Problems? See this thread at archive.org.
good post. and 'profit' is substitutable for 'performance'.Remember how the Intel CEO sold off his stock , all but the min required to be CEO, 1 week b4 Project Zero's POC was made public?
Interesting. Big picture, yet another angle -pissed off employee wants to upset his boss, read the Amsterdam POC & go for it. But selfishly I couldn't help but wonder, is oldschool AHCI mode a safer alt. for those who can still use it?
From Article above, ""Some of the data will always be the same, and other data will change. We see what occurs most often, and this is the data we’re interested in. It’s basic statistics." Scary!
"We have signed it away...", meaning our Govts.? I agree w/ you Prema on most points, but don't stop the good fight, you know? Its not easy, but there is still some semblance of Privacy today, if one works at it, no? (#eff) Peace!
-
-
The Performance Impact Of MDS / Zombieload Plus The Overall Cost Now Of Spectre/Meltdown/L1TF/MDS
by Michael Larabel in Software on 18 May 2019. 28 Comments
https://www.phoronix.com/scan.php?page=article&item=mds-zombieload-mit&num=1
"The past few days I've begun exploring the performance implications of the new Microarchitectural Data Sampling "MDS" vulnerabilities now known more commonly as Zombieload. As I shared in some initial results, there is a real performance hit to these mitigations. In this article are more MDS / Zombieload mitigation benchmarks on multiple systems as well as comparing the overall performance impact of the Meltdown / Spectre / Foreshadow / Zombieload mitigations on various Intel CPUs and also AMD CPUs where relevant.
While disabling Hyper Threading now is recommended by multiple parties if running untrusted code on the system, even if keeping HT/SMT active, the MDS mitigations do provide a very noticeable performance hit in many real and synthetic workloads with the updated Linux kernel patches paired with the newest Intel CPU microcode. Like the other mitigations to this point, the workloads affected most are those with lots of context switches / high interactivity between kernel and user-space.
Before getting to the benchmarks looking at the overall impact of the mitigations to date, first is looking at the MDS on/off costs on various systems while keeping Hyper Threading active. These tests were done on Ubuntu 19.04 using its newest stable release updates bringing a patched Linux 5.0 kernel and the new Intel CPU microcode images.
I tested the MDS on/off tests with a few distinctly different systems for seeing the mitigation cost for Zombieload. Following this batch of tests is a larger set of tests looking at no mitigations for the CPU vulnerabilities, the default mitigations, and then the default mitigations with Hyper Threading disabled. All of these benchmarks were carried out using the Phoronix Test Suite."
There are lots of graphs and supporting information (10 pages), please check out the results of his extensive testing at the URL above...
"If looking at the geometric mean for the tests run today, the Intel systems all saw about 16% lower performance out-of-the-box now with these default mitigations and obviously even lower if disabling Hyper Threading for maximum security. The two AMD systems tested saw a 3% performance hit with the default mitigations. While there are minor differences between the systems to consider, the mitigation impact is enough to draw the Core i7 8700K much closer to the Ryzen 7 2700X and the Core i9 7980XE to the Threadripper 2990WX.
More Linux mitigation benchmarks are coming up on Phoronix in the days ahead."
28 Comments
Gaming Performance Only Faintly Touched By MDS / Zombie Load Mitigations
by Michael Larabel in Linux Gaming on 17 May 2019 at 01:31 PM EDT. 14 Comments
https://www.phoronix.com/scan.php?page=news_item&px=Zombie-Load-Gaming-Impact
"Yesterday I published some initial MDS/Zombieload mitigation impact benchmarks while coming out still later today is much more data looking at the CPU/system performance impact... But is the gaming performance impaired by this latest set of CPU side-channel vulnerabilities?
With the Spectre/Meltdown mitigations, the gaming performance fortunately wasn't impaired by those mitigations. In fact, it was pretty much dead flat.
With my testing thus far of the MDS/Zombieload mitigations on Linux, there does appear to be a slight difference in the rather CPU-bound scenarios compared to Spectre/Meltdown, but still it should be negligible for gamers. Well, that is at least with the higher-end hardware tested thus far, over the weekend I'll be running some gaming tests on some low-end processors/GPUs.
