Google Researchers Say Software Alone Can't Mitigate Spectre Chip Flaws

A group of researchers say that it will be difficult to avoid Spectre bugs in the future unless CPUs are dramatically overhauled. From a report: Google researchers say that software alone is not enough to prevent the exploitation of the Spectre flaws present in a variety of CPUs. The team of researchers -- including Ross McIlroy, Jaroslav Sevcik, Tobias Tebbi, Ben L Titzer and Toon Verwaest -- work on Chrome's V8 JavaScript engine. The researchers presented their findings in a paper distributed through ArXiv and came to the conclusion that all processors that perform speculative execution will always remain susceptible to various side-channel attacks, despite mitigations that may be discovered in future.

I for one am....

[fluffernutter]

....not surprised.

Re:I for one am....

... actually quite surprised.

Software engineers admitting something cannot be just fixed in software? Astounding.

Re:I for one am....

[Darinbob]

I am. Though maybe it's just bad technology reporting. When they say "all processors that perform speculative execution will always remain susceptible" there's something wrong being reported. They should add in that this does not mean ALL processors (past, present, future, and from any vendor), and should end with "unless processors are redesigned."

Reading the summary as-is literally, it is disgreeing with itself.

Just always apply hardware access controls.

[KirbyCombat]

Is my understanding not correct? I thought that these vulnerabilities were due to processors not applying memory access controls during speculative execution. For me personally, I was very surprised to find out that memory access controls could be bypassed at all. Isn't it just a matter of always applying memory access controls? Isn't that why the access control is in the hardware?

Re:Just always apply hardware access controls.

[kurkosdr]

Well the hardware implementation was buggy, so you can bypass it after all. And since you cannot patch hardware (unless the patch is disabling speculative execution altogether and making all the affected hardware much slower) people try to find all kinds of workarounds to mitigate the issue.

Re:Just always apply hardware access controls.

[DontBeAMoran]

Is it even possible, though? That's like trying to make a turd sandwich taste good.

Maybe they should go back to the drawing board and find something better than speculative execution.

Re:Just always apply hardware access controls.

[msauve]

But the summary claims "...all processors that perform speculative execution will always remain susceptible...". That's a blanket statement which covers all processors, existing or future.

Re:Just always apply hardware access controls.

[suutar]

As I recall, the problem is that speculative execution alters the state of the CPU and its cache, and there are ways to determine information about that state afterwards that don't involve violating memory access restrictions, like "hey, loading that address didn't take as long as expected, something must've pulled it into the cache already" - that sort of thing. So the question is how much can they make the state act like the speculative execution never happened without actually reaching the point that speculative execution isn't beneficial.

Re:Just always apply hardware access controls.

[imgod2u]

The issue is that you don't *know* whether the memory being fetched is accessible until the data comes back from DRAM. So you can assume all accesses to DRAM are not accessible -- very very poor for performance -- and play it safe. Or assume it's accessible until it comes back from DRAM.

Of course, during that time you've also launched a whole lot of other memory requests that is speculative. And it doesn't matter that you end up discarding the results from the software interface perspective -- the cache (or other non-software visible hardware states) have changed. And careful timing can reveal those changes.

Re:Just always apply hardware access controls.

[ctilsie242]

I wonder if this is can be mitigated in a hypervisor (Green Hills INTEGRITY, KVM, etc.) Maybe PC makers might be wise to have an onboard hypervisor as a way to limit damage.

Re:Just always apply hardware access controls.

[K.+S.+Kyosuke]

For now, separate processes into security domains and never let two processes from different domains run on the same core. In the future, get rid of that thing and design computer systems that don't require squeezing out every drop of sequential execution speed you possibly can. There doesn't really seem to be a lot of ways of getting rid of that problem.

Re: Just always apply hardware access controls.

[pchasco]

I am looking forward to your upcoming book on how to write useful, high-performing programs without using conditional branch instructions.

Re:Just always apply hardware access controls.

Technically it might be possible to fix but would require the state of all caches and buffers to be restored to the state before speculation started which would defeat the performance gain of speculation.
So yes, it's impossible.
The memory access is meltdown and has nothing to do with spectre.

Re:Just always apply hardware access controls.

Computers would be slow as dirt. Even branch prediction would have to be thrown out.

Re:Just always apply hardware access controls.

[AuMatar]

Do you want to go back to the computer you used in the early 90s? Because that's what you're going to get if you remove it entirely.As for the idea of not letting different apps share the same core- so you want to get rid of mutltasking? Because you have very few cores compared to the number of processes running. Sharing cores is basically how all multitasking works.

Re:Just always apply hardware access controls.

Not all. Less powerful processors such as the ones in the Raspberry Pi devices, do not perform speculative accesses, and are thus not affected by Spectre.

Re:Just always apply hardware access controls.

[radarskiy]

You have assumed a multicore CPU that does not share the last level cache between cores, which is not necessarily true.

While I have not a description of a Spectre exploit that specifically involves a multilevel cache, and I have not seen that case specifically rejected either.

Re:Just always apply hardware access controls.

[radarskiy]

"bad cache invalidation"

Except the "valid" state of a cache line has an actual definition, and the cache line in question actually is valid. No one had ever defined a "Forget we were ever here" request.

You might think you could just add a method to mark every line you touched during a mispredict as invalid, but now you are open to timing attacks based on cache misses on which lines got evicted in the first place.

Re:Just always apply hardware access controls.

[Miamicanes]

It's hard to explain without getting EXTREMELY technical, but here's a SOMEWHAT technical explanation:

Back in "the old days" (6502, 68000, 8086, etc), a specific machine language instruction took a precise, deterministic amount of time to execute... 1 cycle, 2 cycles, 3 cycles, whatever. Always, and without exception.

Sometime around the AMD K5 (late 90s), we got to a point where the combination of cache and execution-time optimizations used by processors (speculative & out of order execution, cache, etc) made it SEEM like the days of deterministic execution timing were over. You could predict best-case and worst-case execution times for a given block of code, but ACTUAL runtime execution times had become seemingly random when you tried to measure them on an operating system like Windows or Linux.

It turns out, we were wrong. Execution times were as deterministic as ever... it's just that making sense of their timing had become too complex for humans to understand, so it SEEMED random. Then, "big data" and "machine learning" became common, and people discovered that execution timings weren't nearly as random as humans had come to believe they were.

Problem #2: due to the state various performance optimizations leave the CPU and its cache in, the amount of time it takes an attempt to do something prohibited to fail varies in subtle ways depending upon the values being protected.

So... taking advantage of analytics, machine learning, and lots of brute-force hammering & observation, it's possible for attackers to gradually discover the likely values of protected ram and registers. They can't necessarily do it with a single hit... but if they hammer away at something a million times and discover that a particular bit's value seems to be '0' ~70% of the time, and '1' the other 30% of the time... well, the bit's value is probably 0.

Here's another roughly analogous example: suppose you're attempting to discover the combination to a safe. Suppose the lock is designed to frustrate attempts to listen for pins falling into place by ensuring that EVERY dial position results in the lowering of one pin and the rising of another. HOWEVER... someone discovers that certain unsuccessful combinations produce a slightly different sound than others. Using deep learning techniques, the algorithm predicts that sound #1 indicates a combination that's almost right, while sound #2 indicates a combination that's completely wrong. By rapidly performing a few million experiments with different combinations, the algorithm is able to eliminate 99% of possible combinations, and focus on the 1% it believes are likely to work... and as it continues to experiment, it discovers a THIRD sound variant that appears to exist whenever the third number is equal to 17. By successively setting aside unlikely combinations, it eventually stumbles upon the correct combination to open the safe.

In security, this kind of problem is well known, and has a solution that generally works well: limit the rate at which an attacker can attempt different combinations. The problem is, that solution goes completely at odds against everything modern CPUs have attempted to accomplish for the past 50 years -- achieve better performance.

Ultimately, Intel and others are probably going to start making CPUs with a security gradient:

* The high-performance no-security portion that is designed to maximize performance, but makes no guarantees about security. Basically, "gamer" oriented CPUs will dedicate most of their silicon to this portion.

* High-performance with minimal security... designed to avoid blatantly leaking data to other processes, but still totally vulnerable to Spectre-type attacks. CPUs targeted to enterprise users will probably dedicate most of their silicon to THIS mode.

* The slow, separate, secure fortress. Totally separate, with no cache or optimizations at all, designed to guarantee absolutely deterministic execution times from the perspective of an outside observer. Basically, an 80386

Re: Just always apply hardware access controls.

The ARMv8 in the rPi most definitly do speculative execution

Re:Just always apply hardware access controls.

[K.+S.+Kyosuke]

Still remember that old joke about Intel and Motorola CPUs? Time to dust if off, perhaps?

Re:Just always apply hardware access controls.

[K.+S.+Kyosuke]

Do you want to go back to the computer you used in the early 90s? Because that's what you're going to get if you remove it entirely

I'm not really sure that the computer I used in the early 90s had thousands of cores enabled by sub-20nm lithography.

Re:Just always apply hardware access controls.

[Darinbob]

The side channel attacks do things like measure how long a set of operations take to execute, which gives extra information about what the operations actually did. That can tell you if some relevant data was already in the cache or whether it had to be loaded from RAM. Do the appropriate magic and you can start to deduce things about the contents of memory that you can't see.

That is, it's a side-channel attack. They're still treating the processor a a black box that you can't peek inside of, but you can still get some information to leak out (shake the box and listen).

This is complicated stuff though, and some of these things are estimating maybe you can figure out the contents of 2000 bytes a second. The details of the attacks are highly depending upon the exact processor being used.

Re: Just always apply hardware access controls.

[Darinbob]

The Spectre and Meltdown attack proof-of-concepts were for Intel processors, presumably also the clones, and the attacks are based on knowing internal specifics of their highly speculative execution engines. Ie, if you don't use a PC you're automatically a lot safe (though not completely), and if you're using a processor without a speculative execution engine then these attack vectors won't do anything at all. The chips that are vulnerable are very high end CPUs, not the stuff in your microwave or wifi router. Though of course, those processors undoubtedly have their own vulnerabilities, they're just not Spectre or Meltdown.

The other thing that's important in security is if an attacker can get close or not. I don't worry much about my automobile being hacked because it's not on the internet and would require physical access to compromise it. Similarly, if you're on a PC and you have 100% control over any and all code running on it, then it will be pretty safe (ie, it's not plugged into the internet, you're not shoving in thumbdrives, etc).

Things start becoming much more susceptible to Spectre or Meltdown once you start letting your browser run random Javascript from the internet, or if you put your product up in the cloud running on just one of many VMs residing on the same physical server.

Re:Just always apply hardware access controls.

[ras]

I thought that these vulnerabilities were due to processors not applying memory access controls during speculative execution.

Not really. First of all, Spectre is not about the hardware letting you access memory it thinks you don't have permission to access, so memory access controls aren't relevant here. That variant did exist and has another name: Meltdown. Meltdown was a disaster. An Intel hardware bug meant an unprivileged program you could use the Spectre method to read all of kernel memory, even though the Intel CPU manuals said in black and white the hardware would allow that. However, most CPU's (including most Intel CPU's) didn't have this bug.

Spectre merely allows a program to read it's own memory, which is something every program does and depends on. No hardware I'm aware offers any mechanism for hardware protection inside of what an operating system calls a "process". This is hardly surprising given a process is the finest grain unit of protection offered by both the hardware and operating systems: you can't divide it down any further.

But that doesn't stop programmers from wanting finer grained protection. An all too common example is when a web browser executes javascript. As the browser doesn't trust the javascript, the software effectively emulates a stripped down "virtual computer" that has been completely defanged and executes the javascript in there. Spectre translates to: despite this javascript being executed in a virtual machine it could potentially read all of the browsers memory that isn't protected by hardware access controls. This paper now says that is impossible to write the software emulators to stop this. In reality its so hard pull off no one has done it so far, so what the paper is really saying is despite how hard it looks now we can never offer an iron clad guarantee someone will not find a way to make javascript access all your web pages and passwords the browser knows about in the future.

When I read the Spectre paper my first thought was "this means we are going to add hardware features so software can execute untrusted programs securely". Given I thought that I'm pretty sure most people who read and understood it came to the same conclusion as a few minutes of navel gazing. But it was just a guess. Now someone has put in hard yards and confirmed that guess is right.

