Major security flaw in intel processors

civvver

A major flaw has been discovered at the hardware level of Intel chips made in the last decade. In very simple terms, by searching the virtual memory on your machine a program can determine where your kernel memory is on your system. Then it's possible to queue up OS operations in code that will occur at a later point, called speculative execution. Apparently using this mode ignores checking user access levels to memory locations, so any program, if it's set up to do so, can access kernel memory. Thus they could potentially access all sorts of stuff like passwords and other saved OS info. That's probably a very bad synopsis of the issue, but there's more below.

The fix is going to have to be an OS-level fix that basically quarantines off the kernel space, but this requires a lot of additional memory transactions and can slow OS performance considerably.

http://www.popularmechanics.com/tec...ity-flaw-affects-decades-of-intel-processors/

Fortunately for gamers this shouldn't affect performance. It probably won't affect normal desktop users very much at all.

http://www.pcgamer.com/serious-inte...-but-probably-wont-affect-gaming-performance/

Where it's going to have major impact is on cloud applications, stuff that accesses OS, security applications etc. We'll have to see how bad it is in the end.

I definitely could see a class action lawsuit coming out because of this, depending on how bad the performance hits are. If cloud servers really see up to 30% decline in performance that is huge.

AMD stock is surging on this news as well, since AMD processors are not affected. Will we see a bunch of enterprise servers switch to AMD now or not? I'm skeptical as it's a big investment, but maybe moving forward they will. Maybe we'll see more AMD laptops from major manufacturers like Dell and HP.

It kind of shocks me that this flaw took so long to discover.
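Added example, not from the thread or any poster: a POSIX shell check for whether the running kernel reports the OS-level kernel-isolation fix described above (KPTI on Linux). It assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities/, which later kernels added for exactly this purpose; the directory is a parameter so a constructed sample tree can be checked offline.

```shell
#!/bin/sh
# Report the kernel's own view of its speculative-execution mitigations.
# Assumption: a Linux kernel exposing /sys/devices/system/cpu/vulnerabilities/
# (one file per issue, e.g. meltdown, spectre_v1, spectre_v2).
# Exit status: 0 = nothing reported "Vulnerable", 1 = at least one entry is,
#              2 = the directory is missing (kernel too old to report).
report_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    vulnerable=0
    [ -d "$dir" ] || { echo "no $dir: kernel does not report status" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")          # $(...) strips the trailing newline
        case "$status" in
            "Not affected") verdict="OK   (hardware not affected)" ;;
            Mitigation:*)   verdict="OK   ($status)" ;;
            Vulnerable*)    verdict="FAIL ($status)"; vulnerable=1 ;;
            *)              verdict="??   ($status)" ;;
        esac
        printf '%-14s %s\n' "$name" "$verdict"
    done
    return $vulnerable
}

# Constructed sample tree standing in for sysfs, so the check runs anywhere.
# The values are made up for illustration; "Mitigation: PTI" is what a
# kernel with page-table isolation enabled reports for meltdown.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

case "${1:-}" in
    --demo) report_mitigations "$(make_sample_tree)" ;;   # sample tree, exits 1
    --live) report_mitigations ;;                         # the real sysfs
esac
```

Run with `--live` on a patched and an unpatched box to see the difference; the exit status makes it usable from a fleet inventory script.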
 
Chalk one up for the Stall Man.
 
This is big. The embargo is to be lifted tomorrow, iirc, so we'll have much better details then.

But as of now, it seems that any Intel system from the last decade should not be on the Internet unless the OS has been patched.

And lots of machines will take a performance impact, which will either have to be made up for with more machines, or new machines...
 
Well, time to switch to a Zilog Z80.
 
I definitely see a big lawsuit coming, though it could take years to sort out. Time to short Intel stock.
 
I can't see any lawsuits regarding this going anywhere. This isn't notably different than other errata (of which there are very many) other than in severity. The only time any compensation happens is when they have flaws that are *not* solvable in software. (i.e. Those that result in premature hardware failure, like the C2000 clock signal issue, the overbiased SATA controllers on the 6-series motherboards, etc.)

But as of now, it seems that any Intel system from the last decade should not be on the Internet unless the OS has been patched.

Just disable javascript. The web is really much more pleasant without it, and you become preemptively immune to a whole class of attacks.
 
I have had a look at the Linux kernel patch. I am not very good at this sort of thing, but I think it means that EVERY memory call is being duplicated. This is going to have a massive performance hit, such that I am going to recommend my employer reexamine the big purchase of Intel-based number crunchers they have lined up. I am sure I am not the only one; this could really hurt Intel.
 
Just disable javascript. The web is really much more pleasant without it, and you become preemptively immune to a whole class of attacks.

Ditto this.

I strongly recommend NoScript, although I'm not gonna lie, the new UI for version 10 for Firefox Quantum kinda looks like butt.
 
I can't see any lawsuits regarding this going anywhere. This isn't notably different than other errata (of which there are very many) other than in severity. The only time any compensation happens is when they have flaws that are *not* solvable in software. (i.e. Those that result in premature hardware failure, like the C2000 clock signal issue, the overbiased SATA controllers on the 6-series motherboards, etc.)

If it is only fixable with a massive performance penalty, there will be systems that cannot handle that penalty and will need to be replaced (so for those it is effectively not solvable with software). Companies will be able to come up with solid numbers on what this will cost them. I don't think Intel will be able to avoid lawsuits here.
 
If it is only fixable with a massive performance penalty, there will be systems that cannot handle that penalty and will need to be replaced (so for those it is effectively not solvable with software). Companies will be able to come up with solid numbers on what this will cost them. I don't think Intel will be able to avoid lawsuits here.

Yep. I'm not saying there will be lawsuits due to potentially stolen data, but rather because the software fix can cause a massive performance hit, in which case you either buy new chips or more chips to get the same performance. Those numbers are easily quantified as damages.
 
Ditto this.

I strongly recommend NoScript, although I'm not gonna lie, the new UI for version 10 for Firefox Quantum kinda looks like butt.

Suggest uBlock Origin rather than NoScript and any other adblocker.

If it is only fixable with a massive performance penalty, there will be systems that cannot handle that penalty and will need to be replaced (so for those it is effectively not solvable with software). Companies will be able to come up with solid numbers on what this will cost them. I don't think Intel will be able to avoid lawsuits here.

Yep. I'm not saying there will be lawsuits due to potentially stolen data, but rather because the software fix can cause a massive performance hit, in which case you either buy new chips or more chips to get the same performance. Those numbers are easily quantified as damages.

Again, not notably different than various other errata. All CPUs regularly have errata where the fix affects performance. This is from a few months ago: https://lists.debian.org/debian-devel/2017/06/msg00308.html
AMD famously had the TLB bug with the original Phenom. You can just as easily quantify any of these as damages. CPUs aren't sold with the expectation of guaranteed performance; it would be a non-viable business model. The only real (I mean, in the sense of what I would consider to be legitimately litigious) problem is if there's a coverup, or some misrepresentation of the goods being sold.

In practice, CPU specifications are defined by what the shipping CPUs support, even if it wasn't known during the initial design. Intel regularly updates their specs to reflect this: https://www.intel.com/content/dam/w...n-updates/7th-gen-core-family-spec-update.pdf
 
Sophos's review of the bug:

https://nakedsecurity.sophos.com/20...ti-intel-cpu-flaw-needs-low-level-os-patches/

It has a somewhat readable description of what is going on, I like these points:
  • In theory, various Intel, AMD and ARM processors have features related to speculative execution and caching that can be exploited as described above.
  • AMD chips have so far only been exploited when using Linux with a non-default kernel feature enabled.
  • Intel chips have been exploited so that an unprivileged, logged-in user can read out kernel data slowly but steadily.
  • Intel chips have been exploited so that a root user in a guest virtual machine can read out host kernel data slowly but steadily.
(“Slowly” means that an attacker could suck out on the order of 1000 bytes per second, or approximately 100MBytes per day.)
 