The Notebook Review forums were hosted by TechTarget, who shut down them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more

    Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.

  1. Vasudev

    Thanks. It's Alienware. Nothing you can do about it. We were promised an update last week and now they have super advanced to next month.
     
    ajc9988 likes this.
  2. Robbo99999

    Thanks Vasudev for the offline installer. Given that it's just appeared for hacktrix2006 I'll just wait for it to be done automatically - I'll click the Windows Update button every once in a while!
     
    Vasudev likes this.
  3. Vasudev

    That's good. Because the delta package is around 500 Megs, you can install the complete set in just 5 mins w/o any wait.
    I never use WU.
     
    ajc9988 and Mr. Fox like this.
  4. Support.2@XOTIC PC


    What did I just listen to?

    I think they've been pushed for some systems (my SP2 had a surprise update late last night that I haven't checked yet, it's my update canary).
     
  5. Robbo99999

    Ha, I like it!
     
    ajc9988 and Vasudev like this.
  6. ajc9988

    @Mr. Fox @hmscott - I think you guys will get a kick out of reading Linus Torvalds's response to the issue directed at Intel:


    From Linus Torvalds
    Date Wed, 3 Jan 2018 15:51:35 -0800
    Subject Re: Avoid speculative indirect calls in kernel


    On Wed, Jan 3, 2018 at 3:09 PM, Andi Kleen <[email protected]> wrote:
    > This is a fix for Variant 2 in
    > https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
    >
    > Any speculative indirect calls in the kernel can be tricked
    > to execute any kernel code, which may allow side channel
    > attacks that can leak arbitrary kernel data.

    Why is this all done without any configuration options?

    A *competent* CPU engineer would fix this by making sure speculation doesn't happen across protection domains. Maybe even a L1 I$ that is keyed by CPL.

    I think somebody inside of Intel needs to really take a long hard look at their CPU's, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed.

    .. and that really means that all these mitigation patches should be written with "not all CPU's are crap" in mind.

    Or is Intel basically saying "we are committed to selling you **** forever and ever, and never fixing anything"?

    Because if that's the case, maybe we should start looking towards the ARM64 people more.

    Please talk to management. Because I really see exactly two possibilities:

    - Intel never intends to fix anything

    OR

    - these workarounds should have a way to disable them.

    Which of the two is it?

    Linus
     
    hmscott, Mr. Fox and Vasudev like this.
  7. ajc9988

    @Prema - Will you be releasing updated ME or BIOS/UEFI in light of the new security issues? Has Clevo made an announcement on any firmware updates due to this?
     
  8. Support.2@XOTIC PC

    If you've got more than one system, why not? :)

    When put that way it makes it seem like something that should have always been protected.
     
  9. ajc9988

    Because it is! This is the biggest cockup in computer security possibly ever! It never should have exposed it in this way.

    The hardware part from Intel requiring OS and firmware to fix it is huge, and it still isn't really fixed. AMD and ARM have to answer for some of this, too. But ARM put out a list of specifically affected designs and variants immediately, and gave detailed information on which ones are more vulnerable and why.

    AMD published their findings showing they are almost certain meltdown doesn't apply to them. Spectre does. It applies to all, hence needing to work together on finding a solution.

    So, this is why I have been irate, and I only knew about it for days. Imagine having to code for months to fix their cockup!
     
    hmscott and Raiderman like this.
  10. KY_BULLET

    Anyone remember the iPhone performance-hindering/battery saver update a couple weeks ago? I wonder if this was Apple trying the patch on older phones first before applying it to the newer phones for guinea pigging purposes?

    Just a thought, might not have anything to do with it :rolleyes:...
     
    Mr. Fox likes this.
  11. Robbo99999

    Here we go! Mine just updated through Windows Update with the security fix (amongst other fixes):
    https://support.microsoft.com/en-gb/help/4056892/windows-10-update-kb4056892

    Will post back with any performance findings, I'll just do a few short tests tonight i.e. now.

    EDIT: My Brief Findings on Performance Effect of Windows Bug Fix

    Cinebench R15

    previous highest score ever seen = 1055
    post bug fix highest score = 1051
    might have lost 0.4% performance here.

    3DMark Firestrike
    -Graphics Score & Combined Score no change
    -Physics score (average of 2 runs): pre bug fix = 15254; post bug fix = 15204
    -might have lost 0.3% performance in Physics Performance

    3DMark Timespy
    -Graphics Score no change
    -Physics score very variable historically, but looks like no performance hit, didn't include numbers because variance too large, looks like same ball park, especially in terms of maximum Physics scores seen both pre & post.

    F1 2015
    -Pre (2 runs): 177 fps
    -Post (2 runs): 177 fps

    F1 2016
    -Pre (2 runs): 119 fps
    -Post (2 runs): 119 fps

    Dirt Rally
    -Pre (2 runs): 167 fps
    -Post (2 runs): 167 fps

    The racing sim benchmarks above are very reproducible from run to run, so not surprised they are the same, and 2 runs is ok to check because of high reproducibility.

    Conclusion:
    To me it looks like there could be a 0.3 to 0.4% CPU performance hit with the latest bug patch on operations that are purely CPU limited, but gaming doesn't seem to be affected. In fact, you could almost go as far to say that there has been no performance loss anywhere as 0.3% differences are pretty close to the margin of error I'd say.
     
    Last edited: Jan 4, 2018
    Ashtrix, hmscott, Mr. Fox and 2 others like this.
  12. Raiderman

    Really glad I don't have to install this mess of crap! Updates on my machine are only installed via Simplix packs. Why you ask? It's because I have control of my hardware, and PC. Those who wish to run that abomination called Windows 10 can forever be Microsoft's guinea pigs via their never ending beta service trash.

    Edit: sorry for the mini rant
     
    Ashtrix, steberg, hmscott and 2 others like this.
  13. Spartan@HIDevolution

    hmscott, Mr. Fox and KY_BULLET like this.
  14. saturnotaku

    Is there a link to this update for Windows 7/8.1?
     
  15. Support.2@XOTIC PC


    Agreed, though what I was getting at was that it seems really obvious in hindsight, but we're just finding out now about a problem that appears to go back to 1995? How did it go overlooked (and unexploited) by everyone (not just Intel) for so long in the first place? What about it made it either not come up at all in testing or (less likely) not seem to be a problem? If it was that simple someone would have been raising hell about it way earlier, right?
     
    Raiderman likes this.
  16. ajc9988

    Who said it went overlooked? They have the modifier on their statements that "to their knowledge" no one has used it. The problem is that it doesn't show up as malicious code. That means, if not attached to an obvious known malware, you could have done this all along. Or think of injecting it to pull your passwords, etc., by injecting the code into a benign file, like a ME firmware update, chipset or ME drivers, etc., through a man in the middle attack using your ISP, like what our government was shown to be doing in other countries (maybe not with this specific exploit, but we really don't know). Or maybe the NSA did that stateside. Because the binary is benign, something like that could have been done for a while. That is why they just recommend page isolation for browsers:

    "Our advice is to sit tight, install OS and firmware security updates as soon as you can, don't run untrusted code, and consider turning on site isolation in your browser (Chrome, Firefox) to thwart malicious webpages trying to leverage these design flaws to steal session cookies from the browser process."
    http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/

    Once passwords are compromised, they have ALL of your data. So, we know when Google found it and the independent groups of researchers found it. What we don't know is when other parties MAY have found it and HOW LONG they may have used it. So, if you believe no one knew for ALL this time, I've got some land to sell you!
     
    hmscott and Raiderman like this.
  17. Mr. Fox

    A story through rap music as an example of how morons speak out of ignorance as if they are an authority on the particular topic. Huh? What? LOL. That was what you posted about. (The ignorant comment made about it not being important to be able to or not needing to use 100% of their CPU resources.)
    Yup, I have been alluding to that all along. Something really fishy about the whole deal. It doesn't paint a pretty picture of any of the hardware ODMs or Micro$loth. It's either getting blown way out of proportion and over-hyped to the max to serve some kind of sinister agenda, or there has been a long-term massive cover-up with lots of people that knew about it and did nothing.

    That's one of the reasons I am taking a que sera sera attitude about it. If it has been a problem since 1995, it's no more of a problem now than it was then. EXCEPT FOR the fact that so many of the media imbeciles are advertising and flaunting it, alerting all of the bad people to it, etc. They are actually creating chaos and drama, and fabricating conditions for increased security risk based on their actions.

    Somebody, or a group of somebodies, are probably going to get filthy rich off of it, including the attorneys on both sides of the drama. If I were a betting man, I would bet there is a huge scam here and it is being spun a certain way for the purpose of profit. Just think about all of the serious exploits and security risks over the years that were mentioned in passing and quietly fixed. There is no reason for this topic to monopolize the media, just like there is no reason for most of the other stupid crap that the talking heads beat to death for weeks or even months. They create epic drama where none is warranted.

    So, it went unfixed for 20+ years. Fix it. Shut up. Move on. End of story. Change the channel. Another soap opera is ready for us.
     
    Last edited: Jan 4, 2018
  18. inm8#2

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

     
  19. jclausius

  20. Support.2@XOTIC PC


    Definitely not saying it's just now coming to attention of all entities, but to go observably unexploited for so long, it can't have been a simple thing, and if someone knew about it and sat on it that long without it getting out they must have way better leak protection than I would give Intel credit for, and even more than I'd give any of the letter agencies for. I thought the NSA's exploits were based on other more obvious vulnerabilities anyway.
     
    Raiderman likes this.
  21. yrekabakery

  22. Talon

  23. Papusan

    Good luck with AMD!! For the MEI FW... See my reply below.
    Dell/dellienware's engineers are preparing for refreshed, thinner laptop models for 2018. No time for EOL models at the moment!!
    Windows 10 CPU Bug Fix Patch Benchmarks-Guru3.com

    Preliminary conclusion
    Given what I am currently seeing, desktop users and PC gamers should not be worried about significant performance drops. Most test results do show a negative effect on performance, but we're really talking in a realm of 2% differentials here. The file IO tests didn't worry me either, and we used the fastest consumer NVME SSD on the globe to be able to see a bigger effect when measured. We did see a bit of a drop off in 4K performance, mostly reads up-to 4%. That's the worst I have been able to find out of all tests though we had an issue with write perf (not related to the patches), we'll look into this but that likely is the newly updated Samsung NVMe driver.

    Now my remark here needs to include this, there probably will be some firmware updates and perhaps new patches for all protections to kick in, accumulated and activated these all can have an effect on performance. However, if you have a reasonably modern PC and IF this patch is all there is to it, you'll be hard-pressed to notice any difference, if at all. Again I would like to re-iterate that the effect on older dual and quad-core processors with a lower frequency could be far worse, the truth here is that I do not know the effect on that just yet. But on your average modern PC, this doesn't seem to be that worrying at all. That said - I'll need to test older processors, if there's a need performance differences wise, we'll certainly report back on that.

    Cinebench R15 multi-threaded, yes we drop a few points again. But again this is not even remotely significant. The generic consensus, however, remains that all tests show slightly slower performance, that is a fact!!
     
    Last edited: Jan 4, 2018
    Ashtrix, Robbo99999, Vasudev and 2 others like this.
  24. Robbo99999

    I've just finished performance testing the Windows Bug Fix Patch, and I edited my previous post with my findings below:

    My Brief Findings on Performance Effect of Windows Bug Fix

    Cinebench R15
    previous highest score ever seen = 1055
    post bug fix highest score = 1051
    might have lost 0.4% performance here.

    3DMark Firestrike
    -Graphics Score & Combined Score no change
    -Physics score (average of 2 runs): pre bug fix = 15254; post bug fix = 15204
    -might have lost 0.3% performance in Physics Performance

    3DMark Timespy
    -Graphics Score no change
    -Physics score very variable historically, but looks like no performance hit, didn't include numbers because variance too large, looks like same ball park, especially in terms of maximum Physics scores seen both pre & post.

    F1 2015
    -Pre (2 runs): 177 fps
    -Post (2 runs): 177 fps

    F1 2016
    -Pre (2 runs): 119 fps
    -Post (2 runs): 119 fps

    Dirt Rally
    -Pre (2 runs): 167 fps
    -Post (2 runs): 167 fps

    The racing sim benchmarks above are very reproducible from run to run, so not surprised they are the same, and 2 runs is ok to check because of high reproducibility.

    Conclusion:
    To me it looks like there could be a 0.3 to 0.4% CPU performance hit with the latest bug patch on operations that are purely CPU limited, but gaming doesn't seem to be affected. In fact, you could almost go as far to say that there has been no performance loss anywhere as 0.3% differences are pretty close to the margin of error I'd say.
     
    Ashtrix, Vasudev, hmscott and 3 others like this.
  25. Mr. Fox

    Last edited: Jan 4, 2018
  26. yrekabakery

    From what I've seen, post-patch CPU-bound gaming performance is more impacted on slower CPUs and older architectures, and apparently later architectures have something called PCID to mitigate the performance loss. It doesn't help either that every media outlet is only testing this patch on the latest and greatest CPUs, so people with older hardware automatically project those results on their own systems and assume they won't lose significant performance.
     
    Ashtrix, Robbo99999, Vasudev and 2 others like this.
  27. Mr. Fox

    LOL... So, the Gates of Hell haven't opened? No famine, plagues or pestilence? Nice!

    Y2K v2.0. Only difference is, the chaos only lasted a couple of days instead of a year or more of dark prophecies of the doom and gloom that awaited us all at 12:01AM on 01.01.2000.

    So many calories were burned by so many worrying about nothing. It sure made for some controversial headlines and lots of wild apocalyptic doomsday speculation. As I said before. Fix it. Shut up. Move on. Nothing to see here. Business as usual. But, hey, nobody makes any money on "business as usual" LOL.
     
    Last edited: Jan 4, 2018
    Ashtrix, Robbo99999, Vasudev and 2 others like this.
  28. Raiderman

    I don't think this Y2K is over until we see the impact on data servers and such. Could still spell disaster for Intel.
     
    Last edited: Jan 4, 2018
  29. Mr. Fox

    Maybe. Maybe not.

    They also need to get started working on the patch to patch the patch that plugs the worm hole the new Windows Update created that they haven't told us about yet. :vbthumbsup:
     
    Ashtrix, Papusan, TBoneSan and 3 others like this.
  30. Raiderman

    LMAO, Perfect explanation of the absolute mess microslop is right now! I'm sure the patch will break something somewhere, as it does most of the time.
     
    Ashtrix, Papusan, hmscott and 2 others like this.
  31. Mr. Fox

    They're all just like a bunch of monkeys trying to be intimate with a football.
     
    Ashtrix, Papusan, TBoneSan and 2 others like this.
  32. Support.2@XOTIC PC

    Maybe we should drag this out a little longer, America could stand to collectively burn a few more calories.
     
  33. ajc9988

    hmscott likes this.
  34. plee82

    The patch does not affect pure CPU benchmarks. The hit is on syscalls to the kernel. For instance, IO is getting hit hard. Things like compiling, SQL, etc. are getting impacted. AWS developer forums have people complaining since December about performance loss when Amazon pushed the update without anyone’s knowledge. Things like prime95 or other synthetic benchmarks that people run here will not see a big impact.
     
  35. ajc9988

    I've tried mentioning that before. Just like trying to explain how necessary this update is for security. Because this doesn't impact consumer performance much or at all, depending on use case, there is no reason anyone should not be applying the fix.
     
    hmscott likes this.
  36. hmscott

    Exactly, the real "feelz" will be in loading / switching apps, OS type overhead increases, lag and response in general for desktops / laptops.

    The other hits are IO and anything that requires lots of syscalls and user space to / from protected space copying and access.

    There are likely other gotchas yet to be noticed :)

    It would be nice to have some kind of a monitoring tool / profiler that watches the flipping in and out of the fix(es) entry / exit points - keeping count in/out as well as system and clock time lost.

    Google says CPU patches cause ‘negligible impact on performance’ with new technique (only addresses 1 of the 3 vulnerability variants)
    Finally, some good news for chipmakers
    By Russell Brandom@russellbrandom Jan 4, 2018, 4:38pm EST
    https://www.theverge.com/2018/1/4/16851132/meltdown-spectre-google-cpu-patch-performance-slowdown

    "Google just gave chipmakers some much needed good news. In a post on the company’s Online Security Blog, two Google engineers described a novel chip-level patch that has been deployed across the company’s entire infrastructure, resulting in only minor declines in performance in most cases. The company has also posted details of the new technique, called ReptOnline, in the hopes that other companies will be able to follow the same technique. If the claims hold, it would mean Intel and others have avoided the catastrophic slowdowns that many had predicted.

    “There has been speculation that the deployment of KPTI causes significant performance slowdowns,” the post reads, referring to the company’s “Kernel Page Table Isolation” technique. “Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”

    The news is particularly significant for Google Cloud, as some see cloud services as uniquely vulnerable to the new processor issues. According to the post, ReptOnline has already been deployed to the system with no significant impact on speeds.

    “Of course, Google recommends thorough testing in your environment before deployment,” the post continues. “We cannot guarantee any particular performance or operational impact.”

    That assessment is consistent with early reports from Intel, which had said slowdowns would be “highly workload-dependent and, for the average computer user, should not be significant.” Those claims were met with skepticism, with many seeing them as an effort by Intel to downplay the impact of the newly public vulnerabilities. At the same time, some early benchmarks saw slowdowns as high as 17 percent.

    More recently, Intel announced it had deployed patches that would render chips immune to the new attacks, and restated that the performance impact was not significant. It’s difficult to confirm Google and Intel’s claims until the patches are deployed, but it’s significant that Google has joined the chipmaker in reporting minimal slowdowns.

    Notably, the new technique only applies to one of the three variants involved in the new attacks. However, it’s the variant that is arguably the most difficult to address. The other two vulnerabilities — “bounds check bypass” and “rogue data cache load” — would be addressed at the program and operating system level, respectively, and are unlikely to result in the same system-wide slowdowns."
     
  37. plee82

    For instance just now I can feel my games are loading slower but fps wise no change.
     
    hmscott and ajc9988 like this.
  38. ajc9988

    So those that went with Intel because it was "snappier"... LOL

    @hmscott - Just saw some more horrible information of people trying to say that just because the code needs to be executed locally to run one of the exploits they pretty much have to be at your keyboard! LMAO! This was WaPo comments section so not surprised.

    My thought on how this can be used is to do the man-in-the-middle attack for injection of code with using the automatic update feature with a redirect and setting it up where the leaked kernel information, such as passwords, is put into the packets sent back for the connection, and just owning someone hard that way. Tell me if I'm thinking incorrectly on an easy way to do this exploit allowing for later remote admin access, etc.
     
    hmscott likes this.
  39. hmscott

    [image: Strip-Intel-Meltdown-Spectre-english650-final.jpg]
    Not going into "how to exploit" discussions :)
     
    aaronne and ajc9988 like this.
  40. ajc9988

    Got ya. Understandable! I just cannot believe people don't understand the nature or gravity of what can be done with something like this. SMDH!

    Edit: LMFAO at that comic!!!
     
    hmscott likes this.
  41. jclausius

    Early reports on SA-00086 were that the exploit could only be run in this manner.

    You're describing what is generally called a context switch, which was expensive (in CPU cycles) to begin with.

    However, I thought the original issue was that the CPU was not enforcing memory rules/security when executing instructions within a branch prediction. Maybe I misread that somewhere.
     
    hmscott likes this.
  42. hmscott

    You didn't misread, there are several vulnerabilities, and above you're discussing Spectre:

    Spectre (security vulnerability)
    https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)

    "Spectre is a hardware vulnerability with implementations of branch prediction that affects modern microprocessors with speculative execution,[1] by allowing malicious processes access to the contents of other programs' mapped memory.[2][3][4] Two Common Vulnerabilities and Exposures IDs related to Spectre, CVE-2017-5753 and CVE-2017-5715, have been issued."

    The other is Meltdown:

    Kernel page-table isolation
    https://en.wikipedia.org/wiki/Kernel_page-table_isolation

    "Kernel page-table isolation (KPTI, previously called KAISER) [1] is a mitigation for the Meltdown security vulnerability in Intel's x86 CPUs.

    It works by better isolating user space and kernel space memory. [2][3] KPTI was merged into Linux kernel version 4.15, [4] to be released in early 2018, and backported to Linux kernel 4.14.11. [5] Windows [6] and macOS [7] released similar updates. KPTI does not address the related Spectre vulnerability. [8]

    ...The KPTI patches were based on KAISER, an earlier mitigation for a much less severe issue, published in June 2017 back when Meltdown was not known yet.

    ...Without KPTI enabled, whenever executing user-space code (applications), Linux would also keep its entire kernel memory mapped in page tables, although protected from access. The advantage is that when the application makes a system call into the kernel or an interrupt is received, kernel page tables are always present, so most context switching-related overheads (TLB flush, page-table swapping, etc.) can be avoided. [2]

    ...KPTI fixes these leaks by separating user-space and kernel-space page tables entirely. On processors that support the process context identifiers (PCID) feature, a TLB flush can be avoided, [2] but even then it comes at a significant performance cost, particularly in syscall-heavy and interrupt-heavy workloads.

    The overhead was measured to be 0.28% according to KAISER's original authors; [3] a Linux developer measured it to be roughly 5% for most workloads and up to 30% in some cases, even with the PCID optimization; [2] for database engine PostgreSQL the impact on read-only tests on an Intel Skylake processor was 7-17% (or 16-23% without PCID), [15] while a full benchmark lost 13-19% (Coffee Lake vs. Broadwell-E). [16] Redis slowed by 6-7%. [16]

    KPTI can partially be disabled with the "nopti" kernel boot option. Also provisions were created to disable KPTI if newer processors fix the information leaks. [1]"
     
    Last edited: Jan 4, 2018
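    The quoted Wikipedia text above mentions the "nopti" boot option and the PCID optimization; an administrator who has just applied the patches usually wants to confirm which state the machine is actually in. The following is an added example, not code from the thread or from any of the linked projects. It reads the Meltdown status file that Linux 4.15+ exposes under /sys/devices/system/cpu/vulnerabilities/, checks /proc/cmdline for "nopti" or "pti=off", and looks at the "flags" and "bugs" lines of /proc/cpuinfo for the "pti" and "pcid" flags and the "cpu_meltdown" bug entry. The parsing helpers take file contents as strings, so they can be exercised on constructed samples as well as on the live files; the sample strings in the comments are constructed, not captured from a real host.

```c
/* Added example (not from the thread): report whether KPTI is active on a
 * Linux host and whether the CPU offers PCID (which avoids the full TLB
 * flush on each page-table switch).  Sources read in main():
 *   /sys/devices/system/cpu/vulnerabilities/meltdown   (Linux >= 4.15)
 *   /proc/cmdline                                       ("nopti", "pti=off")
 *   /proc/cpuinfo                                       ("flags", "bugs" lines)
 * The helpers take file contents as strings so they can be run on
 * constructed samples; older kernels simply report "unknown". */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum meltdown_state { MD_UNKNOWN = 0, MD_MITIGATED_PTI, MD_VULNERABLE, MD_NOT_AFFECTED };

/* Classify the one-line sysfs status, e.g. "Mitigation: PTI\n". */
enum meltdown_state classify_meltdown(const char *status)
{
    if (status == NULL) return MD_UNKNOWN;
    if (strncmp(status, "Not affected", 12) == 0) return MD_NOT_AFFECTED;
    if (strncmp(status, "Mitigation: PTI", 15) == 0) return MD_MITIGATED_PTI;
    if (strncmp(status, "Vulnerable", 10) == 0) return MD_VULNERABLE;
    return MD_UNKNOWN;
}

/* 1 if some whitespace-separated token of `text` equals `want` exactly,
 * so that "pcid" does not match "invpcid" and "pti" does not match "nopti". */
static int has_token(const char *text, const char *want)
{
    size_t wl = strlen(want);
    const char *p = text;
    while (*p) {
        while (*p && isspace((unsigned char)*p)) p++;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        if ((size_t)(p - start) == wl && memcmp(start, want, wl) == 0) return 1;
    }
    return 0;
}

/* 1 if the kernel command line switches KPTI off ("nopti" or "pti=off"). */
int cmdline_disables_pti(const char *cmdline)
{
    return has_token(cmdline, "nopti") || has_token(cmdline, "pti=off");
}

/* 1 if the /proc/cpuinfo line whose key is `key` ("flags" or "bugs") lists
 * `token`.  Only the first matching line (CPU 0) is consulted. */
int cpuinfo_line_has(const char *cpuinfo, const char *key, const char *token)
{
    size_t kl = strlen(key);
    const char *line = cpuinfo;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > kl && strncmp(line, key, kl) == 0 &&
            (line[kl] == ':' || isspace((unsigned char)line[kl]))) {
            const char *colon = memchr(line, ':', len);
            if (colon) {
                char buf[8192];
                size_t n = len - (size_t)(colon + 1 - line);
                if (n >= sizeof buf) n = sizeof buf - 1;
                memcpy(buf, colon + 1, n);
                buf[n] = '\0';
                return has_token(buf, token);
            }
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Read a small text file into buf; returns 0 if it cannot be opened. */
static int read_file(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    buf[got] = '\0';
    return 1;
}

int main(void)
{
    static char status[256], cmdline[4096], cpuinfo[65536];
    const char *names[] = { "unknown", "Mitigation: PTI", "Vulnerable", "Not affected" };

    if (!read_file("/sys/devices/system/cpu/vulnerabilities/meltdown", status, sizeof status))
        status[0] = '\0';                 /* pre-4.15 kernel or non-Linux */
    printf("meltdown status        : %s\n", names[classify_meltdown(status)]);

    if (read_file("/proc/cmdline", cmdline, sizeof cmdline))
        printf("PTI disabled on cmdline: %s\n", cmdline_disables_pti(cmdline) ? "yes" : "no");

    if (read_file("/proc/cpuinfo", cpuinfo, sizeof cpuinfo)) {
        printf("cpu flag pti           : %s\n", cpuinfo_line_has(cpuinfo, "flags", "pti") ? "yes" : "no");
        printf("cpu flag pcid          : %s\n", cpuinfo_line_has(cpuinfo, "flags", "pcid") ? "yes" : "no");
        printf("bug cpu_meltdown       : %s\n", cpuinfo_line_has(cpuinfo, "bugs", "cpu_meltdown") ? "yes" : "no");
    }
    return 0;
}
```

    A host that reports "Mitigation: PTI" with the "pcid" flag present is in the cheaper of the two patched states the quoted text describes; "Mitigation: PTI" without "pcid" is the configuration where the TLB flush on every kernel entry cannot be avoided, and "Vulnerable" together with "nopti" on the command line means someone has explicitly traded the mitigation for performance.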
  43. jclausius

    jclausius Notebook Virtuoso

    Reputations:
    6,160
    Messages:
    3,265
    Likes Received:
    2,573
    Trophy Points:
    231
    Flushing the Translation Lookaside Buffer, clearing the registers, loading items back into memory, and loading a new address space are all pieces which make context switches expensive. If an assigned piece of memory can be left in place that is definitely a time saver.

    Thx for outlining the other issues!
     
    Last edited: Jan 4, 2018
    ajc9988 and hmscott like this.
  44. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Reputations:
    42,701
    Messages:
    29,839
    Likes Received:
    59,614
    Trophy Points:
    931
    Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown
    "Intel's engineers would have had sufficient time to understand the severity of the vulnerability, as "Coffee Lake" is essentially the same micro-architecture as "Kaby Lake" and "Skylake." As one security researcher puts it, this could affect Intel's liability when 8th generation Core processor customers decide on a class-action lawsuit."

    "The company was also well aware of Spectre and Meltdown before its CEO dumped $22 million in company stock and options (while investors and the SEC were unaware of the vulnerabilities)."

     
  45. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    There are indeed uses where the performance hits will be higher:

    This is bad: performance hit from PTI on the du -s benchmark on an AMD EPYC 7601 is 49%.
    https://twitter.com/grsecurity/status/947439275460702208

    The more intense the % of use hits the PTI overhead, the worse the performance penalty of an operation overall.

    Of course that Intel only bug won't affect AMD CPU's now that the PTI patch is turned off for Linux. :)

    heads up: Fix for intel hardware bug will lead to performance regressions
    7%-23% transaction performance penalties for Postgres with PTI patch.

    https://www.postgresql.org/message-id/[email protected]

    Initial Benchmarks Of The Performance Impact Resulting From Linux's x86 Security Changes
    https://www.phoronix.com/scan.php?page=article&item=linux-415-x86pti&num=2

    Further Analyzing The Intel CPU "x86 PTI Issue" On More Systems
    https://www.phoronix.com/scan.php?page=article&item=linux-more-x86pti&num=1

    Under real work loads, Guest VM's running PTI patches on top of Hosts running PTI patches with high syscall + interrupt - IO work loads will see greater hits to performance. On heavily subscribed VM servers this could require reducing resource allocations per VM and redistributing loads across more servers - costing $$$.

    There is some performance % mitigation on the VM Guest side due to the overhead / slowness in general of the virtual disk access, but that isn't going to reduce the cumulative effect of many VM's all hitting the same bottleneck at once - it's going to be interesting to see how far the fall off the cliff of IO / memory resources limits will move.

    It should be interesting to see how this plays out as user VM's are restarted... coming soon. With many overloading Guest VM's / Host server playing on the edge of load, this will likely require pushing off VM's onto other (new) servers.

    "Messing around" with benchmarks on gaming laptops isn't one of the use cases with much impact - interactive performance would be affected more than side by side benchmarks of single threaded non-IO-intensive benchmark or gaming comparisons, so there likely won't be much of a hit on what the typical NBR benchmarker / gamer comes across. :)

    Update: It looks like performance hits against VM's are already being seen now that the instances have been restarted:

    Degraded performance after forced reboot due to AWS instance maintenance
    https://forums.aws.amazon.com/thread.jspa?threadID=269858

    Re: Degraded performance after forced reboot due to AWS instance maintenance
    Posted by: miljesse2 Posted on: Jan 4, 2018 1:58 PM in response to: ajnaware

    It was around 4 AM (UTC) last night that we started seeing problems. I have 2 c3.large (PV) instances behind an ELB, both of them were peaking at most 50% CPU usage (over 1 hour) at peak hours, now I'm having spikes of 83% (over 1 hour!) so they've been close to 100% many times. The load averages (from 'top') they are reporting have been past 10 multiple times!
    Needless to say they're pretty sluggish to even access.

    Is there going to be any relief? There's no larger instance type for these AMI:s.

    I also have multiple m1.small instances (for development mostly), they're nearly unusable.

    Re: Degraded performance after forced reboot due to AWS instance maintenance
    Posted by: ramj Posted on: Jan 4, 2018 9:08 PM in response to: ajnaware

    We were hit by this issue and saw a 50% spike in some of our i3 nodes. And we can almost see the spikes happen in waves across different AZ's. Maybe they correlate with when the patches were being applied.

    Do we know if AWS is done patching all their nodes, or is there still more to come ?

    Re: Degraded performance after forced reboot due to AWS instance maintenance
    Posted on: Jan 4, 2018 9:30 PM in response to: ramj

    I thought we were the only one to have this issue and trying to fix and re-look at our DB queries, etc.
    Our CPU load has gone up 10 times and hovering at around 100% all the time.

    We have r4.2xlarge - Instance ID : XXXX

    Can Amazon team pls take a look and help us out ?"

    Degraded performance on Amazon Linux instances
    https://forums.aws.amazon.com/thread.jspa?threadID=270729&tstart=0

    Instance high load and SSH console hanging - not created by user processes
    https://forums.aws.amazon.com/thread.jspa?threadID=270635&tstart=0

    r4.2xlarge - Very high CPU usage/load average
    https://forums.aws.amazon.com/thread.jspa?threadID=270766&tstart=0

    This is the catastrophe part for some beginning now...

    Windows Vulnerability CPU Meltdown Patch Benchmarked
    by Hilbert Hagedoorn on: 01/04/2018 05:18 PM
    http://www.guru3d.com/articles-pages/windows-vulnerability-cpu-meltdown-patch-benchmarked,1.html

    "A lot of stuff has happened ever since hell pretty much opened up on the web yesterday. Two new vulnerabilities on the processor level need to be patched up for security reasons, meanwhile, some media have claimed that the fix/bypasses would result into losses of anywhere from 5 to 30% of your performance.

    Initial benchmarks ran on the Linux platform indicated that there is little performance loss, aside from System IO (reading/writing on file access) as well as very specific workloads.

    Fact is that all OSes will need to be patched, yours as well. For Windows, this will be done through an incremental software update, and very likely your motherboard will need to be upgraded with a new BIOS as well. On Tuesday that patch will automatically become available, and who knows perhaps it is propagating already. The new security patches for Windows 10, however, can be downloaded as standalone already. I decided to grab it, install it and see what happens."

    CPU Vulnerabilities Get names - Meltdown and Spectre
    by Hilbert Hagedoorn on: 01/04/2018 10:40 AM
    http://www.guru3d.com/news-story/cpu-vunerabilities-get-names-meltdown-and-spectre.html

    "So after yesterday's turmoil in regards to the CPU vulnerabilities, more information is now available to get a grasp of what is going on. Basically, security experts found two major bugs in processors, which are used virtually in every computer in the world. There are two types detected, now called Meltdown and Spectre.

    Researchers from the Austrian University in Graz explained their findings on the very informative website meltdownattack.com. Meltdown has been known since November and specifically affects processors from Intel. Wednesday this reached the news, because the solution to the problem makes Intel processors slower (in very specific workloads). According to Intel, this impact would hardly be noticeable for consumers. However, the problem is not limited to Intel chips. Security researchers also found security flaws with other processors (including those from producers AMD and ARM). This vulnerability variant is called Spectre."

    There are 2 names, but 3 CVE documented vulnerabilities... lots of places will get things a little off until they pass through the learning curve, and different use case perspectives will focus on small or larger performance hits from their POV, but we shouldn't hold it against them :)
     
    Ashtrix, Raiderman, ajc9988 and 2 others like this.
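    The posts above argue that the PTI cost scales with how often a workload crosses into the kernel (syscalls, interrupts, IO), and jclausius's post earlier lists the page-table swap and TLB flush as the expensive parts of that crossing. The following micro-benchmark is an added example, not code from the thread or from any of the linked articles: it times a tight loop of a trivial system call so that the per-entry cost, the thing KPTI makes more expensive, can be measured on a given machine rather than estimated from headline percentages. Running it once on a PTI kernel and once after booting the same kernel with the "nopti" option quoted from Wikipedia above gives the per-call delta for that CPU; the iteration count and the use of getppid are my choices, and the program is Linux-only because it uses syscall(2).

```c
/* Added example (not from the thread): measure the cost of one
 * user -> kernel -> user round trip.  KPTI adds a page-table switch to
 * every system call and interrupt (plus a TLB flush on CPUs without
 * PCID), so a loop of cheap syscalls isolates exactly the overhead the
 * benchmarks quoted above are paying in syscall-heavy workloads.
 * Linux only: uses syscall(2) with SYS_getppid. */
#define _GNU_SOURCE
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Monotonic wall clock in nanoseconds. */
static double now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1e9 + (double)ts.tv_nsec;
}

/* Average nanoseconds per getppid() syscall over `iters` calls.
 * syscall(SYS_getppid) is used instead of the libc wrapper so that no
 * userspace caching or vDSO fast path can skip the kernel entry. */
double ns_per_syscall(long iters)
{
    volatile long sink = 0;
    double t0 = now_ns();
    for (long i = 0; i < iters; i++)
        sink += syscall(SYS_getppid);
    double t1 = now_ns();
    (void)sink;
    return (t1 - t0) / (double)iters;
}

/* The same loop with no kernel entry, to show the cost of the loop itself
 * so it can be subtracted from the syscall figure. */
double ns_per_loop_only(long iters)
{
    volatile long sink = 0;
    double t0 = now_ns();
    for (long i = 0; i < iters; i++)
        sink += i;
    double t1 = now_ns();
    (void)sink;
    return (t1 - t0) / (double)iters;
}

int main(void)
{
    const long iters = 2000000;              /* constructed choice: ~1-2 s of work */
    double base = ns_per_loop_only(iters);
    double sc   = ns_per_syscall(iters);
    printf("loop overhead : %8.1f ns/iter\n", base);
    printf("getppid       : %8.1f ns/call\n", sc);
    printf("kernel entry  : %8.1f ns/call (difference)\n", sc - base);
    return 0;
}
```

    Compare the "kernel entry" figure between the two boots; the difference, multiplied by the syscall and interrupt rate the real workload generates (visible with tools such as perf or /proc/stat), is a better capacity-planning input for the VM-density concerns raised above than a single percentage taken from someone else's benchmark.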
  46. Robbo99999

    Robbo99999 Notebook Prophet

    Reputations:
    4,346
    Messages:
    6,824
    Likes Received:
    6,112
    Trophy Points:
    681
    Mine seems just as snappy as before. Placebos for one of us, or it affects different systems in different ways. We could experience greater slow downs though with impending motherboard BIOS updates - as tested by Guru3d in their updated article, where disk IO was more significantly affected by the Asus BIOS update as opposed to the Windows Patch. I just checked on MSI website for my motherboard - no new patches, still in fact waiting for patch for CPU microcode bug (the hyper threading vulnerability)! (I solved hyperthreading bug vulnerability by software though, it loads the microcode at each log on). Yeah, so waiting for an MSI motherboard BIOS patch for 2 vulnerabilities now! I'm thinking the initial MSI BIOS patch for hyperthreading bug could have been delayed because they knew about this new vulnerability and would rather release one BIOS patch rather than two - so they've been busy working on this new vulnerability is my guess.
     
    Ashtrix, Papusan, Raiderman and 4 others like this.
  47. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    It's going to get more burdensome for many trying to keep track of the OS and firmware stacked "fixes" as more variants of attacks and fixes arrive.

    I'm sure many forgot about the older hyperthreading microcode fix many are still waiting to arrive, not to mention the stacked Intel ME firmware and software fixes.

    I sure hope Intel are at work implementing architectural fixes for these issues for future CPU releases - I'd wait till those new CPUs are available before doing any "upgrading" :)
     
    Last edited: Jan 5, 2018
    Ashtrix, Raiderman, Papusan and 4 others like this.
  48. Robbo99999

    Robbo99999 Notebook Prophet

    Reputations:
    4,346
    Messages:
    6,824
    Likes Received:
    6,112
    Trophy Points:
    681
    Oh god yeah, I forgot about the ME vulnerability, that means I'm waiting for 3 (not 2) vulnerability fixes through motherboard BIOS patches!
     
    Raiderman, Papusan, Vasudev and 3 others like this.
  49. plee82

    plee82 Notebook Evangelist

    Reputations:
    95
    Messages:
    507
    Likes Received:
    361
    Trophy Points:
    76
    Increased cpu utilization in aws boys. This is real ugh.
     
    Ashtrix, Vasudev, ajc9988 and 2 others like this.
  50. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    Nearly All CPUs Vulnerable: Explaining Meltdown & Spectre
    https://www.gamersnexus.net/industry/3192-explaining-meltdown-spectre-intel-amd-vulnerabilities

    Spectre & Meltdown - Computerphile

    Meltdown & Spectre - The Worst CPU Bug Ever?

    Intel release statement on CPU Flaws as Linux Creator calls their CPUs garbage
    [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors
    https://lkml.org/lkml/2017/12/27/2
    Project Zero team at Google - Reading privileged memory with a side-channel
    https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
    Dear Intel, If a Glaring Exploit Affects Intel CPUs and Not AMD, It's a Flaw
    https://www.techpowerup.com/240250/...oit-affects-intel-cpus-and-not-amd-its-a-flaw
    Meltdown and Spectre
    Bugs in modern computers leak passwords and sensitive data.
    https://meltdownattack.com
    Intel was aware of the chip vulnerability when its CEO sold off $24 million in company stock
    http://uk.businessinsider.com/intel...fter-company-was-informed-of-chip-flaw-2018-1
    The inventor of Linux is furious at Intel
    http://www.businessinsider.com/linus-torvalds-linux-inventor-is-furious-at-intel-2018-1
    AMD Looks Poised To Gain At Intel's Expense
    https://www.forbes.com/sites/kenkam...oised-to-gain-at-intels-expense/#230abc1174ec

    BUG | But Why Intel?

    Some Intel CPUs are about to get much slower... Intel Kernel Bug
     
    Last edited: Jan 5, 2018