 
biffzinker
Gerbil Jedi
Topic Author
Posts: 1998
Joined: Tue Mar 21, 2006 3:53 pm
Location: AK, USA

7 more speculative execution attacks

Wed Nov 14, 2018 2:22 am

A research team—including many of the original researchers behind Meltdown, Spectre, and the related Foreshadow and BranchScope attacks—has published a new paper disclosing yet more attacks in the Spectre and Meltdown families. The result? Seven new possible attacks. Some are mitigated by known mitigation techniques, but others are not. That means further work is required to safeguard vulnerable systems.

Ars Technica - Spectre, Meltdown researchers unveil 7 more speculative execution attacks
It would take you 2,363 continuous hours or 98 days, 11 hours, and 35 minutes of gameplay to complete your Steam library.
In this time you could travel to Venus one time.
 
Shobai
Gerbil First Class
Posts: 161
Joined: Sat Sep 03, 2005 1:18 am

Re: 7 more speculative execution attacks

Wed Nov 14, 2018 6:53 am

Quick, chuckula, mount your high horse! They've finally found a Meltdown variant that affects AMD processors!
 
BIF
Gold subscriber
Minister of Gerbil Affairs
Posts: 2437
Joined: Tue May 25, 2004 7:41 pm

Re: 7 more speculative execution attacks

Tue Dec 11, 2018 9:45 pm

Does this mean Intel will have to go to a one-core-per-thread ratio?

The more I think about it, the less I like virtual cores. They remind me of rice cakes. Or styrofoam cakes.

Oh, and I wonder also...will single-concurrent-user personal computer users be forced to apply yet more performance-degrading BIOS and Windows updates to address these issues that are not likely to impact us?
 
DPete27
Grand Gerbil Poohbah
Posts: 3733
Joined: Wed Jan 26, 2011 12:50 pm
Location: Wisconsin, USA

Re: 7 more speculative execution attacks

Wed May 15, 2019 1:45 pm

MORE vulnerabilities recently announced. Recommending users of 2008 or newer CPUs disable HT to protect against it (8 and 9 series are apparently ok). Congrats, your i7 just turned into an i5. The software patch required (buffer flush every time a new application is accessed) seems like it would incur a noticeable reduction in system performance.

Why is Intel's HT so vulnerable to these, but Ryzen SMT isn't?
Main: i5-3570K, ASRock Z77 Pro4-M, MSI RX480 8G, 500GB Crucial BX100, 2 TB Samsung EcoGreen F4, 16GB 1600MHz G.Skill @1.25V, EVGA 550-G2, Silverstone PS07B
HTPC: A8-5600K, MSI FM2-A75IA-E53, 4TB Seagate SSHD, 8GB 1866MHz G.Skill, Crosley D-25 Case Mod
 
Captain Ned
Gold subscriber
Global Moderator
Posts: 27929
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: 7 more speculative execution attacks

Wed May 15, 2019 1:53 pm

DPete27 wrote:
MORE vulnerabilities recently announced. Recommending users of 2008 or newer CPUs disable HT to protect against it (8 and 9 series are apparently ok). Congrats, your i7 just turned into an i5. The software patch required (buffer flush every time a new application is accessed) seems like it would incur a noticeable reduction in system performance.

And 99.999% of home users need do nothing about it.
What we have today is way too much pluribus and not enough unum.
 
defaultluser
Gerbil
Posts: 88
Joined: Tue Feb 14, 2017 11:58 am

Re: 7 more speculative execution attacks

Wed May 15, 2019 2:16 pm

Captain Ned wrote:
DPete27 wrote:
MORE vulnerabilities recently announced. Recommending users of 2008 or newer CPUs disable HT to protect against it (8 and 9 series are apparently ok). Congrats, your i7 just turned into an i5. The software patch required (buffer flush every time a new application is accessed) seems like it would incur a noticeable reduction in system performance.

And 99.999% of home users need do nothing about it.



Right, this is mostly a concern for Enterprise users. And for them, the impact could be lower, depending on how heavily loaded their servers are.
 
DPete27
Grand Gerbil Poohbah
Posts: 3733
Joined: Wed Jan 26, 2011 12:50 pm
Location: Wisconsin, USA

Re: 7 more speculative execution attacks

Wed May 15, 2019 2:37 pm

That was my concern with the Spectre/Meltdown patches. How much of a risk does this pose to the average home computer, and yet everyone gets pushed the patch that slows their PC down.
 
Waco
Gold subscriber
Grand Gerbil Poohbah
Posts: 3158
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: 7 more speculative execution attacks

Wed May 15, 2019 2:49 pm

Yet another thing eating away at Intel's advantages in the data center...
Desktop: X570 Gaming X | 3900X | 32 GB | Alphacool Eisblock Radeon VII | Heatkiller R3 | Samsung 4K 40" | 1 TB NVME + 2 TB SATA + LSI (128x8) RAID
NAS: 1950X | Designare EX | 32 GB ECC | 7x8 TB RAIDZ2 | 8x2 TB RAID10 | FreeNAS | ZFS | LSI SAS
 
Bauxite
Gerbil Elite
Posts: 788
Joined: Sat Jan 28, 2006 12:10 pm
Location: electrolytic redox smelting plant

some real wise guys here

Wed May 15, 2019 3:24 pm

Yeah, because home users never run javascript :roll: and browsers always magically update perfectly, never after things are out in the wild.

Perhaps reading before knee-jerking is a thing.
TR RIP 7/7/2019
 
Waco
Gold subscriber
Grand Gerbil Poohbah
Posts: 3158
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: some real wise guys here

Wed May 15, 2019 3:47 pm

Bauxite wrote:
Yeah, because home users never run javascript :roll: and browsers always magically update perfectly, never after things are out in the wild.

Perhaps reading before knee-jerking is a thing.

:shrug: Home users aren't targets like enterprise users are. There are generally much easier routes into consumer machines.
 
The Egg
Gold subscriber
Minister of Gerbil Affairs
Posts: 2905
Joined: Sun Apr 06, 2008 4:46 pm

Re: 7 more speculative execution attacks

Wed May 15, 2019 3:58 pm

My board has had seven (7) BIOS updates in the past year'ish, with 3 specifically mentioning CPU microcode (not just adding support for new processors). I would expect that something in at least one of those was for speculative execution mitigation (because they certainly haven't been fixing the fan controls). At least the updates are coming though.

I've also been seeing frequent security updates for the Intel Management Engine, which almost seems like a 2nd BIOS now. Looks like just another attack vector once the updates stop when motherboards go EOL.
 
jackbomb
Gerbil XP
Posts: 363
Joined: Tue Aug 12, 2008 10:25 pm

Re: 7 more speculative execution attacks

Wed May 15, 2019 10:29 pm

Looks like Google and Apple(!) are recommending users to disable hyper-threading.
https://www.tomshardware.com/news/disab ... 39348.html
Like a good neighbor jackbomb is there.
 
jihadjoe
Gerbil Elite
Posts: 834
Joined: Mon Dec 06, 2010 11:34 am

Re: 7 more speculative execution attacks

Wed May 15, 2019 10:46 pm

I'm with Waco that this mostly affects datacenter and not home users.

Home users aren't running publicly accessible VMs that require mixed security domain all the time. If javascript is a concern it's very easy to close your browser (modern ones save your tabs anyway) and open a lone incognito window before doing your banking or online ordering. I wouldn't even open Newegg if I know a bunch of ads are running in tabs in the background.

Gonna be a big win for EPYC though. Lisa Su's promise of double digit marketshare in the datacenter might well come true before the year ends.
 
qmacpoint
Gold subscriber
Gerbil Team Leader
Posts: 263
Joined: Wed Mar 14, 2018 12:56 pm

Re: 7 more speculative execution attacks

Wed May 15, 2019 11:28 pm

This effectively kills my Macbook Pro 2009 :(
 
jihadjoe
Gerbil Elite
Posts: 834
Joined: Mon Dec 06, 2010 11:34 am

Re: 7 more speculative execution attacks

Thu May 16, 2019 8:48 am

MDS patch benchmark data from Intel. Again it looks like desktop users will be minimally impacted by the mitigations, but that IO hit will be a possible killer for datacenter stuff.

https://www.pcgamer.com/intel-posts-ben ... cpu-flaws/

 
Waco
Gold subscriber
Grand Gerbil Poohbah
Posts: 3158
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: 7 more speculative execution attacks

Thu May 16, 2019 1:32 pm

Yet another reason to dedicate time to documenting why this doesn't affect certain types of servers. We don't run Spectre/Meltdown patches because of the dramatic impact even on the storage server side of the house. The hit on client nodes is not negligible, but we're forced to enable the mitigations anyway.

We have a group of students doing a full storage-focused investigation on the impacts of spectre/meltdown/zombieload mitigations this coming summer (and comparing to modern AMD systems). Hopefully that'll be interesting, if anyone would like results I can post them up once the summer is over. :)
 
DragonDaddyBear
Silver subscriber
Gerbil Elite
Posts: 982
Joined: Fri Jan 30, 2009 8:01 am

Re: 7 more speculative execution attacks

Thu May 16, 2019 1:56 pm

Waco wrote:
Yet another reason to dedicate time to documenting why this doesn't affect certain types of servers. We don't run Spectre/Meltdown patches because of the dramatic impact even on the storage server side of the house. The hit on client nodes is not negligible, but we're forced to enable the mitigations anyway.

We have a group of students doing a full storage-focused investigation on the impacts of spectre/meltdown/zombieload mitigations this coming summer (and comparing to modern AMD systems). Hopefully that'll be interesting, if anyone would like results I can post them up once the summer is over. :)

I'm shocked they forced you to patch anyways. If a system can't have code run by users then it's really not a big deal. I'd patch user workstations before I patch servers simply because computers run unauthenticated external code in the form of JavaScript. The one place I'd say it's REALLY needed is virtual machines because the risk is so much higher because of the impact of pwning multiple server systems at once.
 
Waco
Gold subscriber
Grand Gerbil Poohbah
Posts: 3158
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: 7 more speculative execution attacks

Thu May 16, 2019 3:02 pm

Clients in my case are compute nodes running user code. A user getting root would be bad. :)
 
MileageMayVary
Gerbil XP
Posts: 370
Joined: Thu Dec 10, 2015 9:18 am
Location: Baltimore

Re: 7 more speculative execution attacks

Thu May 16, 2019 6:50 pm

Waco wrote:
We have a group of students doing a full storage-focused investigation on the impacts of spectre/meltdown/zombieload mitigations this coming summer (and comparing to modern AMD systems). Hopefully that'll be interesting, if anyone would like results I can post them up once the summer is over. :)


Do keep us informed!
Main rig: Ryzen 3600X, R9 290@1100MHz, 16GB@2933MHz, 1080-1440-1080 Ultrasharps.
 
ozzuneoj
Gerbil Elite
Posts: 539
Joined: Tue Jan 21, 2014 1:27 pm

Re: 7 more speculative execution attacks

Thu May 16, 2019 7:21 pm

Great! Seven more reasons for perfectly good computers to be artificially slowed down even though these vulnerabilities have existed (apparently un-exploited) for 10 years.

The last time I asked how malicious code exploiting these vulnerabilities could actually reach a PC, the answers were Javascript (which browsers have patched up to make this highly unlikely) and physical access (like, corporate espionage being committed by a spy dressed as a janitor or something).

Has anything changed? Also, has anyone heard of any users or businesses being affected by any of these things in the last couple years since the media started raving about them?

It's nice that they've been "discovered" so that improvements can be made to future designs and high profile targets can be protected, but I sincerely hope that end users are able to choose whether to opt in or out when it comes to any performance degrading mitigations that are released. If I have a PC that primarily needs as much CPU horsepower as possible, I don't see why I should be forced to lose performance to patch an exploit that will never be exploited on my machine.
Desktop - i5 2500K@4.2Ghz - MSI P67A-G43 - 16GB DDR3-2133 - PNY GTX 970
HTPC - i7 4790 - Asus B85 - 16GB DDR3-1600 - XFX RX 570 8GB
 
qmacpoint
Gold subscriber
Gerbil Team Leader
Posts: 263
Joined: Wed Mar 14, 2018 12:56 pm

Re: 7 more speculative execution attacks

Thu May 16, 2019 11:41 pm

DragonDaddyBear wrote:
I'm shocked they forced you to patch anyways. If a system can't have code run by users then it's really not a big deal. I'd patch user workstations before I patch servers simply because computers run unauthenticated external code in the form of JavaScript. The one place I'd say it's REALLY needed is virtual machines because the risk is so much higher because of the impact of pwning multiple server systems at once.


I would not say it's not a big deal. I would say those servers need to be contained and secured appropriately if they are going to work without those mitigations. Ultimately depends on how much money your business wants to throw at the problem.
 
JustAnEngineer
Gold subscriber
Gerbil God
Posts: 18916
Joined: Sat Jan 26, 2002 7:00 pm
Location: The Heart of Dixie

Re: 7 more speculative execution attacks

Fri May 17, 2019 3:42 am

https://www.techpowerup.com/255563/inte ... nerability
https://www.nrc.nl/nieuws/2019/05/14/ha ... t-a3960208 (in Dutch)
Marc Hijink wrote:
Intel initially failed to notify Google and Mozilla, two major browser manufacturers.
i7-9700K, NH-D15, Z390M Pro4, 32 GiB, RX Vega64, Define Mini-C, SSR-850PX, C32HG70+U2407, RK-9000BR, MX518
 
DragonDaddyBear
Silver subscriber
Gerbil Elite
Posts: 982
Joined: Fri Jan 30, 2009 8:01 am

Re: 7 more speculative execution attacks

Fri May 17, 2019 7:10 am

qmacpoint wrote:
DragonDaddyBear wrote:
I'm shocked they forced you to patch anyways. If a system can't have code run by users then it's really not a big deal. I'd patch user workstations before I patch servers simply because computers run unauthenticated external code in the form of JavaScript. The one place I'd say it's REALLY needed is virtual machines because the risk is so much higher because of the impact of pwning multiple server systems at once.


I would not say it's not a big deal. I would say those servers need to be contained and secured appropriately if they are going to work without those mitigations. Ultimately depends on how much money your business wants to throw at the problem.

One of the failings of the information security profession is that every patch is an edict and must be pushed. It seems to stem from large companies that can just throw money at the problem. For those of us that work with smaller, more sane companies it should, and is, much more of an intellectual decision. I can tell you that we have patches that break stuff. We most certainly don't just "deal with it." We look at mitigations and other operations if there's real impact. It's a balance of risk. If we can mitigate the impact or likelihood of a threat to a reasonable level vs breaking something that's what we do.

I was at a conference this week where someone was talking about vulnerability management. You can't patch everything. And sometimes you shouldn't. There's only so much time and resources. The focus needs to be on what is being exploited and going to get your company in trouble (*cough* user workstations *cough*). I wish I had the slide I saw so I could link it that showed a method on how to balance it.

In Waco's case I don't know just how bad the impact was. I know I've seen stories of up to 40% with all the mitigations applied. That said, I'd suggest FIM and using enhanced logging and custom alerting in a SIEM to ensure only authorized commands were being executed. If a person must be authorized admin to run code at all in the first place, so there are no other users on the system, the vulnerability of speculative execution is really just not going to happen. Last I checked, storage systems don't typically have regular users.
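
Added example, not part of any post in this thread: the distinction drawn above between hosts that run untrusted code and admin-only servers can be checked against what a Linux kernel reports under `/sys/devices/system/cpu/vulnerabilities/` and `/sys/devices/system/cpu/smt/control`. The sample status strings are constructed, and the role policy (`runs_untrusted_code`, the action names) is an assumption that models the thread's argument.

```python
"""Audit speculative-execution mitigation state against host role."""
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
SMT_CONTROL = Path("/sys/devices/system/cpu/smt/control")

# Constructed sample: an MDS-affected CPU with the buffer-flush mitigation
# active but Hyper-Threading still enabled.
SAMPLE_VULNS = {
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
    "meltdown": "Mitigation: PTI",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "spectre_v2": "Vulnerable",
    "spec_store_bypass": "Not affected",
}


def read_host():
    """Read the live kernel report; returns ({}, 'unknown') off Linux."""
    vulns = {}
    if VULN_DIR.is_dir():
        for entry in sorted(VULN_DIR.iterdir()):
            vulns[entry.name] = entry.read_text().strip()
    smt = SMT_CONTROL.read_text().strip() if SMT_CONTROL.is_file() else "unknown"
    return vulns, smt


def classify(status):
    """Return (state, smt_exposed) for one sysfs status line."""
    text = status.strip().lower()
    if text.startswith("not affected"):
        state = "not_affected"
    elif text.startswith("mitigation"):
        state = "mitigated"
    elif text.startswith("vulnerable"):
        state = "vulnerable"
    else:
        state = "unknown"
    # The kernel appends "SMT vulnerable" when sibling threads can still leak.
    return state, "smt vulnerable" in text


def audit(vulns, runs_untrusted_code):
    """Return [(issue, action)] under the assumed role policy.

    Hosts that run untrusted code (workstations, compute nodes, VM hosts)
    must mitigate and review SMT. Admin-only hosts may stay unmitigated,
    but each gap is recorded so the exception is documented.
    """
    findings = []
    for name in sorted(vulns):
        state, smt_exposed = classify(vulns[name])
        if state in ("vulnerable", "unknown"):
            action = "mitigate" if runs_untrusted_code else "document-exception"
            findings.append((name, action))
        elif state == "mitigated" and smt_exposed and runs_untrusted_code:
            findings.append((name, "review-smt"))
    return findings


if __name__ == "__main__":
    vulns, smt = read_host()
    if not vulns:
        vulns, smt = SAMPLE_VULNS, "on (sample)"
    print(f"SMT control: {smt}")
    for role, untrusted in (("user-facing", True), ("admin-only", False)):
        print(role, audit(vulns, untrusted))
```
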
 
Waco
Gold subscriber
Grand Gerbil Poohbah
Posts: 3158
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: 7 more speculative execution attacks

Fri May 17, 2019 7:27 am

To be clear, we don't run patches that protect against local exploits on our *servers*. I spend far too much time characterizing and proving to the security folks how every CVE doesn't need to be fixed for non-user systems. The client nodes are the ones we have to patch since users do directly run code on them.

We've measured upwards of 40% degradation on latency sensitive operations with Spectre/Meltdown. The student project I mentioned will hopefully characterize the impacts fully.
 
DragonDaddyBear
Silver subscriber
Gerbil Elite
Posts: 982
Joined: Fri Jan 30, 2009 8:01 am

Re: 7 more speculative execution attacks

Fri May 17, 2019 8:03 am

Waco wrote:
To be clear, we don't run patches that protect against local exploits on our *servers*. I spend far too much time characterizing and proving to the security folks how every CVE doesn't need to be fixed for non-user systems. The client nodes are the ones we have to patch since users do directly run code on them.

We've measured upwards of 40% degradation on latency sensitive operations with Spectre/Meltdown. The student project I mentioned will hopefully characterize the impacts fully.

Wow, that's bad. I wonder why Intel seems to be hit so much harder than AMD.

I'd still patch where you can. They typically don't hurt. I'd mostly be worried about privilege escalation attacks, in the event there was a remote code execution (RCE) exploit that could be leveraged. If you can run as ANY user, then your next step is escalation. Still, good on you and your team because a lot of companies tell people to just deal with it.
 
qmacpoint
Gold subscriber
Gerbil Team Leader
Posts: 263
Joined: Wed Mar 14, 2018 12:56 pm

Re: 7 more speculative execution attacks

Fri May 17, 2019 11:50 am

DragonDaddyBear wrote:
One of the failings of the information security profession is that every patch is an edict and must be pushed. It seems to stem from large companies that can just throw money at the problem. For those of us that work with smaller, more sane companies it should, and is, much more of an intellectual decision. I can tell you that we have patches that break stuff. We most certainly don't just "deal with it." We look at mitigations and other operations if there's real impact. It's a balance of risk. If we can mitigate the impact or likelihood of a threat to a reasonable level vs breaking something that's what we do.

I was at a conference this week where someone was talking about vulnerability management. You can't patch everything. And sometimes you shouldn't. There's only so much time and resources. The focus needs to be on what is being exploited and going to get your company in trouble (*cough* user workstations *cough*). I wish I had the slide I saw so I could link it that showed a method on how to balance it.

In Waco's case I don't know just how bad the impact was. I know I've seen stories of up to 40% with all the mitigations applied. That said, I'd suggest FIM and using enhanced logging and custom alerting in a SIEM to ensure only authorized commands were being executed. If a person must be authorized admin to run code at all in the first place, so there are no other users on the system, the vulnerability of speculative execution is really just not going to happen. Last I checked, storage systems don't typically have regular users.


I agree. To me, in this particular case, it sounds that the systems in scope are used exclusively for processing, and should have security measures in place for protecting them from foreign data sets or extraneous code in this case (i.e. MDS-related code):
  • Network access is restricted (potentially, I know it depends on a case by case basis)
  • Remote login is restricted to authorized personnel
  • Logging and monitoring
  • etc etc etc...
Perhaps the context should be "reducing the risk to a reasonable level" rather than applying patches front left and center, right?

Also afaik: SIEM monitoring and FIM can be ultra expensive (i.e. monitoring use cases, custom rules, team to respond to detection) to be implemented correctly, and to a comfortable level. It's easier to lock down network zones and restrict access and then think of monitoring. But once again, it depends on how much money your business [can/wants to] throw at the problem.

Edit: was saying throw money at the money... obviously you gotta spend money to make money :)
Last edited by qmacpoint on Fri May 17, 2019 1:48 pm, edited 1 time in total.
 
Waco
Gold subscriber
Grand Gerbil Poohbah
Posts: 3158
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: 7 more speculative execution attacks

Fri May 17, 2019 1:16 pm

It's not possible to vet every single bit of code that runs on compute clusters, so yes, we absolutely do need to patch user accessible systems. Even on our airgapped networks that's a requirement.

Auditing and monitoring does not replace prevention of escalation.
 
DragonDaddyBear
Silver subscriber
Gerbil Elite
Posts: 982
Joined: Fri Jan 30, 2009 8:01 am

Re: 7 more speculative execution attacks

Fri May 17, 2019 2:52 pm

Additional monitoring gets you better time to response and time to detection. That's what a fence or a lock does. It doesn't stop anyone. You just need a big enough fence or lock to slow them down enough to be able to see them and get to them before they get in.

SIEM is spendy, but not as bad as the resources to properly manage it. If you're a relatively large-ish company you really need one. Especially if you have any kind of oversight (PCI, HIPAA, SOX, etc.), then you must have one.
 
Waco
Gold subscriber
Grand Gerbil Poohbah
Posts: 3158
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: 7 more speculative execution attacks

Sat May 18, 2019 7:32 pm

I didn't mean to imply we don't do monitoring and auditing. I'm saying it's not enough to simply catch them when it's too late. :)

We already have a 24/7 team for monitoring.