Memory management bug in Intel CPUs threatens massive performance hits.

[glarsson]

Indications that Apple fixed this in MacOS 10.13.2 released in December 6, 2017.

https://twitter.com/aionescu/status/948609809540046849

As MacOS use PCID the performance hit is said to be less. No complaints about 10.13.2 anyway ...   

[wraper]

Intel's PR response:

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

This is rather interesting. I read that this only affects Intel chips, yet Intel is stating it affects AMD and Acorn chips as well.

Intel are some huge dicks. They wrote statement in a sleazy way as if it suggests AMD is affected as well but without actually saying so:

Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively.

That caused AMD stock dropping a few %, then AMD replied with:

To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time. We expect the security research to be published later today and will provide further updates at that time.

[andersm]

The details have now been released at https://spectreattack.com/. The Meltdown attack, which is more serious at least in the short term, affects only Intel CPUs, while the Spectre attacks probably affect every processor featuring speculative execution.

[bd139]

Thanks for the link. Facts have finally dropped!

Also: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

And oh fuck it is Intel, AMD and ARM. Looks like Intel weren't being dicks after all. Well they were because they shouldn't comment on other vendors.

edit: well one is Intel only.

[wraper]

Variant 1: Bounds check bypass
This section explains the common theory behind all three variants and the theory behind our PoC for variant 1 that, when running in userspace under a Debian distro kernel, can perform arbitrary reads in a 4GiB region of kernel memory in at least the following configurations:

Intel Haswell Xeon CPU, eBPF JIT is off (default state)
Intel Haswell Xeon CPU, eBPF JIT is on (non-default state)
AMD PRO CPU, eBPF JIT is on (non-default state)

Apparently the only AMD which tested to be affected are old models running Linux with non default config.

[bd139]

I'm not sure they actually cover every CPU stepping and architecture with the test cases. What would be nice is a red/green test book of what has and hasn't been tested.

Well looks like I'm in for a late night

[Koldman]

I don't quite understand the whole thing, but I feel like the kid that saved all his paper route money and bought a new bike only for it to fall apart.

[MT]

Soo are Intel huge dicks or not? 

[wraper]

Soo are Intel huge dicks or not?

Average 

[MT]

So Intel are average dicks!? Soooo what are AMD and ARM?

[wraper]

So Intel are average dicks!? Soooo what are AMD and ARM?

Not enough data yet.

[MT]

Ahhh! so in meantime we just go ape shouting "world end is near"!

[wraper]

https://www.amd.com/en/corporate/speculative-execution

Variant One   Bounds Check Bypass   Resolved by software / OS updates to be made available by system vendors and manufacturers. Negligible performance impact expected.
Variant Two   Branch Target Injection   Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.
Variant Three   Rogue Data Cache Load   Zero AMD vulnerability due to AMD architecture differences.

[wraper]

As I understand it from data currently available, AMD is only affected on Linux with non default configuration.

AMD PRO CPU, eBPF JIT is on (non-default state)

[andersm]

ARM have released a white paper, and a list of which of their cores are affected by which issues: https://developer.arm.com/support/security-update

[David Hess]

Looks like a fix might take a branch prediction rework.  If so, not trivial, and if a fix wasn't already in the works, something like this could take quite some time to fix.

The problem is speculative execution accessing protected memory.  The fix would be to fault the speculated instructions before they access memory instead of at retirement which is what AMD does by tagging the TLBs so the speculated memory accesses to protected memory do not occur.

[David Hess]

And this is what happens people when you layer abstractions so deep and so complicated that you require several volumes of books to just explain the ISA and to maintain backwards compatibility to what is fundamentally some crack smoke inspired architecture from the late 1970s.

The problem occurs because of how speculative execution works so it applies to RISC designs as well.  ARM is apparently vulnerable to it but AMD is not because they tag and invalidate their TLBs which prevents this very problem.

[andersm]

But AMD CPUs have this Cortex A5 management unit running inside, and since it's part of the security subsystem, I assume it has a higher security clearance. What if the hacker can inject some bad code pieces to the ARM firmware, then using it to attack the ARM, then using the ARM to attach the Zen cores?

The Cortex-A5 is an in-order core, so it is not vulnerable to anything involving speculative execution. Also, these attacks only allow for extracting data, they can't (directly) be used to modify anything.

[Mr.B]

Thank you to all the very knowledgeable low level CPU experts here.
This post is just to acknowledge the community experts and bookmark this thread so that I can follow it easily.
The gravity of this situation intrigues me….
The combination of the immense possible damage to Intel and the resulting fallout in the general computing arena, be it attacks or a resultant processing impact due to an OS level patch, cannot be underestimated IMHO.

[Jeroen3]

If they offered replacements it would destroy them entirely. Watch the corporate wriggling over the next few months.

Since when is bug present? I read apocalyptic headlines saying two decades, but that seems a bit long.

[Mr. Scram]

Since when is bug present? I read apocalyptic headlines saying two decades, but that seems a bit long.

I think I read Sandy Bridge and up, which seems to make some sense from an architectural point of view.

[bd139]

I think this could go a long way back as suggested. Speculative out of order execution goes back to Pentium Pro if I remember correctly. It would be nice to confirm it either way but the effort required is likely extensive.

You have to ask: how long have the security services known about this?

As an example of where this is heading it looks like we’ve already had patches for AWS deployed quietly. No word from some vendors yet on patch status. I suspect some are as surprised as we are.

[Mr. Scram]

I think this could go a long way back as suggested. Speculative out of order execution goes back to Pentium Pro if I remember correctly. It would be nice to confirm it either way but the effort required is likely extensive.

You have to ask: how long have the security services known about this?

As an example of where this is heading it looks like we’ve already had patches for AWS deployed quietly. No word from some vendors yet on patch status. I suspect some are as surprised as we are.

There's a huge load of very critical leaks surfacing lately. If you stack those together, you basically have free reign over almost every computer. Intel ME, the various macOS vulnerabilites where you can get root access without much trouble and a few more.

[bd139]

Yes indeed. It doesn’t look good for the IT business at all. I have, as someone deeply involved in the security side of things, considered cashing everything I have in and bailing. It’s too bloody stressful keeping the snowflakes covered in piss alive (google “programming sucks” for context of that comment).

There’s a bigger one on the cards as well. While this is confined to a single machine we’re actually running short on viable crypto tech at the moment. The cat and mouse game that is played against ciphers, key exchange and transport layer protocols is currently letting the cat doing some serious catching up...

[JoeN]

Is this even an issue for standalone PCs ?

The Spectre attack can be delivered as Javascript which means some site you go to could deliver it and search your memory for something interesting and phone home.  The attack is actually pretty slow though, I guess maybe it's not likely to find anything, but it can randomly poke around.  Fixing Javascript to disallow it should be easy, though.

https://spectreattack.com/spectre.pdf
https://meltdownattack.com/meltdown.pdf

"The unoptimized code in Appendix A reads approximately 10KB/second on an i7 Surface Pro 3."

The attack is right in this document in C, they don't give a Javascript example, I think for a good reason.

This is Meltdown reading memory from another process: