Author Topic: ZombieLoad Variant 2, yet another Intel-only side-channel dataleak vulnerability  (Read 2317 times)

0 Members and 1 Guest are viewing this topic.

Offline I wanted a rude usernameTopic starter

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: au
  • ... but this username is also acceptable.
Quote
With November 14th, 2019, we present a new variant of ZombieLoad that enables the attack on CPUs that include hardware mitigations against MDS in silicon. With Variant 2 (TAA), data can still be leaked on microarchitectures like Cascade Lake where other MDS attacks like RIDL or Fallout are not possible. Furthermore, we show that the software-based mitigations in combinations with microcode updates presented as countermeasures against MDS attacks are not sufficient.

We disclosed Variant 2 to Intel on April 23th, 2019, and communicated that the attacks work on Cascade Lake CPUs on May 10th, 2019. On May 12th, 2019, the variant has been put under embargo and, thus, has not been published with the previous version of our ZombieLoad attack on May 14th, 2019.
(emphasis added)

Official page
ZDNet article
 

Offline Black Phoenix

  • Super Contributor
  • ***
  • Posts: 1129
  • Country: hk
The speculative execution process that Intel uses leaks like a sieve, that's for sure already know. What I still don't know is why Intel still doesn't block the process in any CPU currently in the market and releases a new method on the new products without know vulnerabilities for a while. Yes we are going to see drops in performance in some cases more the 40%, but it's better than having a house without a door. The AMD way of doing the same is not affected (for now). Better to take all the backlash and simply close the vulnerability for ever, and prevent future variants, that simply update the microcode, get a performance hit and then another vulnerability is discovered, update the microcode again, another hit in performance.

Intel, how about physical cores without HT, or small slow cores for some tasks not intensive and faster large cores for task intensive calculations. Intel CPU with ARM cores?
« Last Edit: November 14, 2019, 05:08:52 am by Black Phoenix »
 

Offline I wanted a rude usernameTopic starter

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: au
  • ... but this username is also acceptable.
Possibly one or more of:
  • The design decisions that make their implementation both fast and vulnerable are so deep that it will take them years to switch to an alternative design
  • They have an alternative, but it's slower
  • They didn't take the problem seriously at first, and delayed committing to a rearchitecture
  • The complexity was already too great for them (see their delays in getting to 10 nm) and they can no longer manage it
  • They think the market will keep buying Intel regardless
 

Offline Black Phoenix

  • Super Contributor
  • ***
  • Posts: 1129
  • Country: hk
Possibly one or more of:
  • The design decisions that make their implementation both fast and vulnerable are so deep that it will take them years to switch to an alternative design
  • They have an alternative, but it's slower
  • They didn't take the problem seriously at first, and delayed committing to a rearchitecture
  • The complexity was already too great for them (see their delays in getting to 10 nm) and they can no longer manage it
  • They think the market will keep buying Intel regardless

I think is all at the same time...
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
The speculative execution process that Intel uses leaks like a sieve, that's for sure already know. What I still don't know is why Intel still doesn't block the process in any CPU currently in the market and releases a new method on the new products without know vulnerabilities for a while. Yes we are going to see drops in performance in some cases more the 40%, but it's better than having a house without a door. The AMD way of doing the same is not affected (for now). Better to take all the backlash and simply close the vulnerability for ever, and prevent future variants, that simply update the microcode, get a performance hit and then another vulnerability is discovered, update the microcode again, another hit in performance.

Intel, how about physical cores without HT, or small slow cores for some tasks not intensive and faster large cores for task intensive calculations. Intel CPU with ARM cores?
They'd probably open themselves up to huge liabilities. It's better to go on and pretend their world isn't burning.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7695
  • Country: de
  • A qualified hobbyist ;)
Executive summary:
- Intel doesn't care about security
- buy CPUs from AMD
 

Offline Black Phoenix

  • Super Contributor
  • ***
  • Posts: 1129
  • Country: hk
They'd probably open themselves up to huge liabilities. It's better to go on and pretend their world isn't burning.

Heck, they world is not burning, is a hell currently:

 - Problems in the 10nm process that being delaying the new node, leaving them to reveal 14nm+++++++++++++++++ processor for the last 3 years (I think, maybe more);
 - The AMD attack on the Desktop CPU market with the Ryzen, the HEDT attack by Threadripper and the Server market (the last bastion) by Epyc;
 - This vulnerabilities that keep being discovered, mining even more what they been doing to change the current wind;
 - The change of the CEO, after an internal probe found that he had engaged in a consensual relationship with a subordinate, something that violated Intel's anti-fraternization policy;
 - The problems with the 5G modems and Apple contract, making Apple to settle with Qualcomm via count (https://www.anandtech.com/show/14676/apple-to-buy-bulk-of-intels-smartphone-modem-business), and Apple later buying the Intel modem division (https://www.anandtech.com/show/14676/apple-to-buy-bulk-of-intels-smartphone-modem-business)

A lot of things burning yes...



Currently the only market where they still have the big names are the laptop one, but with the rumours of ARM also joining that battle, and AMD also going to release new processors for that market well...

Fun fact - The above image is always printed in A3 and hang behind my work place. Been doing this in the last 6 years, since it first appeared in 2013 on a webtoon. It encapsulate this problem and the lack of action perfectly!
« Last Edit: November 14, 2019, 04:29:24 pm by Black Phoenix »
 
The following users thanked this post: I wanted a rude username


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf