CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more

Meltdown/Spectre week three: World still knee-deep in something nasty
And years away from safety
By Simon Sharwood, APAC Editor 22 Jan 2018 at 04:31
https://www.theregister.co.uk/2018/01/22/meltdown_spectre_week_three_the_good_the_bad_and_the_wtf/

"It is now almost three weeks since The Register revealed the chip design flaws that Google later confirmed and the world still awaits certainty about what it will take to get over the silicon slip-ups.

The short version: on balance, some steps forward have been taken but last week didn't offer many useful advances.

In the "plus" column, Microsoft and AMD got their act together to resume the flow of working fixes. Vendors started to offer tools to manage the chore of fixing the twin flaws, such as VMware’s dashboard kit for its vRealize Operations automation tools.

Typing

$ grep . /sys/devices/system/cpu/vulnerabilities/*

into a Linux terminal window now reveals whether you have a Meltdown/Spectre problem to address.

Spoiler: Downside...

On the downside, Intel faced a rebellion of sorts as major enterprise vendors like Red Hat, Lenovo, VMware and many others told their users to ignore Chipzilla’s first batch of microcode updates because they made servers reboot a lot. Intel first said only Broadwell and Haswell CPUs had the problem, but later said its more recent Ivy Bridge, Sandy Bridge, Skylake and Kaby Lake architectures are all misbehaving after patching. The company also revealed that data centre workloads will be slower after it’s done patching.

That’s bad news for all sorts of reasons, not least that some users rushing to cope with the twin menaces may have overlooked the fact that appliances sold as “it just does the job, don’t worry about the innards” often have Intel Inside. Hence analyst firm Gartner’s advice to remember that devices like application delivery controllers or WAN optimisation boxen pack x86s, need a fix and won’t optimise things quite as optimally from now on. Which means talking to telcos and all sorts of other fun.

News that software-defined storage powered by ZFS or Microsoft may slow down can't have put smiles on too many faces either.

Also unwelcome was news that Spectre impacts Oracle's SPARCplatform, with patches due some time in February. Nor are the hordes of smaller ARM licensees making much noise.

News that the sky has not fallen in on public clouds won a better reception. Indeed, there are even signs that big players have stopped worrying and learned to love the bomb, or at least minimise the impact of their patches.

Smaller clouds have had less to say, perhaps because they resent not having been included in the original cabal that nutted out a response to Meltdown/Spectre. The Register hears gossip to the effect that Oracle, for one, is furious it wasn’t immediately invited to the top table. It has, however, scheduled and/or executed patches for its x86 cloud. We’ve seen evidence of the same at VMware-on-AWS, Linode, IBM cloud and others.

But we've also heard an industry-wide silence about CPU-makers’ roadmaps for a Meltdown-and-Spectre-free future. Rumours are rife that a generation of products will have to be redesigned, at unknowable expense and delaying next-generations products by un-guessable amounts of time.

The news isn’t all glum, however: marketers have cottoned on to the fact that Meltdown and Spectre represent an opportunity to spruik products like data centre inventory tools or performance analysis code. Their offers aren't classy, but are at least far more sensible than all the initial coin offerings landing in Reg inboxes.

 

Yeah, it's too bad CERT didn't stick to their original recommendation that a fix requires replacing the hardware:

A government-backed group of experts quietly walked back the suggestion you should replace your processors to fix a big security flaw
By Matt Weinberger, Jan. 4, 2018, 4:47 PM
http://www.businessinsider.com/intel-chip-bug-cert-says-replacement-is-the-only-way-2018-1

• Originally, CERT/CC, a cybersecurity team with close ties to the United States government, said the only guaranteed way to mitigate the threat of Spectre was to replace all of the affected processors with updated ones.
• However, later on Thursday afternoon, CERT/CC withdrew that recommendation, saying merely that anybody affected should install operating system updates as soon as possible.

 

Industry pressure!

