CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more

I'm very concerned about following:
Quote: "SplitSpectre is a proof-of-concept built from Speculator, the team's automated CPU bug-discovery tool, which the group plans to release as open-source software. Their work is described here in an academic paper emitted earlier this week."
END of quote
Lets help everybody find new security holes, but it will take months to patch and secure millions of systems worldwise, it could take weeks for one good hacker with proper tools to write a code, so guess which side will get advantage.

And also this:
Quote:
"The big silicon design houses keep details of the inner mechanisms of their processors under tight wraps, which means discovering speculative execution flaws and suchlike requires a non-trivial amount of reverse-engineering."
DUH, let's release all the info, make a job of finding security holes that much easier, so even high school hacker can do it.
Some systems are not easily patched and if they think any current system can be 100% secure, they don't know what are they talking about. It's just amount of effort to break any system. Future Quantum computers promise 100% security, but maybe we just didn't learn enough.
Problem with NSA was, they couldn't assure they own security, how are they supposed to secure the nation.

 

You can't keep vulnerability information quiet and hide it in hopes that the problems will go away, that's been proven time and time again over many decades, centuries really.

That's why there are a number of organizations that compile databases of insecurity details and make them publicly available. Making such information available to let people know if their software and hardware are vulnerable is the first step to making them secure.

Whether the vulnerabilities are checked by a System Administrator via a tool that lets them know what is insecure, or whether a bad actor runs their package to test vulnerabilities via exploits they will use to compromise the system to gather information, the result is the same if the system isn't patched against the security vulnerabilities.

The difference is the System Administrator now has a tool that they can use to verify the patches were correctly applied and are working as advertised.

The bad actors already have their own tools, and likely as not won't trust the "good guys" tools as they won't trust them to not "phone home" as they are run - or produce worse side effects, making their use trackable - whether they do or not doesn't matter - the bad actor won't use a tool he can't control.

One of the big complaints is we had no easy method of testing for vulnerabilities before / after patching to know for sure whether our systems were vulnerable or whether they were now secure after patching.

And, there are already many other tools put out to do vulnerability testing, this new tool isn't the first that will show vulnerabilities.

You can't be afraid to confront problems head on in the open space of visibility, casting light - information - on a problem is how you solve it. If you can't see the problem, you can't be sure you've solved it.

 

Once again, maybe you haven't looked at Intel's cavalier attitude in addressing these flaws. Intel even argued it was a feature at one point. They blew off the L1 cache exploit and the memory side channel attacks. And you are complaining about this after the largest desktop chip maker completely ignored the data, even when given to them months before release, then pushed off fixing it to software manufacturers? When security experts are ignored, guess what they do... They press the issue.

How much do you see Intel fans trying to day don't secure your systems? A lot. Why? Performance hits. How about how many exploits were addressed at the hardware level? And Intel is the MOST exposed company. Security experts said initially you can't be secure until you get hardware level mitigations, them softened the tone after realizing it would destroy Intel. Look at Torvald's and others rants on Intel's reaction to this. Look at how HT must be turned off on Intel's machines because the software fix has a harder performance hit. And you are complaining about the messenger?

If tech companies won't take it seriously, which AMD and ARM have, but Intel does not seem to have publicly, then this just accelerates the findings of exploits and forces their hands. It really is about your security, yet you complain. Guess what? I read all the time no one has pulled out these exploits in the wild, which I disbelieve. But, if true, then you have nothing to worry about, unless you are saying that is just propaganda. Are you?

Sent from my SM-G900P using Tapatalk

 

I myself disabled those OS level fixes to actually minimise perf. hit!

 

I disabled prefetches and other predictive parts on an Intel chip, along with HT. There is no safe Intel chip. Meanwhile, although researchers say AMD may be effected by some, I'm amazed no follow up research was done to conclude whether or not those vulnerabilities are present in some cases. Seems they lumped AMD on as a tag along, but I don't remember if AMD has concluded they are vulnerable or not on those. Kind of a **** show if you ask me in regards to all the security vulnerabilities this year.

Sent from my SM-G900P using Tapatalk

 

Maybe not a good idea to advertise your unprotected vulnerability in public.

 

I feel there are more serious exploits in Intel CPUs worse than Spectre which can track what you did Last Summer/winter.
I hope Intel CPUs don't piggyback my computer hardware pron videos and classify me as an offender for watching disassembly videos of AW,Clevo and MSI.

 

There are now Web Browser level exploits that take advantage of the vulnerabilities now, which means such methods will start being put into use and come through links, ad's, and prey on those that haven't patched, or have disabled their vulnerability patches to avoid the performance hit.

