Spectre & Meltdown CPU vulnerabilities...

Subjects that don't have their own home
User avatar
jack
Thermionic Monk Status
Posts: 5493
Joined: Wed Dec 29, 2010 8:58 pm
Location: ɐılɐɹʇsnɐ oʇ ƃuıʌoɯ ƃuıɹǝpısuoɔ
Contact:

#1 Spectre & Meltdown CPU vulnerabilities...

Post by jack »

Gents,

We are all obviously aware of the Spectre & Meltdown issues with pretty much all current CPUs from Intel, AMD, ARM and everyone else.

Steve Gibson (very well regarded security researcher) has released a freeware too, InSpectre, which tells you if a host is vulnerable to either attack and whether the system has been patched to allow it to defeat these threats. It’s a small, lightweight, executable.

https://www.grc.com/inspectre.htm

From my PC:
Example Spectre Meltdown check.png
Vivitur ingenio, caetera mortis erunt
User avatar
Dave the bass
Amstrad Tower of Power
Posts: 12273
Joined: Tue May 22, 2007 4:36 pm
Location: NW Kent, Darn Sarf innit.

#2 Re: Spectre & Meltdown CPU vulnerabilities...

Post by Dave the bass »

jack wrote: Mon Jan 22, 2018 10:08 am Gents,

We are all obviously aware of the Spectre & Meltdown issues....
erks! We are?!
"The fat bourgeois and his doppelganger"
User avatar
jack
Thermionic Monk Status
Posts: 5493
Joined: Wed Dec 29, 2010 8:58 pm
Location: ɐılɐɹʇsnɐ oʇ ƃuıʌoɯ ƃuıɹǝpısuoɔ
Contact:

#3 Re: Spectre & Meltdown CPU vulnerabilities...

Post by jack »

Dave the bass wrote: Mon Jan 22, 2018 10:18 am
jack wrote: Mon Jan 22, 2018 10:08 am Gents,

We are all obviously aware of the Spectre & Meltdown issues....
erks! We are?!
Well, anyone with more than a gram of grey matter :)

EDIT: That was a bit unfair. Apologies. The problem has been known about in security circles for some time, but not made public. It only really reached most folks' awareness about 3 weeks ago. The problem is quite subtle and as it's an architectural issue common to almost all modern CPUs, pretty much all manufacturers are affected by it. Like everyone.

These are genuine, serious, issues which are practical to exploit - they aren't just theory. The attacks are subtle and very very tricky to resolve - basically the CPUs need new microcode. The current fixes are to simply disable the offending capabilities, however these are the very features that make modern CPUs so fast - the performance hit on CPUs is estimated at between 17% - 30%. This is a MASSIVE issue for cloud computing providers and for all with CPU-intensive workloads, e.g. database farms or those doing mathematical modelling etc.

Please see https://meltdownattack.com/ for more info...
Vivitur ingenio, caetera mortis erunt
User avatar
Nick
Site Admin
Posts: 15709
Joined: Sun May 06, 2007 10:20 am
Location: West Yorkshire

#4 Re: Spectre & Meltdown CPU vulnerabilities...

Post by Nick »

That useful app may give the indication its a windows problem, its not, its just that app is windows specific.
Whenever an honest man discovers that he's mistaken, he will either cease to be mistaken or he will cease to be honest.
User avatar
jack
Thermionic Monk Status
Posts: 5493
Joined: Wed Dec 29, 2010 8:58 pm
Location: ɐılɐɹʇsnɐ oʇ ƃuıʌoɯ ƃuıɹǝpısuoɔ
Contact:

#5 Re: Spectre & Meltdown CPU vulnerabilities...

Post by jack »

Nick wrote: Mon Jan 22, 2018 11:05 am That useful app may give the indication its a windows problem, its not, its just that app is windows specific.
A point worth emphasizing - this is a HARDWARE issue with the CPU chips from pretty much everyone - it is NOT A SOFTWARE ISSUE.

Linux/Windows/Android/IOS/MacOS/... makes no difference. This is all about the underlying tin.
Vivitur ingenio, caetera mortis erunt
User avatar
pre65
Amstrad Tower of Power
Posts: 21373
Joined: Wed Aug 22, 2007 11:13 pm
Location: North Essex/Suffolk border.

#6 Re: Spectre & Meltdown CPU vulnerabilities...

Post by pre65 »

Thanks Jack (Nick),

My main laptop passed the test.

I'll check Jeans laptop and my old PC later.
The only thing necessary for the triumph of evil is for good men to do nothing.

Edmund Burke

G-Popz THE easy listening connoisseur. (Philip)
Neal
Shed dweller
Posts: 2299
Joined: Fri Aug 03, 2007 10:57 am
Location: From the land of the Bodgers

#7 Re: Spectre & Meltdown CPU vulnerabilities...

Post by Neal »

Nick (Jack) what is the likely hood of this vulnerability being exploited from a home user point of view? I don't think there have been any reported cases of it being used to-date.
Only the Sith deal in absolutes.
User avatar
jack
Thermionic Monk Status
Posts: 5493
Joined: Wed Dec 29, 2010 8:58 pm
Location: ɐılɐɹʇsnɐ oʇ ƃuıʌoɯ ƃuıɹǝpısuoɔ
Contact:

#8 Re: Spectre & Meltdown CPU vulnerabilities...

Post by jack »

Neal wrote: Mon Jan 22, 2018 11:45 am Nick (Jack) what is the likely hood of this vulnerability being exploited from a home user point of view? I don't think there have been any reported cases of it being used to-date.
Good question. The answer is probably not likely, but PoCs have already been presented which exploit these via a website drive-by.