 

I feel Intel will offer some discounts for affected customers and enterprises on new 10nm CPUs.
Worldwide recall of affected chips will be major loss. I don't mind exchanging my dead laptops/desktops for a working PCs.

 

Software Techniques for Managing Speculation on AMD Processors Whitepaper
1/24/2018
http://www.amd.com/en/corporate/speculative-execution

In response to recently disclosed research techniques capable of exploiting the speculative behavior of modern processors to leak information to unauthorized code, AMD has published a whitepaper that provides software developers with guidance on options for managing speculative execution on AMD processors.

Managing Speculation on AMD Processors Whitepaper
http://developer.amd.com/wordpress/media/2013/12/Managing-Speculation-on-AMD-Processors.pdf

"AMD is aligned with the x86 community that V1-1 (lfence) is the preferred variant 1 software solution and that the V2-1 (retpoline) is the preferred variant 2 software solution. AMD continues to evaluate opportunities for new mitigations in both the x86 ISA and micro-architecture for future AMD processors"

 

This is great news that new CPUs coming this year will have the fix built into hardware. I'd said over on a Guru3d forum that Intel should concentrate their efforts on doing just that, because I believe it's poor to release new CPUs with vulnerabilities already baked in. I just read about this story over on Guru3d, but you beat me to it! http://www.guru3d.com/news-story/in...e-fix-for-spectre-and-meltdown-this-year.html

 

I am 90% sure that the in-silicone fix will be for Meltdown only. Meaning only matching AMD in the best case.

 

Whether that works would likely depend heavily on how good the discount is.

 

Like AMD though it may make the one variant of Spectre highly unlikely as well. So you have to be careful as it could be a mixed message.

 

$100 off on high end BGA costing USD 3000 or more. <3000 USD only 50$ discount. Offers last for a year only, so upgrade and switch to better Intel CPUs.

 

Latest version of Chrome came out recently, and it helps protect against Meltdown & Spectre: http://www.guru3d.com/news-story/google-chrome-adds-protection-against-meltdown-and-spectre.html

Does the included Meltdown & Spectre fix in this latest version of Chrome do the same thing as "Strict Site Isolation" in this chrome flag? chrome://flags/#enable-site-per-process
Or is it better to leave "Strict Site Isolation" enabled in the new version of Chrome? (at the moment I have it enabled)

 

I'd leave it on, It believe it addresses other concerns besides just Spectre and Meltdown IIRC.

 

Yes, I have that intuition about it too. I googled it, and didn't come up with much, but it did say in the release notes for Chrome version 64 that Strict Site Isolation now only has 10% maximum performance impact (or was it memory usage) vs 20% maximum performance impact of the previous version - so I figured "Strict Site Isolation" must to do something above & beyond the inherent Meltdown/Spectre fixes that have been shipped with version 64.

 

If it's still the same as when it was introduced, you can also tweak it to only affect certain sites for better overall performance.

 

Yep, I read about that briefly, but I think I'll just leave it enabled for all, as that's the best security & I haven't really noticed any loss in performance.

 

I haven't really tested between full and site-specific, might do that when I have a chance.

 

Seems like im suffering performance loss on my current laptop ever since i installed the meltdown patch from windows update. My CPU clocks wont go past 1.5GHz even with turbo boost on and the only way for my CPU clocks to go back to normal is to restart my laptop and then eventually it happens again. Its annoying when i want to play game because i have to restart windows each time it happens

I guess Microsoft is trying to force me to upgrade to Windows 10

 

Microsoft hasn't missed an angle yet forcing upgrades to Windows 10, why would Microsoft pass on this opportunity to do it once again?

 

I had this problem..Try using TS and set speedshift epp to 0.. It worked for me.. But to be honest I am not sure if it is because of the bios update of dell alienware 17 r3 which is buggy or from windows 10 meltdown and Spectre patch.. I have also tried disabling the microsoft meltdown amd spectre patch using InSpectre software and the performance increased abit but not the same as it used too.. Solve this cpu throttling problem thanks to @Papusan and @Vasudev hope this helps..

