New Spectre 1.1 and Spectre 1.2 CPU Flaws Disclosed (bleepingcomputer.com)
Two security researchers have revealed details about two new Spectre-class vulnerabilities, which they've named Spectre 1.1 and Spectre 1.2. From a report: Just like all the previous Meltdown and Spectre CPU bug variants, these two take advantage of the process of speculative execution -- a feature found in all modern CPUs that has the role of improving performance by computing operations in advance and later discarding unneeded data. According to the researchers, a Spectre 1.1 attack uses speculative execution to deliver code that overflows CPU store cache buffers in order to write and run malicious code that retrieves data from previously-secured CPU memory sections. Spectre 1.1 is very similar to Spectre variants 1 and 4, but the two researchers who discovered the bug say that "currently, no effective static analysis or compiler instrumentation is available to generically detect or mitigate Spectre 1.1." As for Spectre 1.2, the researchers say this bug can be exploited to write to CPU memory sectors that are normally protected by read-only flags.
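As an added illustration (written for this page, not code from the report, the researchers, or any CPU or OS vendor), the code shape that the summary is talking about, next to the index-masking mitigation that the Linux kernel applies by hand at variant-1 sites: a bounds check implemented as a conditional branch, followed by a store through the checked index. The buffer layout and the names `store_gadget`, `store_hardened`, `index_mask_nospec` and `hardened_store_ok` are assumptions made here. Speculative side effects are not observable from plain C, so what the example shows is the pattern and the branch-free clamp that keeps the store inside the buffer even on a mispredicted path; a serializing fence after the branch (`lfence` on x86) is the other commonly used option.

```c
/*
 * Added example for this page: the code shape behind a Spectre 1.1
 * ("bounds check bypass store") gadget, next to an index-masking
 * mitigation. Illustration written for this page, not code from the
 * researchers or from any vendor; the frame layout and the function
 * names are assumptions. Speculative effects are not visible from C,
 * so the checks below only cover the architectural behaviour.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_LEN 16

/* Constructed "frame": a bounded buffer followed by a byte an attacker
 * would like to overwrite (stand-in for a saved return address or a
 * function pointer that sits after a stack buffer). */
struct frame {
    uint8_t buf[BUF_LEN];
    uint8_t sentinel;      /* lives right after the buffer */
};

/* Vulnerable shape. The bounds check is a conditional branch; once the
 * predictor has been trained with in-bounds idx values, the CPU may
 * speculatively execute the store for an out-of-bounds idx. The value
 * sits in the store buffer, visible to later speculative loads, until
 * the misprediction is squashed. Architecturally the write never
 * happens, which is why no test can observe it. */
void store_gadget(struct frame *f, size_t len, size_t idx, uint8_t val)
{
    if (idx < len)
        f->buf[idx] = val;
}

/* Branch-free mask: all ones when idx < len, zero otherwise. Same
 * construction as the generic array_index_mask_nospec() in the Linux
 * kernel. Assumes idx and len are below 2^63 on a 64-bit target and
 * that right-shifting a negative signed value is arithmetic (true for
 * GCC and Clang). */
static inline size_t index_mask_nospec(size_t idx, size_t len)
{
#if defined(__GNUC__)
    /* stop the compiler from folding the mask away based on what it
     * "knows" about idx from the preceding branch */
    __asm__ __volatile__("" : "+r"(idx));
#endif
    return (size_t)(~(intptr_t)(idx | (len - 1 - idx)) >> (sizeof(size_t) * 8 - 1));
}

/* Hardened shape: the index is clamped inside the conditional, so even
 * on a mispredicted path the store lands on buf[0], never past the end.
 * This has to be applied at every such store site by hand, which is
 * the gap the researchers' "no generic compiler instrumentation"
 * remark points at. */
void store_hardened(struct frame *f, size_t len, size_t idx, uint8_t val)
{
    if (idx < len) {
        idx &= index_mask_nospec(idx, len);
        f->buf[idx] = val;
    }
}

/* Architectural check: store val at idx through the hardened path and
 * return 1 if the sentinel survived and the buffer holds what it
 * should (val at idx when in bounds, nothing written when not). */
int hardened_store_ok(size_t idx, uint8_t val)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.sentinel = 0xAA;
    store_hardened(&f, BUF_LEN, idx, val);
    if (f.sentinel != 0xAA)
        return 0;
    if (idx < BUF_LEN)
        return f.buf[idx] == val;
    return f.buf[0] == 0;
}
```

The mask is computed from the same values the branch tested, so it is correct on the architectural path and harmless on the speculative one; the inline asm barrier matters because an optimizer that trusts the `idx < len` branch will otherwise simplify the mask to all ones and reintroduce the gadget.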
as safe as expected anymore. So many thought some designs would be. That their fav brand would be ok.
Let's create a software layer over the CPU to make it all safe. Get that fast speed way down.
Domestic spying is now "Benign Information Gathering"
The variants AMD is affected by are the low-risk, hard-to-exploit ones that are a long shot. The Intel-only one is more trivial to exploit.
Do you work for Intel? AMD is not vulnerable to the newly announced exploits. Also, the ones AMD is vulnerable to are low risk and hard to exploit, far lower risk than the Intel-only ones, which are trivial to exploit. Bottom line: AMD is VASTLY safer.
We will see whether this holds up, but at the moment Intel is the one that played it fast and loose in order to have a few percent more performance, while AMD was far more careful and conservative and is now far less at risk and maybe not at all due to massively higher effort to exploit the subset of these vulnerabilities where they are affected. It is still possible that an easy to exploit variant will eventually be found for AMD too, but at the moment there is none.
Given that AMD has already done some additional things against this class of exploits in Zen 2, it may be that Intel CPUs will be a continued problem for the next years, while the same things may be more of an annoyance on AMD or not even present. Well, market dominance is never a good thing. Quality almost always suffers and prices get inflated. It would be a good thing if Intel got cut down quite a bit in size.
Of course, many people now have to defend their bad decision to not even have looked at AMD, and they are intent on muddying the waters.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
It only has to be implemented once and copied. Re: Life.
Until viruses use it. Viruses were the original POC.
Re: Javascript
And one based on Meltdown and/or Spectre could potentially bypass all security without any possible generic fix. So, obviously it'd be nice to know about it.
Yes, /rant. Who's going around burning their CPUs? The point is to find as many of the vulnerabilities as possible now, to start introducing fixes in hardware. And knowing there are more varied variants means the fix needs to be more generic. It also means that we have to start honestly considering the possibility that JavaScript can be an attack vector against CPU bugs, so that's something to mitigate against where reasonable.
But, yea, let's not point out the potential scope of this or light an impetus to change CPUs to mitigate these risk! We should just not really cover it. Then if/when the attacks do come because people find out how to make them more doable, we're then really boned. I mean, it's not like it takes years for CPU designs to be developed and deployed to replace current CPUs.
3) This requires the virus to be running ON your fucking computer!! If you are running ANY virus on your computer, you're hosed.
You're not thinking about the countless virtual machines running on someone else's hardware (i.e. "The Cloud"). It's not "your" computer that must be compromised. It's the hypervisor that it's running on, or possibly someone else's VM running on the same hypervisor.
OK, show me a WORKING implementation where a guest OS can read anything useful out of a hypervisor's cache. Does anyone have ANY idea of how hard it must be to grab (roughly) 16KB of cache data (presuming that it is 100% accurate, of which I am yet to be convinced) and determine exactly what that chunk represents?
I'm still calling Shenanigans on this vulnerability being useful in any real context, until/unless someone can demonstrate: reading cache data via this vulnerability and THEN knowing just WTF that data was!
Mitigation of prior SPECTRE attacks is cheaper on AMD than on Intel. I would be surprised to learn that was not the case again. In addition, it's more difficult to exploit on AMD, and further, AMD was NOT vulnerable to all the classes of SPECTRE attack which affected Intel processors. So while you're technically correct, there are also caveats.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
You have been doing things wrong, then. I have been using AMD processors literally since the K6, and that was literally the last processor to give me any kind of trouble. And the last K6 I owned was in a laptop and gave me literally zero trouble (although the garbage ATI rage pro lt sure did.) My current PC has an FX-8350 and a pair of Zotac GTX 950 AMP! cards in, and has literally been my most trouble-free hardware ever - and I've owned SGI, DEC, Sun, IBM, Apollo, Amiga, Macs... You name it.
The K6 that caused me problems had a VIA chipset. Yep, there's the problem, it says VIA on it.
You failed, fundamentally, to answer my largest question: Presuming that you can read a blob of data from cache (which, yes, can be done...), show me how you make sense of that data?!?
Is it code? Is it data? How Da Hell do you know? I've heard Peter on Ars go on and on about how your passwords are leaked. Bullshit! Show me how (other than, say, running 'strings' or 'grep') on a small pile of cache data and make fucking sense out of it!
Regular viruses KNOW what they want and grab it. This is cache-tickling looking for a needle in a tremendously large haystack!
If I received a dump of memory from a process there's probably a lot I could work out just from a hexdump as well as running strings or grep. I've personally reverse engineered a few proprietary binary file formats by making small changes in an application, then staring at hex dumps of the saved files.
It's not a huge leap to do the same with the RAM of a target program. Run it in a debugger, make small changes and watch where those changes are written. Once you work out what to look for, then you automate the search in the virus.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
I too had stability issues with the K6... It turned out it was related to the VIA chipset, and more specifically the drivers. Not that they were buggy, no no, they failed to handle buggy 3Dfx, buggy NVidia and buggy Soundblaster hardware that were all violating the PCI standard, and when you had two of them (which most gamers had), there was a small but non-zero chance they would step on each other's toes due to their abuse of the PCI standard and fuck the system state up.
The non-VIA drivers and Intel BIOS all had work-arounds to keep that buggy hardware in check. After the issue was fixed in a VIA driver update, there were no more crashes.
But, as is often the case, the blame lay nowhere close to where most people put it.
Same here, although I started with the K5.
My AMD k6 was great!
I had trouble with my slot-A Athlon 750 back in the day.
I bought the cheapest, trash motherboard with the even more trash Via KX133 chipset on it. The KT133/KT266 went on to be a pretty much legendary value, but that KX133 was basically beta-quality. Should have spent the extra $20 on the AMD-750 chipset instead, but you live, you learn.
My next one was a socket A with a KT133A, ran like a top with a heavily overvolted/overclocked Duron, haven't had any trouble since (Athlon XP, Athlon64).
Got my eye on a Ryzen 2400G for my next machine. Well, for home.
For work, I'm looking at dual 24 core Epycs...