Meltdown & Spectre


Xann

Quote

 

Critical flaws revealed to affect most Intel chips since 1995

Most Intel processors and some ARM chips are confirmed to be vulnerable, putting billions of devices at risk of attacks. One of the security researchers said the bugs are "going to haunt us for years."

Just hours after proof-of-concept code was tweeted, security researchers have revealed the long-awaited details of two vulnerabilities in Intel processors dating back more than two decades.

Two critical vulnerabilities found in Intel chips can let an attacker steal data from the memory of running apps, such as data from password managers, browsers, emails, and photos and documents.

The researchers who discovered the vulnerabilities, dubbed "Meltdown" and "Spectre," said that "almost every system," since 1995, including computers and phones, is affected by the bug. The researchers verified their findings on Intel chips dating back to 2011, and released their own proof-of-concept code to allow users to test their machines.

"An attacker might be able to steal any data on the system," said Daniel Gruss, a security researcher who discovered the Meltdown bug, in an email to ZDNet.

"Meltdown is not only limited to reading kernel memory but it is capable of reading the entire physical memory of the target machine," according to the paper accompanying the research.

The vulnerability affects operating systems and devices running on Intel processors developed in the past decade, including Windows, Macs, and Linux systems.

 

ZDNet

Magic :rolleyes:

Motorola should have stuck at it.


Meltdown is the important, publicly verified, huge hole that affects Intel only. It has been demonstrated that one can access another user's processes in a server setting. I wonder how long our favourite 3 letter agencies have known about Meltdown.

Spectre is a lot more speculative right now, but has longer term implications for all current processor architectures. The details of these hacks are pretty cool in a nerdy way.

 


And the patches in the operating systems will affect performance a great deal in the Meltdown case. From 5% up to 30% at some specific workloads. Lovely :mellow:


Most consumer applications on Windows aren't being hit too badly. Seems to be IOPS that are hit hardest. My DBA and VM admins are not looking forward to the fallout though.

Edited by Davkaus

2 hours ago, Tegis said:

And the patches in the operating systems will affect performance a great deal in the Meltdown case. From 5% up to 30% at some specific workloads. Lovely :mellow:

I wonder if an overclock mitigates that somewhat. 

I mean let's say the patch decreases CPU performance by 5% so if I go by stock performance I am down 5%, but if I have a 20% overclock from 4.2GHz to 4.8GHz then I am still up 15%.

I'm just trying to wrap my head around how such a decrease will affect real world usage. 

I understand that the vast majority affected are CPUs doing very very specific tasks, but I'm still very curious if there are things users can do to mitigate the effects of such a performance decrease.


1 hour ago, Davkaus said:

Most consumer applications on Windows aren't being hit too badly. Seems to be IOPS that are hit hardest. My DBA and VM admins are not looking forward to the fallout though.

How do we know? There aren't any patches for Windows available yet.


26 minutes ago, Daweii said:

I wonder if an overclock mitigates that somewhat. 

I mean let's say the patch decreases CPU performance by 5% so if I go by stock performance I am down 5%, but if I have a 20% overclock from 4.2GHz to 4.8GHz then I am still up 15%.

Are you paying for the extra electricity in my farm? :mrgreen: 


12 minutes ago, limpid said:

How do we know? There aren't any patches for Windows available yet.

KB4056892?

There are more patches to come, but that's their initial pass at patching the exploit.

Edited by Davkaus

2 minutes ago, Davkaus said:

KB4056892?

There are more patches to come, but that's their initial pass at patching the exploit.

Sorry, I must have been misinformed. I thought MS had announced there would be no patches until Tuesday.

The patch you mention is documented here and doesn't mention anything which describes a fix for broken CPUs or Ring 3 to Ring 0 escalations. Their catalogue says this patch is only available for Win10 and WS2016 (typical). I'm quite happy to believe that Microsoft are crap at communicating though.


I was only aware of it because we got warned with 20 minutes' notice that all of our Azure VMs would be shut down due to the patch (not from our interval guys, MS pushed the patch and started rolling reboots, good thing our contingency works!).

I think the only indication that it's their first pass at a Meltdown fix is a comment from their PR guy, and a notification that briefly popped up in the Azure portal. Pretty piss poor, tbh.


1 hour ago, Davkaus said:

I was only aware of it because we got warned with 20 minutes' notice that all of our Azure VMs would be shut down due to the patch (not from our interval guys, MS pushed the patch and started rolling reboots, good thing our contingency works!).

I think the only indication that it's their first pass at a Meltdown fix is a comment from their PR guy, and a notification that briefly popped up in the Azure portal. Pretty piss poor, tbh.

Is Azure / HyperV a Linux-based hypervisor? The Linux kernel patches have been in testing for a little while (apparently).

We also now can surmise the reason for the "go slow" on Macs after their last update.


Quote

 

The Problem with Processor Vulnerabilities

Last week the technology world was shaken by the disclosure of two vulnerabilities in modern processors: Meltdown and Spectre. The announcement was a bit haphazard, thanks to the fact that the disclosure date was moved up by a week due to widespread speculation about the nature of the vulnerability (probably driven by updates to the Linux kernel), but also because Meltdown and Spectre are similar in some respects, but different in others...

 

Stratechery

A bit more on how they work and why they're such a problem.


  • 2 months later...

 

Quote

 

When the blockbuster twin security exploits known as Meltdown and Spectre appeared in early 2018, Mozilla was among the first to respond, retroactively changing several behaviors of Firefox to help prevent them.

Both attacks rely on using high-speed timing measurements to detect sensitive information, so somewhat counterintuitively, the patches had to decrease the speed of seemingly mundane computations. The first change was to slow down the performance API for web browsers, which had previously been able to analyze the behavior of a page at speeds fast enough to be used in an attack; the second change removed SharedArrayBuffer, a new kind of data structure atop which similar timers could be trivially rebuilt. Similar changes were also soon implemented by Microsoft for Internet Explorer and Edge browsers and also by WebKit, a tool for viewing the web that is used to build Safari, Mobile Safari, Android Browser, and the dedicated browsers embedded on many other devices. As of this writing, SharedArrayBuffer is now disabled in all major browsers.

The speed and power of our computers until now has always been a lie, built atop a foundation that must now be undone.

Backpedaling on established features of the internet was necessary, but also strange and unexpected. The web is, among other things, a decentralized specification: It is an agreement about how to build things, and then also how to run the things that have been built. In order for a new feature to meaningfully exist on the web, developers and browsers and standards bodies must all first come to an understanding about how it will work. Once you add something to that agreement, you can't remove it, because you have no idea what problems might arise, or even in which far-flung corners they may appear.

In contrast, technology systems and programming languages that operate in narrower contexts—on a specific server, for example, or inside a specific app—can successfully withstand more dramatic changes to their behaviors. Any upgrade-related malfunctions are localized, and accordingly easy to fix. There are no such promises with a distributed web, though, so its technologies have always evolved in ways that maintain backwards compatibility. This is why old web pages pretty much always continue to work in newer browsers.

Spectre forced browsers to finally break the compatibility covenant of the web. It's entirely likely that no meaningful projects relying on those features even exist, and even if they do, there may still be simple, safer workarounds. Nonetheless, such a prominent episode in which the internet broke its own code retroactively comes with a cost, at least ideologically. The web can't quite be trusted as an infallible platform to the extent it had been...

 

Wired
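
The timer-precision change described in the quoted Wired piece, as an added illustration that is not part of the thread and is not any browser's code: a simulated clock is clamped to a given resolution, and two constructed operation durations are timed against it to see how often a single measurement still tells them apart. The durations, resolutions and all function names are assumptions chosen for the demo.

```javascript
// Added illustration (not browser code). All durations and resolutions are
// constructed values in microseconds, chosen only for this demo.

// Small seeded PRNG (mulberry32 style) so the simulation is reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Elapsed time as a clamped clock reports it: the number of whole ticks of
// size `resolutionUs` crossed between start and start + duration.
function measuredTicks(startUs, durationUs, resolutionUs) {
  return Math.floor((startUs + durationUs) / resolutionUs) -
         Math.floor(startUs / resolutionUs);
}

// Fraction of single paired measurements in which the slower operation
// actually reads as slower than the faster one on the clamped clock.
function distinguishableFraction(resolutionUs, fastUs, slowUs, trials, seed) {
  const rand = mulberry32(seed);
  let hits = 0;
  for (let i = 0; i < trials; i++) {
    // Each operation starts at an arbitrary point in time (random phase).
    const fast = measuredTicks(rand() * 1e6, fastUs, resolutionUs);
    const slow = measuredTicks(rand() * 1e6, slowUs, resolutionUs);
    if (slow > fast) hits++;
  }
  return hits / trials;
}

// Constructed scenario: two operations taking 0.1 us and 0.3 us.
function compareClocks() {
  const args = [0.1, 0.3, 10000, 1];
  return {
    fine: distinguishableFraction(0.001, ...args),      // 1 ns ticks
    coarse: distinguishableFraction(20, ...args),       // 20 us ticks
    veryCoarse: distinguishableFraction(2000, ...args), // 2 ms ticks
  };
}

console.log(compareClocks());
```
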