 

So glad I just bought a coffee lake chip.......

You think there will be any chance of exchange?

I know silly queston, I'll just get my wallet out now.

 

I'm happy I haven't bought any new computer late last year Most likely, will everything work better when I upgrade this fall. At least I will not see downgrade in performance like others who now seeing a downgrade vs before the patches, HeHe

 

I havent seen a drop in performance at all Of course I havent installed any patches either

 

You will need to use InSpectre tool forever if you update windows or new firmware

 

There has been no firmware released for either my laptop or my desktop, both are MSI.
I havent checked for my Alienware M13 R2 yet, and probably wont.

The bad thing is, I will want to upgrade firmware on my desktop, as it will most likely have the new agesa, but I really dont want the patch

 

@Raiderman Does MSI board x370 use Aptio or InsydeH20?

 

I don't trust Intel with in-silicon fixes, who knows maybe its new target for in-house malware and telemetry.

 

Im not sure which one it is, why?

 

Planning a desktop rig with TR2 or Zen2 based TR.

 

So here is the Torvald tirade from last weekend in its entirety:

From Linus Torvalds <>
Date Sun, 21 Jan 2018 13:35:59 -0800
Subject Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation

• share 0
• share 2k

On Sun, Jan 21, 2018 at 12:28 PM, David Woodhouse <dwmw2@infradead.org> wrote:
> On Sun, 2018-01-21 at 11:34 -0800, Linus Torvalds wrote:
>> All of this is pure garbage.
>>
>> Is Intel really planning on making this **** architectural? Has
>> anybody talked to them and told them they are f*cking insane?
>>
>> Please, any Intel engineers here - talk to your managers.
>
> If the alternative was a two-decade product recall and giving everyone
> free CPUs, I'm not sure it was entirely insane.

You seem to have bought into the cool-aid. Please add a healthy dose
of critical thinking. Because this isn't the kind of cool-aid that
makes for a fun trip with pretty pictures. This is the kind that melts
your brain.

> Certainly it's a nasty hack, but hey — the world was on fire and in the
> end we didn't have to just turn the datacentres off and go back to goat
> farming, so it's not all bad.

It's not that it's a nasty hack. It's much worse than that.

> As a hack for existing CPUs, it's just about tolerable — as long as it
> can die entirely by the next generation.

That's part of the big problem here. The speculation control cpuid
stuff shows that Intel actually seems to plan on doing the right thing
for meltdown (the main question being _when_). Which is not a huge
surprise, since it should be easy to fix, and it's a really honking
big hole to drive through. Not doing the right thing for meltdown
would be completely unacceptable.

So the IBRS garbage implies that Intel is _not_ planning on doing the
right thing for the indirect branch speculation.

Honestly, that's completely unacceptable too.

> So the part is I think is odd is the IBRS_ALL feature, where a future
> CPU will advertise "I am able to be not broken" and then you have to
> set the IBRS bit once at boot time to *ask* it not to be broken. That
> part is weird, because it ought to have been treated like the RDCL_NO
> bit — just "you don't have to worry any more, it got better".

It's not "weird" at all. It's very much part of the whole "this is
complete garbage" issue.

The whole IBRS_ALL feature to me very clearly says "Intel is not
serious about this, we'll have a ugly hack that will be so expensive
that we don't want to enable it by default, because that would look
bad in benchmarks".

So instead they try to push the garbage down to us. And they are doing
it entirely wrong, even from a technical standpoint.

I'm sure there is some lawyer there who says "we'll have to go through
motions to protect against a lawsuit". But legal reasons do not make
for good technology, or good patches that I should apply.

> We do need the IBPB feature to complete the protection that retpoline
> gives us — it's that or rebuild all of userspace with retpoline.

