Tuesday, May 14th 2019

Yet Another Speculative Malfunction: Intel Reveals New Side-Channel Attack, Advises Disabling Hyper-Threading Below 8th, 9th Gen CPUs

Ouch doesn't even begin to describe how much that headline hurt. Speculative execution has been well covered by now, but here's a refresher. A modern CPU does not wait to find out whether a branch is taken, or whether a load is even allowed, before it keeps going: it guesses, executes the instructions it expects to need next, and holds the results ready. If the guess was right, the work is already done and the pipeline never stalled; if it was wrong, the architectural results are thrown away. The objective is to keep execution units busy that would otherwise sit idle. The catch, and the root of this entire class of attacks, is that the discarded work still leaves traces in microarchitectural state (caches and, in the case of MDS, the core's internal buffers) that an attacker can measure.

The flaws have been announced by Intel in coordination with Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany and security firms Cyberus, BitDefender, Qihoo360 and Oracle. While some of the parties involved have named the four identified flaws with names such as "ZombieLoad", "Fallout", and RIDL, or "Rogue In-Flight Data Load", Intel is using the PEGI-13 "Microarchitectural Data Sampling (MDS)" name.
Update May 15th: Intel has released benchmarks that show the performance impact of the MDS mitigations.
Update May 16th: Apparently Intel tried to sweep the issue under the rug with a generous donation to the researchers.

The issue at hand, under Intel's pretty tame MDS label, is that, like other side-channel attacks, these exploits let an attacker read data that should have been off-limits, had it not passed through the CPU's speculative machinery. Where Meltdown used speculative execution on Intel CPUs to read sensitive data out of memory, MDS attacks read data that is in flight inside the core itself: the store buffers, the line fill buffers that sit between the L1 data cache and the rest of the memory hierarchy, and the load ports. Those structures are shared between the two Hyper-Threads of a core, which is why a thread on the sibling can sample what the victim is working on. The researchers say the flaw can siphon data from the CPU at a rate approaching real time, and that an attacker can filter for what matters: whether it's passwords or which websites the user is visiting at the moment of the attack, it's all fair game.


Intel says significant software changes will be needed to harden systems against this, not only from Intel but from operating system vendors and third-party developers. The main proposed mitigation is that every time the processor switches from one third-party app to another, from a Windows process to a third-party app, or even from a less trusted Windows process to a more trusted one, the affected buffers have to be cleared or overwritten; updated microcode repurposes the VERW instruction for this (the MD_CLEAR capability), and the kernel issues it on every such transition. That means the buffers are refilled from scratch every time a different process is called up, and you can bet that carries a performance penalty, which Intel puts at anywhere from "minimal" to around 9% depending on the workload.

Intel detailed the vulnerability in its whitepaper and admitted that disabling HT might be warranted as protection against MDS attacks, and you can imagine how loath the company must have been to publish such a thing. Intel's HT has been hit hard by the string of speculative execution flaws found in Intel processors, with mitigations usually costing some performance on the company's concurrent processing technology. Intel says its engineers discovered the MDS vulnerabilities last year and that it has now released fixes for the flaw in both hardware and software, although the software side will obviously have to reach users as microcode updates and as changes shipped by every operating system, virtualization vendor and other software maker.

Intel also said that select 8th and 9th generation processors already include the hardware mitigations that defeat MDS (the CPU advertises this through the MDS_NO bit of the IA32_ARCH_CAPABILITIES register, so the operating system can skip the buffer clearing), but previous architectures back to Nehalem are vulnerable. Rather than take that on faith, you can run the test tool the researchers have published (MDS Attacks Test, linked in the sources below).

The CVE identifiers for the four vulnerabilities are:
  • CVE-2018-12126 Microarchitectural Store Buffer Data Sampling (MSBDS)
  • CVE-2018-12130 Microarchitectural Fill Buffer Data Sampling (MFBDS)
  • CVE-2018-12127 Microarchitectural Load Port Data Sampling (MLPDS)
  • CVE-2019-11091 Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
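As an added example (not code from the article, from Intel or from the MDS researchers), here is a small Python script that turns the Linux kernel's own reporting into a verdict: whether the microcode advertises MD_CLEAR, whether the kernel is actually issuing the buffer clears, and whether Hyper-Threading still leaves a sibling thread able to sample the shared buffers. The sysfs paths, the flag name md_clear and the IA32_ARCH_CAPABILITIES bit positions are the kernel's and Intel's; the /proc/cpuinfo lines and status strings fed to it here are constructed samples, not captures from a real host.

```python
"""Classify a Linux host's MDS posture from the kernel's own reporting.

Illustrative code written for this page, not a tool from the article, Intel or the
MDS researchers. It combines the three things an admin would otherwise check by hand:
  /proc/cpuinfo                                 'flags' line; md_clear means the microcode
                                                supports the VERW buffer clear (MD_CLEAR)
  /sys/devices/system/cpu/vulnerabilities/mds   the kernel's verdict for the four MDS CVEs
  /sys/devices/system/cpu/smt/active            "1" when sibling hyper-threads are online
and can also decode an IA32_ARCH_CAPABILITIES value (MSR 0x10A, e.g. from rdmsr) using
the bit positions Intel documents: RDCL_NO=0, IBRS_ALL=1, RSBA=2, SKIP_L1DFL_VMENTRY=3,
SSB_NO=4, MDS_NO=5. The sample inputs at the bottom are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Optional, Set

ARCH_CAPABILITIES_BITS = {
    0: "RDCL_NO",              # not susceptible to Meltdown
    1: "IBRS_ALL",
    2: "RSBA",
    3: "SKIP_L1DFL_VMENTRY",
    4: "SSB_NO",
    5: "MDS_NO",               # hardware fix for MDS: no buffer clearing needed
}

SYSFS_MDS = "/sys/devices/system/cpu/vulnerabilities/mds"
SYSFS_SMT = "/sys/devices/system/cpu/smt/active"


def decode_arch_capabilities(msr_value: int) -> Set[str]:
    """Return the names of the known set bits in IA32_ARCH_CAPABILITIES."""
    return {name for bit, name in ARCH_CAPABILITIES_BITS.items() if (msr_value >> bit) & 1}


def cpu_flags(cpuinfo_text: str) -> Set[str]:
    """Extract the feature flags from /proc/cpuinfo text (first 'flags' line)."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


@dataclass
class MdsPosture:
    level: str          # "not_affected" | "mitigated" | "partial" | "vulnerable"
    kernel_status: str  # raw text of the sysfs 'mds' file
    md_clear: bool      # microcode advertises MD_CLEAR
    smt_active: bool    # sibling threads are online
    advice: str


def assess_mds(cpuinfo_text: str, mds_status: str, smt_active_text: str,
               arch_capabilities: Optional[int] = None) -> MdsPosture:
    """Combine the kernel verdict, the microcode flag and the SMT state into one posture."""
    status = mds_status.strip()
    md_clear = "md_clear" in cpu_flags(cpuinfo_text)
    smt_active = smt_active_text.strip() == "1"
    caps = decode_arch_capabilities(arch_capabilities) if arch_capabilities is not None else set()

    if status.startswith("Not affected") or "MDS_NO" in caps:
        return MdsPosture("not_affected", status, md_clear, smt_active,
                          "Hardware sets MDS_NO or the kernel reports not affected; "
                          "no buffer clearing is needed.")
    if status.startswith("Vulnerable"):
        # Covers plain "Vulnerable" and "Vulnerable: Clear CPU buffers attempted, no microcode".
        advice = ("Microcode lacks MD_CLEAR: update microcode so the kernel can clear "
                  "buffers with VERW." if not md_clear else
                  "Microcode supports MD_CLEAR but the kernel mitigation is off "
                  "(mds=off on the command line?); enable it.")
        return MdsPosture("vulnerable", status, md_clear, smt_active, advice)
    # From here on the kernel reports "Mitigation: Clear CPU buffers; ...".
    if smt_active:
        return MdsPosture("partial", status, md_clear, smt_active,
                          "Buffers are cleared on kernel/user and VM transitions, but a "
                          "sibling thread can still sample them; disable SMT "
                          "(mds=full,nosmt, or write 'off' to /sys/devices/system/cpu/smt/control) "
                          "for cross-thread protection.")
    return MdsPosture("mitigated", status, md_clear, smt_active,
                      "Buffers are cleared on transitions and SMT is off; no further action.")


def assess_live_host() -> Optional[MdsPosture]:
    """Read the real files; None on non-Linux hosts or kernels without the sysfs entries."""
    try:
        with open("/proc/cpuinfo") as f, open(SYSFS_MDS) as m, open(SYSFS_SMT) as s:
            return assess_mds(f.read(), m.read(), s.read())
    except OSError:
        return None


# Constructed sample inputs (not captured from a real machine), trimmed to the relevant lines.
CPUINFO_WITH_MD_CLEAR = ("model name\t: Intel(R) Core(TM) CPU (constructed sample)\n"
                         "flags\t\t: fpu sse2 ht ssbd md_clear flush_l1d\n")
CPUINFO_OLD_MICROCODE = ("model name\t: Intel(R) Core(TM) CPU (constructed sample)\n"
                         "flags\t\t: fpu sse2 ht ssbd flush_l1d\n")

if __name__ == "__main__":
    live = assess_live_host()
    print(live if live else "sysfs MDS reporting not available on this host")
    print(assess_mds(CPUINFO_WITH_MD_CLEAR, "Mitigation: Clear CPU buffers; SMT vulnerable", "1"))
```

On a host with new microcode and a patched kernel the 'mds' file reads "Mitigation: Clear CPU buffers; SMT vulnerable" until SMT is actually turned off, which is exactly the gap the article describes: the VERW clearing closes the kernel/user and VM transitions, but not a sibling thread running at the same time. "Not affected" is what a part that sets MDS_NO reports.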
Sources: Wired, MDS Attacks Test

100 Comments on Yet Another Speculative Malfunction: Intel Reveals New Side-Channel Attack, Advises Disabling Hyper-Threading Below 8th, 9th Gen CPUs

#51
Ibotibo01
(two screenshot attachments: Ekran Alıntısı.PNG, Ekran Alıntısı1.PNG)

I will change to AMD Zen2. I don't rely on Intel anymore.
#52
Xuper
FAQ:

1) How did you test it on all this hardware?

(image: https://mdsattacks.com/images/rack.jpg)

2) How did you find out the sources of the leaks initially?

(image: https://mdsattacks.com/images/patents.jpg)
#53
Jism
Ibotibo01 said:

(two screenshot attachments: Ekran Alıntısı.PNG, Ekran Alıntısı1.PNG)

I will change to AMD Zen2. I don't rely on Intel anymore.
Zen 2 is no holy grail. Here's my 2700X. I have to say that I haven't updated W10 in months since install.
#54
Caring1
I'm still wondering why it's called a Speculative Malfunction, that implies something broke and it no longer works as it previously did, instead of admitting the flaw was already there.
#55
Xuper
Jism said:

Zen 2 is no holy grail. Here's my 2700X. I have to say that i have'nt updated W10 in months since install.
I checked mine and similar to yours.
#56
TheDeeGee
AMD released an official statement, and their CPUs aren't affected.
#57
remixedcat
HD64G said:

And because of another major vulnerability, i7s are becoming i5s. Imho, many servers and data centers will soon change to Zen cpus without 2nd thoughts with all those security problems.
A buncha datacenters announced Epyc systems. Interested in that myself. Wating for a decently priced server with that.
#58
P4-630
The Way It's Meant to be Played
May 14, 2019—KB4494441 (OS Build 17763.503)
Improvements and fixes

This update includes quality improvements. Key changes include:
  • Enables “Retpoline” by default if Spectre Variant 2 (CVE-2017-5715) is enabled. Make sure previous OS protections against the Spectre Variant 2 vulnerability are enabled using the registry settings described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions). For more information about “Retpoline”, see Mitigating Spectre variant 2 with Retpoline on Windows.
  • Provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as Microarchitectural Data Sampling, for 64-Bit (x64) versions of Windows (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions and Windows Server OS editions).
  • Adds "uk.gov" into the HTTP Strict Transport Security Top Level Domains (HSTS TLD) for Internet Explorer and Microsoft Edge.
  • Addresses an issue that may cause “Error 1309” while installing or uninstalling certain types of .msi and .msp files on a virtual drive.
  • Addresses an issue that prevents the Microsoft Visual Studio Simulator from starting.
  • Addresses an issue that may cause zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) to fail.
  • Addresses an issue that causes Simple Network Management Protocol (SNMP) Management Information Base registration to fail when the Windows Management Instrumentation (WMI) provider uses the Windows tool SMI2SMIR.exe.
  • Addresses an issue that may cause the text, layout, or cell size to become narrower or wider than expected in Microsoft Excel when using the MS UI Gothic or MS PGothic fonts.
  • Security updates to Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, Windows App Platform and Frameworks, Windows Graphics, Windows Storage and Filesystems, Windows Cryptography, the Microsoft JET Database Engine, Windows Kernel, Windows Virtualization, and Windows Server.
If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.
For more information about the resolved security vulnerabilities, please refer to the Security Update Guide.



https://support.microsoft.com/en-us/help/4494441/windows-10-update-kb4494441
#59
Ferrum Master
Still pretty OK... :D

(screenshot attachment 123037)
#60
BorgOvermind
natr0n said:

You can disable cpu caching and etc.. in bios.
That will make your i9 a 333MHz celeron updated equivalent.
#61
Mescalamba
natr0n said:

On my Xeon server I disabled all caching/prefetching and gained performance. So no idea where you got that info.
For gaming it was true that HT disabled (and caching) actually gained performance. I think it no longer applies to Win 10, but never actually measured it (might test on FC5 :D).

Caring1 said:

I'm still wondering why it's called a Speculative Malfunction, that implies something broke and it no longer works as it previously did, instead of admitting the flaw was already there.
Because it's based on a prediction mechanism, which gave Intel CPUs that "edge" over AMD. Prediction is sort of speculative, isn't it? :D It's just a guess (naming, not how it works).
#62
Frick
Fishfaced Nincompoop
Assimilator said:

I've long given up on expecting basic editorial standards from TPU.
To be fair no one has editors or proofreaders these days. Or know how to spell "hippothetical".
#63
Captain_Tom
Manu_PT said:

Glad I jumped straight from an i5 4690 to a 9700k which doesn't have HT.
Yeah after all of the constant Security Vulnerabilities... you decided to buy Intel again. What a "smart" decision...
#64
cdawall
where the hell are my stars
Captain_Tom said:

Yeah after all of the constant Security Vulnerabilities... you decided to buy Intel again. What a "smart" decision...
AMD isn't going to be immune to everything; at this point they are just having massive issues with Intel for this. Unfortunately bad press builds more bad press and more reasons for people to hunt for more failures. It is interesting how many of these are being addressed by M$ and as mere software fixes. This begs curiosity that yet the CPU has a vulnerability, but so does the OS. Each and every one of the issues thus far has been a hole in the OS and a hole in the CPU security. Relying on hardware level security for every single threat is an ignorant view of the world; if that was the case software level things like antiviruses shouldn't even exist.
#65
trparky
cdawall said:
AMD isn't going to be immune to everything at this point they are just having massive issues with Intel for this.
Intel's architecture is what? Ten years old? Ten years worth of possible mistakes. Meanwhile AMD has one thing on its side, the Zen architecture is new; they've not had the time to make the same mistakes Intel made.

I've been reading up on this as of late and all of the public relations news that's been released about this all has one thing in common... They're all too afraid to mention the I-word aka Intel. They all say "we will work with affected hardware manufacturers" but they don't say Intel.

If I were a marketing person at AMD I would be putting out ads that read like this... "Buy AMD today. We don't have those vulnerabilities that those other guys have. You know who they are."
#66
londiste
trparky said:
Intel's architecture is what? Ten years old? Ten years worth of possible mistakes. Meanwhile AMD has one thing on its side, the Zen architecture is new; they've not had the time to make the same mistakes Intel made.
It is worth reading the Spectre/Meltdown documents and references to earlier research that led to this. Research into speculative execution issues has been going on for a decade or more. This was not a sudden discovery but a series of small discoveries over many years. Processor parts involved have largely stayed the same throughout the entire Core lifetime. Intel generally has pretty decent detailed documentation of the functionality of most things as well.

It is possible and not that unlikely that AMD while avoiding mistakes currently plaguing Intel has made different mistakes. Finding stuff like this takes years worth of research even in a well-known architecture.
#67
trparky
londiste said:
Processor parts involved have largely stayed the same throughout the entire Core lifetime.
Yeah, and because the architecture is that old all of the skeletons are coming out of the closet. Ten years of the same stuff, ten years of mistakes, ten years of cutting corners all in the name of profit.
londiste said:
It is possible and not that unlikely that AMD while avoiding mistakes currently plaguing Intel has made different mistakes.
Oh, I'm sure that AMD has issues as well but considering that the Zen architecture is newer and based upon more modern ways of thinking fixes might not erode quite so badly into the performance of said chips.
#68
Konceptz
damn...was getting ready to come back to the blue side after 8 years....oh well
#69
MyTechAddiction
You know, at some point (like today) it's getting really difficult to believe these vulnerabilities were true errors and not an intentional design feature.
#70
trparky
MyTechAddiction said:
You know, at some point (like today) it's getting really difficult to believe these vulnerabilities were true errors and not an intentional design feature.
I'm leaning more towards the latter in the sense that Intel knew that it could blow up in their faces but they did it anyways.
#71
RichF
trparky said:

Yeah, and because the architecture is that old all of the skeletons are coming out of the closet. Ten years of the same stuff, ten years of mistakes, ten years of cutting corners all in the name of profit.

Oh, I'm sure that AMD has issues as well but considering that the Zen architecture is newer and based upon more modern ways of thinking fixes might not erode quite so badly into the performance of said chips.
What we actually know is what vulnerabilities Intel and AMD CPUs have right now that have been made public and there are more on the Intel side.

Meltdown, Spoiler, and now these — all Intel exclusives.

Bulldozer is everyone's favorite whipping post so I don't know if we're going to start seeing AMD credited for "more modern ways of thinking" when it designed that CPU, versus the heaps of praise for things like Sandy. Perhaps along with the boneheaded design choices that cost performance AMD made more right choices when it came to security? I am definitely not a fan of the black box inside Zen approach, though.
#72
phanbuey
efikkan said:

As I've mentioned before, we shouldn't be surprised by new attack vectors for these timing attacks; as long as there is an underlying weakness, there is potential for more undiscovered attack vectors.

Still, for desktop users the risk will be very low as long as the malicious software has to be run locally, and for e.g. the Spectre variants it's more a theoretical possibility than something that would be practical for actually stealing useful information.

I would advise against participating in "schadenfreude": just because these specific attack vectors are Intel specific doesn't mean others are not affected by similar problems. We've seen in the past how vulnerabilities from Intel have led to discoveries of similar problems in other designs, not only AMD, but also the huge spectrum of ARM designs in existence. We should not assume they are "invulnerable" to this class of attacks just because we haven't found anything yet; we can't know that with reasonable certainty until they have been carefully vetted. Hopefully the last two years of discoveries will lead to more consciousness about designing for security in hardware, something which seems to have been largely "lacking" until now.

Once again we see both speculative execution and SMT as elements of vulnerabilities. It's important to emphasize that none of these are flawed in principle, but they have certain security implications that people have either ignored or been unaware of. Speculative execution has certain pitfalls by itself, but has magnitudes more once SMT is put into the mix. While it's still possible to actually do this securely, the pitfalls of SMT will only increase with architectural complexity, and the cost of dealing with this does too, and since the performance gains from SMT are diminishing with increasing IPC, SMT should be abandoned sooner rather than later. One interesting side note is that recent rumors of Zen 3 claim support for 4-thread SMT, which would, if true, increase the potential pitfalls even more.

Most, if not all, of these require the attacker to already have access to a machine, and in many cases a whole lot of additional conditions have to apply. Another unrelated example would be the much hyped AMD vulnerability of flashing unsigned BIOSes, which still required root access and/or physical access.
We should never assume a single security measure is impenetrable by itself, and instead build security in layers, where multiple vulnerabilities are required to execute a successful attack. Doing so has been established as good practice for ages, but times are now actually changing for the worse, as companies are moving more and more of their essential infrastructure into the public cloud, where a single vulnerability in either hardware, hypervisor or the cloud management is enough to bypass any security measure. All of a sudden, we have just a single line of defense against the attackers. I'm just hoping this cloud hype dies down before some major incident occurs.
</rant>
This should be added to the article lol.
#73
lemonadesoda
trparky said:

Oh, I'm sure that AMD has issues as well but considering that the Zen architecture is newer and based upon more modern ways of thinking fixes might not erode quite so badly into the performance of said chips.
Speculative!
#74
mcraygsx
trparky said:

I'm leaning more towards the latter in the sense that Intel knew that it could blow up in their faces but they did it anyways.
When you are making a good profit by selling Quad cores to consumers for over a decade, who wouldn't right?
#75
R-T-B
Mescalamba said:


Because it's based on a prediction mechanism, which gave Intel CPUs that "edge" over AMD. Prediction is sort of speculative, isn't it? :D It's just a guess (naming, not how it works).
Speculative execution is utilized in all modern CPUs. This is not Intel's secret "edge" sauce.

RichF said:

I am definitely not a fan of the black box inside Zen approach, though.
Me neither. The only thing I like about Intel ME over AMD PSP is that one beast has been decently reverse engineered; AMD's is more or less a complete black box.

Frick said:

To be fair no one has editors or proofreaders these days. Or know how to spell "hippothetical".
You... are sadly correct. Please let me hate you for it, if only out of principle...