There isn't much choice about fixing it. These virtual machines are very common. We depend on them. PHP scripts executing in Apache2, WSGI in a python interpreter, Java apps running in Tomcat, the kernel executing BPF programs, the shell running shell scripts - it's everywhere. The usual approach of the hardware guys is "if it shipped, it's a software problem". The paper is saying: not this time guys.

Re: Just always apply hardware access controls.

[Mspangler]

A 3 GHz Apple IIgs would still be pretty useful. Extend it to 64 bits and add a graphics coprocessor. If these attacks do turn out to be serious issues we might have to take a step back from the current levels of complexity.

Re:Just always apply hardware access controls.

[kurkosdr]

Then the hypervisor might have a bug.

Re:Just always apply hardware access controls.

[kurkosdr]

But until that happens they just have to... sell slower hardware? Good luck explaining to Joe at Best Buy why his new laptop will be slower than the one he has (despite similar form factor and thickness) because something called "vulnerabilities".

Re:Just always apply hardware access controls.

[ctilsie242]

True. However, it is about risk management. A hypervisor has a smaller attack surface than a general purpose OS. Yes, there are bugs in hypervisors, but generally a lot fewer.

Re:Just always apply hardware access controls.

[DontBeAMoran]

Because "Security". Joe at Best Buy knows that security always slows things down (driving, airport, etc).

Re:Just always apply hardware access controls.

[kurkosdr]

Still, good luck convincing Joe that an ultrabook should revert to running like a 386, when someone else (be it Via or some Chinese company, if both Intel and AMD hypothetically agree to not use speculative execution or use it in significantly diminished capability) offers the performance Joe has come to expect or close to it. Which begs the question, should the government regulate on such things?

Sounds false, overconfident, and trendy & chil

[Seven+Spirals]

Some people are always trying to poo-poo old technology. I suspect this is a play to act like every CPU made before yesterday is no good. "Sorry folks, you're going to have to turn on all those old computers we can't control^H^H^H Uh, I mean, those vulnerable systems for your own safety." That or so some smug security weenie can sit and smirk pointing to some ridiculous "researcher" saying "it's impossible to prevent". I just think there may be more going on here than just "old stuff sucks"

gimme that old 6502

[fat+man's+underwear]

maybe make it run at a few 100 MHz, or upgrade to the 65816 architecture.... I think I'd rather have that.

Re:gimme that old 6502

[DontBeAMoran]

Isn't the 68000 series immune to all this bullshit? The 68040 is better than the 65816, isn't it?

Re:gimme that old 6502

[Seven+Spirals]

Not in the 040 but in the 060, yes. Check out how the branch cache works and the timings for branches. The branch prediction is like the static prediction in the 68040 where previous branch targets are assumed occupied because they are probably loops and new targets are assumed unoccupied. When the 060 sees a branch for the first time in order to aid in dynamic prediction it creates an entry in the branch cache. However, I don't know enough about the engineering they did to know if it's definitely vulnerable. Speculative execution as a concept is a bit risky anyway if you ask me.

Re:gimme that old 6502

[Rockoon]

65816 is only a 16 bit processor. Famous for a variant used in old nintendo consoles, first appearance is actually the Apple IIgs.

Several IIgs technologies had re-emerged after the IIgs faded, the first being the 65816 CPU used in later consoles, and the other was the Ensoniq DOC2 audio chipset which eventually found itself in the Gravis UltraSound (GUS) as the GF1 (actually based on the DOC3 chipset)

But honestly, 16-bit... is a non-starter, and in fact 32-bit is also a non-starter.

I would gladly trade the speculative execution die area for directly useful instructions. Modulo-2 8x8 matrix (64 bits) and 8x1 vector (8 bits) multiplication / transformation are instructions every 64-bit architecture should have, but seemingly only theoretical ones do (MMIX)

Re:gimme that old 6502

[Seven+Spirals]

I agree, gimme more SIMD and you can kept branch prediction.

Re:gimme that old 6502

[dryeo]

Work did start on the 65832, but with Apples disinterest, stopped.

Re:gimme that old 6502

[Seven+Spirals]

Too late, Coward. I've already discovered that (hence my comment about DSL languages and shaders), but thanks for the snide remark, assface.

Re:Sounds false, overconfident, and trendy & c

[Fly+Swatter]

I just think there may be more going on here than just "old stuff sucks"

Arrogance.

It's not a problem if you don't run unsigned code

[slashkitty]

We need to get away from this unsigned, unreviewed, wild code (like javascript) running on your machines. Lock it down and stuff like this won't be a problem.

Software can Mitigate, it may not be able to cure.

[jellomizer]

Having handrails will help mitigate people from dying from falling down the stares. It doesn't stop it, or even prevent it. It is just a tool to help regain balance after you have lost your step.

Software can Mitigate the problem, by catching the most common and easiest calls to cause the issue.

Re:It's not a problem if you don't run unsigned co

[bigpat]

We need to get away from this unsigned, unreviewed, wild code (like javascript) running on your machines.

Lock it down and stuff like this won't be a problem.

Systems for whitelisting apps and websites can help. But then the problem just shifts to how much do you trust whichever app stores or website whitelists you are using which are basically the same thing as a signing system. I mean I try to be careful about which apps I download, but if you want your computer to be a general purpose computer then you have to have some flexibility to run unsigned code. As a developer that often means my own code. Otherwise it is an appliance.

Re:It's not a problem if you don't run unsigned co

[Rockoon]

We need to get away from this unsigned, unreviewed, wild code

As a representative of programmers everywhere, can you kindly take your idea and go fuck yourself?

Bad time for Intel CPUs

[bangular]

I'll be the first to admit this isn't my area of expertise. But after following these developments peripherally, I've been holding off buying a new desktop for awhile.

It seems like Intel has bumbled this at every step. They've put out a lot of misinformation causing a lot consumer confusion. It seems like every time they exclaim "it's fixed!" researchers say that's not the case. I'm assuming at this point we're probably at least a couple of CPU generations away from Intel fixing this properly.

On top of that, they've also been fighting the 10nm battle. More empty promises and missed deadlines on that front as well.

When I compare my current aging Intel system to single thread performance of the latest generation, it just doesn't justify the cost. AMD claims Zen 2 will fix all their problems. If they deliver, I will probably switch back to AMD. Intel burned a lot of goodwill in the past few years.

Re:Bad time for Intel CPUs

[Fly+Swatter]

So far, it has only been 'successfully' exploited in tightly controlled lab conditions. If you ask me, and no one did, it has been a way overblown risk by researchers; then fixes were hurriedly attempted with way too little testing; now researchers are saying 'it is still not fixed' and 'it can't be fixed', once again blowing the actual risk for us simple consumers way out of proportion.

In the server and cloud world there might be a legitimate risk at some point, once we actually see an exploit in the wild then It would be time to panic - until then those of us using computers for single user tasks are burdened with all this FUD and slower performance unless we actively turn off the (according to researchers) still broken mitigation.

If you can wait to buy until you need instead of want, that is always prudent for computer upgrades.

Re:Bad time for Intel CPUs

If they deliver, I will probably switch back to AMD. Intel burned a lot of goodwill in the past few years.

Just keep in mind that *any* CPU design that uses speculative execution is fundamentally and unavoidably vulnerable to such attacks.
That includes AMD as well as Intel.

So if you're switching due to disliking Intel as a company more than AMD as a company, that's all good and well.
If you're switching under the assumption only Intel CPUs do speculative execution and are vulnerable, you won't be solving any problems.

The unfortunate fact of the matter is raw instruction execution speed in CPUs isn't increasing leaps and bounds like in the recent past. Very little so in the past decade.
So other means are employed to run software faster.

Parallelism helps a great deal when the task is suitable to be split up, or when you just have a very large number of different tasks.

For tasks that don't naturally split well, or a programmer just didn't make it that way, lots of tricks and hacks are used so parallelism can help speed up a traditional single-threaded single-process step by step sort of task.

Speculative execution, and more a specific type of it called branch prediction, is one of those tricks.
The hardware knows the road up ahead can go many directions, but which path to take depends on a result it doesn't know yet, it uses parallelism to walk down many of those paths all at the same time, and once it does have said result and knows which path was right, it already has a huge head start.

In some cases it takes all the non-correct paths it went down and just forgets that ever happened.
Not cleaning up after itself was a big problem but an easy one to fix.
Turns out just the act of taking all these paths and which get cleaned up can also tell you (or malware) a lot about what is going on.

