Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Researchers Say Software Alone Can't Mitigate Spectre Chip Flaws (siliconrepublic.com)

Posted by msmash on from the closer-look dept.

A group of researchers say that it will be difficult to avoid Spectre bugs in the future unless CPUs are dramatically overhauled. From a report: Google researchers say that software alone is not enough to prevent the exploitation of the Spectre flaws present in a variety of CPUs. The team of researchers -- including Ross McIlroy, Jaroslav Sevcik, Tobias Tebbi, Ben L Titzer and Toon Verwaest -- work on Chrome's V8 JavaScript engine. The researchers presented their findings in a paper distributed through ArXiv and came to the conclusion that all processors that perform speculative execution will always remain susceptible to various side-channel attacks, despite mitigations that may be discovered in future.

98 comments

  1. I for one am.... by fluffernutter · · Score: 1

    ....not surprised.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:I for one am.... by Anonymous Coward · · Score: 2, Funny

      ... actually quite surprised.

      Software engineers admitting something cannot be just fixed in software? Astounding.

    2. Re:I for one am.... by Darinbob · · Score: 2

      I am. Though maybe it's just bad technology reporting. When they say "all processors that perform speculative execution will always remain susceptible" there's something wrong being reported. They should add in that this does not mean ALL processors (past, present, future, and from any vendor), and should end with "unless processors are redesigned."

      Reading the summary as-is literally, it is disgreeing with itself.

    3. Re:I for one am.... by Anonymous Coward · · Score: 0

      Why even bother? I've never applied any of those performance killing patches on any of my computers and none of them have been compromised.

      The risk of leaving Spectre and Meltdown unpatched has been blown way out of proportion by the media so that they can get clicks. If you have firewalls properly configured and follow good user practices (ie. don't download and run random shit from random sites, scan everything for malware and keep regular backups), then you have practically zero chance of ever having a problem.

      Hell, I don't even run an active virus scanner. I do manual scans on anything I download with both ClamAV and VirusTotal.

    4. Re:I for one am.... by Anonymous Coward · · Score: 0

      According to the paper, the V8 team were able to leak 10B/s of protected memory via JS with 99.99% reliability. I hope part of your security routine also includes disabling JS and killing browser processes quickly. In share memory cases, an amplification technique pushed 2.5Kb/s (but with a meager 20% reliability).

      I'm quite curious how this will develop over the next few years with this continued trend on "cloud computing." I'm sure large companies can block off entire systems for layered security but the rest of the world will still be using some form of shared computing with virtualization which is susceptible to these timing attacks. It definitely kills the world of passing code off to be executed just anywhere willy nilly.

  2. Just always apply hardware access controls. by KirbyCombat · · Score: 4, Insightful

    Is my understanding not correct? I thought that these vulnerabilities were due to processors not applying memory access controls during speculative execution. For me personally, I was very surprised to find out that memory access controls could be bypassed at all. Isn't it just a matter of always applying memory access controls? Isn't that why the access control is in the hardware?

    1. Re:Just always apply hardware access controls. by kurkosdr · · Score: 2

      Well the hardware implementation was buggy, so you can bypass it after all. And since you cannot patch hardware (unless the patch is disabling speculative execution altogether and making all the affected hardware much slower) people try to find all kinds of workarounds to mitigate the issue.

    2. Re:Just always apply hardware access controls. by DontBeAMoran · · Score: 1

      Is it even possible, though? That's like trying to make a turd sandwich taste good.

      Maybe they should go back to the drawing board and find something better than speculative execution.

      --
      #DeleteFacebook
    3. Re:Just always apply hardware access controls. by msauve · · Score: 4, Interesting

      But the summary claims "...all processors that perform speculative execution will always remain susceptible...". That's a blanket statement which covers all processors, existing or future.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    4. Re:Just always apply hardware access controls. by suutar · · Score: 2

      As I recall, the problem is that speculative execution alters the state of the CPU and its cache, and there are ways to determine information about that state afterwards that don't involve violating memory access restrictions, like "hey, loading that address didn't take as long as expected, something must've pulled it into the cache already" - that sort of thing. So the question is how much can they make the state act like the speculative execution never happened without actually reaching the point that speculative execution isn't beneficial.

    5. Re:Just always apply hardware access controls. by imgod2u · · Score: 1

      The issue is that you don't *know* whether the memory being fetched is accessible until the data comes back from DRAM. So you can assume all accesses to DRAM are not accessible -- very very poor for performance -- and play it safe. Or assume it's accessible until it comes back from DRAM.

      Of course, during that time you've also launched a whole lot of other memory requests that is speculative. And it doesn't matter that you end up discarding the results from the software interface perspective -- the cache (or other non-software visible hardware states) have changed. And careful timing can reveal those changes.

    6. Re:Just always apply hardware access controls. by Anonymous Coward · · Score: 0

      > I thought that these vulnerabilities were due to processors not applying memory access controls during speculative execution.

      Wrong. That would be borderline gross negligence. Only Intel was that stupid (the associated vulnerability is called "Meltdown").

      >For me personally, I was very surprised to find out that memory access controls could be bypassed at all. Isn't it just a matter of always applying memory access controls? Isn't that why the access control is in the hardware?

      Why don't you read the paper? There's also a Wikipedia article.

      Basically it's a side channel attack. One of the worst vulnerabilities is because of bad cache invalidation in the case of a branch misprediction.

    7. Re: Just always apply hardware access controls. by Anonymous Coward · · Score: 0

      The whole speculative execution things is for people who are unable to write decent code so they whine and cry until someone makes a completely unreliable feature that probably corrupts data (anyone ever check the downsides to the damn thing? No because oh the greatest thing ever we can be sloppy and get rich!) and no serious person would use such a technique

    8. Re:Just always apply hardware access controls. by ctilsie242 · · Score: 1

      I wonder if this is can be mitigated in a hypervisor (Green Hills INTEGRITY, KVM, etc.) Maybe PC makers might be wise to have an onboard hypervisor as a way to limit damage.

