Intel CPU Design Flaw


lazjen
03-01-2018, 11:42 AM
https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

This is pretty significant and could have a negative impact on a number of things we do, e.g. image processing.

If you're looking to build a new system right now, I would pause and/or strongly consider going AMD instead.

RickS
03-01-2018, 11:48 AM
I just saw that, Chris. I'm feeling very smug about the AMD Threadripper system I ordered a few days ago :D

lazjen
03-01-2018, 12:14 PM
Cool - spill the beans on the specs, Rick - what are you getting and am I right to assume this will be a PI processing beast? :)

RickS
03-01-2018, 12:26 PM
Yep, it's intended to provide scorching PI performance, Chris. CPU is a Threadripper 1950X 16-Core. 64GB DDR4 3600MHz RAM. 500GB NVMe SSD and 10TB HDD. Quadro P2000 graphics.

I have heard anecdotally that PI runs faster under Linux than Windows, so I'll do some comparative benchmarking and do my processing under Linux if it has a measurable advantage.

My current workstation has lasted me 7 years so I thought it was time for a significant upgrade!

Cheers,
Rick.

lazjen
03-01-2018, 12:43 PM
I have directly compared PI for Linux vs Windows on the same system - dual boot. And it's definitely better under Linux. I didn't have all variables locked down 100%, but I did notice the difference.

RickS
03-01-2018, 12:55 PM
Great, thanks Chris. I'd guess it is mostly down to file system performance. Raw multithreaded processing in user space should be much the same.

gary
03-01-2018, 02:54 PM
Hi Chris,

Thanks for the heads-up.

Not a good way for the world to begin 2018.

Sounds like it has the potential for being the biggest computer vulnerability of all-time.

Given perhaps 1.3 billion machines or more might be vulnerable worldwide and given not all will have their CPUs replaced or get a software patch, the potential for system breaches, information theft or serious cyber attacks is mind-boggling.

It is not a question of if it has been exploited, it is now a question of how many systems have been exploited already.

Camelopardalis
03-01-2018, 02:55 PM
Sounds like someone at Intel was a naughty boy...nothing quite like trading off security for performance :lol:

RickS
03-01-2018, 03:19 PM
At least it's not a remote exploit, Gary, but it could be very ugly. It will certainly be very disruptive.



Hard to tell until details are released (or leaked) but it's usually safer to assume incompetence rather than malice ;)

Not thinking through the security implications of speculative execution would be an easy mistake to make.

lazjen
03-01-2018, 04:19 PM
It's probably unlikely to get many exploits as fixes will come through, but it's the impact of the fixes that will be the bigger issue.

If we start seeing stuff performing significantly worse after the fix, there will be some screaming. I've been reading reports of some software that have had up to 63% performance loss due to the change. Obviously it depends on the software and what people do, but if it hits something common like web browsers, media players, etc. then stuff might hit the fan... :)

gary
03-01-2018, 05:49 PM
Every system call for a start.

Currently in Linux the kernel MMU page tables are mmap'ed so when you do the context switch, they are just there and it's all fast.

But the Linux patches are showing the TLBs are now having to be flushed on each system call or each interrupt.

So for a start, anything doing lots of I/O will suffer.



Happy New Year Rick. Hope all is well.

True. But from what I can see, if there is some other buffer overrun exploit in a web browser, you might use this flaw in combination with that as part of a side-channel attack through some JavaScript.
See https://www.youtube.com/watch?v=ewe3-mUku94

The NSA, the Russians, the Chinese and the North Koreans will be busy.

luka
03-01-2018, 06:02 PM
I would not be surprised if they knew about the flaw for years and have been exploiting it.

gary
03-01-2018, 06:25 PM
Absolutely.

lazjen
03-01-2018, 09:49 PM
This issue has been publicly known since sometime in 2016. Its implications weren't fully understood at the time. So, I also won't be surprised if it's been known for a lot longer than that.

luka
03-01-2018, 11:08 PM
By the way, ARM64 is also affected (not AMD64).

RickS
04-01-2018, 07:52 AM
Do you have a link?

RickS
04-01-2018, 08:02 AM
Found a recent arm64 patch that unmaps the kernel while running in user space: https://lwn.net/Articles/740393/

It is based on the paper here: https://gruss.cc/files/kaiser.pdf

It looks like this is a general response to the problem of kernel bugs, Rowhammer attacks, etc. and not a reaction to a specific vulnerability. But I could be wrong. The details of the x86 problem have been kept very much under wraps.

Update: here's a 2016 paper that appears to describe the vulnerability: https://gruss.cc/files/prefetch.pdf

lazjen
04-01-2018, 11:21 AM
More gory details: https://spectreattack.com/

I haven't gone through it all, a brief skim is enough to know it's bad...

gary
04-01-2018, 12:26 PM
Rick, Chris,

Thanks for the links to the papers and other references.

One certainly gets the impression that there is a scramble to implement Linux Kernel Page Table Isolation (was KAISER) and one can only assume kernel programmers at Microsoft and Apple have been hard at it as well.

Probably no Christmas holiday break for some.

The urgency gives some merit to the prospect that exploits are already in the wild today, not just on paper.

Specifically the vulnerability surrounding speculative execution to avoid pipeline stalls may have been knowingly actively exploited (i.e. implementations of Meltdown and Spectre) leading to the rush.

Let's face it. If the likes of the NSA had not done it years ago, they would have poured enormous resources into implementing exploits during the past year.

As one of the papers cited tests on smartphones as well as servers, that represents billions of devices.

The additional clock cycles that will be required for interrupt service routines is unfortunate. You really just want to get in and out of those handlers as fast as possible whilst doing the minimum you have to do.

Certainly the performance counters have unwittingly become tools for exploiting other hardware and software security mechanisms.

Camelopardalis
04-01-2018, 12:38 PM
That’s more charitable than my cynic’s view, Rick :D

I struggle to believe that, in some meeting back in the depths of time, that some engineer didn’t pipe up with why not ring fencing the lookahead tables, etc, was a bad idea. And I hate sentences with so many negatives. I’m giving Intel the benefit of the doubt that there are more smart people working there than stupid people.

Considering Intel’s history when it comes to competition just makes it sound all the more unlikely. OK, conspiracy mode off...

gary
05-01-2018, 11:30 AM
News of the bug has now reached the mainstream press with Forbes magazine reporting on it :-
https://www.forbes.com/sites/thomasbrewster/2018/01/03/intel-meltdown-spectre-vulnerabilities-leave-millions-open-to-cyber-attack/#930982c39328

Intel have released this statement :-
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

gary
05-01-2018, 11:45 AM
Some early Kernel-based Virtual Machine (KVM) benchmarking when
running the Linux 4.15 KPTI patches :-
https://www.phoronix.com/scan.php?page=article&item=linux-kpti-kvm&num=1

(Note this article is multiple pages. Page selection at bottom of article)

RickS
05-01-2018, 12:19 PM
For anybody who's interested in embedded devices ARM has released a list of their architectures that are vulnerable to these attacks:

https://developer.arm.com/support/security-update

gary
05-01-2018, 12:54 PM
Hi Rick,

That would imply that somewhere around 99% of all smartphones and tablets on the planet are affected for a start.

luka
05-01-2018, 12:55 PM
Just be aware that there are two issues at hand, Meltdown and Spectre.

Meltdown impacts only the Intel CPUs and ARM64 (Cortex-A75 only (https://www.extremetech.com/computing/261439-spectre-meltdown-new-critical-security-flaws-explored-explained)). It is more severe; for example, JavaScript in a browser could read kernel memory. This is the big one as it is a problem with the actual Intel architecture and can only be fixed in software with significant performance penalties or by a hardware change (moving to an AMD CPU).

Spectre on the other hand includes several possible attacks. It is not as severe as it is more difficult to exploit, but also more difficult to fix. It affects all CPUs. However, it is worth noting that the newer AMD CPUs (Ryzen and Epyc) employ a hardware neural network for branch prediction. This is much less predictable but, in theory, still possible to exploit.

Also note that Intel's propaganda machine is trying hard to confuse the issue and minimise the damage by mixing up the two exploits (Meltdown and Spectre) and trying to make it look like all CPUs are affected. In reality one type of exploit with less severity is general while the severe one is Intel specific.

RickS
05-01-2018, 02:05 PM
G'day Gary,

Yes, unfortunately... smartphones and tablets tend to use the newer ARM architectures. They also run a lot of third party software.

For more deeply embedded devices things may not be quite so bad. A lot of the processors used there have architectures that aren't affected and the software is more locked down. I have been checking all the parts we use at work...

Cheers,
Rick.

luka
05-01-2018, 06:01 PM
A glimmer of hope from Google regarding the Spectre problem (https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html) (variant 2). "Retpoline" effectively disables speculative execution by isolating branch target prediction. The patch works on the binary level and not at the OS level. Google claims that the performance loss is almost zero, close to the old mispredicted branch.

Of course this does not address Meltdown (variant 3) so KPTI is still needed for the Intel CPUs with possibly large performance hits.
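
Luka's two posts separate the variants (Meltdown/variant 3 fixed by KPTI, Spectre variant 2 by retpoline), and the practical question for an admin is which of those mitigations a given Linux box actually has in effect. Since kernel 4.15 Linux reports this per variant in /sys/devices/system/cpu/vulnerabilities/ (files such as meltdown, spectre_v1, spectre_v2), each containing a line that starts with "Not affected", "Mitigation: <name>" or "Vulnerable". The program below is an added example, not from the thread, Google or the kernel; the directory path and the three status prefixes are the kernel's real interface, while the enum, function names and the sample strings in the comments are my own. It summarises the directory and exits non-zero if anything is still reported as vulnerable, so it can be dropped into a fleet check.

```c
/* Added example (not from the thread): summarise the per-variant
 * mitigation status Linux exposes under sysfs and flag entries that are
 * still Vulnerable. Build: cc -o cpu_vulns cpu_vulns.c
 */
#include <stdio.h>
#include <string.h>
#include <dirent.h>

#define SYSFS_VULN_DIR "/sys/devices/system/cpu/vulnerabilities"

enum vuln_state { VULN_NOT_AFFECTED, VULN_MITIGATED, VULN_VULNERABLE, VULN_UNKNOWN };

/* Classify one status line. Kernel strings look like "Not affected",
 * "Mitigation: PTI" (meltdown), "Mitigation: Full generic retpoline"
 * (spectre_v2) or "Vulnerable" optionally followed by ": detail". */
enum vuln_state classify_status(const char *status) {
    if (strncmp(status, "Not affected", 12) == 0) return VULN_NOT_AFFECTED;
    if (strncmp(status, "Mitigation:", 11) == 0)  return VULN_MITIGATED;
    if (strncmp(status, "Vulnerable", 10) == 0)   return VULN_VULNERABLE;
    return VULN_UNKNOWN;
}

/* Read the first line of a small file into buf, newline stripped.
 * Returns 1 on success, 0 if the file could not be read. */
static int read_status_line(const char *path, char *buf, size_t len) {
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    if (ok) buf[strcspn(buf, "\n")] = '\0';
    return ok;
}

/* Walk the directory, print one line per variant, and return how many
 * entries are still Vulnerable. Returns -1 if the directory cannot be
 * opened (kernel older than 4.15, non-Linux host, or restricted sysfs). */
int count_vulnerable(const char *dir) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    int vulnerable = 0;
    struct dirent *e;
    char path[512], status[256];
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;          /* skip . and .. */
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (!read_status_line(path, status, sizeof status)) continue;
        enum vuln_state s = classify_status(status);
        if (s == VULN_VULNERABLE) vulnerable++;
        printf("%-28s %-13s %s\n", e->d_name,
               s == VULN_NOT_AFFECTED ? "not affected" :
               s == VULN_MITIGATED    ? "mitigated"    :
               s == VULN_VULNERABLE   ? "VULNERABLE"   : "unknown",
               status);
    }
    closedir(d);
    return vulnerable;
}

int main(void) {
    int n = count_vulnerable(SYSFS_VULN_DIR);
    if (n < 0) {
        fprintf(stderr, "%s not available on this host\n", SYSFS_VULN_DIR);
        return 2;
    }
    printf("%d entr%s still reported as Vulnerable\n", n, n == 1 ? "y" : "ies");
    return n > 0 ? 1 : 0;
}
```

The classifier only looks at the prefix on purpose: the kernel appends free-form detail after "Mitigation:" and "Vulnerable:" that changes between releases, so matching the whole string would break the check on the next kernel update.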

fsr
06-01-2018, 05:52 AM
It seems like Intel's protected mode wasn't so protected after all...

RickS
06-01-2018, 01:46 PM
https://imgs.xkcd.com/comics/meltdown_and_spectre.png

gary
06-01-2018, 03:31 PM
Apple released a statement today with regards their mitigation plans for all Mac OS, iOS and tvOS devices :-
https://support.apple.com/en-us/HT208394

AndrewJ
06-01-2018, 04:09 PM
Pity this didn't come out a few months ago.
Apple could have blamed the "designed slowdown" of old machines on this instead of trying to cover up crud batteries :-)
Andrew ( am I being too cynical ? )

multiweb
06-01-2018, 04:18 PM
:lol: :thumbsup:

RickS
06-01-2018, 04:38 PM
Good to know my watch is ok :)

rustigsmed
07-01-2018, 06:43 PM
Some benchmarking

https://www.youtube.com/watch?v=JbhKUjPRk5Q

Write speeds have taken a hit.

gary
22-01-2018, 12:55 PM
Peter Bright, Technology Editor at Ars, writes in a 16 Jan 2018 article on how Spectre and Meltdown patches are causing some drivers to have issues and that Intel's CPU microcode update caused crashes on some systems.

Intel then issued a warning not to install it on systems with Haswell and Broadwell processors.

Some older anti-virus software is also getting in the way of OS patches.

Story here :-
https://arstechnica.com/gadgets/2018/01/spectre-and-meltdown-patches-causing-trouble-as-realistic-attacks-get-closer/