2:02 - Researchers discover SplitSpectre, a new Spectre-like CPU attack
http://forum.notebookreview.com/thr...tumblr-for-the-articles.826348/#post-10833711

Researchers discover SplitSpectre, a new Spectre-like CPU attack
Spectre-like variations continue to be discovered, just as academics predicted at the start of 2018.
By Catalin Cimpanu for Zero Day | December 4, 2018 -- 01:36 GMT (17:36 PST) |

"...For their academic paper, the research team says it successfully carried out a SplitSpectre attack against Intel Haswell and Skylake CPUs, and AMD Ryzen processors, via SpiderMonkey 52.7.4, Firefox's JavaScript engine.

Nonetheless, researchers said that existing Spectre mitigations would thwart the SplitSpectre attacks. This includes CPU microcode updates that CPU vendors have released over the past year, updates to popular code compilers to harden apps against Spectre-like attacks, and the browser-level modifications that browser vendors have shipped with post-January 2018 browser releases to make it infeasible to carry out web-based Spectre attacks.

However, if users have failed to install these updates, a SplitSpectre attack is theoretically possible.

" All things considered, our analyses lead us to conclude that the attack is viable, and that the ability to trigger it in practice depends on the identified microarchitectural properties of individual CPU families," researchers said.

Identifying these "microarchitectural properties of individual CPU families" is possible. In fact, the research into this new Spectre variation was aided by a new tool that the research team developed, named Speculator.

This new tool can allow targeted and precise measurement of microarchitectural characteristics, details that can be incorporated in designing more efficient SplitSpectre attacks. The research team plans to release this tool as open source in the future.

More on SplitSpectre can be found in an academic paper entitled " Let's Not Speculate: Discovering and Analyzing Speculative Execution Attacks."

It's no surprise that a new Spectre variation has come to light. The research team who found the initial Meltdown and Spectre attacks predicted this was going to happen. Members of that original research team published seven Meltdown and Spectre variations last month."

 

I have a dirty cheap tablet from late 2017 with BIOS that was never updated by manufacturer. It is used mostly as second wireless monitor for my laptop via Windows Connect (which utilizes Wi-Fi Direct/Miracast), I also allow guests to use it (then it ends up connected to my internal network). Used to have microcode updates applied every boot via VMWare driver, but it once messed up Windows Update process which took hours of troubleshooting till I finally fixed the issue, and I didn't bother using the microcode updates via VMWare on this device ever since.

The question - should I really bother with protecting this device with microcode updates via VMware driver, given very narrow use case? I do use RDP and SMB3 on other devices in my home network, but can switch to tethering the tablet to smartphone for internet access instead (when the internet access is required - most of the time the tablet is used as a monitor, disconnected from internal network for better wireless monitor performance) so that it is unable to eavesdrop on those connections .

 

Skip VMware updater if you applied uCodes through MSFT update.

 

Am I supposed to apply these updates manually, or are they downloaded and installed automatically?

 

Its installed automagically if you have enabled WU.

 

It is supposed to be installed automagically on systems that receive mitigations via BIOS updates? I checked my laptop, and it's definitely missing, despite WU being on; will check tablet and NAS later today.

 

No BIOS update, but they employ cpu mcupdate driver to achieve that. You can use wumt to download 800kb msu file as well. Use HWINFO to check uCode version.

 

I mean, can the fact that my laptop already has the same C6 microcode version (that KB4346084 is supposed to deliver) flashed via BIOS update, be the reason I did not receive KB4346084?

Because if it's not that, then laptop's WU is messed up and I'll need to fix it. (=

 

Linux and Windows applies the microcode regardless of your BIOS uCode.

 

So here's what happening. Both my laptop & NAS are Skylake and have C6 microcode according to HWinfo. Neither has KB4346084 installed.

My tablet has N3450 Apollo Lake CPU. KB4346084 is not applicable, it does not have microcode for Apollo Lake.

My OOSU10 settings regarding WU:


So, as far as I understand, I have two problems:

1. WU ignores applicable updates for some reason, despite correct settings.

2. The only way to get microcode update for the tablet is via VMWare driver applying it at boot, because MS has no love for Apollo Lake.

And the original question still stands - should I even bother with Spectre-Meltdown mitigations for Apollo Lake tablet, given its specific usecase?

 

It might be good to know whether it works and how to apply it either way, and if the patch doesn't affect fluid use, then I'd apply it and leave it installed and enabled.

 

FYI. You can even see the uCode version in ThrottleStop + XTU as well as many other tools

How to determine if a specific KB Windows update has been applied to your computer

 

Where in TS? I haven't seen that at all. XTU does show full specs in System Info.