********.

Have you _looked_ at the patches you are talking about? You should
have - several of them bear your name.

The patches do things like add the garbage MSR writes to the kernel
entry/exit points. That's insane. That says "we're trying to protect
the kernel". We already have retpoline there, with less overhead.

So somebody isn't telling the truth here. Somebody is pushing complete
garbage for unclear reasons. Sorry for having to point that out.

If this was about flushing the BTB at actual context switches between
different users, I'd believe you. But that's not at all what the
patches do.

As it is, the patches are COMPLETE AND UTTER GARBAGE.

They do literally insane things. They do things that do not make
sense. That makes all your arguments questionable and suspicious. The
patches do things that are not sane.

WHAT THE F*CK IS GOING ON?

And that's actually ignoring the much _worse_ issue, namely that the
whole hardware interface is literally mis-designed by morons.

It's mis-designed for two major reasons:

- the "the interface implies Intel will never fix it" reason.

See the difference between IBRS_ALL and RDCL_NO. One implies Intel
will fix something. The other does not.

Do you really think that is acceptable?

- the "there is no performance indicator".

The whole point of having cpuid and flags from the
microarchitecture is that we can use those to make decisions.

But since we already know that the IBRS overhead is <i>huge</i> on
existing hardware, all those hardware capability bits are just
complete and utter garbage. Nobody sane will use them, since the cost
is too damn high. So you end up having to look at "which CPU stepping
is this" anyway.

I think we need something better than this garbage.

Linus
https://lkml.org/lkml/2018/1/21/192

Edit: So, looking at this, the fix to Spectre is going to be so costly in performance that Intel is leaving it up to people who may not know they have to switch it on to do so to be protected. Don't see this on the AMD side, but am glad AMD said, after the fact, they will be doing a microcode update to close off the possibility of the variant being discussed, even though they said they believe they have a near zero exposure to it. Happy Saturday!!!

 

Dont forget to get asrock MoBo, heard theit bios can tdp mod the cpu!( just heard)!

 

Well, yeah, many people have been jumping hapily that they fixed thier laptop! Now my question is , do u really need to fix them, at the cost of performance? Answer IMHO is no. We arent any kinda Ceo, or hackers having 100s of bitcoins in our laptops, that someone sitting in this world would try to hack our pcs!
I really dont understand, meltdown and spectre fixes were ment for datacentres and enterprises, not for gamers!
@Papusan would agree to this, you are just lucky papusan, you havent burnt your money in coffeelake, you really are sir!

 

Aptio!

 

You don't understand, this is about getting your info and settling in bulk, not necessarily you for you. Or, if you do any business on a laptop...

Sent from my SM-G900P using Tapatalk

 

Sir, thats what i said, these patches are made for buisness kinda people! I am talking for someone who just opens his laptop and directly double clicks on pubg or csgo or dota!(ie gamers)! These patches just dosent bother any area where a "gamer" does his things!

 

Beggars can't be choosers. Meaning, hackers will gladly steal Steam/Origin/etc. accounts from numerous tech-unsavvy gamers who favor performance over security updates, and sell them - after exploing credit cards & paypal accounts those gamers used to purchase their games.

 

I agree with @ajc9988 spectre exe file can be embedded within a clean exe file and 20 bytes plus additional code to implement TCP/IP to send/receive packets of C code can be used to do anything on your PC. Your data to be more specific the end user's data be it simple browsing history to your secure vault's password can be captured/stored in a file w/o any suspicious behaviour.
You must know, these data's are encrypted and sold off at mind boggling prices w/o the user knowing anything. It's really dangerous.
For example: You came up with PoC for Spectre and you have a surprise exam coming up next week but you haven't prepared anything. So you embed the PoC into your USB drive and go to your faculty to *clear your doubts*. You plugged in the USB drive and your code being FUD is easily bypassed by their enterprise AVs and steals every bit on info about documents stored on C:/Usr/""/Docs.. and lot of more info can be passed back/forth from their secure ethernet/wifi w/o even faculty knowing a thing about PCs.
Now you see how dangerous it can be. Even Steam/Origin/Uplay achievements can be sold at high prices.

