Personal computing discussed

Moderators: Flying Fox, morphine

 
Shobai
Gerbil First Class
Topic Author
Posts: 148
Joined: Sat Sep 03, 2005 1:18 am

"Foreshadow" speculative execution attacks outlined

Tue Aug 14, 2018 9:24 pm

Intel has released an advisory regarding another speculative-execution-type attack, in multiple forms and affecting many processors.

Hackaday has an write up about it, also.
Last edited by Shobai on Tue Aug 14, 2018 11:38 pm, edited 1 time in total.
 
DancinJack
Maximum Gerbil
Posts: 4108
Joined: Sat Nov 25, 2006 3:21 pm
Location: Kansas

Re: "Foreshadow" attacks outlined

Tue Aug 14, 2018 9:28 pm

You might put something in the title about Meltdown. Might get some more interest that way.
i7 6700K - Z170 - 16GiB DDR4 - GTX 1080 - 512GB SSD - 256GB SSD - 500GB SSD - 3TB HDD- 27" IPS G-sync - Win10 Pro x64 - Ubuntu/Mint x64 :: 2015 13" rMBP Sierra :: Canon EOS 80D/Sony RX100
 
just brew it!
Gold subscriber
Administrator
Posts: 51856
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: "Foreshadow" attacks outlined

Wed Aug 15, 2018 12:38 am

DancinJack wrote:
You might put something in the title about Meltdown. Might get some more interest that way.

Except that it is more closely related to Spectre, and the researchers who discovered it did in fact name it "Foreshadow"...
Nostalgia isn't what it used to be.
 
Ummagumma
Gerbil
Posts: 39
Joined: Fri May 27, 2016 9:18 pm

Re: "Foreshadow" attacks outlined

Wed Aug 15, 2018 5:15 am

DancinJack wrote:
You might put something in the title about Meltdown. Might get some more interest that way.


Right now I think that would equate to "clickbaiting" the article.

The definitions of "meltdown" and "spectre" flaws seem to be pretty clear here:

https://meltdownattack.com
I used to do networking & network security for a living. Now I just do it for fun, but I still take it seriously.
 
DancinJack
Maximum Gerbil
Posts: 4108
Joined: Sat Nov 25, 2006 3:21 pm
Location: Kansas

Re: "Foreshadow" attacks outlined

Wed Aug 15, 2018 6:40 am

just brew it! wrote:
DancinJack wrote:
You might put something in the title about Meltdown. Might get some more interest that way.

Except that it is more closely related to Spectre, and the researchers who discovered it did in fact name it "Foreshadow"...

The reason I said Meltdown was because of this article at Ars, which I read before this thread. "What's in store today? A new Meltdown-inspired attack on Intel's SGX, given the name Foreshadow by the researchers who found it."

https://arstechnica.com/gadgets/2018/08 ... on-attack/

Ummagumma wrote:
DancinJack wrote:
You might put something in the title about Meltdown. Might get some more interest that way.


Right now I think that would equate to "clickbaiting" the article.

The definitions of "meltdown" and "spectre" flaws seem to be pretty clear here:

https://meltdownattack.com


lol "clickbaiting" ok dude
i7 6700K - Z170 - 16GiB DDR4 - GTX 1080 - 512GB SSD - 256GB SSD - 500GB SSD - 3TB HDD- 27" IPS G-sync - Win10 Pro x64 - Ubuntu/Mint x64 :: 2015 13" rMBP Sierra :: Canon EOS 80D/Sony RX100
 
just brew it!
Gold subscriber
Administrator
Posts: 51856
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: "Foreshadow" attacks outlined

Wed Aug 15, 2018 7:19 am

DancinJack wrote:
The reason I said Meltdown was because of this article at Ars, which I read before this thread. "What's in store today? A new Meltdown-inspired attack on Intel's SGX, given the name Foreshadow by the researchers who found it."

It looks like I may have been mistaken about it being more closely related to Spectre. Best I can tell from the available info, it is radically different from both Meltdown and Spectre, and only "Meltdown-inspired" in the sense that it is another type of timing-based side-channel attack (as is Spectre).
Nostalgia isn't what it used to be.
 
Chrispy_
Maximum Gerbil
Posts: 4462
Joined: Fri Apr 09, 2004 3:49 pm
Location: Europe, most frequently London.

Re: "Foreshadow" speculative execution attacks outlined

Wed Aug 15, 2018 7:27 am

We're getting to the point where I need a table of Spectre and Meltdown variants, what architectures are affected, whether there's a patch for it, which architectures are patched, whether the patch is vendor or OS, and of course what the approximate performance hit is from the patch.

That exists on the intertubes somewhere, right?
Congratulations, you've noticed that this year's signature is based on outdated internet memes; CLICK HERE NOW to experience this unforgettable phenomenon. This sentence is just filler and as irrelevant as my signature.
 
