Intel FUBAR ... again - Kernel memory leak in nearly every Intel CPU of the last decade (Spectre hits everyone, Meltdown still Intel exclusive)

I did think at one point that AMD might have a hand in this… (the leak I mean) simply as it's an Nvidia playbook move (and AMD are learning from Nvidia :smiley: )

e.g. do something that is harmful to everyone, but harms you the least, e.g. tessellation nonsense :smiley:

Leaving it until the 9th so that Intel could control the message (the medium is the message) would not have been in AMD’s best interests.

I keep seeing this in my head :frowning: so I made it.

6 Likes

not sure what Stallman has to do with this

2 Likes

I believe I have seen him maintain that the hardware itself is developed to spy on you.

Their filler response from corporate.

https://www.amd.com/en/corporate/speculative-execution

When AMD learned that researchers had discovered a new CPU attack targeting the speculative execution functionality used by multiple chip companies’ products, we immediately engaged across the ecosystem to address the teams’ findings.

As the security landscape continues to evolve, a collaborative effort of information sharing in the industry represents the strongest defense.

Total protection from all possible attacks remains an elusive goal and this latest example shows how effective industry collaboration can be.

TLDR: AMD didn’t finish their report in time and posted a short form blurb instead while deferring to details already published by others. It’s kind of a lazy thing to do. But I don’t run AMD.

1 Like

It’s true that AMD didn’t actually reveal the details of the flaw before the embargo was up, but one of the company’s developers came very close. Just after Christmas, an AMD developer contributed a Linux patch that excluded AMD chips from the Meltdown mitigation. In the note with that patch, the developer wrote, “The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.”

It was this specific information—that the flaw involved speculative attempts to access kernel data from user programs—that arguably led to researchers figuring out what the problem was. The message narrowed the search considerably, outlining the precise conditions required to trigger the flaw.

For a company operating under an embargo, with many different players attempting to synchronize and coordinate their updates, patches, whitepapers, and other information, this was a deeply unhelpful act. While there are certainly those in the security community that oppose this kind of information embargo and prefer to reveal any and all information at the earliest opportunity, given the rest of the industry’s approach to these flaws, AMD’s action seems, at the least, reckless.

so… they should have tried to commit to git repo WITHOUT leaving developer comments on what the code is actually there for?

yeah, like that would have gone down well and not caused equal suspicion.

Ironically he is blaming ‘pesky open source and good developer practice’, least that is how it feels like.

5 Likes

Man if they had access to some of the pre-disclosure mailing lists… :smiley:

But seriously is nobody going to call me out for unassumingly leading everyone around by the nose, feeding you info in nibbles since the start of this thread? :laughing: :thinking:

I kind of did :sweat_smile:

but I also understand why something like this does not need to be public so that every 12 year old on the planet does not go on a hacking spree.

I would think that would be more appropriate for the Intel Management Engine. While these vulnerabilities could certainly be used for spying, I’ve seen no evidence so far that this was intentional, nor anywhere near as convenient for such use as IME.

Agreed. Better used for that. I believe AMD has their own version of that, also.

That Ars Technica one really bugs me

having a go at amd because they did things properly? (the git entry I mean).

I mean properly documented code that anyone can go in and look at?

HOW DARE THEY

meh, inhale… exhale… and move on.

5 Likes

can the title be fixed. this affects amd and arm too

Just call it Spectre_Meltdown

Perfect title.

Spectre will basically affect anything under the sun with speculative execution / branch predict.
Meltdown - Intel & ARM. AMD unknown but strongly believed by AMD not to be affected. (Internal testing)

4 Likes

I think amd should put their money where their mouth is and offer a bounty to anyone who can successfully demonstrate an attack.

In Video Form

2 Likes

Do you know the code for Windows 7? Those you linked are only for Win 10.

https://support.microsoft.com/en-in/help/4056897/windows-7-update-kb4056897

https://support.microsoft.com/en-us/help/4056898/windows-81-update-kb4056898

The catalog links in there don’t seem to work for me though for some reason :confused: Some certificate error ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

1 Like

There are 2 of them. Is it one patch for each exploit?

One is x86 (top), one is x64 (bottom).

1 Like

Spectre PoC runs really fast on Ryzen :wink:

EDIT: Meh it’s only twice as fast as a potato Intel Atom.

time ./spectre
Reading 23 bytes:
Reading at malicious_x = 0xffffffffffdfedc8... Success: 0x54='T' score=2
Reading at malicious_x = 0xffffffffffdfedc9... Success: 0x68='h' score=2
Reading at malicious_x = 0xffffffffffdfedca... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfedcb... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffffffffffdfedcc... Success: 0x70='p' score=2
Reading at malicious_x = 0xffffffffffdfedcd... Success: 0x61='a' score=2
Reading at malicious_x = 0xffffffffffdfedce... Success: 0x73='s' score=2
Reading at malicious_x = 0xffffffffffdfedcf... Success: 0x73='s' score=2
Reading at malicious_x = 0xffffffffffdfedd0... Success: 0x77='w' score=2
Reading at malicious_x = 0xffffffffffdfedd1... Success: 0x6F='o' score=2
Reading at malicious_x = 0xffffffffffdfedd2... Success: 0x72='r' score=2
Reading at malicious_x = 0xffffffffffdfedd3... Success: 0x64='d' score=2
Reading at malicious_x = 0xffffffffffdfedd4... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffffffffffdfedd5... Success: 0x69='i' score=2
Reading at malicious_x = 0xffffffffffdfedd6... Success: 0x73='s' score=2
Reading at malicious_x = 0xffffffffffdfedd7... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffffffffffdfedd8... Success: 0x72='r' score=2
Reading at malicious_x = 0xffffffffffdfedd9... Success: 0x6F='o' score=2
Reading at malicious_x = 0xffffffffffdfedda... Success: 0x6F='o' score=2
Reading at malicious_x = 0xffffffffffdfeddb... Success: 0x74='t' score=2
Reading at malicious_x = 0xffffffffffdfeddc... Success: 0x6B='k' score=2
Reading at malicious_x = 0xffffffffffdfeddd... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfedde... Success: 0x61='a' score=2
real    0m0.003s
user    0m0.003s
sys     0m0.000s