From the tests ran so far with the high-end parts, having the MDS mitigations active only would cause a frame or few hit in the rather CPU-bound scenarios. In those cases already, the games tend to run well over one hundred frames per second so would likely not be noticeable at all to gamers.
...check out the website for results...
So maybe a ~1% hit for some Linux games (if that in some configurations) as a result of the new default MDS mitigations and stopping short of disabling Hyper Threading, but even there most Linux games at least don't use more than a few cores/threads. But as said, will have some low-end Linux gaming hardware tests out in the days ahead.
More of the CPU/system benchmarks that are much more interesting in the context of these mitigations will be out shortly where it seems to be commonly 4~5% but more significant in the context switching heavy workloads."
14 Comments
xfcemint
Junior Member Join Date: May 2019 Posts: 38
#3 05-17-2019, 03:14 PM
"I think the article should have made it more clear that this is with HT on.
To really mitigate ZombieLoad, you need HT off.
Although I speculate that for games, in most cases there will be little difference. But, for the sake of clarity and to provide non-confusing data, you always have to do a run with HT off, and to clearly note it in the article.
Well, in fact, it is also going to depend on number of CPU cores. If a game needs more than 2 cores, and the CPU cannot provide them, there might be some performance hits."Last edited: May 19, 2019 -
[Intel]
Engineering New Protections Into Hardware
https://www.intel.com/content/www/u...ngineering-new-protections-into-hardware.html
Overview
"In 2018, the class of speculative execution side channel vulnerabilities, commonly referred to as Spectre and Meltdown, presented a unique challenge to Intel and the entire industry.
Intel provided microcode updates (MCU) supporting nearly 10 years of Intel® products, which were coupled with updates from our partners to help protect against these vulnerabilities.
We have also taken steps to integrate these protections into our hardware.
Side Channel Mitigation by Product CPU Model
The table below provides details on how the protections are integrated into Intel® products:
[The table is very short, but the data columns are too wide to see, snapshot, and replicate here, please follow the link above to view the list and see what your CPU / Stepping has.]
Frequently Asked Questions
Q1. Are there any differences in the level of protection provided by software mitigated and hardware mitigated versions of these SKUs?
A: No. We expect that the level of protection equivalent whether you have microcode update (MCU) based or hardware-based mitigations in place. The hardware-based mitigations are part of our ongoing commitment to advance security at the silicon level.
Q2. Are there any differences in performance between software mitigated and hardware mitigated versions of these SKUs?
A: For application based workloads, representative of typical usage, such as SYSmark* 2014 SE, PCMark10, WebXPRT 2015, and 3DMark Skydiver Physics the data confirms that the performance between steppings is the same within the normal run to run variation. For some synthetic I/O workloads, we have observed a performance difference between steppings. These synthetic I/O workloads are not representative of mainstream usage.
Q3: How do I determine what I have and how side channel vulnerabilities are mitigated?
A: From the Microsoft Windows Command prompt run “wmic cpu get caption”. Use the result to cross reference the table below.
Q4. What does the “CPU Caption” tell me and how does it map to product SKU?
A: The product caption gives information of what product model and silicon stepping you have. You can see for example on Model 142, as we moved from Stepping 11 to Stepping 12 we integrated hardware mitigations for Variant 2 and L1TF. To determine which products models and stepping maps to what SKU, see the table below.
Another table to view on the site...
AFAIK these new in hardware mitigations only include microcode patch updates burned onto the chip - a stepping change, no other architectural changes have been implemented.
OS patches appropriate for the mitigations are still required, there is no advantage to having the [inactivated] microcode updated on the CPU without the matching OS patch(es).
Intel has not done much in the way of hardware mitigations yet considering it's been going on 2 years since the vulnerabilities were first given to Intel. It's possible that if Intel began dusting off new architecture designs mothballed from before the 4 core ad infinitum dark age, Intel might be able to deliver new CPU architectural designs in the next 12-18 months. Practically speaking, one full generation of release cycle away.