Topinio
Gerbil Jedi
Posts: 1561
Joined: Mon Jan 12, 2015 9:28 am
Location: London

Re: "Foreshadow" speculative execution attacks outlined

Wed Aug 15, 2018 11:48 am

Chrispy_ wrote:
That exists on the intertubes somewhere, right?

Sure, it's right after the page with the table of all motherboards affected and which firmware releases are patched.
Desktop: E3-1270 v5, X11SAT-F, 32GB, RX Vega 56, 500GB Crucial P1, 2TB Ultrastar, Xonar DGX, XL2730Z + G2420HDB
HTPC: i5-2500K, DH67GD, 6GB, RX 580, 250GB MX500, 1.5TB Barracuda
Laptop: MacBook6,1
 
uni-mitation
Silver subscriber
Gerbil XP
Posts: 308
Joined: Mon Feb 04, 2013 1:28 am

Re: "Foreshadow" speculative execution attacks outlined

Wed Aug 15, 2018 1:14 pm

We certainly didn't have any sort of involvement in this matter.

Rick MoarCoars
AMD PR Honcho
 
DreadCthulhu
Graphmaster Gerbil
Posts: 1018
Joined: Mon Apr 21, 2003 12:43 am
Location: R'lyeh

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 1:39 am

So it looks like Debian is refusing to carry the microcode update for this exploit, due to legal reasons. Intel changed the licensing terms, and included some really troublesome legal language.

3. LICENSE RESTRICTIONS. All right, title and interest in and to the Software
and associated documentation are and will remain the exclusive property of
Intel and its licensors or suppliers. Unless expressly permitted under the
Agreement, You will not, and will not allow any third party to (i) use, copy,
distribute, sell or offer to sell the Software or associated documentation;
(ii) modify, adapt, enhance, disassemble, decompile, reverse engineer, change
or create derivative works from the Software except and only to the extent as
specifically required by mandatory applicable laws or any applicable third
party license terms accompanying the Software; (iii) use or make the Software
available for the use or benefit of third parties; or (iv) use the Software on
Your products other than those that include the Intel hardware product(s),
platform(s), or software identified in the Software; or (v) publish or provide
any Software benchmark or comparison test results.


The performance hits must be pretty bad if Intel doesn't want anyone benchmarking the impact of the patches.
Violence is the last refuge of the incompetent. The competent use violence well before last resorts are necessary.

If violence isn't solving your problems, then you aren't using enough of it.
 
Shobai
Gerbil First Class
Topic Author
Posts: 148
Joined: Sat Sep 03, 2005 1:18 am

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 1:49 am

That's... odd. I'll have to keep an eye open to see how this resolves.
 
DragonDaddyBear
Gerbil Elite
Posts: 781
Joined: Fri Jan 30, 2009 8:01 am

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 6:50 am

Wow. I'm not sure how that doesn't violate the first amendment. I'd like to see Intel try to win that law suit.
 
just brew it!
Gold subscriber
Administrator
Posts: 51856
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 7:56 am

DragonDaddyBear wrote:
Wow. I'm not sure how that doesn't violate the first amendment. I'd like to see Intel try to win that law suit.

First amendment only prohibits government interference in free speech. Intel is not the government. If first amendment protected all speech, then all NDAs would be pointless.
Nostalgia isn't what it used to be.
 
Waco
Gold subscriber
Minister of Gerbil Affairs
Posts: 2550
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 9:30 am

just brew it! wrote:
DragonDaddyBear wrote:
Wow. I'm not sure how that doesn't violate the first amendment. I'd like to see Intel try to win that law suit.

First amendment only prohibits government interference in free speech. Intel is not the government. If first amendment protected all speech, then all NDAs would be pointless.

This. I'm continually impressed how many people think that the first amendment applies to random non-government entities.

That verbiage is impressively clear, though. I hope it was just added by accident, but knowing Intel (and their lawyers), that's not likely.
Desktop: Z170A Gaming Pro Carbon | 6700K @ 4.4 | 16 GB | GTX Titan Xm | XSPC RX360 | Heatkiller R3 | Samsung 4K 40" | 2048 + 240 + LSI 9207-8i (128x8) SSD
NAS: 1950X | Designare EX | 32 GB ECC | 7x8 TB RAIDZ2 | 8x2 TB RAID10 | FreeNAS | ZFS | LSI SAS
 
DreadCthulhu
Graphmaster Gerbil
Posts: 1018
Joined: Mon Apr 21, 2003 12:43 am
Location: R'lyeh

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 9:37 am

It is more likely that clause would be invalid under the "Fair Use" exemptions to copyright - the Commentary and Criticism portions in particular. You are allowed to use portions of copyrighted works for these purposes; what Intel is doing is akin to a book publisher shrink-wrapping their books and printing on it a license that says you can't publish a review the book.
Violence is the last refuge of the incompetent. The competent use violence well before last resorts are necessary.