 

Look into FIVR and "Integrated Voltage Regulator" tab.

 

The microcode Patch mess continue... And why you shouldn't Clean Up Component Store (WinSxS folder) using /StartComponentCleanup and /ResetBase

Windows 10: Error 0xc0000142 after update KB4100347
Published on 18 December 2018 by Günter Born

​

Windows 10 users have recently received the microcode update KB4100347 again. However, some users experience problems after the error 0xc0000142 is reported. The problem can also occur with other updates.


Possible fixes in the link.

This above show why you should be damn careful with Clean Up Component Store (WinSxS folder) using /StartComponentCleanup and /ResetBase with Dism Command after updates @Vasudev @Ultra Male

 

I never download ucode update. I test the update for 3 days and if it passes only then I use ResetBase otherwise it stays there.

 

The Intel Microcode Boot Loader Protects Older CPUs From Spectre
By Lawrence Abrams, November 12, 2018 06:34 PM
https://www.bleepingcomputer.com/ne...boot-loader-protects-older-cpus-from-spectre/

"The Intel Microcode Boot Loader creates a bootable USB flash drive that automatically applies the latest Intel microcodes to your identified CPU so that you are protected from the speculative execution side-channel attacks called Spectre.

Spoiler: Details...

Spectre is vulnerability found in Intel & AMD CPUs that allow a malicious process to steal information from another running process on the computer. To fix these vulnerabilities, Intel released updated microcodes that patch Intel CPUs so that they become protected from the vulnerability.

For Windows 10 and Windows Server 2016 users, Microsoft distributed these updated microcodes automatically as a Windows update. Unfortunately, older operating systems and thus the CPUs that run them, would not be receiving the patches and would not be protected. This is where the Intel Microcode Boot Loader comes into play.

Created by Eran "Regeneration" Badit, this tool will use the Intel BIOS Implementation Test Suite (BITS) and the Syslinux bootloader to automatically detect and apply the most current microcodes for an Intel processor. This allows computer using old processors to become protected.

"Microsoft issued a fixed microcode update for Spectre via KB4090007 only for Windows 10 and 2nd generation i7s (Sandy Bridge) and newer," Badit told BleepingComputer via email. "Motherboard vendors released BIOS/UEFI updates only to their recent products. Plenty of users were left in the dark. Users with modern CPUs and Windows 8/7/Vista/XP, users with Nehalem and Westmere (like myself)."To use

In order to use the tool you need a USB flash drive with at least 25MB of storage and a motherboard whose BIOS supports the booting of USB flash drives. You can then perform the following instructions:

1. Format a USB flash drive with FAT32 filesystem.
2. Extract the archive to the USB flash drive and run install.exe to make it bootable.
3. Enter the BIOS/UEFI, assign the USB flash drive as the 1st boot device and enable legacy boot mode.
4. The boot loader will regularly update the microcode and load the OS.

When the install.exe is run it will extract a batch file to the %Temp% folder and execute it.

This batch file will use Syslinux.exe to make the USB drive bootable and then identifies your CPU ID using the command "wmic cpu get processorid ". It then copies the appropriate microcodes for your CPU to the directory used by BITS to update your microcodes when the computer boots.

When you boot up with the bootable USB drive, the bootloader will start, apply the included microcodes for the identified CPU, and then boot the operating system. A demonstration video showing this in practice is displayed below.

According to Badit, this release contains the microcodes for 392 Intel CPUs produced from 1996 to 2018. These microcodes are found in the \boot\mcudb folder and can be updated with newer ones if they are released in the future.

It should be noted that in order to utilize this tool, users must always boot up using this flash drive as the patches are applied at run time.

Finally, while BleepingComputer analyzed the contents of the program to make sure no malicious activity was occurring, 2/68 security products did detect this program as a threat. These are most likely false positives, but users should only use this program if they feel comfortable with how the tool works."

Source:

Intel Microcode Boot Loader
https://www.techpowerup.com/forums/threads/intel-microcode-boot-loader.248858/

"In early 2018, security researchers discovered several security vulnerabilities affecting all processors: Meltdown and Spectre. These vulnerabilities allow speculative execution side-channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754). While Meltdown was resolved with an OS patch, Spectre required a microcode update.

Since the microcode is stored and automatically loaded by the BIOS/UEFI, motherboard manufacturers required to issue an update. However, manufacturers normally release firmware updates only for their newest products. Plenty of motherboards still remain vulnerable until this very day.

Intel Microcode Boot Loader is a workaround for the microcode problem on Intel-based motherboards. It updates the microcode every time the system is booted. Based on Intel BIOS Implementation Test Suite (BITS), users no longer need to modify BIOS/UEFI ROMs to stay protected from security vulnerabilities, bugs and erratas.