    9. Re:Just always apply hardware access controls. by K.+S.+Kyosuke · · Score: 1

      For now, separate processes into security domains and never let two processes from different domains run on the same core. In the future, get rid of that thing and design computer systems that don't require squeezing out every drop of sequential execution speed you possibly can. There doesn't really seem to be a lot of ways of getting rid of that problem.

      --
      Ezekiel 23:20
    10. Re: Just always apply hardware access controls. by Anonymous Coward · · Score: 0

      You can't "avoid" spectre. If you exist in the modern world, even if you stay away from every computing device, your banks and governments still use them. A lot.

    11. Re:Just always apply hardware access controls. by Anonymous Coward · · Score: 0

      You do know if memory is accessible. The hardware memory management that has been available since the 386 (for Intel), knows what physical addresses are mapped to the logical address space. It also has read/write/execute permissions. In modern processors, there is a no-execute bit, etc etc etc. Fundamentally, a process (software) is prevented from reading outside of its address space by the hardware.

    12. Re: Just always apply hardware access controls. by pchasco · · Score: 1

      I am looking forward to your upcoming book on how to write useful, high-performing programs without using conditional branch instructions.

    13. Re:Just always apply hardware access controls. by Anonymous Coward · · Score: 1

      Technically it might be possible to fix but would require the state of all caches and buffers to be restored to the state before speculation started which would defeat the performance gain of speculation.
      So yes, it's impossible.
      The memory access is meltdown and has nothing to do with spectre.

    14. Re:Just always apply hardware access controls. by Anonymous Coward · · Score: 1

      Computers would be slow as dirt. Even branch prediction would have to be thrown out.

    15. Re:Just always apply hardware access controls. by AuMatar · · Score: 1

      Do you want to go back to the computer you used in the early 90s? Because that's what you're going to get if you remove it entirely.As for the idea of not letting different apps share the same core- so you want to get rid of mutltasking? Because you have very few cores compared to the number of processes running. Sharing cores is basically how all multitasking works.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    16. Re:Just always apply hardware access controls. by Anonymous Coward · · Score: 0

      Technically it might be possible to fix but would require the state of all caches and buffers to be restored to the state before speculation started which would defeat the performance gain of speculation..

      Couldn't it simply be flushed to all zeros?

      Why does it need to match what it was before, as long as it isn't what it shouldn't be? All zeros would be enough to prevent data leaks I would think.

    17. Re:Just always apply hardware access controls. by Anonymous Coward · · Score: 0

      It's not that easy: in the name of performance, they perform speculation BEFORE they have the data available to know if the memory can be accessed by the process. If they have to wait until they know if memory can be accessed, they cannot perform speculation in many cases, and that would kill performance.

    18. Re:Just always apply hardware access controls. by Anonymous Coward · · Score: 1

      Not all. Less powerful processors such as the ones in the Raspberry Pi devices, do not perform speculative accesses, and are thus not affected by Spectre.

    19. Re: Just always apply hardware access controls. by Anonymous Coward · · Score: 0

      Writing with zeroes between every access means you havenâ(TM)t cached anything.

    20. Re: Just always apply hardware access controls. by Anonymous Coward · · Score: 0

      The only downside is that some code runs faster. That is exactly the advantage that the security hole exploits.

    21. Re:Just always apply hardware access controls. by radarskiy · · Score: 2

      You have assumed a multicore CPU that does not share the last level cache between cores, which is not necessarily true.

      While I have not a description of a Spectre exploit that specifically involves a multilevel cache, and I have not seen that case specifically rejected either.

    22. Re:Just always apply hardware access controls. by radarskiy · · Score: 1

      "bad cache invalidation"

      Except the "valid" state of a cache line has an actual definition, and the cache line in question actually is valid. No one had ever defined a "Forget we were ever here" request.

      You might think you could just add a method to mark every line you touched during a mispredict as invalid, but now you are open to timing attacks based on cache misses on which lines got evicted in the first place.

    23. Re:Just always apply hardware access controls. by Miamicanes · · Score: 4, Informative

      It's hard to explain without getting EXTREMELY technical, but here's a SOMEWHAT technical explanation:

      Back in "the old days" (6502, 68000, 8086, etc), a specific machine language instruction took a precise, deterministic amount of time to execute... 1 cycle, 2 cycles, 3 cycles, whatever. Always, and without exception.

      Sometime around the AMD K5 (late 90s), we got to a point where the combination of cache and execution-time optimizations used by processors (speculative & out of order execution, cache, etc) made it SEEM like the days of deterministic execution timing were over. You could predict best-case and worst-case execution times for a given block of code, but ACTUAL runtime execution times had become seemingly random when you tried to measure them on an operating system like Windows or Linux.

      It turns out, we were wrong. Execution times were as deterministic as ever... it's just that making sense of their timing had become too complex for humans to understand, so it SEEMED random. Then, "big data" and "machine learning" became common, and people discovered that execution timings weren't nearly as random as humans had come to believe they were.

      Problem #2: due to the state various performance optimizations leave the CPU and its cache in, the amount of time it takes an attempt to do something prohibited to fail varies in subtle ways depending upon the values being protected.

      So... taking advantage of analytics, machine learning, and lots of brute-force hammering & observation, it's possible for attackers to gradually discover the likely values of protected ram and registers. They can't necessarily do it with a single hit... but if they hammer away at something a million times and discover that a particular bit's value seems to be '0' ~70% of the time, and '1' the other 30% of the time... well, the bit's value is probably 0.

      Here's another roughly analogous example: suppose you're attempting to discover the combination to a safe. Suppose the lock is designed to frustrate attempts to listen for pins falling into place by ensuring that EVERY dial position results in the lowering of one pin and the rising of another. HOWEVER... someone discovers that certain unsuccessful combinations produce a slightly different sound than others. Using deep learning techniques, the algorithm predicts that sound #1 indicates a combination that's almost right, while sound #2 indicates a combination that's completely wrong. By rapidly performing a few million experiments with different combinations, the algorithm is able to eliminate 99% of possible combinations, and focus on the 1% it believes are likely to work... and as it continues to experiment, it discovers a THIRD sound variant that appears to exist whenever the third number is equal to 17. By successively setting aside unlikely combinations, it eventually stumbles upon the correct combination to open the safe.