If violence isn't solving your problems, then you aren't using enough of it.
 
DancinJack
Maximum Gerbil
Posts: 4108
Joined: Sat Nov 25, 2006 3:21 pm
Location: Kansas

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 11:56 am

Looks like WIndows 10 got the patches for these CVEs this week.
i7 6700K - Z170 - 16GiB DDR4 - GTX 1080 - 512GB SSD - 256GB SSD - 500GB SSD - 3TB HDD- 27" IPS G-sync - Win10 Pro x64 - Ubuntu/Mint x64 :: 2015 13" rMBP Sierra :: Canon EOS 80D/Sony RX100
 
Glorious
Gold subscriber
Gerbilus Supremus
Posts: 11280
Joined: Tue Aug 27, 2002 6:35 pm

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 12:46 pm

JBI wrote:
First amendment only prohibits government interference in free speech. Intel is not the government. If first amendment protected all speech, then all NDAs would be pointless.


True.

But as you probably agree, this is a huge jerk move by Intel.
 
Amiga500+
Gerbil
Posts: 54
Joined: Wed Sep 21, 2016 2:10 am

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 1:05 pm

just brew it! wrote:
DragonDaddyBear wrote:
Wow. I'm not sure how that doesn't violate the first amendment. I'd like to see Intel try to win that law suit.

First amendment only prohibits government interference in free speech. Intel is not the government. If first amendment protected all speech, then all NDAs would be pointless.


However, the judicial system would interpret things quite differently for a member of the press c.f. random Joe Public.
 
DragonDaddyBear
Gerbil Elite
Posts: 781
Joined: Fri Jan 30, 2009 8:01 am

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 1:55 pm

It's honestly a bit embarrassing that I made that mistake, given I correct people on the same point of the first amendment. I was caught up in the my emotions at just how silly that clause is.

My overall point is that there is no way Intel could conceivably sue someone and win. I get NDA's and all that but it's like a non-compete agreement. It's rare that people are sued over it and even more rare when they win. A clause like that must be somehow unenforceable.
 
srg86
Gerbil Team Leader
Posts: 247
Joined: Tue Apr 25, 2006 7:57 am
Location: Madison, WI

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 2:25 pm

https://www.theregister.co.uk/2018/08/2 ... e_license/

It appears Intel caved and is removing that clause from the License. Apparently the mitigation which hurts the most is disabling Hyper-Threading.
Intel Core i7 4790K, Z97, 16GB RAM, 128GB m4 SSD, 480GB M500 SSD, 500GB WD Vel, Intel HD4600, Corsair HX650, Fedora x64.
Thinkpad T460p, Intel Core i5 6440HQ, 8GB RAM, 512GB SSD, Intel HD 530 IGP, Fedora x64, Win 10 x64.
 
Topinio
Gerbil Jedi
Posts: 1561
Joined: Mon Jan 12, 2015 9:28 am
Location: London

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 2:34 pm

DancinJack wrote:
Looks like WIndows 10 got the patches for these CVEs this week.

Windows Update delivers these patches? How can Intel's new license term apply to the new microcode delivered that way?

Edit: odd KB, 4346084 there, where's Kaby Lake S and the Skylake S and Skylake SP Xeons? Is there no patch coming for the pre-1803 releases of Windows server and client?
Last edited by Topinio on Thu Aug 23, 2018 2:43 pm, edited 1 time in total.
Desktop: E3-1270 v5, X11SAT-F, 32GB, RX Vega 56, 500GB Crucial P1, 2TB Ultrastar, Xonar DGX, XL2730Z + G2420HDB
HTPC: i5-2500K, DH67GD, 6GB, RX 580, 250GB MX500, 1.5TB Barracuda
Laptop: MacBook6,1
 
Glorious
Gold subscriber
Gerbilus Supremus
Posts: 11280
Joined: Tue Aug 27, 2002 6:35 pm

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 2:36 pm

srg86 wrote:
It appears Intel caved and is removing that clause from the License.


I was hoping this was going to be someone in legal being ridiculously over-broad and overzealous and that Intel would quickly rectify this.

Glad it seems to have happened.
 
DancinJack
Maximum Gerbil
Posts: 4108
Joined: Sat Nov 25, 2006 3:21 pm
Location: Kansas

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 2:48 pm

Topinio wrote:
Windows Update delivers these patches? How can Intel's new license term apply to the new microcode delivered that way?

Edit: odd KB, 4346084 there, where's Kaby Lake S and the Skylake S and Skylake SP Xeons? Is there no patch coming for the pre-1803 releases of Windows server and client?

