Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Next Generation' Flaws Found on Computer Processors (reuters.com)

Posted by msmash on from the security-woes dept.

An anonymous reader shares a report: Researchers have found eight new flaws in computer central processing units that resemble the Meltdown and Spectre bugs revealed in January, a German computing magazine reported on Thursday. The magazine, called c't, said it was aware of Intel's plans to patch the flaws, adding that some chips designed by ARM Holdings, a unit of Japan's Softbank, might be affected, while work was continuing to establish whether Advanced Micro Devices chips were vulnerable. Meltdown and Spectre bugs could reveal the contents of a computer's central processing unit -- designed to be a secure inner sanctum -- either by bypassing hardware barriers or by tricking applications into giving up secret information.

8 of 144 comments (clear)

  1. not buying any more new computers & gadgets by FudRucker · · Score: 5, Insightful

    until the CPU manufacturers resolve this issue, if necessary will scour craigslist and second hand PC shops and buy used junk for cheap, no more high dollars spent on new desktops & laptops & tablets & phones until this CPU vulnerability issue is resolved in a proper and long term way

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 5, Insightful

      Nothing will ever be 100% secure, so just give up.

    2. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 1, Insightful

      you will have to apply crippleware patches to secure it - and reduce it to half the original performance

      That "reduced performance" is actually the performance you should have had all along.

      The problem is, Intel tried to cheat. "Speculative execution" is just a marketing gimmick created so they could claim that their chips were faster than the competition. And when one company cheats, and gets away with it, everyone else has to cheat too, in order to stay competitive. So now we're stuck with hundreds of millions of CPUs with design flaws.

  2. More of an issue now by FeelGood314 · · Score: 5, Insightful

    CPUs have always had flaws and as a developer there was always an errata sheet you had to read and understand. The problem today is cloud computing and to some extent javascript. People are now running untrusted code on the same systems as their trusted programs. It was assumed that as long as your sandbox for these programs was secure and well defined that this was safe. Spectre and Meltdown proved this wasn't true.

  3. Next generation by 110010001000 · · Score: 5, Insightful

    Very possibly the next generation of Intel processors are going to be slower than the previous generation once they have to fix these architectural issues.

  4. Re: not buying any more new computers & gadget by sexconker · · Score: 2, Insightful

    A 100 percent secure computer can be turned into a military grade cipher machine by every competent computer scientist...

    Nope. A 100% secure system wouldn't let the computer scientist modify it or even determine that its hardware met milspec.

  5. Re: not buying any more new computers & gadget by ralphsiegler · · Score: 4, Insightful

    the 100% percent secure computer is one that no one can access and no one knows where it is

  6. Not a language issue by FeelGood314 · · Score: 4, Insightful

    It's not the language it's the CPU instruction pipeline. On your old 8 bit computer it would take 4 ticks to fetch the instruction, fetch the arguments, do the calculation, store the result. Then we got a pipeline where each tick you would do all 4 things, fetch instruction 4, get the arguments for instruction 3, do the calculation for instruction 2 and store the result of the instruction 1. Over the years pipelines got longer and more complex. An inefficiency in pipelines occurs when you do a branch, then have to wait for the pipeline to fill. The solution to this is to fetch both instructions and speculatively do both until you know which way the branch went. Unfortunately there were two security problems with this. Intel wasn't checking if you had permission to gather the arguments until after they were fetched and second some effects of following the branch that wasn't taken could be seen by the branch that was. So the trick was to get the speculative branch, the one your code won't take in the end, to fetch something you shouldn't have access to and then in the other branch look at that data.

    It is actually very easy to exploit Meltdown and Spectre in assembly and C and much harder in JavaScript. However, my web browser doesn't regularly download and run binary files, it does regularly load JavaScript and automatically run it.