This solution requires permanently plugged USB flash drive with at least 25MB (or similar device) and BIOS/UEFI supporting boot from USB devices. Alternatively, advanced users can install it to a local drive on top of the System Reserved partition (see localdrive.txt for instructions).

Instructions:
1. Format a USB flash drive with FAT32 filesystem.
2. Extract the archive to the USB flash drive and run install.exe to make it bootable.
3. Enter the BIOS/UEFI, assign the USB flash drive as the 1st boot device and enable legacy boot mode.
4. The boot loader will regularly update the microcode and load the OS.

Notes:
* This release includes the latest ucodes for 392 Intel CPUs produced from 1996 to 2018.
* The ucodes are stored in the \boot\mcudb folder if you wish to update in the future.
* If you get 'Ucode not found' warning during installation, or plan to deploy on another PC, look for the correct ucode (by CPUID) in \boot\mcudb and copy it to \boot\mcu.

Changes (v0.5.1):
* Fixed a bug in the installer.
* Improved support for a local drive installation.
* Updated microcode database.

Downloads:
Intel Microcode Boot Loader | Mirror #1 | Mirror #2 "

Intel Microcode Boot Loader Demo
Eran Badit
Published on Oct 24, 2018
Intel Microcode Boot Loader is a workaround for the microcode problem on Intel-based motherboards. It updates the microcode every time the system is booted. Based on Intel BIOS Implementation Test Suite (BITS), users no longer need to modify BIOS/UEFI ROMs to stay protected from security vulnerabilities, bugs and erratas.

 

Cool, but it means you have to have the USB stick attached to the PC each time you boot up (turn on) your PC. (and you have to have your PC BIOS permanently set for "boot from USB"). So they're the two drawbacks of this, but good to have this option for older operating systems & older CPUs.

 

Anyone that paranoid about the vulnerability needs to get a newer computer and stop using an antique. Or, just stop worrying their pretty little head about a vulnerability that, to date, has no known evidence of malware exploitation.

 

Or flash modded bios using win-raid tips & tricks.

 

Notice how you don't bring up Intel can't write microcode for ****, including to fix their damn security issues. Microsoft applying it is only party of the problem, Intel writing **** microcode and being **** on security is the other.

See how asinine that is. It's true, generally, but this at least has more truth than speaking general business aspects without examining any details before you speak on a company, making this slightly different from what you do....

Sent from my SM-G900P using Tapatalk

 

Bull. After the new browser based attacks being shown exploiting spectre and meltdown, and this effecting all CPUs, plus the global contraction of the economy (look it up), liquidity is contracting. That means fewer are able to just run out and update systems. This is for them. You do realize according to the IRS and social security administration, the median income is $30-34K. According to two other studies, half of Americans can't afford a $500 emergency, the other saying $1000 emergency and up to 67% of the population. Does that sound like people can just run out and update regularly? So even if they are worried, that isn't necessarily a solution for some. Or say they bought an HEDT system in the past couple years and haven't met the depreciation goals, so need to hang onto it. The answer to security isn't always run out and get a new one. Although, other times there is no choice, and spectre and meltdown (and the memory exploits, and the l1 cache exploits and the ME exploits) get really close, although not all of those are fixed in new hardware either.

Sent from my SM-G900P using Tapatalk

 

Form my experience, outside anyone in the tech industry or in the IT dept there is no rush for adoption or any need to fix the problem and as stated Intel will not address for older systems. But I don't know how far back this goes... 3yrs? 5yrs? But to be fair, (and maybe it isn't at risk), but I haven't seen too much effort going into addressing my Athlon based system either. I should probably look into that.

However, for those in the US with PCs (more and more are just going to mobile devices) a fix is not terribly out of due to financial reasons. My wife works in our local, public educational system, and pretty much all families near or below poverty levels seem to always find a way to purchase that latest iPhone or android device. Put me and my iPhone 5 to shame. So most can get a new chrome book, or whatever, if they feel it is needed.

In another example, my octo-generian parents, who are on a very fixed budget, just replaced their ancient Vista based PC with a $200-$250 BGA laptop. I'm glad they did, but also sorry, as someone who has to help explain how to now do things in Win 10. (Maybe I should have had them use an @Ultra Male Win 10 build.)

I'm not saying people should ignore this problem, merely trying to affix an explanation to decisions others make in my life's experiences. And TBH, the USB fix is a nice alternative. However, it's unfortunately going to take a highly reported breach to get people to take action. To quote Mr. Matt Hooper - "I think that I am familiar with the fact that you are going to ignore this particular problem until it swims up and bites you IN THE A**!"