If you're vulnerable to these, then I'd patch. They may not be much chance of a domestic exploit now, but it will come...
Vivitur ingenio, caetera mortis erunt
Neal
Shed dweller
Posts: 2299
Joined: Fri Aug 03, 2007 10:57 am
Location: From the land of the Bodgers

#9 Re: Spectre & Meltdown CPU vulnerabilities...

Post by Neal »

Ah OK, drive by shootings are not good...
Only the Sith deal in absolutes.
User avatar
Nick
Site Admin
Posts: 15709
Joined: Sun May 06, 2007 10:20 am
Location: West Yorkshire

#10 Re: Spectre & Meltdown CPU vulnerabilities...

Post by Nick »

Also worth considering that while Intel are doing their best to conflate the two, Meltdown and Spectre are two different problems, Meltdown is Intel only and seems to have PoC out there, Spectre is industry wide and only hypothetical from what I can see. Linus has gone off on one of his normally justified rants at Intel for their attempt to fix this (or in fact shift blame) on the Linux kernel mailing list.
Whenever an honest man discovers that he's mistaken, he will either cease to be mistaken or he will cease to be honest.
User avatar
jack
Thermionic Monk Status
Posts: 5493
Joined: Wed Dec 29, 2010 8:58 pm
Location: ɐılɐɹʇsnɐ oʇ ƃuıʌoɯ ƃuıɹǝpısuoɔ
Contact:

#11 Re: Spectre & Meltdown CPU vulnerabilities...

Post by jack »

Nick wrote: Mon Jan 22, 2018 12:36 pm Meltdown is Intel only...
Not certain at all. ARM have said that they may also be vulnerable and it's currently unclear whether AMD are affected.
Vivitur ingenio, caetera mortis erunt
User avatar
Nick
Site Admin
Posts: 15709
Joined: Sun May 06, 2007 10:20 am
Location: West Yorkshire

#12 Re: Spectre & Meltdown CPU vulnerabilities...

Post by Nick »

jack wrote: Mon Jan 22, 2018 1:26 pm
Nick wrote: Mon Jan 22, 2018 12:36 pm Meltdown is Intel only...
Not certain at all. ARM have said that they may also be vulnerable and it's currently unclear whether AMD are affected.
I have not yet seen any sign of that, do you have any links?
Whenever an honest man discovers that he's mistaken, he will either cease to be mistaken or he will cease to be honest.
User avatar
jack
Thermionic Monk Status
Posts: 5493
Joined: Wed Dec 29, 2010 8:58 pm
Location: ɐılɐɹʇsnɐ oʇ ƃuıʌoɯ ƃuıɹǝpısuoɔ
Contact:

#13 Re: Spectre & Meltdown CPU vulnerabilities...

Post by jack »

Nick wrote: Mon Jan 22, 2018 1:40 pm
jack wrote: Mon Jan 22, 2018 1:26 pm
Nick wrote: Mon Jan 22, 2018 12:36 pm Meltdown is Intel only...
Not certain at all. ARM have said that they may also be vulnerable and it's currently unclear whether AMD are affected.
I have not yet seen any sign of that, do you have any links?
Yep. from https://meltdownattack.com/#faq-systems-meltdown (this site is maintained by the co-discoverers of Meltdown at the Graz University of Technology, so I'm inclined to trust it).
Which systems are affected by Meltdown? wrote:Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether AMD processors are also affected by Meltdown. According to ARM, some of their processors are also affected.
Key thing with ARM is that they accept that some of their processors are vulnerable to cached side-channel attacks, i.e. Variant 3/CVE-2017-5754 also known as Meltdown (although ARM cheekily don't actually use that name)
Vivitur ingenio, caetera mortis erunt
User avatar
Nick
Site Admin
Posts: 15709
Joined: Sun May 06, 2007 10:20 am
Location: West Yorkshire

#14 Re: Spectre & Meltdown CPU vulnerabilities...

Post by Nick »

Ok, yes I see, so one ARM is affected by Meltdown (Cortex-A75), and a couple more of a variant of it (Cortex-A15,Cortex-A57,Cortex-A72), do you know what that variant is (ARM are calling it 3a)

I wonder if Intel will sue ARM, as I believed that the cause of Meltdown was covered by a Intel patent. Looks like ARM has a patch already in the Linux kernel for the 75, and the others seem to not need any changes. Probably good timing, as I dont think the A75 is in any end user products yet (Snapdragon 845 for example).
Whenever an honest man discovers that he's mistaken, he will either cease to be mistaken or he will cease to be honest.
User avatar
jack
Thermionic Monk Status
Posts: 5493
Joined: Wed Dec 29, 2010 8:58 pm
Location: ɐılɐɹʇsnɐ oʇ ƃuıʌoɯ ƃuıɹǝpısuoɔ
Contact:

#15 Re: Spectre & Meltdown CPU vulnerabilities...

Post by jack »

Nick wrote: Mon Jan 22, 2018 2:11 pm Ok, yes I see, so one ARM is affected by Meltdown (Cortex-A75), and a couple more of a variant of it (Cortex-A15,Cortex-A57,Cortex-A72), do you know what that variant is (ARM are calling it 3a)
Not sure what exactly the difference between 3 and 3a as it seems specific to ARM and they're not even admitting it's Meltdown.

Whilst it's generally accepted that Linus is a Git (even he admits that), he has a point regarding Intel being economical with the actualité and dissembling on these issues.

The NVD CPE database is listing 1058 different Intel CPUs being vulnerable to CVE-2017-5754 (to give Meltdown its proper name) and just 1 CPU from ARM (the A75) - none from anyone else. Yet.
Vivitur ingenio, caetera mortis erunt
Post Reply