      In security, this kind of problem is well known, and has a solution that generally works well: limit the rate at which an attacker can attempt different combinations. The problem is, that solution goes completely at odds against everything modern CPUs have attempted to accomplish for the past 50 years -- achieve better performance.

      Ultimately, Intel and others are probably going to start making CPUs with a security gradient:

      * The high-performance no-security portion that is designed to maximize performance, but makes no guarantees about security. Basically, "gamer" oriented CPUs will dedicate most of their silicon to this portion.

      * High-performance with minimal security... designed to avoid blatantly leaking data to other processes, but still totally vulnerable to Spectre-type attacks. CPUs targeted to enterprise users will probably dedicate most of their silicon to THIS mode.

      * The slow, separate, secure fortress. Totally separate, with no cache or optimizations at all, designed to guarantee absolutely deterministic execution times from the perspective of an outside observer. Basically, an 80386

    24. Re: Just always apply hardware access controls. by Anonymous Coward · · Score: 1

      The ARMv8 in the rPi most definitly do speculative execution

    25. Re:Just always apply hardware access controls. by K.+S.+Kyosuke · · Score: 1

      Still remember that old joke about Intel and Motorola CPUs? Time to dust if off, perhaps?

      --
      Ezekiel 23:20
    26. Re:Just always apply hardware access controls. by K.+S.+Kyosuke · · Score: 1

      Do you want to go back to the computer you used in the early 90s? Because that's what you're going to get if you remove it entirely

      I'm not really sure that the computer I used in the early 90s had thousands of cores enabled by sub-20nm lithography.

      --
      Ezekiel 23:20
    27. Re: Just always apply hardware access controls. by Anonymous Coward · · Score: 0

      Obviously it will include homomorphic encryption, block chain, and AI.

    28. Re:Just always apply hardware access controls. by Darinbob · · Score: 1

      The side channel attacks do things like measure how long a set of operations take to execute, which gives extra information about what the operations actually did. That can tell you if some relevant data was already in the cache or whether it had to be loaded from RAM. Do the appropriate magic and you can start to deduce things about the contents of memory that you can't see.

      That is, it's a side-channel attack. They're still treating the processor a a black box that you can't peek inside of, but you can still get some information to leak out (shake the box and listen).

      This is complicated stuff though, and some of these things are estimating maybe you can figure out the contents of 2000 bytes a second. The details of the attacks are highly depending upon the exact processor being used.

    29. Re: Just always apply hardware access controls. by Darinbob · · Score: 1

      The Spectre and Meltdown attack proof-of-concepts were for Intel processors, presumably also the clones, and the attacks are based on knowing internal specifics of their highly speculative execution engines. Ie, if you don't use a PC you're automatically a lot safe (though not completely), and if you're using a processor without a speculative execution engine then these attack vectors won't do anything at all. The chips that are vulnerable are very high end CPUs, not the stuff in your microwave or wifi router. Though of course, those processors undoubtedly have their own vulnerabilities, they're just not Spectre or Meltdown.

      The other thing that's important in security is if an attacker can get close or not. I don't worry much about my automobile being hacked because it's not on the internet and would require physical access to compromise it. Similarly, if you're on a PC and you have 100% control over any and all code running on it, then it will be pretty safe (ie, it's not plugged into the internet, you're not shoving in thumbdrives, etc).

      Things start becoming much more susceptible to Spectre or Meltdown once you start letting your browser run random Javascript from the internet, or if you put your product up in the cloud running on just one of many VMs residing on the same physical server.

    30. Re:Just always apply hardware access controls. by ras · · Score: 1

      I thought that these vulnerabilities were due to processors not applying memory access controls during speculative execution.

      Not really. First of all, Spectre is not about the hardware letting you access memory it thinks you don't have permission to access, so memory access controls aren't relevant here. That variant did exist and has another name: Meltdown. Meltdown was a disaster. An Intel hardware bug meant an unprivileged program you could use the Spectre method to read all of kernel memory, even though the Intel CPU manuals said in black and white the hardware would allow that. However, most CPU's (including most Intel CPU's) didn't have this bug.

      Spectre merely allows a program to read it's own memory, which is something every program does and depends on. No hardware I'm aware offers any mechanism for hardware protection inside of what an operating system calls a "process". This is hardly surprising given a process is the finest grain unit of protection offered by both the hardware and operating systems: you can't divide it down any further.

      But that doesn't stop programmers from wanting finer grained protection. An all too common example is when a web browser executes javascript. As the browser doesn't trust the javascript, the software effectively emulates a stripped down "virtual computer" that has been completely defanged and executes the javascript in there. Spectre translates to: despite this javascript being executed in a virtual machine it could potentially read all of the browsers memory that isn't protected by hardware access controls. This paper now says that is impossible to write the software emulators to stop this. In reality its so hard pull off no one has done it so far, so what the paper is really saying is despite how hard it looks now we can never offer an iron clad guarantee someone will not find a way to make javascript access all your web pages and passwords the browser knows about in the future.

      When I read the Spectre paper my first thought was "this means we are going to add hardware features so software can execute untrusted programs securely". Given I thought that I'm pretty sure most people who read and understood it came to the same conclusion as a few minutes of navel gazing. But it was just a guess. Now someone has put in hard yards and confirmed that guess is right.

      There isn't much choice about fixing it. These virtual machines are very common. We depend on them. PHP scripts executing in Apache2, WSGI in a python interpreter, Java apps running in Tomcat, the kernel executing BPF programs, the shell running shell scripts - it's everywhere. The usual approach of the hardware guys is "if it shipped, it's a software problem". The paper is saying: not this time guys.