 

The criticality of readiness, being prepared to meet a security emergency head-on with solutions before the need arises is the idea here, as always with threats perceived but not currently being experienced.

If we always waited until it was absolutely necessary, the incursion would already be completed and we might not even know it's happened.

Whether you have mitigations "enabled", or merely installed and at the ready - having run through successful activation at least a few times under all the conditions needed and tested to work to the best of available tools of verification - then you are prepared and ready to defeat any adversary given adequate notice. Or, run mitigations enabled so you don't need human intervention to put the mitigation into service.

Otherwise there's a good chance you'll wish you had, only to find it will be too late.

Cleaning up the mess is almost always worse than the prevention, especially if you don't have deep backup coverage.

We are our own System Administrators, whether we acknowledge it or not, and only have ourselves to blame if we screw up. If your family and friends depend on you as their System Administrator, they'll blame you too.

 

Look, the second it was shown to be a browser exploit, it went from no rush (mainly because no example of use, level of access to the system, etc.) to being a liability for all. If you implemented the underlying mitigations, plus the browser updates, you are fine. Unfortunately, due to software companies breaking their software with updates or not managing compatibility, people don't want to upgrade. I even understand waiting, to a degree, on retpoline being adopted for the spring windows update. But, once it jumps to where a phishing site can utilize these exploits, the worry should be significantly elevated. You can't look at a web address and immediately know it wasn't spoofed. That is the issue.

And yes, although I mentioned Intel, which has more exposure, it is true of AMD and ARM devices as well. And even though anecdotal evidence says otherwise, the hard economic evidence of show downs and overall trends says another. In that way, 2018 was an aberration on PC sales from people finally updating from sandy bridge and older systems, with the general tend being downward except for cloud and a couple other commercial side products.

Hell, even though articles have detailed different ways to do browser exploits of it for months, those have gotten little coverage. Just two days ago Tom's hardware caught on.

https://www.tomshardware.com/news/meltdown-spectre-exploit-browser-javascript,36221.html

https://www.bleepingcomputer.com/news/security/some-spectre-in-browser-mitigations-can-be-defeated/

And that is why unless a major hack is publicised, these exploits are downplayed and go under the radar.

Sent from my SM-G900P using Tapatalk

 

Spectre is here to stay: An analysis of side-channels and speculative execution
Cornell University
arXiv.org > cs > arXiv:1902.05178
Computer Science > Programming Languages
Ross Mcilroy, Jaroslav Sevcik, Tobias Tebbi, Ben L. Titzer, Toon Verwaest
(Submitted on 14 Feb 2019)
https://arxiv.org/abs/1902.05178

"The recent discovery of the Spectre and Meltdown attacks represents a watershed moment not just for the field of Computer Security, but also of Programming Languages. This paper explores speculative side-channel attacks and their implications for programming languages. These attacks leak information through micro-architectural side-channels which we show are not mere bugs, but in fact lie at the foundation of optimization.

We identify three open problems, (1) finding side-channels, (2) understanding speculative vulnerabilities, and (3) mitigating them.

For (1) we introduce a mathematical meta-model that clarifies the source of side-channels in simulations and CPUs. For (2) we introduce an architectural model with speculative semantics to study recently-discovered vulnerabilities. For (3) we explore and evaluate software mitigations and prove one correct for this model.

Our analysis is informed by extensive offensive research and defensive implementation work for V8, the production JavaScript virtual machine in Chrome. Straightforward extensions to model real hardware suggest these vulnerabilities present formidable challenges for effective, efficient mitigation.

As a result of our work, we now believe that speculative vulnerabilities on today's hardware defeat all language-enforced confidentiality with no known comprehensive software mitigations, as we have discovered that untrusted code can construct a universal read gadget to read all memory in the same address space through side-channels.

In the face of this reality, we have shifted the security model of the Chrome web browser and V8 to process isolation.

https://arxiv.org/pdf/1902.05178.pdf
Comments: 26 pages
Subjects: Programming Languages (cs.PL); Cryptography and Security (cs.CR)
ACM classes: F.3.2
Cite as: arXiv:1902.05178 [cs.PL]
(or arXiv:1902.05178v1 [cs.PL] for this version)

 

I looked around the Forum for mention of this PoC exploit on Intel Skylake+ processors had been posted (didn't see it anywhere -forgive a redundant post if Ive overlooked it).
This thread seemed as good place as any to note this Intel SGX Enclave exploit. Looks very gnarly (story from 2/13, didnt catch when PoC was released). 20.8 seconds! Just gnarly, not in the good way.
https://thehackernews.com/2019/02/intel-sgx-malware-hacking.html

 

Never trusted that SGX garbage.