Taking all those paths needs to store the results in memory, usually a cache somewhere, but even then it turns out you can 'process of elimination' figure out the right data by looking at what was discarded.

In more rare attacks, even without trying to look at memory directly, you can tell what bits get flipped just by the timing when these paths are walked, and in other rare cases you can figure out what bits are where and right/wrong just by paying attention to the power draw being used to actually do that work.

Speculative execution is pretty flawed, with new ones found seemingly every day.
But getting rid of it entirely would set us back to the Pentium 1 and 2 days, where a 400mhz chip was priced out of most peoples reach and was the peak of performance, where most of our $1k usd processors ran 100mhz.

That's a HUGE cost. One not everyone would even be willing to pay.

But if you are wanting to build a new PC without speculative execution vulnerabilities in it, go fish a 486 or sparc out of the trash and go to town. Waiting may only give you less options as such hardware becomes more rare.

Re:Bad time for Intel CPUs

[thegarbz]

Let me start by defending Intel before turning this around. Speculative execution attacks are extremely difficult to execute in any constructive way without detailed targeted knowledge and access to the machine. As yet there's no known case of it actually being used and with very good reason: Pretty much every other security exploit is easier and more effective to execute with the exception being attacking a VM from another VM. Spectre / Meltdown really shouldn't come into consideration when buying a CPU unless you're running a cloud VM service or securing your country against a foreign state.

Now on the flip side there already is no reason to go Intel, not when cost plays any part. The performance difference between Intel and AMD do not justify the costs. Where Intel exceeds in single thread performance you need an extreme edge case (e.g. pro gaming) to justify the cost. Where Intel exceeds in multi-core there pretty much is zero justification to chose Intel over a Ryzen or a Threadripper for cost, again edge cases such as a requirement to process AVX heavy loads not withstanding.

On the high end threadripper even offers far more in terms of I/O including on core RAID and enough PCIX lanes to actually make a difference, something that Intel will offer on Xeons only if you spend even more money on additional frigging dongles.

Re:Bad time for Intel CPUs

[lkcl]

I'm assuming at this point we're probably at least a couple of CPU generations away from Intel fixing this properly.

unfortunately, it's much wose than the press is making out. i've had to investigate this in-depth as part of the design of the libre-riscv soc, because we criically rely on out-of-order execution for the vectorisation. i was shocked to learn that even in-order systems are potentially vulnerable to timing attacks.

the first thing that people need to get absolutely clear: spectre was *just the first* in a *class* of timing attacks that opened researchers and hardware designers eyes to a blind-spot in computing architectures.

the definition of a timing attack is as follows: one instruction may affect the completion time of past OR future instructions through resource starvation / contention, OR through state not being reset after use to a known uniform initial state.

the FIRST spectre attacks were against memory and caches, on speculative designs.

however it is perfectly possible, for example, for a multi-issue IN-ORDER system to have insufficient numbers of register ports, such that a certain unique combination of instructions may be arranged by an attacker to starve future instructions of the ability to complete instructions in a uniform time... and REQUIRE that they stall.

by forcing instructions to stall, that is the very DEFINITION of a timing attack.

against an *IN-ORDER* design.

now, it is possible to put in place certain speculation mitigation barriers in hardware, however these barriers *ONLY* occur at interrupts, exceptions and, at a software / OS level, on "context switches". hence the reason why this paper says that no matter what hardware designers try to do, *intra-process* attacks simply CANNOT be mitigated without moving to an *INTER*-process software security model.

FastCGI is toast, basically.

there is a solution, and it's going to require a massive world-wide campaign to introduce a concept to the entire computing software world: the creation of intra-process speculation barriers. if we wish to keep using FastCGI, and if we wish to keep using Firefox and python-gevent (the single-process paradigm), we *need* a hardware instruction that "quiesces" internal state *AS IF* the hardware had just made a context-switch, terminating all speculative execution, resetting all internal state and so on.

one way in which that may be possible to do in an out-of-order system that does not have such hardware-assisted in-process speculation barrier instructions is to issue about a hundred NOPs. the back-lash against doing so will be extreme, however it's not like there's much of a choice, here.

bottom line is: this has been a major, major oversight by the entire computing industry for over 25 years. it's a problem *across the entire industry*, not just Intel, not just AMD, it's *everybody*. it's not going to be fixed in a couple of hardware revisions by one company.

