Theo de Raadt Details Intel Core 2 Bugs

Eukariote writes "Recently, Intel patched bugs in its Core 2 processors. Details were scarce; soothing words were spoken to the effect that a BIOS update is all that is required. OpenBSD founder Theo de Raadt has now provided more details and analysis on outstanding, fixed, and non-fixable Core 2 bugs. Some choice quotes: 'Some of these bugs... will *ASSUREDLY* be exploitable from userland code... Some of these are things that cannot be fixed in running code, and some are things that every operating system will do until about mid-2008.'"

Good stuff.

[AltGrendel]

I always find Mr. De Raadt's comments an interesting read. He's like a geek version of Harlan Ellison.

Patches

[suv4x4]

outstanding, fixed, and non-fixable Core 2 bugs

Well, in these days of fast-paced business, business at the blink of an eye, at the speed of light, at the speed of spooky action at distance kinda speed, it's normal that companies would release products prematurely and then patch later.

Thankfully, software is very easy to patch post-release.

Now, the only thing left to do, is someone tell Intel that they're selling hardware.

Re:Time for RISC?

[Viv]

The market resoundingly rejected that idea when Intel tried to hoist IA64 on it.

Re:Intentional?

[Slashcrap]

There seem to be intentional modifications in there.

Unprovable conjecture. Why would Intel make this public if they were?

Could that be a backdoor and a good reason for countries like China to develop their own CPUs?

Are you the same freak that posted on KernelTrap about how every CPU since the 486 has been bugged by the NSA and can be monitored by satellites? If so, please carry out the recommended course of action that I detailed to you on that occasion. Namely that you set fire to yourself outside the UN building in order to draw attention to your cause. Thanks in advance.

Re:How hard is it to get right?

[imgod2u]

Yes and no. There are limitations to HDL's (and Intel, last I heard, was all Verilog). For one, it is *very* difficult, if not impossible in certain situations, to describe asynchronous signals. With something as complicated as a microprocessor that is so aggressively designed for both power and speed, I would guess that they didn't go with a completely synchronous design (hell, no one does anymore). Locally synchronous, globally asynchronous design has been in use for a while. It helps when you want to be able to shut off, or slow down, only parts of the chip that aren't being used very much.

It is not possible to describe such things (let alone voltage islands, voltage scaling) in an HDL language and they must either be a special feature built into synthesis (with an extra set of constraints) or done by hand at the transistor/gate level.

Then there's the point of verification. Every software release since about the mid-1990's has almost been immediately followed by patches. Just because it's "1's and 0's" does not mean that it doesn't get harder to detect corner cases as complexity grows. And it's much more difficult if you have to simulate on a cycle-accurate model (boot-up for an operating system, in simulation, would take a day on a nice cluster on something as big as the Core 2).

Then there's post-synthesis/layout issues. Timing analysis do best on sequential logic (completely synchronous). When you throw in clock gating, multiple voltage islands, dynamic voltage scaling (meaning dynamic gate delays), not to mention the plethora of other techniques that those folks might be doing, what you see in simulation at the RTL level will not match what you see in reality. First rule they ever teach in any ASIC design class is never trust simulation.

The point is that abstraction, like how it's "vhdl", does not mean that it's not difficult to get right and even sometimes impossible to be certain.

Comment removed

[account_deleted]

Comment removed based on user account deletion

VHDL for voting machines

[martyros]

So perhaps the NY law requiring software for voting machines to be held in escrow should include the chip layout as well...

Re:Yay AMD

[Tony+Hoyle]

You'd be surprised - there are all sorts of gotchas on different platforms... different OS library support, different word length, different byte orders, alignment issues, etc. then at the OS level you have path separators (/,\,.,:,whatever plus existence of drives eg SYS$SYSTEM:[00000] is a path on VMS, C:\ is a path on Windows - and not all filesystems support paths in the sense Unix does anyway, Character set assumptions (you can't assume the platform supports utf8, or even ASCII), Case sensitivity, Character set sensitivity, etc.

No code (except assembler) is CPU specific.. you can compile an average (well written) C app on pretty much anything with a C compiler, but it's often unknowningly architecture /OS specific - until you've been through the pain of translating to an entirely different OS (HPUX is fun, VMS is even more fun, or for *lots* of fun try OS/360) it's difficult to know - and that goes for any language, including Java (which mitigates some of the issues but by no means all of them.. not to mention the jvm isn't available on many platforms).

Theo-bashing is so passe.

[peacefinder]

"Hasn't anyone noticed these terrible bugs?"

Apparently they have, and now we know too.

Look, I know Theo-bashing is a traditional bit of fun, so I hate to rain on your parade. But you should keep in mind that the OpenBSD team is uniquely (or nearly so) positioned to discover and publicize the security implications this sort of flaw. The whole project is security oriented; they don't accept "binary blobs" into security-sensitive roles, which means they look more closely at hardware than most; they operate in a very transparent manner; their user base is supportive of any security-related moves by the devs; their installed base is heavy in security-sensitive roles; and the project is notorious for not giving a damn about political considerations.

"But they're rarely very serious, they rarely actually affect anything in remotely realistic scenarios."

OpenBSD is heavily used in the perimeter security role, and in security-sensitive roles generally. As its OS security gets better, OpenBSD's sensitivity to hardware security flaws gets higher. If there's an architectural flaw that the OS can't cover, OpenBSD's user base needs to know that so they can evaluate their overall security and spec hardware accordingly.