 

Yep Garbage. Caused some BSOD problems when I first bought my desktop. Turned it off and never had a problem again.

 

"Google: Software is never going to be able to fix Spectre-type bugs"

- Spectre-like vulnerabilities are likely to be a continued feature of processors and, further, that software-based techniques for protecting against them will impose a high performance cost.

https://arstechnica.com/gadgets/201...er-going-to-be-able-to-fix-spectre-type-bugs/

---

SPECTRE vulnerabilities... The gift that keeps on giving.

 

New Spectre-Busting Update Speeds Up Windows 10 PCs
CHRIS HOFFMAN @chrisbhoffman, MARCH 4, 2019, 2:59PM EDT
https://www.howtogeek.com/406724/new-spectre-busting-update-speeds-up-windows-10-pcs/

"Windows 10 PCs running the October 2018 Update are now getting improved Spectre fixes. This should speed up many PCs Microsoft slowed down with January 2018’s Spectre patches. This improvement, named “Retpoline,” was originally scheduled for Windows 10’s next update.

Technical information about how Google’s “Retpoline” works is available, but you don’t need to sweat the details. When implemented in Windows, it means the operating system can protect against Spectre attacks without a noticeable performance penalty.

We previously wrote that Spectre fix-related speedups would arrive with the forthcoming Windows 10’s April 2019 Update, also called 19H1. Now, Microsoft is slowly enabling this feature on current Windows 10 PCs—as long as they’re running the October 2018 Update. This is the first time these patches have been available on a stable version of Windows.

This change arrived in Windows update KB4482887, released on March 1, 2019. However, this only enables the new Retpoline feature “on certain devices.” As Microsoft’s Retpoline blog post explains:

Over the coming months, we will enable Retpoline as part of phased rollout via cloud configuration. Due to the complexity of the implementation and changes involved, we are only enabling Retpoline performance benefits for Windows 10, version 1809 and later releases.

In other words, Microsoft will slowly enable Retpoline on small amounts of PCs at a time, ensuring it works properly—that’s the “phased rollout.” And it will only be enabled on your PC if you’ve upgraded to Windows 10’s October 2018 Update.

All PCs will get this improvement when they upgrade to the April 2019 Update according to Microsoft’s Mehmet Iyigun.

Today, we're starting our phased roll out of Retpoline performance optimization for Spectre variant 2 mitigations to Windows 10 1809. As we've shared before, Windows 10 19H1 will ship with Retpoline enabled by default. https://t.co/qCloXzDzWk #retpoline #spectre #windows

— Mehmet Iyigun (@mamyun) March 1, 2019

This feature is still disabled by default, and you probably don’t have it enabled even if you’re using the October 2018 Update. But, if those Spectre patches slowed down your PC, it should speed back up soon.

RELATED: Windows 10’s Next Update Will Make Your PC Faster, Thanks to Better Spectre Fixes - CHRIS HOFFMAN @chrisbhoffman OCTOBER 19, 2018, 12:09PM EDT"

Mitigating Spectre variant 2 with Retpoline on Windows
Mehmet_Iyigun, 12-05-2018 04:37 PM
https://techcommunity.microsoft.com...riant-2-with-Retpoline-on-Windows/ba-p/295618

"Updated March 1, 2019: The post below outlines the performance benefits of using Retpoline against the Spectre, Variant 2 (CVE-2017-5715) attack—as observed with 64-bit Windows Insider Preview Builds 18272 and later. While Retpoline is currently disabled by default on production Windows 10 client devices, we have backported the OS modifications needed to support Retpoline so that it can be used with Windows 10, version 1809 and have those modifications in the March 1, 2019 update (KB4482887).

Over the coming months, we will enable Retpoline as part of phased rollout via cloud configuration.

Due to the complexity of the implementation and changes involved, we are only enabling Retpoline performance benefits for Windows 10, version 1809 and later releases..."

March 1, 2019—KB4482887 (OS Build 17763.348)
Applies to: Windows 10, version 1809Windows Server 2019, all version
Release Date: March 1, 2019 Version: OS Build 17763.348
https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887

• Enables “Retpoline" for Windows on certain devices, which may improve performance of Spectre variant 2 mitigations (CVE-2017-5715). For more information, see our blog post, "Mitigating Spectre variant 2 with Retpoline on Windows".

 

Is there anyway we can turn this to be useful for us instead? I imagine this as being a gateway for overclocking locked CPU's that perviously had that intel micro code that was only unlocked via Over priced extreme editions. Im all ears for doing this instead. My 7700hq never goes past 66c under 99% utilization, so going from 3.4ghz to something like 3.8 seems like a nice thing to do.