A Look At The MDS Cost On Xeon, EPYC & Xeon Total Impact Of Affected CPU Vulnerabilities
Written by Michael Larabel in Software on 20 May 2019.
https://www.phoronix.com/scan.php?page=article&item=intel-mds-xeon&num=1
"This weekend I posted a number of benchmarks looking at the performance impact of the new MDS/Zombieload vulnerabilities that also included a look at the overall cost of Spectre / Meltdown / L1TF / MDS on Intel desktop CPUs and AMD CPUs (Spectre).
In this article are similar benchmarks but turning the attention now to Intel Xeon hardware and also comparing those total mitigation costs against AMD EPYC with its Spectre mitigations.
This article offers a look at the MDS/Zombieload mitigations on a 1st Gen Skylake Xeon Scalable server as well as a Kabylake Xeon E3 server for reference. Following that is a look at the total CPU vulnerability mitigation costs for 1st Gen Xeon Scalable, 2nd Gen Xeon Scalable (Cascade Lake), and an AMD EPYC 2P server as well for its Spectre mitigations.
As expected given Intel's guidance last week of their latest Xeon processors being mitigated for MDS, indeed, the dual Xeon Platinum 8280 Cascade Lake server reported it was not affected by the MDS mitigations and thus not enabled. So for the MDS tests up first it's just some reference results using a dual Xeon Gold 6138 Skylake server running Ubuntu 19.04 with the Linux 5.0 patched kernel and reference results side-by-side for a separate Xeon E3-1275 v6 server.
All of these mitigation benchmarks were driven in a fully-automated and reproducible manner using the Phoronix Test Suite.
[...lots of benchmark results, please see site at URL above...]
If looking at the geometric mean of all the benchmarks carried out, the EPYC 7601 averages out to about a 1% hit with its Spectre mitigations.
The dual Xeon Platinum 8280 Cascadelake setup with its mostly hardware-based mitigations was slower by 4% with the relevant mitigations enabled.
(l1tf: Not affected + mds: Not affected + meltdown: Not affected + spec_store_bypass: Mitigation of SSB disabled via prctl and seccomp + spectre_v1: Mitigation of __user pointer sanitization + spectre_v2: Mitigation of Enhanced IBRS IBPB: conditional RSB filling).
Meanwhile the dual Xeon Gold 6138 server that unfortunately doesn't have the hardware mitigations saw a 11% hit from the benchmarks run with these Spectre / Meltdown / L1TF / MDS mitigations or 15% if disabling Hyper Threading as an additional measure based on the benchmarks carried out today."
Looking forward to a wider range of testing, as this doesn't seem representative of DC work in general. Reports of 20%-40% performance hits from what workloads? I guess we'll have to be patient to find out.
Checkout J's video about disabling HT, J used the 8700k for testing but comes to the conclusion that HT isn't that important for gaming, and suggests saving $ and getting the 9xxxKF => CPU's without HT, when building new PC's.
Now it makes sense why Intel came out with a whole line of HT-less CPU's, they are more secure without HT in current architecture. Might as well save the silicon real estate, power, thermals, (and $?) and get HT-less to start.
Is Hyper-Threading Even Necessary? ZombieLoad Impact Testing (8700k)
JayzTwoCents
Published on May 20, 2019
http://forum.notebookreview.com/thr...ke-z370-and-z390.809268/page-42#post-10913286 -
-
-
NetCAT is another side-channel attack against Intel CPU's with DDIO Enabled in server environments...another side-channel attack vulnerability...
Weakness in Intel chips lets researchers steal encrypted SSH keystrokes
DDIO makes servers faster. It can also allow rogue servers to covertly steal data.
DAN GOODIN - 9/10/2019, 11:35 AM
https://arstechnica.com/information...s-researchers-steal-encrypted-ssh-keystrokes/
"In late 2011, Intel introduced a performance enhancement to its line of server processors that allowed network cards and other peripherals to connect directly to a CPU's last-level cache, rather than following the standard (and significantly longer) path through the server's main memory. By avoiding system memory, Intel's DDIO—short for Data-Direct I/O—increased input/output bandwidth and reduced latency and power consumption.
Now, researchers are warning that, in certain scenarios, attackers can abuse DDIO to obtain keystrokes and possibly other types of sensitive data that flow through the memory of vulnerable servers. The most serious form of attack can take place in data centers and cloud environments that have both DDIO and remote direct memory access enabled to allow servers to exchange data.