    31. Re: Just always apply hardware access controls. by Mspangler · · Score: 1

      A 3 GHz Apple IIgs would still be pretty useful. Extend it to 64 bits and add a graphics coprocessor. If these attacks do turn out to be serious issues we might have to take a step back from the current levels of complexity.

    32. Re:Just always apply hardware access controls. by kurkosdr · · Score: 1

      Then the hypervisor might have a bug.

    33. Re:Just always apply hardware access controls. by kurkosdr · · Score: 1

      But until that happens they just have to... sell slower hardware? Good luck explaining to Joe at Best Buy why his new laptop will be slower than the one he has (despite similar form factor and thickness) because something called "vulnerabilities".

    34. Re:Just always apply hardware access controls. by ctilsie242 · · Score: 1

      True. However, it is about risk management. A hypervisor has a smaller attack surface than a general purpose OS. Yes, there are bugs in hypervisors, but generally a lot fewer.

    35. Re:Just always apply hardware access controls. by DontBeAMoran · · Score: 1

      Because "Security". Joe at Best Buy knows that security always slows things down (driving, airport, etc).

      --
      #DeleteFacebook
    36. Re:Just always apply hardware access controls. by kurkosdr · · Score: 1

      Still, good luck convincing Joe that an ultrabook should revert to running like a 386, when someone else (be it Via or some Chinese company, if both Intel and AMD hypothetically agree to not use speculative execution or use it in significantly diminished capability) offers the performance Joe has come to expect or close to it. Which begs the question, should the government regulate on such things?

    37. Re:Just always apply hardware access controls. by Anonymous Coward · · Score: 0

      Thank you sir. This was truly enlightening

  3. Sounds false, overconfident, and trendy & chil by Seven+Spirals · · Score: 1

    Some people are always trying to poo-poo old technology. I suspect this is a play to act like every CPU made before yesterday is no good. "Sorry folks, you're going to have to turn on all those old computers we can't control^H^H^H Uh, I mean, those vulnerable systems for your own safety." That or so some smug security weenie can sit and smirk pointing to some ridiculous "researcher" saying "it's impossible to prevent". I just think there may be more going on here than just "old stuff sucks"

  4. gimme that old 6502 by fat+man's+underwear · · Score: 2

    maybe make it run at a few 100 MHz, or upgrade to the 65816 architecture.... I think I'd rather have that.

    1. Re:gimme that old 6502 by DontBeAMoran · · Score: 1

      Isn't the 68000 series immune to all this bullshit? The 68040 is better than the 65816, isn't it?

      --
      #DeleteFacebook
    2. Re:gimme that old 6502 by Seven+Spirals · · Score: 1

      Not in the 040 but in the 060, yes. Check out how the branch cache works and the timings for branches. The branch prediction is like the static prediction in the 68040 where previous branch targets are assumed occupied because they are probably loops and new targets are assumed unoccupied. When the 060 sees a branch for the first time in order to aid in dynamic prediction it creates an entry in the branch cache. However, I don't know enough about the engineering they did to know if it's definitely vulnerable. Speculative execution as a concept is a bit risky anyway if you ask me.

    3. Re:gimme that old 6502 by Rockoon · · Score: 1

      65816 is only a 16 bit processor. Famous for a variant used in old nintendo consoles, first appearance is actually the Apple IIgs.

      Several IIgs technologies had re-emerged after the IIgs faded, the first being the 65816 CPU used in later consoles, and the other was the Ensoniq DOC2 audio chipset which eventually found itself in the Gravis UltraSound (GUS) as the GF1 (actually based on the DOC3 chipset)

      But honestly, 16-bit... is a non-starter, and in fact 32-bit is also a non-starter.

      I would gladly trade the speculative execution die area for directly useful instructions. Modulo-2 8x8 matrix (64 bits) and 8x1 vector (8 bits) multiplication / transformation are instructions every 64-bit architecture should have, but seemingly only theoretical ones do (MMIX)

      --
      "His name was James Damore."
    4. Re:gimme that old 6502 by Seven+Spirals · · Score: 1

      I agree, gimme more SIMD and you can kept branch prediction.

    5. Re:gimme that old 6502 by Anonymous Coward · · Score: 0

      Congratulations, you already have one! It sounds like you want a GPU so just look on your graphics card and get the CPU you always wanted.

      dom

    6. Re:gimme that old 6502 by dryeo · · Score: 1

      Work did start on the 65832, but with Apples disinterest, stopped.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    7. Re:gimme that old 6502 by Seven+Spirals · · Score: 1

      Too late, Coward. I've already discovered that (hence my comment about DSL languages and shaders), but thanks for the snide remark, assface.

  5. Re:Sounds false, overconfident, and trendy & c by Fly+Swatter · · Score: 1

    I just think there may be more going on here than just "old stuff sucks"

    Arrogance.

  6. It's not a problem if you don't run unsigned code by slashkitty · · Score: 1, Insightful

    We need to get away from this unsigned, unreviewed, wild code (like javascript) running on your machines. Lock it down and stuff like this won't be a problem.

    --
    -- these are only opinions and they might not be mine.
  7. INTEL OWES ME MONEY by Anonymous Coward · · Score: 0

    Until I get a cheque for the hundreds of Intel chips I paid for with wide open backdoors for the NSA and nowhere near the promised speed - INTEL OWES ME MONEY.

    PAY UP YOU FUCKERS!

  8. Oooh breaking news by Anonymous Coward · · Score: 0

    Well Duh, its a CPU hardware flaw, can't redesign a CPU with firmware or a OS fix. You can mitigate a threat of which I know of no threat around as yet. Eventually I figure CPU's will overcome this by not requiring it because they will add more cores, and make speculative execution something that won't be needed.

    1. Re:Oooh breaking news by AuMatar · · Score: 3, Informative

      Inifinite cores wouldn't make speculative execution not needed. Speculative execution exists because you're trying to do things sequentially. Putting another core in there won't speed it up in any fashion- to avoid speculation you have to wait until the branch is determined. You could remove speculative execution and the optimization it provides, but yo'll end up with a FAR slower processor as your core will be idle from the beginning of a branch statement until its done- putting in a lot of noops into the pipeline. The deeper the pipeline in the architecture, the worse it will be.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    2. Re:Oooh breaking news by Anonymous Coward · · Score: 0

      More cores and ALL RAM onboard. This would kill most if not all timing attacks since the ram would be running at speed with the core and be right there. Do away with L2/L3 cache, and problem solved.

    3. Re:Oooh breaking news by dryeo · · Score: 1

      Running every process on its own core, with its own cache might help. Could even have each process with a few cores sharing cache for multiple threads.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    4. Re:Oooh breaking news by AuMatar · · Score: 1

      No, it absolutely wouldn't. Because you'd still have to wait for the result of every possibly branching instruction in order to execute the next. Having a billion cores per app won't fix that.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    5. Re:Oooh breaking news by dryeo · · Score: 1

      I'm probably getting my vulnerabilities mixed up but my understanding is one process spying on anthers cache misses and hits so sandboxing would help.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
  9. Software can Mitigate, it may not be able to cure. by jellomizer · · Score: 1

    Having handrails will help mitigate people from dying from falling down the stares. It doesn't stop it, or even prevent it. It is just a tool to help regain balance after you have lost your step.

    Software can Mitigate the problem, by catching the most common and easiest calls to cause the issue.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  10. Re:It's not a problem if you don't run unsigned co by bigpat · · Score: 2

    We need to get away from this unsigned, unreviewed, wild code (like javascript) running on your machines.

    Lock it down and stuff like this won't be a problem.

    Systems for whitelisting apps and websites can help. But then the problem just shifts to how much do you trust whichever app stores or website whitelists you are using which are basically the same thing as a signing system. I mean I try to be careful about which apps I download, but if you want your computer to be a general purpose computer then you have to have some flexibility to run unsigned code. As a developer that often means my own code. Otherwise it is an appliance.

  11. Re:It's not a problem if you don't run unsigned co by Rockoon · · Score: 2

    We need to get away from this unsigned, unreviewed, wild code

    As a representative of programmers everywhere, can you kindly take your idea and go fuck yourself?

    --
    "His name was James Damore."
  12. Bad time for Intel CPUs by bangular · · Score: 4, Interesting

    I'll be the first to admit this isn't my area of expertise. But after following these developments peripherally, I've been holding off buying a new desktop for awhile.

    It seems like Intel has bumbled this at every step. They've put out a lot of misinformation causing a lot consumer confusion. It seems like every time they exclaim "it's fixed!" researchers say that's not the case. I'm assuming at this point we're probably at least a couple of CPU generations away from Intel fixing this properly.

    On top of that, they've also been fighting the 10nm battle. More empty promises and missed deadlines on that front as well.

    When I compare my current aging Intel system to single thread performance of the latest generation, it just doesn't justify the cost. AMD claims Zen 2 will fix all their problems. If they deliver, I will probably switch back to AMD. Intel burned a lot of goodwill in the past few years.

    1. Re:Bad time for Intel CPUs by Fly+Swatter · · Score: 2

      So far, it has only been 'successfully' exploited in tightly controlled lab conditions. If you ask me, and no one did, it has been a way overblown risk by researchers; then fixes were hurriedly attempted with way too little testing; now researchers are saying 'it is still not fixed' and 'it can't be fixed', once again blowing the actual risk for us simple consumers way out of proportion.

      In the server and cloud world there might be a legitimate risk at some point, once we actually see an exploit in the wild then It would be time to panic - until then those of us using computers for single user tasks are burdened with all this FUD and slower performance unless we actively turn off the (according to researchers) still broken mitigation.

      If you can wait to buy until you need instead of want, that is always prudent for computer upgrades.

    2. Re:Bad time for Intel CPUs by Anonymous Coward · · Score: 1

      If they deliver, I will probably switch back to AMD. Intel burned a lot of goodwill in the past few years.

      Just keep in mind that *any* CPU design that uses speculative execution is fundamentally and unavoidably vulnerable to such attacks.
      That includes AMD as well as Intel.

      So if you're switching due to disliking Intel as a company more than AMD as a company, that's all good and well.
      If you're switching under the assumption only Intel CPUs do speculative execution and are vulnerable, you won't be solving any problems.

      The unfortunate fact of the matter is raw instruction execution speed in CPUs isn't increasing leaps and bounds like in the recent past. Very little so in the past decade.
      So other means are employed to run software faster.

      Parallelism helps a great deal when the task is suitable to be split up, or when you just have a very large number of different tasks.

      For tasks that don't naturally split well, or a programmer just didn't make it that way, lots of tricks and hacks are used so parallelism can help speed up a traditional single-threaded single-process step by step sort of task.

      Speculative execution, and more a specific type of it called branch prediction, is one of those tricks.
      The hardware knows the road up ahead can go many directions, but which path to take depends on a result it doesn't know yet, it uses parallelism to walk down many of those paths all at the same time, and once it does have said result and knows which path was right, it already has a huge head start.

      In some cases it takes all the non-correct paths it went down and just forgets that ever happened.
      Not cleaning up after itself was a big problem but an easy one to fix.
      Turns out just the act of taking all these paths and which get cleaned up can also tell you (or malware) a lot about what is going on.

      Taking all those paths needs to store the results in memory, usually a cache somewhere, but even then it turns out you can 'process of elimination' figure out the right data by looking at what was discarded.

      In more rare attacks, even without trying to look at memory directly, you can tell what bits get flipped just by the timing when these paths are walked, and in other rare cases you can figure out what bits are where and right/wrong just by paying attention to the power draw being used to actually do that work.

      Speculative execution is pretty flawed, with new ones found seemingly every day.
      But getting rid of it entirely would set us back to the Pentium 1 and 2 days, where a 400mhz chip was priced out of most peoples reach and was the peak of performance, where most of our $1k usd processors ran 100mhz.

