Friday, January 5th 2018

Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown

By the time Intel launched its 8th generation Core "Coffee Lake" desktop processor family (September 25, 2017, with October 5 availability), the company was fully aware that the product it is releasing was vulnerable to the three vulnerabilities plaguing its processors today, the two more publicized of which, are "Spectre" and "Meltdown." Google Project Zero teams published their findings on three key vulnerabilities, Spectre (CVE-2017-5753 and CVE-2017-5715); and Meltdown (CVE-2017-5754) in mid-2017, shared with hardware manufacturers under embargo; well before Intel launched "Coffee Lake." Their findings were made public on January 3, 2018.

Intel's engineers would have had sufficient time to understand the severity of the vulnerability, as "Coffee Lake" is essentially the same micro-architecture as "Kaby Lake" and "Skylake." As one security researcher puts it, this could affect Intel's liability when 8th generation Core processor customers decide on a class-action lawsuit. As if that wasn't worse, "Skylake" and later micro-architectures could require micro-code updates in addition to OS kernel patches to work around the vulnerabilities. The three micro-architectures are expected to face a performance-hit, despite Intel extracting colorful statements from its main cloud-computing customers that performance isn't affected "in the real-world." The company was also well aware of Spectre and Meltdown before its CEO dumped $22 million in company stock and options (while investors and the SEC were unaware of the vulnerabilities).
Add your own comment

111 Comments on Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown

#1
Vayra86
lexluthermiester said:
You'd think, but the reality is most companies and researchers do not release vulnerability findings like this to the pubic without giving those affected by it a chance to research it themselves. Just throwing out to the public willy-nilly would be an act of gross irresponsibility. So yes, companies like Microsoft, Apple, Google, Intel, AMD, Nvidia, etc., etc. will keep such info confidentual until they have time to solve the problem. Intel and the researchers were being responsible, not secretive or sneaky. Meltdown is effectively solved and that solution will be refined in the coming months. And this is why we have a fix for within days instead of weeks or months.
This.

You all have to keep in mind that if someone finds a leak in your CPU architecture, there is no realistic way to adjust that on a hardware design level anyway, any fix like that is one or two years ahead of us at best. The fact they found this in June, only months before CFLs release, is proof of that in itself. Yes, they knew it was in there, and yes, they were already testing and finding fixes for Meltdown back then. I think its safe to say that we won't see a hardware adjustment until Ice Lake, or beyond.

Communicating leaks before you have solutions is possibly much worse than announcing them days prior to a fix. The entire industry works with that premise, its really telling that people here think otherwise - its a clear sign you have no clue of how this industry functions. While not the best layer of security, Security by Obscurity still is a layer of defense, and it was utilized here.

On the other side of the fence, even AMD releases their CPUs with knowledge of Spectre's existence, and even after official announcements were to be found on Intel's website, AMD's website did not contain a SINGLE TRACE of Spectre's existence. This is a strategy, too, and it shows in everything AMD has put out regarding this issue: they want to silence the issue ASAP, they are making it 'small and inconsequential' if you read their PR. I'll leave it up to each individual to decide what's better...

The bottom line remains: both Intel and AMD had this knowledge around the same time, and the decision to keep this quiet until now has been a unanimous one across ALL related companies. Any alternative decision is much more damaging: to end users, to the industry, to the overall level of trust in every PC we use, and all of the data we handle.
Posted on Reply
#2
lexluthermiester
Vayra86 said:
This is a strategy, too, and it shows in everything AMD has put out regarding this issue: they want to silence the issue ASAP, they are making it 'small and inconsequential' if you read their PR. I'll leave it up to each individual to decide what's better...
I don't think that's what AMD is doing at all. The public knows how serious this is. AMD knows they have nothing to add because, at this moment, there is no real solution for Spectre. Like everyone else, they're working the problem and they're not going to say anything until they have something to say.

There real thing with Meltdown and Spectre is this, there are no villains in this matter. Not one manufacturer in their right mind would engineer such a pervasive problem into their products. And the fact that Spectre affects every CPU in existence for the past 25+ years, regardless of architecture, is evidence enough that it was not foreseen and has caught everyone almost equally off-guard. Laying blame at anyone is a waste of time and effort because we'd have to blame everyone equally. Even old games systems like the Playstation and N64 are vulnerable. So let's all stop the blame game, focus on the details of the problems and solving it, shall we?

