there that collect vast amounts of zero days to use against anyone they please. However, the reality is most of us aren't important enough for zero days. Those are expensive and relatively rare and reserved for state level chess, or as the basis for a large criminal attack. There's bound to be some application or even libraries on your computer you haven't updated and that might be enough. If you somehow dodged that bullet in the most unlikely fashion, there's still social engineering. There are attacks that can catch even very careful people out and if they don't, the customer service of all the services you use aren't so well behaved. You can do everything right and still suffer from someone else's mistakes. There are a couple of well known cases where this happened.

The uncomfortable truth is that when your time has come, you're done. Of course, this applies to regular life too and people prefer to deny that too.

[Mr. Scram]

You can use NoScript and leave Javascript turned on for certain sites.  I don't think Youtube is going to send you anything malicious.

They won't risk the fallout from doing so in this case, but I don't put it beyond them to not only index your behaviour when you use their software, but your behaviour elsewhere as well. Like a Facebook button, except it's not just your browsing behaviour, but everything you do on your computer. I realize this could be considered tin foil hatty, but it's been shown again and again that companies will overstep boundaries until the law tells them they can't, and even try to get away with as much as they can.

[bd139]

Indeed. It’s the “better to ask for forgiveness than permission” argument. Doesn’t wash when EU GDPR kicks in. Seriously large damaging fines for pulling that shit.

[Mr. Scram]

Indeed. It’s the “better to ask for forgiveness than permission” argument. Doesn’t wash when EU GDPR kicks in. Seriously large damaging fines for pulling that shit.

The GDPR seems a bit overreaching in some areas, but considering the things that have been going on that might just be what's needed. I just hope it isn't used to slap regular IT companies around, while the big parties dance between the raindrops with impunity.

[bd139]

It's about shafting the big guys and the finance sector. We're having to move a lot of mountains to make it work.

Looking at 17% loss on everything now with the patches: https://lkml.org/lkml/2018/1/3/281

[justanothercanuck]

I hope the hell POWER wins some fans out of this.

Not sure if anyone caught this, still reading through the other 4 pages...

https://access.redhat.com/security/vulnerabilities/speculativeexecution

PPC is out too.  I wouldn't be surprised if newer SPARC was also out since they also do branch prediction and/or out-of-order execution, but c'mon...  who owns modern Oracle hardware? 

[bd139]

Ah bugger. I had some hopes for POWER.

This dude is still OK! 

[GeorgeOfTheJungle]

Looking at 17% loss on everything now with the patches: https://lkml.org/lkml/2018/1/3/281

Yep. "The impact of this will vary depending on the workload. Every time a program makes a call into the kernel—to read from disk, to send data to the network, to open a file, and so on—that call will be a little more expensive, since it will force the TLB to be flushed and the real kernel page table to be loaded. Programs that don't use the kernel much might see a hit of perhaps 2-3 percent—there's still some overhead because the kernel always has to run occasionally, to handle things like multitasking.

But workloads that call into the kernel a ton will see much greater performance drop off. In a benchmark, a program that does virtually nothing other than call into the kernel saw its performance drop by about 50 percent; in other words, each call into the kernel took twice as long with the patch than it did without. Benchmarks that use Linux's loopback networking also see a big hit, such as 17 percent in this Postgres benchmark. Real database workloads using real networking should see lower impact, because with real networks, the overhead of calling into the kernel tends to be dominated by the overhead of using the actual network"

I wonder if the i5/i7 in a MacBookPro6,1 (running Snow Leopard) is affected by this? Or this only happens on newer cpus?

[bd139]

Snow leopard isn't patched. Only Sierra and High Sierra are.

I just moved two postgres and two nginx nodes over to new kernels. Here we go

[Mr. Scram]

Yep. "The impact of this will vary depending on the workload. Every time a program makes a call into the kernel—to read from disk, to send data to the network, to open a file, and so on—that call will be a little more expensive, since it will force the TLB to be flushed and the real kernel page table to be loaded. Programs that don't use the kernel much might see a hit of perhaps 2-3 percent—there's still some overhead because the kernel always has to run occasionally, to handle things like multitasking.