 

3.4GHz is all you'll get on all cores

 

Thats not my point, the point is to use the micro code to raise that. Those same blobs we oh so like are the same ones that said they where totally immune to things like this, but whatever.

 

Keep dreaming, Intel CPUs are locked by blown transistors, not microcode. Plus microcode updates are encrypted binary blobs.

 

We don't talk about Haswell

 

I've got this latest update installed on both my desktop & laptop PC, but I don't see any performance improvements of this retpoline update. Not expecting to see a performance improvement on my desktop because Skylake and onwards CPU's don't benefit from retpoline; however, my laptop has a Sandy Bridge CPU so should benefit from retpoline, but I'm not seeing any increase in Cinebench 15 CPU score, and I lost 3% performance historically with the Spectre mitigations, so was expecting to see that performance loss recovered with this update. I have KB4482887 installed on my laptop, so that includes the retpoline fix, or do I still have to wait for Microsoft to enable retpoline through "the cloud"? The wording is a bit ambiguous in the Microsoft documentation.

 

Windows 10 Update KB4482887 Released With Performance Fix for Spectre Bug bleepingcomputer.com



Retpoline: attenuation of the Specter variant 2 from Windows 10 1809 deskmodder.de

 

19H1 with retpo is just like Linux. Performance is great and battery life has been increased by 2 hrs. Well, CB r15 extreme score of 175 on 6700hq is absolute crap.

 

Yeah, I've already read all such information, and it's still ambiguous regarding whether retpoline is enabled or not. Their 'cloud configuration rollout' thing they talk about with regards to retpoline enablement, that might mean that they will roll out KB4482887 steadily & in phases, rather than gradually rolling out retpoline enablement for those that already have KB4482887 installed. I'm not sure which it is, does KB4482887 mean that if you have it installed you have retpoline fixes or not? Or can you have KB4482887 installed & still you need to wait for Microsoft to enable retpoline on your PC? That's the ambiguous part of their documentation.

 

Intel’s Newest Spoiler: A Spectre-Style Hardware Exploit That Leaks Private Data
Just when we thought that the worst was over with respect to speculative execution hardware exploits like Spectre, we get hit with another whopper...
http://forum.notebookreview.com/thr...f-pcs-vulnerable.810994/page-30#post-10875906

 

Not much more than this can be done...

Boost Windows 10 Performance with Retpoline Spectre Mitigation Bleepingcomputer | Mar 5, 2019

 

SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability
'Leakage ... is visible in all Intel generations starting from first-gen Core CPUs'
By Thomas Claburn in San Francisco 5 Mar 2019 at 06:34
https://www.theregister.co.uk/2019/03/05/spoiler_intel_processor_flaw/

148 Comments

Note: "The issue is separate from the Spectre vulnerabilities, and is not addressed by existing mitigations. It can be exploited from user space without elevated privileges."

Updated: Further demonstrating the computational risks of looking into the future, boffins have found another way to abuse speculative execution in Intel CPUs to steal secrets and other data from running applications.

This security shortcoming can be potentially exploited by malicious JavaScript within a web browser tab, or malware running on a system, or rogue logged-in users, to extract passwords, keys, and other data from memory. An attacker therefore requires some kind of foothold in your machine in order to pull this off. The vulnerability, it appears, cannot be easily fixed or mitigated without significant redesign work at the silicon level.

Spoiler: More...

Speculative execution, the practice of allowing processors to perform future work that may or may not be needed while they await the completion of other computations, is what enabled the Spectre vulnerabilities revealed early last year.

In a research paper distributed this month through pre-print service ArXiv, "SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks," computer scientists at Worcester Polytechnic Institute in the US, and the University of Lübeck in Germany, describe a new way to abuse the performance boost.

The researchers – Saad Islam, Ahmad Moghimi, Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth and Berk Sunar – have found that "a weakness in the address speculation of Intel’s proprietary implementation of the memory subsystem" reveals memory layout data, making other attacks like Rowhammer much easier to carry out.

The researchers also examined Arm and AMD processor cores, but found they did not exhibit similar behavior.

"We have discovered a novel microarchitectural leakage which reveals critical information about physical page mappings to user space processes," the researchers explain.

"The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the 1st generation of Intel Core processors, independent of the OS and also works from within virtual machines and sandboxed environments."

The issue is separate from the Spectre vulnerabilities, and is not addressed by existing mitigations. It can be exploited from user space without elevated privileges.

Spoiler: Doesn't stand for anything, 'Sp' = Speculative

SPOILER doesn't stand for anything. In an email to The Register, Daniel (Ahmad) Moghimi explained: "We picked a named that starts with 'Sp', since it's an issue due to speculative execution and it kinda spoils existing security assumptions on modern CPUs."