 

I will take a pic and show the setting to him when the time comes.

 

The explanation is that it doesn't matter what you embed it in to use, it just has to be run local, look like benign code, and not trip an AV that doesn't yet know the benign code that accomplishes the goal, so passes just fine on scan. After you get a person's passwords or account information, you have the means to either steal what you need, or have what you need to sell. You think gamers are immune? Did you see the swatting in KS resulting in a man being dead that wasn't even involved over a matter of $1.50 bet? What if you create something so with little effort a person could be sure they hit their mark and you cannot tell me people don't look for or sell that info, or that they don't try to doxx people they're pissed at, etc.

Edit: I agree with @hmscott , let's not talk of uses for the exploit. I've already thought of worse ways it can be used, but that isn't the point here. That is the only reason I mentioned my previous example. All that needs known is that this is a large deal and that it needs taken seriously, even by end consumers.

 

Okkaaayyy, now i get it.
Seems like gotta patch my p775tm1 when its repaired!

 

If you prefer old performance or want to see if you are affected. InSpectre tool is now up in Release #6 (Jan 27, 2018)

Spoiler: ChangeLog <InSpectre> tool Release #6

Release #6 — Worked around a Microsoft bug and more . . .
Users of an earlier version of Windows 10 (version 1703 ‑ the non-Fall Creator's Update) reported that InSpectre did not believe that their system had been patched for the Spectre vulnerability. Upon analysis, a bug was discovered in that version of Windows which affected the way 32-bit applications, such as InSpectre, viewed the system. This was apparently fixed in the later “Fall Creator's Update” (version 1709) but not in the earlier version. A 64-bit “probe” was added to the 6th release of InSpectre to work around this bug in version 1703 so that InSpectre would accurately reflect any system's true protection.

And, while we were at it, the language presented in the summary was changed from “vulnerable” to “protected” so that “YES” was the good answer and “NO!” was the bad answer.

 

Still shows No for Spectre in RS#6

 

I used InSpectre to disable the meltdown patch the other day and it works for now and i hope it stays like that. My system isnt patched for Spectre because HP hasnt released a BIOS fix for it yet. I hope Intel release a better patch that wont decrease performance because its like a double edge sword imo.

Lol i wouldnt be surprised, like i said before this could be a new way for Microsoft to push Windows 7/8.1 users to upgrade to 10

 

Won't happen.

----------------------------------------------------

Intel Warned China of Meltdown and Spectre Before the US Government

It's no surprise that leading Chinese tech companies have close associations with the Chinese Government and the PLA. Intel has waded into controversial waters as reports point to the chipmaker sharing information about its products' vulnerability to Meltdown and Spectre with Chinese tech companies before warning the United States Government, potentially giving the Chinese government either a head-start into securing its IT infrastructure, or exploiting that of a foreign government.

"Lenovo the Spybox and Alibaba were among the first big tech companies to be informed about Meltdown and Spectre; Lenovo is Intel's biggest PC OEM customer, while Alibaba is the world's largest e-commerce platform and cloud-computing service provider. Both companies are known to have close associations with the Chinese government. The United States Government was not part of the first group of companies informed about the deadly vulnerabilities."

Yeah, it seems like a BIG Joke!!! Maybe Russia as well? Is Intel a Chinese tech companie

 

Maybe it was Chinese who asked Intel to put those attack vectors in the first place.

 

Both Intel and Microsoft lick the chinese's toes. Or shall we say the ass? Where the money is Hope you haven't forgot the <special> Chinese WinCrap X version.

 

Yuck..
I know about Spl. version made for china.
They have largest population in the world and user base is high in China/India/Brazil than US/Japan/GCC.