A server leased by a malicious hacker could abuse the vulnerability to attack other customers. To prove their point, the researchers devised an attack that allows a server to steal keystrokes typed into the protected SSH (or secure shell session) established between another server and an application server.
Merely scratching the surface
The researchers have named their attack NetCAT, short for Network Cache ATtack. Their research is prompting an advisory for Intel that effectively recommends turning off either DDIO or RDMA in untrusted networks. The researchers say future attacks may be able to steal other types of data, possibly even when RDMA isn't enabled. They are also advising hardware makers do a better job of securing microarchitectural enhancements before putting them into billions of real-world servers.
"While NetCAT is powerful even with only minimal assumptions, we believe that we have merely scratched the surface of possibilities for network-based cache attacks, and we expect similar attacks based on NetCAT in the future," the researchers, from the Vrije Universiteit Amsterdam and ETH Zurich, wrote in a paper published on Tuesday. "We hope that our efforts caution processor vendors against exposing microarchitectural elements to peripherals without a thorough security design to prevent abuse."
The researchers devised NetCAT after reverse-engineering DDIO and finding that last-level caches were sharing data across CPUs and peripherals, even when they received untrusted or potentially malicious input. Among the things this shared resource divulged was the precise arrival times of data packets sent in sensitive connections such as SSH. The information gave the researchers a side channel they could use to deduce the contents of each keystroke.
NetCAT is based partly on the observation that humans follow largely universal typing patterns that can often reveal clues about the keys they enter into a keyboard. For instance, it's usually faster for most people to type an "s" immediately after an "a" than to type a "g" right after typing an "s." These patterns allowed the researchers to use DDIO to carry out a keystroke timing attack, similar to this one, that uses statistical analysis of the inter-arrival timings of packets. Below is a video demonstrating the attack:
NetCAT remotely leaking keystrokes from a victim SSH session
VUSec
Published on Sep 10, 2019
bitburner 1 day ago
"Too bad you didn’t do a simple google search to find out that NetCAT is already the name of an old and extremely popular security tool."
Continuing article...
"The researchers used rapid delivery provided by RDMA to simplify the attack, but it's not a strict requirement, and future attacks may not need it at all. In an email, Kaveh Razavi, one of the Vrije Universiteit researchers who wrote the paper NetCAT: Practical Cache Attacks from the Network, wrote:
" In short, the root cause of the vulnerability boils down to Intel's DDIO feature enabling the (last-level) CPU cache to be shared with arbitrary peripherals such as network cards.
This dramatically extends the attack surface of traditional cache side-channel attacks, which are normally mounted on a local setting (say from a VM to another in the cloud), exposing servers to cache side-channel disclosure from untrusted clients over the network.
Using RDMA (for convenience), we have demonstrated the vulnerability can be exploited in real-world settings to leak sensitive information (e.g., keystrokes from an SSH session)."
PRIME+PROBE
To suss out the timing information from the last-level cache, the researchers used a technique known as PRIME+PROBE. It involves first priming the cache by receiving packets that will be read from certain memory locations. The result: the technique brings the cache to a known state. The attack then waits for the target SSH client to type a letter. That triggers the PROBE stage, which attempts to detect any changes by receiving the same packets from the same memory locations.
"If the client has typed a key, then these packets will arrive slightly slower, signaling a keystroke," Razavi wrote. "By performing PRIME+PROBE in a loop, NetCAT can find out whenever the victim types something in a network connection."
The researchers proposed a second attack scenario that uses DDIO as a covert channel to funnel sensitive data off a server. In one variation, the covert channel connects a targeted server to an unnetworked, cooperating sandboxed process on a remote machine. A second variation creates a covert channel between two cooperating network clients running inside two separate networks.
Covert channels are mechanisms attackers use to transfer data between processes or hardware that are barred by security policies from communicating with one another. By stealthily bypassing this policy, attackers can steal sensitive data in a way that's not detectable by the target.
The research is impressive, and the vulnerability it reveals is serious. Anyone who uses Intel-made processors inside data centers or other untrusted networks should carefully review the research, Intel's advisory, and any advisories by the network provider to ensure DDIO doesn't present a threat.