SPOILER describes a technique for discerning the relationship between virtual and physical memory by measuring the timing of speculative load and store operations, and looking for discrepancies that reveal memory layout.

"The root cause of the issue is that the memory operations execute speculatively and the processor resolves the dependency when the full physical address bits are available," said Moghimi. "Physical address bits are security sensitive information and if they are available to user space, it elevates the user to perform other micro architectural attacks."

Memory madness
Modern processors manage reading and writing to RAM using a memory order buffer to keep track of operations. The buffer is used to perform store instructions – copying data from a CPU register to main memory – in the order they are laid out in executable code, and perform load operations – copying data from main memory to a register – out-of-order, speculatively. It allows the processor to run ahead and speculatively fetch information from RAM into the registers, provided there are no dependency problems, such as a load relying on an earlier store that hasn't yet completed.

Speculating about a load operation may result in false dependencies if physical address information isn't available. Intel's chips perform memory disambiguation to prevent computation on invalid data, arising from incorrect speculation.

They just don't do it all that well. "The root cause for SPOILER is a weakness in the address speculation of Intel’s proprietary implementation of the memory subsystem which directly leaks timing behavior due to physical address conflicts," the paper explains.

"Our algorithm, fills up the store buffer within the processors with addresses that have the same offset but they are in different virtual pages," said Moghimi. "Then, we issue a memory load that has the same offset similarly but from a different memory page and measure the time of the load. By iterating over a good number of virtual pages, the timing reveals information about the dependency resolution failures in multiple stages."

SPOILER, the researchers say, will make existing Rowhammer and cache attacks easier, and make JavaScript-enabled attacks more feasible – instead of taking weeks, Rowhammer could take just seconds. Moghimi said the paper describes a JavaScript-based cache prime+probe technique that can be triggered with a click to leak private data and cryptographic keys not protected from cache timing attacks.

Mitigations may prove hard to come by. "There is no software mitigation that can completely erase this problem," the researchers say. Chip architecture fixes may work, they add, but at the cost of performance.

Intel is said to have been informed of the findings on December 1, 2018. The chip maker did not immediately respond to a request for comment. The paper's release comes after the 90 day grace period that's common in the security community for responsible disclosure.

Moghimi doubts Intel has a viable response. "My personal opinion is that when it comes to the memory subsystem, it's very hard to make any changes and it's not something you can patch easily with a microcode without losing tremendous performance," he said.

" So I don't think we will see a patch for this type of attack in the next five years and that could be a reason why they haven't issued a CVE."

Updated to add
An Intel spokesperson told us after publication that it hopes applications can be built in future to defend against SPOILER attacks, or hardware protections can be deployed:

" Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research."

Intel CPUs Reportedly Vulnerable To New "SPOILER" Speculative Attack
Written by Michael Larabel in Security on 5 March 2019 at 09:28 AM EST. 32 Comments
https://www.phoronix.com/scan.php?page=news_item&px=Intel-SPOILER-Attack

"SPOILER is the newest speculative attack affecting Intel's micro-architecture.

Researchers out of the Worcester Polytechnic Institute and University of Lubeck discovered this new speculative attack dubbed SPOILER, Speculative Load Hazards Boost Rowhammer and Cache Attacks.

Intel was notified of this issue a few months ago but no software/hardware fix appears ready yet, while the researchers claim there might not be an effective software solution available at least anytime soon -- and any mitigation would likely come at a performance cost, as we've seen with Spectre and Meltdown over the past year.

AMD and ARM CPUs aren't believed to be impacted by SPOILER.

In this work, we are the first to show that the dependency resolution logic that serves the speculative load can be ex-ploited to gain information about the physical page mappings. Microarchitectural side-channel attacks such as Rowhammer and cache attacks rely on the reverse engineering of the virtual-to-physical address mapping. We propose the SPOILER attack which exploits this leakage to speed up this reverse engineer-ing by a factor of 256. Then, we show how this can improve the Prime+Probe attack by a 4096 factor speed up of the eviction set search, even from sandboxed environments like JavaScript. Finally, we improve the Rowhammer attack by showing how SPOILER helps to conduct DRAM row conflicts deterministically with up to 100% chance, and by demonstrat-ing a double-sided Rowhammer attack with normal user’s privilege. The later is due to the possibility of detecting contiguous memory pages using the SPOILER leakage.

The SPOILER research paper can be read here:
https://arxiv.org/pdf/1903.00446.pdf

Update: An Intel spokesperson has provided us with the following statement:

" Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe software development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research."

38 Comments