 

Spectre & Meltdown vulnerability/mitigation checker for Linux
https://github.com/speed47/spectre-meltdown-checker

Spectre & Meltdown Checker
"A simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.

Without options, it'll inspect your currently running kernel. You can also specify a kernel image on the command line, if you'd like to inspect a kernel you're not running.

The script will do its best to detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number.

Example of script output

• Intel Haswell CPU running under Ubuntu 16.04 LTS

• AMD Ryzen running under OpenSUSE Tumbleweed

• Batch mode (JSON flavor)

Quick summary of the CVEs
CVE-2017-5753 bounds check bypass (Spectre Variant 1)

• Impact: Kernel & all software
• Mitigation: recompile software and kernel with a modified compiler that introduces the LFENCE opcode at the proper positions in the resulting code
• Performance impact of the mitigation: negligible

CVE-2017-5715 branch target injection (Spectre Variant 2)

• Impact: Kernel
• Mitigation 1: new opcode via microcode update that should be used by up to date compilers to protect the BTB (by flushing indirect branch predictors)
• Mitigation 2: introducing "retpoline" into compilers, and recompile software/OS with it
• Performance impact of the mitigation: high for mitigation 1, medium for mitigation 2, depending on your CPU

CVE-2017-5754 rogue data cache load (Meltdown)

• Impact: Kernel
• Mitigation: updated kernel (with PTI/KPTI patches), updating the kernel is enough
• Performance impact of the mitigation: low to medium

Disclaimer
This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure, but rather helps you verifying whether your system has the known correct mitigations in place. However, some mitigations could also exist in your kernel that this script doesn't know (yet) how to detect, or it might falsely detect mitigations that in the end don't work as expected (for example, on backported or modified kernels).

Your system exposure also depends on your CPU. As of now, AMD and ARM processors are marked as immune to some or all of these vulnerabilities (except some specific ARM models). All Intel processors manufactured since circa 1995 are thought to be vulnerable. Whatever processor one uses, one might seek more information from the manufacturer of that processor and/or of the device in which it runs.

The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer explicitly stated otherwise in a verifiable public announcement.

This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security."

 

Windows Update KB4078130 deactivates Spectre Patch-Ghacks.net
by Martin Brinkmann on January 29, 2018 in Windows - Last Update: January 29, 2018 - No comments
Microsoft released the Windows Update KB4078130 yesterday. It disables the mitigation against Spectre, Variant 2 on all supported versions of the company's Windows operating system when installed.

Microsoft released updates for Windows on the January 2018 Patch Day to mitigate Spectre and Meltdown vulnerabilities disclosed earlier. The company stopped the distribution of these updates to select AMD devices shortly after initial deployment because it caused blue screen of death crashes on Windows 7 machines with AMD hardware.

Intel acknowledged "higher than expected reboots and other unpredictable behavior" and recommendedto customers on January 22nd that customers "stop deploying the current microcode version on impacted processors."

KB4078130 deactivates Spectre Patch
KB4078130 is not offered through Windows Update. The update is available on the Microsoft Update Catalog website. Users and admins need to download it manually to install it on affected systems.

The update is available for all supported versions of Windows -- client and server. It has a size of 24 Kilobytes.

Microsoft recommends that the patch is only applied to systems on which unexpected reboots or other issues are noticed after installation of the January 2018 security updates.

You may use InSpectre by Gibson to disable the protection as well.

Closing Words
Disabling the protection should resolve unexpected reboot and other issues caused by the Spectre Variant 2 patch. It is not necessary to install the updates on systems that run without any of these issues after update installation. (via Born and Deskmodder)

 

For me on creators Spectre Mitigation is disabled and on Linux All variant's mitigation at OS are enabled.

 

I fixed it for you

Lol i wouldnt be surprised, like i said before this could be a new way for Microsoft to push Windows 7/8.1 users to upgrade to LINUX

Sent from my SM-G935T using Tapatalk