The 2018 CPU vulnerability disaster (SPECTRE & MELTDOWN)

[Mystik]

SPECTRE & MELTDOWN

Here's a great start to 2018: 99% of all processors in use today have design flaws that makes them vulnerable to attacks.

Researchers have found 2 bugs/design flaws that combined impact pretty much all processors in use today. This means that your PC, laptop, server and phone ARE AFFECTED by these bugs. Both of these bugs allow hackers to read information from the memory. THIS CAN INCLUDE PASSWORDS AND OTHER PERSONAL INFORMATION. There are 3 variants (variant 3 has a sub variant) of attacks. 1) Bounds check bypass [Spectre], 2) Branch target injection [Spectre], 3) Rogue data cache load [Meltdown]. Spectre attacks affect almost ALL MODERN CPUs, while Meltdown "only" affects Intel CPUs starting from 1995 and some ARM cores... These hardware bugs are basically caused by technically a design flaw in the modern CPU architectures, where Meltdown is specifically on x86 architecture. The extra bad news is that the global fix for Meltdown that has already been implemented to all major OSs will lead to performance decreases on all Intel CPUs, especially pre-2010 models. More on this in the Meltdown section.

SPECTRE:
What? - Spectre breaks the isolation between applications. This means that a harmful application exploiting spectre could read information from memory and hence from other apps. Even though the applications are coded by today's standards for optimized security, Spectre can actually benefit from this. Spectre is harder to exploit, but also harder to fix.
Affects? - All AMD, Intel, ARM CPUs. Yes. ALL OF THEM.
Fix? - Software patches. VERY hard to fix and a 100% fix is probably impossible.

MELTDOWN:
What: Meltdown breaks the isolation between user applications and the operating system. This allows the exploit to read information from the memory, thus making it possible to gain information from others applications running in memory, which might include passwords etc.
Affects: All Intel CPUs from 1995-> (excluding Itanium and Atom before 2013). ARM: Cortex-A75. (Variant 3a also Cortex-A15-, A57- ja A72). AMD not affected.
Fix: KPTI (Kernel Page Table Isolation). This means that the kernel memory is completely isolated. This is done via Operating system patches / updates + microcode / firmware update. The Linux kernel has already been patched for this exploit, and an emergency Microsoft update KB4056892 has been released, that implements the first step of the fix. However this is a hardware bug/flaw, which means that Intel has to also issue some sort of microcode / firmware update to completely fix this. Note that the Windows Update is not being enabled on all PCs because it's NOT COMPATIBLE with most anti virus software. More on this as the story unfolds. And now for the worst news.
Performance degradation: The KPTI fix will lead to performance degradation on the Intel x86 platform. There are no proper tests of the amounts of performance degradations of yet, but they can be expected to range from virtually nothing to almost 30% in cases where a lot of CPU I/O calls are being made. This means that for gaming and general usage the performance degradation shouldn't be that noticeable, but for special high I/O workloads like certain SQL functions ran with the fix resulted in up to 23% performance degradation.

TL;DR
All modern CPUs have a hardware bug / design flaw that makes them vulnerable to two different exploits. The exploits can be used to (for example) read passwords from the memory. One of the bugs is easy to fix with OS patches but will result in performance degradation in Intel processors. The other exploit is hard to fix.

{Tried to write this as simply as possible. Will update when more info arises. Updates marked with heading UPDATE: (date)}


SOURCES:
https://meltdownattack.com/
https://meltdownattack.com/meltdown.pdf / https://spectreattack.com/spectre.pdf
https://www.theregister.co.uk/2018/01/02...sign_flaw/
https://googleprojectzero.blogspot.fi/20...-side.html
https://newsroom.intel.com/news/intel-re...-findings/
https://developer.arm.com/support/security-update
https://www.amd.com/en/corporate/speculative-execution
https://support.microsoft.com/en-us/help...s-released


UPDATE 11.01.2018: Intel released benchmarks detailing processor slowdowns of a few configurations.

The performance hits ON BENCHMARKS range from 7% - 8% on average.



https://newsroom.intel.com/editorials/in...t-systems/
http://www.pcgamer.com/intel-shares-more...n-patches/
https://www.engadget.com/2018/01/11/inte...-slowdown/

[Thrasher]

2 researchers have unintentionally unleashed a new hackers apocalypse. 2018 is already looking great xd

[Haures]

[Mystik]

(05-01-2018 08:58 AM)Haures Wrote:  

However, this is not all that's needed to actually make the patch work. As he has commented on the video.

(04-01-2018 08:18 PM)Mystik Wrote:  an emergency Microsoft update KB4056892 has been released, that implements the first step of the fix. However this is a hardware bug/flaw, which means that Intel has to also issue some sort of microcode / firmware update to completely fix this. Note that the Windows Update is not being enabled on all PCs because it's NOT COMPATIBLE with most anti virus software.

[$ubzero]

Don't know that much about this but thanks for the information.
Is this something I should take in account for/while building a new PC or is it like you said on every CPU?

[Mystik]

(07-01-2018 02:32 PM)$ubzero Wrote:  Don't know that much about this but thanks for the information.
Is this something I should take in account for/while building a new PC or is it like you said on every CPU?

Spectre affects (almost) all CPUs. Meltdown affects (almost) all Intel CPUs.

Well you can take it in to consideration yes, Intel CPUs will get a bit slower, most likely not in a way that is visible to a normal user nor gamers. I'm still gonna buy the 8700K and invest in that stupid Z370 platform that will be supported for like 6 months or something....

You can basically expect new CPUs without these vulnerabilities in like a year or something... Maybe... As these flaws / bugs generally have to do with the entire architectures CPUs are made with

For me this won't affect my CPU purchase decision because all CPUs are vulnerable, and even with like 0,5% degradation on Intel CPUs they will still be the gaming kings.

[Mystik]

3 class-action lawsuits already in the making!

https://www.theguardian.com/technology/2...s-computer

[Mystik]

UPDATE 11.01.2018: Intel released benchmarks detailing processor slowdowns of a few configurations.

The performance hits ON BENCHMARKS range from 7% - 8% on average.



https://newsroom.intel.com/editorials/in...t-systems/
http://www.pcgamer.com/intel-shares-more...n-patches/
https://www.engadget.com/2018/01/11/inte...-slowdown/