      That's a HUGE cost. One not everyone would even be willing to pay.

      But if you are wanting to build a new PC without speculative execution vulnerabilities in it, go fish a 486 or sparc out of the trash and go to town. Waiting may only give you less options as such hardware becomes more rare.

    3. Re:Bad time for Intel CPUs by thegarbz · · Score: 2

      Let me start by defending Intel before turning this around. Speculative execution attacks are extremely difficult to execute in any constructive way without detailed targeted knowledge and access to the machine. As yet there's no known case of it actually being used and with very good reason: Pretty much every other security exploit is easier and more effective to execute with the exception being attacking a VM from another VM. Spectre / Meltdown really shouldn't come into consideration when buying a CPU unless you're running a cloud VM service or securing your country against a foreign state.

      Now on the flip side there already is no reason to go Intel, not when cost plays any part. The performance difference between Intel and AMD do not justify the costs. Where Intel exceeds in single thread performance you need an extreme edge case (e.g. pro gaming) to justify the cost. Where Intel exceeds in multi-core there pretty much is zero justification to chose Intel over a Ryzen or a Threadripper for cost, again edge cases such as a requirement to process AVX heavy loads not withstanding.

      On the high end threadripper even offers far more in terms of I/O including on core RAID and enough PCIX lanes to actually make a difference, something that Intel will offer on Xeons only if you spend even more money on additional frigging dongles.

    4. Re:Bad time for Intel CPUs by lkcl · · Score: 3, Insightful

      I'm assuming at this point we're probably at least a couple of CPU generations away from Intel fixing this properly.

      unfortunately, it's much wose than the press is making out. i've had to investigate this in-depth as part of the design of the libre-riscv soc, because we criically rely on out-of-order execution for the vectorisation. i was shocked to learn that even in-order systems are potentially vulnerable to timing attacks.

      the first thing that people need to get absolutely clear: spectre was *just the first* in a *class* of timing attacks that opened researchers and hardware designers eyes to a blind-spot in computing architectures.

      the definition of a timing attack is as follows: one instruction may affect the completion time of past OR future instructions through resource starvation / contention, OR through state not being reset after use to a known uniform initial state.

      the FIRST spectre attacks were against memory and caches, on speculative designs.

      however it is perfectly possible, for example, for a multi-issue IN-ORDER system to have insufficient numbers of register ports, such that a certain unique combination of instructions may be arranged by an attacker to starve future instructions of the ability to complete instructions in a uniform time... and REQUIRE that they stall.

      by forcing instructions to stall, that is the very DEFINITION of a timing attack.

      against an *IN-ORDER* design.

      now, it is possible to put in place certain speculation mitigation barriers in hardware, however these barriers *ONLY* occur at interrupts, exceptions and, at a software / OS level, on "context switches". hence the reason why this paper says that no matter what hardware designers try to do, *intra-process* attacks simply CANNOT be mitigated without moving to an *INTER*-process software security model.

      FastCGI is toast, basically.

      there is a solution, and it's going to require a massive world-wide campaign to introduce a concept to the entire computing software world: the creation of intra-process speculation barriers. if we wish to keep using FastCGI, and if we wish to keep using Firefox and python-gevent (the single-process paradigm), we *need* a hardware instruction that "quiesces" internal state *AS IF* the hardware had just made a context-switch, terminating all speculative execution, resetting all internal state and so on.

      one way in which that may be possible to do in an out-of-order system that does not have such hardware-assisted in-process speculation barrier instructions is to issue about a hundred NOPs. the back-lash against doing so will be extreme, however it's not like there's much of a choice, here.

      bottom line is: this has been a major, major oversight by the entire computing industry for over 25 years. it's a problem *across the entire industry*, not just Intel, not just AMD, it's *everybody*. it's not going to be fixed in a couple of hardware revisions by one company.

    5. Re:Bad time for Intel CPUs by dryeo · · Score: 1

      Speculative execution is pretty flawed, with new ones found seemingly every day.
      But getting rid of it entirely would set us back to the Pentium 1 and 2 days, where a 400mhz chip was priced out of most peoples reach and was the peak of performance, where most of our $1k usd processors ran 100mhz.

      That's a HUGE cost. One not everyone would even be willing to pay.

      But if you are wanting to build a new PC without speculative execution vulnerabilities in it, go fish a 486 or sparc out of the trash and go to town. Waiting may only give you less options as such hardware becomes more rare.

      The first generation Atom had no speculative execution and while it did dispatch executions at about the same speed as a Pentium, it ran much faster, had simd instructions and was cheap.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    6. Re:Bad time for Intel CPUs by Anonymous Coward · · Score: 0

      Thanks, well-phrased.

  13. Google just wants UNIX out of their cloud by old_dirty_unidef · · Score: 1

    They want GOOGLE Cloud not FreeBSD cloud or Linus' Cloud Spectre can be mitigated by implementing a move operation that moves central data to a cloud then fails, then recovers using self repairing techniques, then defaults back to a node. I dont know much about hacking though

  14. Re:It's not a problem if you don't run unsigned co by Anonymous Coward · · Score: 0

    Why? Why do you need to run code on my machine? Why should I be required to trust you to run code when it's not necessary?

    The web worked just fine - better, in fact - before JavaScript infected browsers. You didn't have to worry about "drive-by malware" in the old days of the web, because it just wasn't possible.

    Why should I allow unsigned, unreviewed, unverified, and ultimately untrusted code on my browser? Because Rockoon says so?

  15. Not entirely true but mostly true. by Gravis+Zero · · Score: 1

    If you are executing someone else's code natively on the CPU then it's true that it cannot be fully secured. However, if you execute (JavaScript) code through an interpreter engine rather than using JIT/dynamic recompilation engine then it is by default that spectre cannot be accessed. However, this would be throwing years of effort away in making JavaScript fast so that advertisers can exploit you easier without you noticing the slower execution speed. For this reason, the safest and simplest JavaScript engine is out of our reach which in turn has lead to the internet becoming a horrible mess of evil JavaScript, exploiting us at every turn.