Because of the way these vulnerabilities work, they take advantage of a very useful set of functions within CPU's that help them work faster and more efficiently. Engineering that out of CPU's is going to take us back at least a decade, performance-wise, and even more than that for some forms of software. Instead, it might be better to find a way to isolate those functions from direct high-level software access, which would mitigate the problems without removing them.
Posted on Reply
#3
Vayra86
lexluthermiester said:
I don't think that's what AMD is doing at all. The public knows how serious this is. AMD knows they have nothing to add because, at this moment, there is no real solution for Spectre. Like everyone else, they're working the problem and they're not going to say anything until they have something to say.

There real thing with Meltdown and Spectre is this, there are no villains in this matter. Not one manufacturer in their right mind would engineer such a pervasive problem into their products. And the fact that Spectre affects every CPU in existence for the past 25+ years, regardless of architecture, is evidence enough that it was not foreseen and has caught everyone almost equally off-guard. Laying blame at anyone is a waste of time and effort because we'd have to blame everyone equally. Even old games systems like the Playstation and N64 are vulnerable. So let's all stop the blame game, focus on the details of the problems and solving it, shall we?

Because of the way these vulnerabilities work, they take advantage of a very useful set of functions within CPU's that help them work faster and more efficiently. Engineering that out of CPU's is going to take us back at least a decade, performance-wise, and even more than that for some forms of software. Instead, it might be better to find a way to isolate those functions from direct high-level software access, which would mitigate the problems without removing them.
You're right, but its not a mistake to think there hasn't gone serious thought over what to publish or what not to publish / say. That, is strategy :)
Posted on Reply
#4
mcraygsx
I wonder for how long Government agencies and hackers alike have been exploiting bug on systems with INTEL's processors. Intel was aware of this bug well in advance when they released Skylake X and Coffee lake processors and yet they continue to market/sell these processors to consumers and business. It seems as if ethical and moral values hold no value in IT industry any longer. There goes resale value of anyone who purchased these processors.

Asus 1203
Posted on Reply
#5
lexluthermiester
Vayra86 said:
You're right, but its not a mistake to think there hasn't gone serious thought over what to publish or what not to publish / say. That, is strategy :)
Agreed, they're being strategic, but not in any nefarious way.
Posted on Reply
#6
Xzibit
lexluthermiester said:
Agreed, they're being strategic, but not in any nefarious way.
The only thing wrong is waiting until the last minute while others were already patching their cloud servers. Intel was sitting on their hands for the general public.

The NDA was over on the 9th and if it wasn't for an AMD linux patch leading to the general public disclosure of this. It would still be hush, hush. We wouldn't know how this would have played it out and how Intel would react or have treated it.
Posted on Reply
#7
lexluthermiester
Xzibit said:
The only thing wrong is waiting until the last minute while others were already patching their cloud servers. Intel was sitting on their hands for the general public.

The NDA was over on the 9th and if it wasn't for an AMD linux patch leading to the general public disclosure of this. It would still be hush, hush. We wouldn't know how this would have played it out and how Intel would react or have treated it.
Ok.
Posted on Reply
#8
I No
Microsoft's thoughts on the matter. Apparently the Specter mitigation puts a dent into performance aka Variant 2 which requires a microcode update (BIOS flash) . Techspot even has a benchmark on it.


In case anyone missed Microsoft's post :
https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/?ranMID=24542&ranEAID=nOD/rLJHOac&ranSiteID=nOD_rLJHOac-0BvaqQnfhAKWeHcm0ft.mA&tduid=(9a91604a36bf2e42a2f74b67007e4bbd)(256380)(2459594)(nOD_rLJHOac-0BvaqQnfhAKWeHcm0ft.mA)()


Techspot's benchmark:
https://www.techspot.com/article/1556-meltdown-and-spectre-cpu-performance-windows/
Posted on Reply
#9
lexluthermiester
I No said:
In case anyone missed Microsoft's post :
https://cloudblogs.microsoft.com/mi...459594)(nOD_rLJHOac-0BvaqQnfhAKWeHcm0ft.mA)()
This talked about it..
I No said:
Techspot's benchmark:
https://www.techspot.com/article/1556-meltdown-and-spectre-cpu-performance-windows/
This showed it. Kinda interesting.

The only set of benchmarks that stand out as anything more than "statistical margin of error" is the storage benchmarks. And based on the rumblings coming out of variously locations, those performance problems will likely have a fix soon.
Posted on Reply
#10
hapkiman
And here I am like thousands of others, just an average user seemingly unaffected by Meltdown and Spectre
enjoying my new i7 8700k build.

I guess when I get hit in the head by a piece of falling sky, I'll know to panic. But until then...I think I'll go play some BF1.
Posted on Reply
Add your own comment