Re:Bad time for Intel CPUs

[dryeo]

Speculative execution is pretty flawed, with new ones found seemingly every day.
But getting rid of it entirely would set us back to the Pentium 1 and 2 days, where a 400mhz chip was priced out of most peoples reach and was the peak of performance, where most of our $1k usd processors ran 100mhz.

That's a HUGE cost. One not everyone would even be willing to pay.

But if you are wanting to build a new PC without speculative execution vulnerabilities in it, go fish a 486 or sparc out of the trash and go to town. Waiting may only give you less options as such hardware becomes more rare.

The first generation Atom had no speculative execution and while it did dispatch executions at about the same speed as a Pentium, it ran much faster, had simd instructions and was cheap.

Google just wants UNIX out of their cloud

[old_dirty_unidef]

They want GOOGLE Cloud not FreeBSD cloud or Linus' Cloud Spectre can be mitigated by implementing a move operation that moves central data to a cloud then fails, then recovers using self repairing techniques, then defaults back to a node. I dont know much about hacking though

Not entirely true but mostly true.

[Gravis+Zero]

If you are executing someone else's code natively on the CPU then it's true that it cannot be fully secured. However, if you execute (JavaScript) code through an interpreter engine rather than using JIT/dynamic recompilation engine then it is by default that spectre cannot be accessed. However, this would be throwing years of effort away in making JavaScript fast so that advertisers can exploit you easier without you noticing the slower execution speed. For this reason, the safest and simplest JavaScript engine is out of our reach which in turn has lead to the internet becoming a horrible mess of evil JavaScript, exploiting us at every turn.

TL;DR: STOP REQUIRING JIT, YOU ASSHOLES BECAUSE IT'S FUCKING UP EVERYTHING.

Re:Software can Mitigate, it may not be able to cu

[RuiFRibeiro]

If the examples of the successive failed patches are anything to judge, software it not the solution. But any person with half a brain knows that from day one.

So, one computer per user then

[presidenteloco]

or more precisely, per security principal.

I for one welcome our new architectural overlords, that is, whoever can make an efficient multi-core, multi-cache,.... multi-everything architecture, perhaps that only shares over high-level interfaces over fibre connections, or whatever.

And I guess those high-level physical interfaces will have to include timing randomization "chaff".

Re:Oooh breaking news

[AuMatar]

Inifinite cores wouldn't make speculative execution not needed. Speculative execution exists because you're trying to do things sequentially. Putting another core in there won't speed it up in any fashion- to avoid speculation you have to wait until the branch is determined. You could remove speculative execution and the optimization it provides, but yo'll end up with a FAR slower processor as your core will be idle from the beginning of a branch statement until its done- putting in a lot of noops into the pipeline. The deeper the pipeline in the architecture, the worse it will be.

Re:Intel chips broken by design

[viperidaenz]

The shills Intel pay at AMD?
https://www.amd.com/en/corpora...
They admit there are hardware issues and that page describes which software mitigations are required.
ARM have also admitted all of their speculative execution cores are vulnerable to some of the spectre attacks.

The irony

[OneHundredAndTen]

And the much-maligned, all-but-dead Itanium is immune to Spectre. Fancy that.

Re:The irony

[thereddaikon]

Spectre effects any processor with branch prediction. Itanium has branch prediction therefor it isn't immune.

The Cloud has rained

[KlomDark]

Best for security if everyone backs off from multi-tenant cloud servers for now. It was a nice try, but too insecure.

Industry bumbled, Intel is just the biggest.