People should also be aware that disabling DDIO comes at a significant performance cost.
So far as the researchers know, chips from AMD and other manufacturers aren't vulnerable because they don't store networking data on shared CPU caches.
At the same time, people should remember that the research isn't likely to materialize into widespread attacks in the real world any time soon.
" NetCAT is a complex attack and is likely not the low-hanging fruit for the attackers," Razavi wrote. "In server settings with untrusted clients, where security matters more than performance, however, we recommend DDIO to be disabled."
Reader Comments
Twilight Sparkle, SEP 10, 2019 12:09 PM
"Hunt and peck is now a security technique."
April King, SEP 10, 2019 11:39 AM
"NetCAT is just about the worst possible name for a piece of software like this, since it's been used by netcat (aka `nc`) for about 25 years now. Searches are going to be a nightmare."
IDK, adding DDIO and / or RDMA / SSH, that should help narrow the results.
ChronoReverse, SEP 10, 2019 11:44 AM
"Another day another Intel performance enhancement that turns out to be a security flaw."
John_5mith, SEP 10, 2019 11:56 AM
" Wickwick wrote:
Is it just me or is it starting to feel that any sort of cache is just waiting to be abused?"
" Cache is the root of all evil."
Intel NetCat Security Flaw: The Last Straw to Break the Camel's back...
Moore's Law Is Dead
Premiered 12 hours ago
Another month, another crippling security flaw.
Love Thy Neighbor 9 hours ago
"Doesn't matter. Intel is the BEST at Windows Media Player."
Jason Gooden 12 hours ago
"I was making lunch when I heard Intel had anther security flaw, I just kept making lunch without breaking stride. Not surprised at all, that’s pretty sad."
gamamew 11 hours ago
"LOL so Intel chips are more of a piece of garbage than ever. If you want SMT and virtualization you have to go red team."
Sergio Madureira 12 hours ago
"New security flaw - Intel runs to the closest sand pit to bury their head in"
Replace Intel CPU's is the only sure way to fix these vulnerabilities... gee, didn't CERT say that at the very start of all of this going on 2 years ago??
Cybersecurity agency: The only sure defense against huge chip flaw is a new chip
BY Marcus Gilmer, 2018-01-04 18:54:41 UTC
https://mashable.com/2018/01/04/chip-flaw-cert-recommendation/
Xeon and Other Intel CPUs Hit by NetCAT Security Vulnerability, AMD Not Impacted
by Nathaniel Mott September 11, 2019 at 7:48 AM
https://www.tomshardware.com/news/intel-xeon-cpu-netcat-security-vulnerability-flaw,40376.html
NetCAT: Practical Cache Attacks from the Network
Michael Kurth, Ben Gras, Dennis Andriesse, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi
Department of Computer Science Vrije Universiteit Amsterdam, The Netherlands
https://www.cs.vu.nl/~herbertb/download/papers/netcat_sp20.pdfLast edited: Sep 13, 2019 -
Haha..... But I'm sad that nearly all my laptops must be switched to an new AMD based laptop.
hmscott likes this. -
-
-
-
Hope you like this wallpaper. Register to this forum just to reply you
p.s I am the one who photoshop this wallpaper
New wallpaper in 4K resolution. Enjoy~
http://fav.me/ddk3t87Last edited: Nov 10, 2019Starlight5, Vasudev, Papusan and 3 others like this. -
Maybe you should create a new wallpaper for the newest Intel chips
![[IMG]](images/storyImages/gwn2is94dEEYqBxCxuKTsW.jpg)
Intel has steadily added new hardware-based mitigations for many of the new vulnerabilities, like MSBDS, Fallout, and Meltdown, with new steppings of its die.jclausius, VICKYGAMEBOY, Vasudev and 2 others like this. -
-
What performance slows down specifically for you in your VM's?
I'm fully prepared to take a ~10 sec hit on performance for security, but I don't think I'll gamble with driver/optimization/program and O/S updates with Ryzen 3 which could easily take minutes or hours/weeks/months to be ironed out.
Trading 'slowdowns' is not what I optimize my workloads. Especially trading for unknowns.
CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more
Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.