    TL;DR: STOP REQUIRING JIT, YOU ASSHOLES BECAUSE IT'S FUCKING UP EVERYTHING.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Not entirely true but mostly true. by Anonymous Coward · · Score: 0

      getting rid of jit would also allow disabling execution from writable pages.

  16. Intel chips broken by design by Anonymous Coward · · Score: 0

    This is an INTEL flaw, introduced when Intel was way behind AMD (AMD had just invented true dual core and AMD64, now x64 used by all current x86 chips from both Intel and AMD). Intel had Netburst, a very long pipeline architecture shilled by outltes like Slashdot at the time (the race to 10GHz).

    Intel hd to go back to the architecture of the Pentium 3, which it merged with AMD's (then) latest tech (legal via cross patent agreements). But Intel deliberately missed out thread memory access protection- the LOCK and KEY hardware that gives each thread a unique id used to 'unlock' access to memory belonging to that thread- hence SPECTRE and other problems today.

    By refusing to implement thread security, Intel chips used less power, could clock faster, and have lower memory latency- ALL advantages that meant Intel CPUs ruled over AMD ones till AMD Ryzen.

    AMD always implemented hardware 'lock and key' thread security.

    Today Slashdot shills the idea of a 'universal' CPU problem that in reality only applies to Intel (AMD's Ryzen parts have no proven practical vulnerabilities that can actually work in the real world). Intel pays generously for this shilling.

    AMD's coming Zen2 (not to be confused with the already released Ryzen 2) later this year finishes off Intel for good- but Intel still sits on a mountain of cash which will be used to pay for more fake news articles of this form.

    1. Re:Intel chips broken by design by viperidaenz · · Score: 1

      The shills Intel pay at AMD?
      https://www.amd.com/en/corpora...
      They admit there are hardware issues and that page describes which software mitigations are required.
      ARM have also admitted all of their speculative execution cores are vulnerable to some of the spectre attacks.

    2. Re:Intel chips broken by design by AHuxley · · Score: 1

      But we needed that CPU power for 4K and 6K and 8K games.

      --
      Domestic spying is now "Benign Information Gathering"
  17. Re:It's not a problem if you don't run unsigned co by Anonymous Coward · · Score: 0

    Spoken like a truly computer illiterate.

  18. Re:Software can Mitigate, it may not be able to cu by RuiFRibeiro · · Score: 1

    If the examples of the successive failed patches are anything to judge, software it not the solution. But any person with half a brain knows that from day one.

  19. So, one computer per user then by presidenteloco · · Score: 1

    or more precisely, per security principal.

    I for one welcome our new architectural overlords, that is, whoever can make an efficient multi-core, multi-cache,.... multi-everything architecture, perhaps that only shares over high-level interfaces over fibre connections, or whatever.

    And I guess those high-level physical interfaces will have to include timing randomization "chaff".

    --

    Where are we going and why are we in a handbasket?
    1. Re: So, one computer per user then by Anonymous Coward · · Score: 0

      Actually need one computer per process. That stops the sideband attack.

  20. Re:It's not a problem if you don't run unsigned co by Anonymous Coward · · Score: 0

    He's right, even if you don't like it.

  21. The irony by OneHundredAndTen · · Score: 3, Interesting

    And the much-maligned, all-but-dead Itanium is immune to Spectre. Fancy that.

    1. Re:The irony by thereddaikon · · Score: 1

      Spectre effects any processor with branch prediction. Itanium has branch prediction therefor it isn't immune.

    2. Re:The irony by Anonymous Coward · · Score: 0

      Not true, but even if it were, as if that gives everything else that was wrong with IA-64 a pass.

  22. The Cloud has rained by KlomDark · · Score: 1

    Best for security if everyone backs off from multi-tenant cloud servers for now. It was a nice try, but too insecure.

  23. Re:It's not a problem if you don't run unsigned co by Anonymous Coward · · Score: 0

    Why? Why do you need to run code on my machine?

    Because otherwise my website's adverts won't render right on your computer.

    Why should I be required to trust you to run code when it's not necessary?

    Go on, turn off javascript in your browser. I agree that it ought not be necessary, but in current practice, it is.

    The web worked just fine - better, in fact - before JavaScript infected browsers.

    Marginally better. Browsers were very shitty before javascript, but it certainly hasn't made them less shitty.

    You didn't have to worry about "drive-by malware" in the old days of the web, because it just wasn't possible.

    That's not automatically true. It's not exactly difficult to cause an entity bomb and hey maybe your browser happens to have a buffer overflow that can be triggered that way. I would guess that if you went and looked for them, you can find plenty of exploitable holes in old browsers. And there's the exploits in various libraries browsers tend to use, like those used to decode pictures in various formats. Some of those have had vulnerabilities in them too.

    Why should I allow unsigned, unreviewed, unverified, and ultimately untrusted code on my browser? Because Rockoon says so?

    Signing is no guarantee of review, verification, or trust. All it does is give the keys to your kingd^Wcomputer away to some third party and provide a nice goose with golden eggs to the rootCA operators.

    Review is no guarantee either, see "underhanded C contest". Verification means what, exactly? Someone held up a photo to a phone running a "verification app" that caused some shmuck faraway to take a look, squint a little, and push an "approved" button? Does this "trust" thing hold up to anything in your world?

    So I agree that javascript in the browser is a bad idea, as are many similar ideas like java or flash in the browser or VBA in redmond office documents, autostart files on external media, and so on, and so forth.

    I violently disagree that code signing will solve anything here. The correct fix is to simply stop executing code from untrusted sources, and "random website" or "incoming file" are both untrusted sources. So turn off that javascript in your browser and complain to each and every webmaster that their shitty website doesn't work properly or at all in javascript-free browsers. Then get all of your friends to do the same. But for $DEITY's sake, forget about that signing boondoggle.