Skylake S is on there, but I don't see the rest.
i7 6700K - Z170 - 16GiB DDR4 - GTX 1080 - 512GB SSD - 256GB SSD - 500GB SSD - 3TB HDD- 27" IPS G-sync - Win10 Pro x64 - Ubuntu/Mint x64 :: 2015 13" rMBP Sierra :: Canon EOS 80D/Sony RX100
 
Amiga500+
Gerbil
Posts: 54
Joined: Wed Sep 21, 2016 2:10 am

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 2:57 pm

Glorious wrote:
srg86 wrote:
It appears Intel caved and is removing that clause from the License.


I was hoping this was going to be someone in legal being ridiculously over-broad and overzealous and that Intel would quickly rectify this.


Absolutely not.

There is no way a company like Intel makes such major changes to their Ts&Cs without serious vetting by the processes of the legal team.
This is not a case of some intern firing on an extra clause - if Intel try and indicate such - they are lying through their teeth.

Get a Term or Condition wrong and Intel could be looking at millions, if not billions, in fines or compensation. They are acutely aware of this. That clause likely went right to the head of legal and even into the boardroom.

You don't change those things - particularly in such a drastic way - on a whim.
 
Glorious
Gold subscriber
Gerbilus Supremus
Posts: 11280
Joined: Tue Aug 27, 2002 6:35 pm

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 3:09 pm

Amiga500+ wrote:
There is no way a company like Intel makes such major changes to their Ts&Cs without serious vetting by the processes of the legal team.


Uh...What?

I explicitly said someone in legal...?

Amiga500+ wrote:
Get a Term or Condition wrong and Intel could be looking at millions, if not billions, in fines or compensation. They are acutely aware of this. That clause likely went right to the head of legal and even into the boardroom


Why?

They evidently didn't even attempt to enforce this on anyone, and they changed it the moment people started making noise about it.

Amiga500+ wrote:
You don't change those things - particularly in such a drastic way - on a whim.


uhh....

what?

They changed this WITHIN A DAY of Bruce Perens noticing it.


EDIT: I mean, you're like "THIS CONSPIRACY GOES ALL THE WAY TO THE TOP I TELL YOU, THE VERY TOP!"

Really? What exactly was the nefarious plan here? People were immediately up in arms when they read it, and Intel IMMEDIATELY changed it in response. :roll:
 
Shobai
Gerbil First Class
Topic Author
Posts: 148
Joined: Sat Sep 03, 2005 1:18 am

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 3:12 pm

No, it seems they changed it back.
 
Glorious
Gold subscriber
Gerbilus Supremus
Posts: 11280
Joined: Tue Aug 27, 2002 6:35 pm

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 3:15 pm

Shobai wrote:
No, it seems they changed it back.


Which is why I'm not exactly sure Amiga500+ is going so hard about how Intel couldn't just make drastic changes like that on a whim.

I mean, eh, they ...just did?
 
Shobai
Gerbil First Class
Topic Author
Posts: 148
Joined: Sat Sep 03, 2005 1:18 am

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 3:23 pm

I may be misunderstanding him (Amiga500+, feel free to contradict me) but I think his contention is that:
- this clause doesn't appear to have been in any previous UELA covering Meltdown, etc
- Intel will have done all the required legwork to implement the change in UELA for this release
- Intel have now reverted that change after public outcry
- this eventuality was foreseen and accounted for, allowing for the speed of response

No whims involved.
 
Glorious
Gold subscriber
Gerbilus Supremus
Posts: 11280
Joined: Tue Aug 27, 2002 6:35 pm

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 3:31 pm

Shobai wrote:
this clause doesn't appear to have been in any previous UELA covering Meltdown, etc


Obviously.

Shobai wrote:
- Intel will have done all the required legwork to implement the change in UELA for this release


What would the "required legwork" even be? What on earth are you talking about?

Shobai wrote:
Intel have now reverted that change after public outcry


Obviously.

Shobai wrote:
this eventuality was foreseen and accounted for, allowing for the speed of response


WHAT?
 
Shobai
Gerbil First Class
Topic Author
Posts: 148
Joined: Sat Sep 03, 2005 1:18 am

Re: "Foreshadow" speculative execution attacks outlined

Thu Aug 23, 2018 3:45 pm

Glorious wrote:
What would the "required legwork" even be? What on earth are you talking about?


Amiga500+ wrote:
There is no way a company like Intel makes such major changes to their Ts&Cs without serious vetting by the processes of the legal team... That clause likely went right to the head of legal and even into the boardroom.


Glorious wrote:
WHAT?


Sorry, I'm on my phone - that should have been "therefore, ..." [and possibly "which enabled" rather than "allowing for"]

[Edit: typos and punctuation]

Who is online

Users browsing this forum: alloyD, chuckula and 1 guest