The fundamental flaw dates all the way back to the Power 1 processor/architecture from the early 1990s. Intel didn't come to the party until 1996 (the chip was in development sometime before that, likely after 1991 or 1992 when the Pentium engineering samples would've first been released.) Even in that case the problem doesn't reveal itself until you have single package cache-coherent processors, which limits practical application of these flaws to Hyperthreaded pentium 4s, Core series processors, and later. Still a major issue, but between the power guzzling of the P4s and the Intel ME of the late Core2 and later chips, it isn't that common of an issue. Furthermore any dual-package chips, like the Core2Quads can have this problem fully mitigated by only running kernel code on one pair of cores, and only running user mode code on the other physical die with pauses in place for the companion core during sensitive function calls. Alternatively at an original Celeron-like level of performance reduction, you can disable l2/l3 cache and only run with the L1, which will make cache hits much less likely and much harder to trigger. Combine these with powersaving reclocking and kernel mode process statistics and it should be easy to notice a rogue process trying to sidechannel attack and either shut it down, or reduce its process priority enough to make its chances of coherent data recovery minimal.

Having said this, I still think it is a huge bug. I think with REAL access to Intel ME by developers/end users a lot of it could be mitigated (since you could push sensitive crypto operations to the ME core at the expense of speed, and properly isolate that data from the cache.)

Really though, this is just a call for fully open source audited and user controlled crypto processors outside of the general purpose cpu. These attacks are primarily useful for recovering authentication materials, which are short and retained in memory in a clear format. While other sensitive data COULD be leaked, practically speaking most of it won't be retained in memory in a cache coherent form long enough for it to matter.

As far as AMD and Ryzen goes: the same speculative execution issue applies. It *MIGHT* not apply to Power 8/9 if they really do support disabling speculative execution as one of the boot time processor straps, however Intel has never provided that feature, nor has AMD. Personally Intel ME, ARM TrustZone, and AMD's Secure Processor (Another TrustZone secure enclave implementation, along with Intel ME style motherboard or system management features) is a far bigger security concern to me. I have no way of auditing the code or mitigating the risk. With Spectre flaws, as long as you verify code running on your system or limit timing information such that the code can't get accurate timing statistics back, the problem is limited in scope. However with the proprietary management engines we are barred from looking at the inner works and from Right to Repair style replacement of the code when it is shown to be faulty and the manufacturer refuses to provide a replacement, some of which may be implementation (motherboard or cpu) specific and thus beyond the scope of their reference implementations.

Until all our processors go back to being cryptographically unsigned, our bios chips go back to being read-only without the manual choice of enabling a bios write jumper (this was broken back at the beginning of the move to SPI bios chips, which now default to writeable unless both the software running on the system tells it to go into read only mode, as well as the strap pin on the SPI chip package... which can be voltage glitched from within many systems to reset it and allow writing, requiring either the SPI chips themselves to be fixed, or the chip interfacing to them to perform write protection itself, which is what intel did with its later chipsets, leading to the Ibex Peak and later processors having unwriteable memory ranges that could only be updated with signed bios updates that were uploaded either during system initialization or copied from the OS into an unprotected memory range and then verified and installed to the protected ranges during next boot.

Internet of Things will have issues like this

[shayd2]

This is the sort of thing that scares me about IoT. What happens when the processor in my desk lamp has an unpatchable hardware bug? I doubt that I'll be able to replace just the processor.

Of course, PATCHING an IoT object has it's own issues. How do I control who (and when) does the patching.

No, it's one per security principal

[presidenteloco]

because presumably, a security principal trusts itself not to spy on itself.

Re:It's not a problem if you don't run unsigned co

[david_thornley]

Okay, use Firefox with NoScript. That prevents all scripts from running, unless you allow them by domain.

Go ahead and use the web without enabling anything. Find anything you can use? Anything?

If you don't want to allow unsigned, unreviewed, unverified, and untrusted code in your browser, you can. No problem.

Now try to do anything on the web.

Re:Intel chips broken by design

[AHuxley]

But we needed that CPU power for 4K and 6K and 8K games.

Re:Oooh breaking news

[dryeo]

Running every process on its own core, with its own cache might help. Could even have each process with a few cores sharing cache for multiple threads.

Re:Oooh breaking news

[AuMatar]

No, it absolutely wouldn't. Because you'd still have to wait for the result of every possibly branching instruction in order to execute the next. Having a billion cores per app won't fix that.

Re:Software can Mitigate, it may not be able to cu

[jellomizer]

Never stated it was the solution. Just mitigation.

Re:Oooh breaking news

[dryeo]

I'm probably getting my vulnerabilities mixed up but my understanding is one process spying on anthers cache misses and hits so sandboxing would help.