  24. Industry bumbled, Intel is just the biggest. by Anonymous Coward · · Score: 1

    The fundamental flaw dates all the way back to the Power 1 processor/architecture from the early 1990s. Intel didn't come to the party until 1996 (the chip was in development sometime before that, likely after 1991 or 1992 when the Pentium engineering samples would've first been released.) Even in that case the problem doesn't reveal itself until you have single package cache-coherent processors, which limits practical application of these flaws to Hyperthreaded pentium 4s, Core series processors, and later. Still a major issue, but between the power guzzling of the P4s and the Intel ME of the late Core2 and later chips, it isn't that common of an issue. Furthermore any dual-package chips, like the Core2Quads can have this problem fully mitigated by only running kernel code on one pair of cores, and only running user mode code on the other physical die with pauses in place for the companion core during sensitive function calls. Alternatively at an original Celeron-like level of performance reduction, you can disable l2/l3 cache and only run with the L1, which will make cache hits much less likely and much harder to trigger. Combine these with powersaving reclocking and kernel mode process statistics and it should be easy to notice a rogue process trying to sidechannel attack and either shut it down, or reduce its process priority enough to make its chances of coherent data recovery minimal.

    Having said this, I still think it is a huge bug. I think with REAL access to Intel ME by developers/end users a lot of it could be mitigated (since you could push sensitive crypto operations to the ME core at the expense of speed, and properly isolate that data from the cache.)

    Really though, this is just a call for fully open source audited and user controlled crypto processors outside of the general purpose cpu. These attacks are primarily useful for recovering authentication materials, which are short and retained in memory in a clear format. While other sensitive data COULD be leaked, practically speaking most of it won't be retained in memory in a cache coherent form long enough for it to matter.

    As far as AMD and Ryzen goes: the same speculative execution issue applies. It *MIGHT* not apply to Power 8/9 if they really do support disabling speculative execution as one of the boot time processor straps, however Intel has never provided that feature, nor has AMD. Personally Intel ME, ARM TrustZone, and AMD's Secure Processor (Another TrustZone secure enclave implementation, along with Intel ME style motherboard or system management features) is a far bigger security concern to me. I have no way of auditing the code or mitigating the risk. With Spectre flaws, as long as you verify code running on your system or limit timing information such that the code can't get accurate timing statistics back, the problem is limited in scope. However with the proprietary management engines we are barred from looking at the inner works and from Right to Repair style replacement of the code when it is shown to be faulty and the manufacturer refuses to provide a replacement, some of which may be implementation (motherboard or cpu) specific and thus beyond the scope of their reference implementations.

    Until all our processors go back to being cryptographically unsigned, our bios chips go back to being read-only without the manual choice of enabling a bios write jumper (this was broken back at the beginning of the move to SPI bios chips, which now default to writeable unless both the software running on the system tells it to go into read only mode, as well as the strap pin on the SPI chip package... which can be voltage glitched from within many systems to reset it and allow writing, requiring either the SPI chips themselves to be fixed, or the chip interfacing to them to perform write protection itself, which is what intel did with its later chipsets, leading to the Ibex Peak and later processors having unwriteable memory ranges that could only be updated with signed bios updates that were uploaded either during system initialization or copied from the OS into an unprotected memory range and then verified and installed to the protected ranges during next boot.

  25. Internet of Things will have issues like this by shayd2 · · Score: 1

    This is the sort of thing that scares me about IoT. What happens when the processor in my desk lamp has an unpatchable hardware bug? I doubt that I'll be able to replace just the processor.

    Of course, PATCHING an IoT object has it's own issues. How do I control who (and when) does the patching.

  26. No, it's one per security principal by presidenteloco · · Score: 1

    because presumably, a security principal trusts itself not to spy on itself.

    --

    Where are we going and why are we in a handbasket?
  27. Re:It's not a problem if you don't run unsigned co by Anonymous Coward · · Score: 0

    so any site that presents a valid SSL cert can't/won't hack your machine... yeah

  28. Re:It's not a problem if you don't run unsigned co by david_thornley · · Score: 1

    Okay, use Firefox with NoScript. That prevents all scripts from running, unless you allow them by domain.

    Go ahead and use the web without enabling anything. Find anything you can use? Anything?

    If you don't want to allow unsigned, unreviewed, unverified, and untrusted code in your browser, you can. No problem.

    Now try to do anything on the web.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  29. Re:Software can Mitigate, it may not be able to cu by jellomizer · · Score: 1

    Never stated it was the solution. Just mitigation.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  30. Re:It's not a problem if you don't run unsigned co by Anonymous Coward · · Score: 0

    I'm still in this mindset. I remember a time when one of the first common sense security practices was to disable JS in your browser if JS was supported.

    Now, so much is passed to the client to save server side processing/execution time, you can't even render basic views of a page without piles of JS and the vast majority of it is completely unneeded, at least for the consumer.

    While there is a certain admirable degree of convenience of running more sophisticated applications right in a browser, it's always been a security risk no matter how clever and sophisticated JS engines tried to isolate and sandbox the untrusted code. Certain modern expectations of UIs handled by JS could be extracted into CSS/HTML standards that are implemented by browsers (trusted code) without too much sacrifice.

  31. Re:It's not a problem if you don't run unsigned co by Anonymous Coward · · Score: 0

    The reason this is the case is because people accepted it. In most cases, people accepted it out of pure ignorance of the technical details behind the scene. If the vast majority of people around understood the technical details, trade offs, and then refused to run random embedded JS, you'd find the web looks quite different than it does now by simply disabling JS.

    While a situation or state of affairs may be the current circumstantial case, that situation or state of affairs is not guaranteed to remain unchanged. I feel like most the people in arms protecting JS are heavily invested in JS development. I rarely need or use JS (in a sense that I can be happy with pure HTML5/CSS3 pages, obviously I use JS constantly if you go to any modern website). However, just about everything I expect from a website can be handled entirely without JS (but instead, its littered with it).