Almost no one else needs to worry about hardware exploits in Core 2 as much as OpenBSD does, because almost every other OS for general-purpose hardware has easier exploit paths. For instance, I'm not worried about this flaw on my home iMac, because my iMac isn't in a security-sensitive role. If an attacker wants my home data, it'd be easier for the attacker to simply break in and steal the whole box.

"How does he expect Intel to respond?"

Like the professionals they are, I'd think.

Re:Theo-bashing is so passe.

[kestasjk]

Look, I know Theo-bashing is a traditional bit of fun, so I hate to rain on your parade. But you should keep in mind that the OpenBSD team is uniquely (or nearly so) positioned to discover and publicize the security implications this sort of flaw. First off I'm not "Theo-bashing", I'm bashing what Theo is doing. He acts like a vain hypocrite so often that people think we're bashing Theo and not what Theo happens to be doing.
Second; how are they uniquely positioned? Theo read the errata that's public to everyone, and says that he "bets" there may be "potential" security implications. He's in a unique position to troll and spread FUD about a company that doesn't pay attention to OpenBSD, but apparently he's not in a unique position to offer anything new.

"But they're rarely very serious, they rarely actually affect anything in remotely realistic scenarios."

OpenBSD is heavily used in the perimeter security role, and in security-sensitive roles generally. As its OS security gets better, OpenBSD's sensitivity to hardware security flaws gets higher. If there's an architectural flaw that the OS can't cover, OpenBSD's user base needs to know that so they can evaluate their overall security and spec hardware accordingly. Isn't that precisely what Intel have done? They've let the public know about the flaws, now it's up to OpenBSD to "evaluate their overall security and spec hardware accordingly". (This mail suggests they're jumping straight to "spec hardware" before properly evaluating how this affects their security.)

Almost no one else needs to worry about hardware exploits in Core 2 as much as OpenBSD does, because almost every other OS for general-purpose hardware has easier exploit paths. For instance, I'm not worried about this flaw on my home iMac, because my iMac isn't in a security-sensitive role. If an attacker wants my home data, it'd be easier for the attacker to simply break in and steal the whole box. What hardware exploits? Who said anything about hardware exploits? Intel's errata doesn't say anything like that, Theo's mail gave nothing other than a "bet" that out of 50-60 bugs in the chip "2-3" will be exploitable. You're acting like the errata details a whole bunch of critical vulnerabilities, but that's just not true.

This is exactly how Theo wants people to react to this; "now the Core 2 isn't safe", even though his mail contained no substance whatsoever.

"How does he expect Intel to respond?"

Like the professionals they are, I'd think. A professional's response to a mail that cites publicly released errata alone and concludes that no-one should buy your chips? No response, of course.
Hopefully Intel are more professional than Theo, and will be working on future products and technologies, and finding bugs in existing ones, rather than indulging in empty self righteous flamefests.

Re:Theo-bashing is so passe.

[peacefinder]

"First off I'm not "Theo-bashing", I'm bashing what Theo is doing."

So in your clause "Raving lunatics like Theo" you'd like the reader to focus on the fact that he's raving, but the reader should basically ignore that you just happen to mention in passing that you think he's a lunatic?

Right, got it. Thanks for the clarification on that.

"Theo read the errata that's public to everyone, and says that he "bets" there may be "potential" security implications."

Well - and I can only speak for myself here - the fact is that I'm an ignorant fuckwit when it comes to the security implications of Intel's hardware errata. I know just enough to know that I cannot read Intel's chip errata and produce an opinion about the security implications that ihas any statistically-significant superiority to random chance. I'd guess that it is highly likely that well in excess of 95% of the general computer-buying public is similarly ignorant.

However, I'm dead certain that Theo knows a great deal more about secure OS design and the implications of these errata than I do. I'm pretty sure he knows more about it than you do, too. (Nothing personal, but I figure there's probably under five thousand people worldwide who have similar expertise at the moment. Odds are you're not among them.) His track record thus far isn't perfect, but it's really fucking good. So if he says that it's likely that some of the flaws will prove exploitable, I'm willing to provisionally trust his predictive opinion.

And it's not like it'll stop me - or most other security-conscious people - from buying Core 2 machines. It will, however, prevent most or all security-conscious admins from deploying such machines in highly security-sensitive roles until the picture becomes more clear. This is not going to be a huge impact on Core 2 sales, because there already were better hardware solutions than Core 2 for both multi-user server roles and for perimeter security roles. The real problem with these alleged security flaws will be in the laptop and desktop markets, because Core 2 is pre-eminent there. Even so, it would only affect the segment of that market that is security-sensitive... which probably is not a huge portion of that market. (As another commenter said, though, the DoD's tech buyers are probably going to have serious headaches.)

So if Theo's goal is to wound Intel - which I doubt - this is not going to leave a big mark in sales. Theo fails it!

Overall, I don't think your theory holds much water. Sure it's possible that he's just being a dick about it just to spite intel. But it's also possible that his expertise leads him to have genuine concern, and his forthrightness leads him to say it plainly. I, for one, am not willing to bet my network security on the chance that the former possibility contains the whole truth behind this.

Re:wrong

[Sparohok]

Itanium is a lesson in how not to handle technological transitions. Itanium was picked by geeks who had no idea of what the market wanted or needed, and Intel marketing and management blindly believed what they were hearing from the geeks.

Actually, Itanium was a wildly successful product. Mere rumors of Itanium's capabilities were sufficient to kill DEC Alpha, drive SGI/MIPS out of the high end processor market and disrupt SPARC and PA-RISC development programs. Intel virtually eliminated the threat of competitive RISC architectures for years with the announcement of Itanium.

(Another company that works like that is Microsoft, which is why they keep churning out such bad software.)

To much the same effect.