Linked by Thom Holwerda on Wed 3rd Jan 2018 20:36 UTC
Intel

Update: Google's Project Zero disclosed details about the vulnerability a week ahead of schedule due to growing concerns, and they indeed confirm AMD and ARM processors are also affected:

The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.

These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them.

Intel just published a PR statement about the processor flaw, and in it, it basically throws AMD and ARM under the bus. According to Intel, reports that only its own processors are affected are inaccurate, name-dropping AMD and ARM specifically just to make it very clear who we're talking about here. From the statement:

Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices - with many different vendors' processors and operating systems - are susceptible to these exploits.

Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

More to surely come.

WTF Intel?
by birdie on Wed 3rd Jan 2018 21:11 UTC
birdie Member since:
2014-07-15

If we take AMD's response into consideration (that their CPUs are not affected) then Intel should expect a slander civil lawsuit. Someone in Intel's PR department should be taught not to throw baseless accusations at your competitors.

Yes, ARM64 is also affected but the extent of the problem is not known yet.

Reply Score: 8

RE: WTF Intel?
by Vanders on Wed 3rd Jan 2018 21:37 in reply to "WTF Intel?"
Vanders Member since:
2005-07-06

The statement had the intended effect: Intel's share price rallied a little (after dropping this morning) and AMD's dropped (after climbing all day).

Now all Intel have to hope is that the statement is entirely factual and that the bug isn't as bad as everyone now seems to think, because otherwise that could be a misleading statement...

Reply Parent Score: 8

RE: WTF Intel?
by Delgarde on Wed 3rd Jan 2018 22:05 in reply to "WTF Intel?"
Delgarde Member since:
2008-08-19

Actually, they state that processors from many other vendors are susceptible, but they've not actually named any of them in the context of that statement – AMD and ARM are specifically mentioned only in the second paragraph, talking about other companies Intel are working with to resolve the issue.

So quite a neatly worded statement, really. They carefully avoid making any claims about AMD and ARM vulnerability, but by mentioning them in the statement, they encourage people to make the association themselves.

Reply Parent Score: 19

RE[2]: WTF Intel?
by flanque on Thu 4th Jan 2018 05:44 in reply to "RE: WTF Intel?"
flanque Member since:
2005-12-15

Yes, this was quite clever and obvious, though on the other hand, I thought I missed something with Thom's under the bus comment. I guess not.

Reply Parent Score: 2

RE[2]: WTF Intel?
by galvanash on Thu 4th Jan 2018 16:26 in reply to "RE: WTF Intel?"
galvanash Member since:
2006-01-25

I would also stress to people reading this - it isn't an issue of Intel vs AMD or x86 vs ARM or anything like that...

Yes, Intel processors exhibit a rather aggressive form of speculation that AMD processors do not in a very specific usage scenario that makes them more susceptible to a very specific form of this attack. This particular behavior is not the root cause of the problem though - the root cause is simply a result of how all modern processors work.

In hindsight, and probably due more to luck than intent, AMD ended up with a slightly more resilient implementation of a very very specific thing. Problem is deep down all processors end up doing what is really causing the problem - they execute code speculatively and they currently can't hide all of the effects of this. The flaw in Intel's design is not the only way to crack this egg, there are many and more will surface over time...

Everyone is going to have to go back to the drawing board so to speak and work this out... It is a very big problem and it affects the entire industry, not any particular vendor. I think it can be fixed in the long term, and future CPUs will address it on a fundamental level and correct it, but for the time being it's all going to be duct tape and bubble gum for everyone...

Hiding kernel page tables just addresses one specific (and very dangerous) form of attack, it doesn't actually fix anything long term...

Reply Parent Score: 3
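The bounds-check-bypass pattern galvanash is describing, as an added example (editor's code, not anything posted in this thread or shipped by Intel, AMD or ARM): the vulnerable gadget beside a hardened version that masks the index without a branch, in the style of the array_index_nospec() helper the Linux kernel adopted. The array contents and sizes are constructed; the code only shows the architectural behaviour, the speculative cache footprint it talks about is not observable from C and needs a timing probe to recover.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
#define STRIDE      512          /* one cache line per possible byte value */

/* constructed data: array1 is the victim's in-bounds table, array2 the
 * "oracle" array whose cache state a Flush+Reload probe would inspect */
static const uint8_t array1[ARRAY1_SIZE] = {
     1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t array2[256 * STRIDE];

/* Vulnerable form. Architecturally correct: an out-of-range x returns 0.
 * Under speculation a predictor trained on in-range x can run the body with
 * x out of range; array1[x] then reads whatever byte sits at that address and
 * array2[byte * STRIDE] pulls one line into the cache that a later timing
 * probe can identify, even though the result itself is discarded. */
uint8_t victim_vulnerable(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * STRIDE];
    return 0;
}

/* Branch-free mask: all ones when index < size, all zeros otherwise.
 * (index | (size - 1 - index)) has its top bit set exactly when one of the
 * two operands wrapped "negative", i.e. when index >= size; inverting that
 * and arithmetic-shifting the top bit down fills the whole word with it.
 * Assumes arithmetic right shift of signed values (gcc and clang do this). */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
    intptr_t top = ~(intptr_t)(index | (size - 1 - index));
    return (size_t)(top >> (sizeof(intptr_t) * 8 - 1));
}

/* Hardened form: the check stays, but the index used for the loads is ANDed
 * with the mask, so a mis-speculated path sees x == 0 and can only touch
 * array2[array1[0] * STRIDE], a line that carries nothing secret. */
uint8_t victim_hardened(size_t x)
{
    if (x < ARRAY1_SIZE) {
        x &= index_mask_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * STRIDE];
    }
    return 0;
}

int main(void)
{
    printf("in range: vulnerable=%u hardened=%u\n",
           victim_vulnerable(3), victim_hardened(3));
    printf("mask(3,16)=%zx mask(16,16)=%zx\n",
           index_mask_nospec(3, 16), index_mask_nospec(16, 16));
    return 0;
}
```

The point of the mask is that it is data flow, not control flow: the processor cannot predict its way past it the way it can past the `if`, which is why the hardened version still keeps the bounds check and adds the mask rather than replacing one with the other.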

RE: WTF Intel?
by galvanash on Thu 4th Jan 2018 05:12 in reply to "WTF Intel?"
galvanash Member since:
2006-01-25

If we take AMD's response into consideration (that their CPUs are not affected) then Intel should expect a slander civil lawsuit. Someone in Intel's PR department should be taught not to throw baseless accusations at your competitors.
As stated elsewhere, Intel never even mention AMD by name and were careful in how they worded their statement - good luck with that lawsuit...

Regardless, it doesn't matter. AMD processors are definitely affected, and considering the technical details of the attack, any processor that implements any form of speculative execution (which is basically anything remotely modern) is probably susceptible to some form of this attack if it has a cache or some other resource that can be used to perform timing checks. It's just a matter of time really.

Worst-Case Scenario - Every byte of address space in a computer system could be read at any time by a low privilege process. Memory protection is effectively dead. The only real fundamental fix is to eliminate speculative execution entirely (and that would be very very very VERY bad for performance)...

This is a doozy folks. The fix everyone is concerned about doesn't even begin to cure this issue, it is just emergency treatment for the worst of the immediate bleeding. This is probably going to get worse over time as the bad guys figure out a bazillion ways to exploit this.

Reply Parent Score: 3

RE[2]: WTF Intel?
by Alfman on Thu 4th Jan 2018 06:19 in reply to "RE: WTF Intel?"
Alfman Member since:
2011-01-28

galvanash,

Worst-Case Scenario - Every byte of address space in a computer system could be read at any time by a low privilege process. Memory protection is effectively dead. The only real fundamental fix is to eliminate speculative execution entirely (and that would be very very very VERY bad for performance)...

This is a doozy folks. The fix everyone is concerned about doesn't even begin to cure this issue, it is just emergency treatment for the worst of the immediate bleeding. This is probably going to get worse over time as the bad guys figure out a bazillion ways to exploit this.

These problems do run deep, but if we try to tackle the problems one at a time and gut some of the conventions that got us here in the first place, it may be salvageable.

x86 caches are problematic because the same cache lines are shared across security boundaries. That needn't be the case. Furthermore the whole motivation for merging kernel address space into user address space had to do with the fact that it avoided expensive TLB cache invalidation on every syscall, but this is a limitation of x86 (and other) CPUs, not something that's strictly necessary. The SPARC architecture offered an alternative design that did not require invalidation across context switches.

http://www.informit.com/articles/article.aspx?p=1218201&seqNum=4

The SPARC has a cache of virtual to physical mappings, just as x86 does. This is called a translation look-aside buffer (TLB). In the case of the SPARC, each entry has a process ID associated with it, so the buffer doesn’t have to be flushed when a new process runs. Unlike x86, the SPARC is unaware of the structure of the page tables—they’re entirely the operating system’s responsibility. Whenever an address is accessed that isn’t in the cache, a page fault is issued, and the OS must provide the correct mapping.

I think the oracles used in "spectre" style attacks will be the most invidious because the statistical analysis can be applied on so many levels. Still, they depend on the ability to accurately measure fast events as well as reproducible results. Reducing userspace clock resolution could help as well as adding more noise to the side channel "signals". I suspect x86 architectural changes will be unavoidable, but I also wonder how much running something like "folding@home" in the background could help add timing noise in the interim?

Edited 2018-01-04 06:23 UTC

Reply Parent Score: 3
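Alfman's point about clock resolution and statistical analysis, as an added simulation (editor's code, not posted in this thread, and not a real cache probe): a Flush+Reload style oracle over 256 lines is modelled with constructed hit and miss latencies plus uniform jitter, and the byte is recovered once with a cycle-accurate timer and once with a timer whose reads are rounded to 1000-cycle ticks. The coarse timer defeats a single-shot read, but because the probe starts at a random phase inside a tick, a short access still crosses a tick boundary at a rate proportional to its length, so summing many samples brings the byte back. That is the "statistical analysis on many levels" the comment anticipates, and it is why reducing timer resolution raises the cost of the attack rather than removing it.

```c
#include <stdint.h>
#include <stdio.h>

#define LINES        256
#define HIT_CYCLES    40     /* constructed: cached-line access */
#define MISS_CYCLES  220     /* constructed: access that misses to DRAM */
#define JITTER        30     /* +/- uniform noise added to every probe */

static uint64_t rng_state;

/* small deterministic PRNG so the simulation is reproducible offline */
static uint64_t xorshift64(void)
{
    uint64_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    return rng_state = x;
}

/* Modelled latency of probing line i after the victim touched line `secret`:
 * the secret line hits, every other line misses, all with jitter. */
static long probe_latency(int i, int secret)
{
    long base = (i == secret) ? HIT_CYCLES : MISS_CYCLES;
    return base + (long)(xorshift64() % (2 * JITTER + 1)) - JITTER;
}

/* Coarse timer: the clock only advances in steps of `res` cycles. The probe
 * begins at a uniformly random phase inside the current tick, so an access of
 * `cycles` (< res) is reported as `res` with probability cycles/res and as 0
 * otherwise. The fine-grained difference is gone from any one reading but
 * survives as a crossing rate. */
static long coarse_elapsed(long cycles, long res)
{
    long phase = (long)(xorshift64() % (uint64_t)res);
    return ((phase + cycles) / res) * res;     /* the start tick reads as 0 */
}

/* Recover the byte: sum `samples` probe timings per line and pick the line
 * with the smallest total. res == 0 selects the cycle-accurate timer. */
int recover_byte(int secret, long res, int samples)
{
    long score[LINES] = {0};
    rng_state = 0x9E3779B97F4A7C15ULL;         /* fixed seed per run */
    for (int s = 0; s < samples; s++)
        for (int i = 0; i < LINES; i++) {
            long t = probe_latency(i, secret);
            score[i] += res ? coarse_elapsed(t, res) : t;
        }
    int best = 0;
    for (int i = 1; i < LINES; i++)
        if (score[i] < score[best])
            best = i;
    return best;
}

int main(void)
{
    int secret = 0x5A;
    printf("fine timer,   1 sample : 0x%02x\n", recover_byte(secret, 0, 1));
    printf("1000-cycle,   1 sample : 0x%02x\n", recover_byte(secret, 1000, 1));
    printf("1000-cycle, 500 samples: 0x%02x\n", recover_byte(secret, 1000, 500));
    return 0;
}
```

With the constructed numbers the secret line crosses a tick about 4% of the time and every other line about 22%, so after a few hundred samples the totals separate cleanly; raising JITTER or lowering the sample count is the quickest way to see how much extra noise the oracle can absorb before it stops working.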

RE[2]: WTF Intel?
by BlueofRainbow on Thu 4th Jan 2018 14:40 in reply to "RE: WTF Intel?"
BlueofRainbow Member since:
2009-01-06

I think you framed the situation extremely well in brand-name neutral fashion:

any processor that implements any form of speculative execution (which is basically anything remotely modern) is probably susceptible to some form of this attack if it has a cache or some other resource that can be used to perform timing checks.

The actual implementation of the exploit will likely be specific to a given processor family.

Anyways, it would be interesting to hear what retired professor Niklaus Wirth would say about the situation. After all, he has sought simple solutions to complex hardware/software design constraints. Speculative execution, while attempting to improve performance, has introduced a security flaw. The additional code complexity required to patch the hole will in turn reduce performance and may in fact introduce further security flaws.

Maybe the next generation of processors should not implement any form of speculative execution?

Reply Parent Score: 3

RE[2]: WTF Intel?
by zima on Fri 5th Jan 2018 16:50 in reply to "RE: WTF Intel?"
zima Member since:
2005-07-06

Worst-Case Scenario - Every byte of address space in a computer system could be read at any time by a low privilege process. Memory protection is effectively dead.

Hm, "funny" how we could end up back in the wild west of a situation WRT memory protection like where, say, Amiga was (and still is) 3 decades ago...

Reply Parent Score: 3