But workloads that call into the kernel a ton will see much greater performance drop off. In a benchmark, a program that does virtually nothing other than call into the kernel saw its performance drop by about 50 percent; in other words, each call into the kernel took twice as long with the patch than it did without. Benchmarks that use Linux's loopback networking also see a big hit, such as 17 percent in this Postgres benchmark. Real database workloads using real networking should see lower impact, because with real networks, the overhead of calling into the kernel tends to be dominated by the overhead of using the actual network"

I wonder if the i5/i7 in a MacBookPro6,1 (running Snow Leopard) is affected by this? Or this only happens on newer cpus?

Any except the most ancient Intel CPU is affected by this. Whatever the case, unless you have a reason to think you're not affected it's likely you are.

[GeorgeOfTheJungle]

I wonder if the i5/i7 in a MacBookPro6,1 (running Snow Leopard) is affected by this? Or this only happens on newer cpus?

Any except the most ancient Intel CPU is affected by this. Whatever the case, unless you have a reason to think you're not affected it's likely you are.

Snow leopard isn't patched. Only Sierra and High Sierra are.

Ufff, In practice, then, ~ all the PCs in the world are vulnerable? And I'm going to have to abandon my beloved Snow Leopard? Shit.

[nfmax]

Snow leopard isn't patched. Only Sierra and High Sierra are.

Is Sierra patched already? I haven't seen that stated anywhere else yet. I just moved my 'testbed' MBP to 10.13.2 so I can use email/web and shut down my main iMac until the dust settles a bit. But the older Macs that won't run Sierra? Are they just scrap now? I have two PPC macs which run my music library and drive the scanner that HP couldn't be bothered to support on Lion (!). Ill probably have to set up a seperate airgapped cabled network for them now. To say nothing of my father's MBP which is too old for Sierra.

You would have to be mad to buy a computer or phone of any type now or for the next two or three years, without extreme need - although I gather Raspberry Pis of all versions are not affected.

[Kalvin]

Does this also affect virtualized OSs, like a Linux running in Virtualbox, ie. can the Linux running inside the Virtualbox running on Windows 10 host compromise the Windows 10 host? 

[nfmax]

Does this also affect virtualized OSs, like a Linux running in Virtualbox, ie. can the Linux running inside the Virtualbox running on Windows 10 host compromise the Windows 10 host?

Yes

Basically the hardware protection between privilege levels has been demonstrated not to work.

[wraper]

Does this also affect virtualized OSs, like a Linux running in Virtualbox, ie. can the Linux running inside the Virtualbox running on Windows 10 host compromise the Windows 10 host?

Yep it does.
On a side note, AMD introduced RAM encryption in EPYC which basically makes it immune to this.

[rrinker]

Does this also affect virtualized OSs, like a Linux running in Virtualbox, ie. can the Linux running inside the Virtualbox running on Windows 10 host compromise the Windows 10 host?

 That is the BIGGEST danger of this and why Microsoft rushed out patching their host systems for their Azure cloud environment ahead of their original planned date.
 Mostly without incident but we've had a few customers with issues where things didn't come up cleanly after the host was restarted under their VM.

[bd139]

Yep it does.
On a side note, AMD introduced RAM encryption in EPYC which basically makes it immune to this.

Until someone works out how to read the keys with it

[Mr. Scram]

Does this also affect virtualized OSs, like a Linux running in Virtualbox, ie. can the Linux running inside the Virtualbox running on Windows 10 host compromise the Windows 10 host?

Yep it does.
On a side note, AMD introduced RAM encryption in EPYC which basically makes it immune to this.

If that works properly and sufficiently it might just net them a huge piece of the pie.

[BravoV]

If that works properly and sufficiently it might just net them a huge piece of the pie.

Yep, have a friend that works in big corporation at high level, just told me that regarding their company's major servers refresh program that is due this year, the upper management had decided to rule out Intel based servers as they're going to issue a major purchase order for this Q1.

I can imagine similar scenes are also happening and will happen at least for Q1 and Q2 this year throughout the world big companies.

Looks like 2018 is a good year for AMD's CEO Lisa Su at least.

[dr.diesel]

I plan to do the same, AMD is now competitive enough to suit my/customers needs, but also, Intel needs more competition.

[cdev]

This is really about two huge security problems.  Fixing them will impact performance on affected HW.

https://spectreattack.com/

>>  https://meltdownattack.com/meltdown.pdf    (Intel specific)

>> https://spectreattack.com/spectre.pdf    (Likely impacts other HW platforms  as well)

Also, several other quite similar other exploits have been discovered recently.

It seems to me that there is likely much more to this and related stories. Time will tell.