Wednesday, March 11th 2020

Intel Processors Hit with LVI Security Vulnerabilities, Mitigation Hits Performance Hard

A new class of security vulnerabilities affects Intel processors, which can cause them to leak out sensitive information if probed in a certain way, but that's not the worst news for Intel and its users. The software- or firmware-level mitigation for this vulnerability can inflict performance reductions "ranging from 2x to 19x," according to a report by The Register. A full mitigation for the new Load Value Injection (LVI) class of vulnerabilities requires Intel to redesign software compilers. The vulnerability is chronicled under CVE-2020-0551 and Intel-SA-00334. It is not a remote code execution threat; however, it puts multi-tenant machines, such as physical servers handling multiple tenants via virtual servers.

"LVI turns previous data extraction attacks around, like Meltdown, Foreshadow, ZombieLoad, RIDL and Fallout, and defeats all existing mitigations. Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle — "inject" — the attacker's data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim's fingerprints or passwords," the researchers write in the abstract of their paper describing the vulnerability. Anti-virus manufacturer BitDefender independently discovered LVI and shared its study with Intel. The company could publish its findings in February. Additional technical details are found on the group's website here.
Many Thanks to biffzinker for the tip. Source: The Register

91 Comments on Intel Processors Hit with LVI Security Vulnerabilities, Mitigation Hits Performance Hard

#26
thevoiceofreason
Ferrum Master
No they cannot be disabled already for a year+. Those are baked permanently in the kernel.
That's not really true. You can just boot with mitigations=off switch as per kernel-parameters
Also, please refrain from the "security through obscurity" fallacy. https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/exposing-the-fallacies-of-security-by-obscurity-full-disclosure
Nice advertisement. Hint: see who wrote the "article", what is his affiliation, and who publishes the "journal".
Posted on Reply
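Whether mitigations are switched off on a particular Linux host can be checked directly. The script below is an added example, not part of the original thread: it reads the `mitigations=` kernel parameter mentioned above and the kernel's status files under /sys/devices/system/cpu/vulnerabilities. The function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit whether CPU vulnerability mitigations are active on Linux.
# Inputs are arguments so it also works on saved copies of /proc/cmdline and
# /sys/devices/system/cpu/vulnerabilities collected from other hosts.

# Print the effective mitigations= value from a kernel command line.
# "auto" is the kernel default; a later occurrence overrides an earlier one.
mitigations_param() (
    set -f                      # no globbing while word-splitting the cmdline
    val=auto
    for tok in $1; do
        case "$tok" in mitigations=*) val=${tok#mitigations=} ;; esac
    done
    printf '%s\n' "$val"
)

# Print "name: status" for every status file the kernel reports as Vulnerable.
vulnerable_entries() (
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=
        IFS= read -r status < "$f" || [ -n "$status" ] || continue
        case "$status" in
            Vulnerable*) printf '%s: %s\n' "${f##*/}" "$status" ;;
        esac
    done
)

# Exit 0 only if mitigations are not switched off and nothing is Vulnerable.
audit_mitigations() (
    rc=0
    mode=$(mitigations_param "$1")
    [ "$mode" = off ] && { echo "FAIL: booted with mitigations=off"; rc=1; }
    vuln=$(vulnerable_entries "$2")
    [ -n "$vuln" ] && { echo "FAIL: kernel reports unmitigated issues:"; echo "$vuln"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: mitigations=$mode, no entry reports Vulnerable"
    exit "$rc"
)

# Constructed sample data (not captured from a real machine).
demo() (
    d=$(mktemp -d) || exit 2
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Vulnerable; SMT vulnerable\n' > "$d/mds"
    printf 'Not affected\n' > "$d/tsx_async_abort"
    audit_mitigations 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro mitigations=off' "$d" \
        && rc=0 || rc=$?
    rm -rf "$d"
    exit "$rc"
)

demo || true
# Live host: audit_mitigations "$(cat /proc/cmdline)" /sys/devices/system/cpu/vulnerabilities
```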
#27
Dredi
btarunr
I concede to that argument. But those black hats now have a steady stream of ideas with which to build malware and target unpatched machines.
There are a lot easier attack vectors that can be utilized for unpatched systems. For example the OpenSSL vulnerabilities from a year ago. Do you think that should have been left unpatched as well?
Posted on Reply
#28
Ferrum Master
thevoiceofreason
That's not really true.
Few CVEs are hard baked without options to switch off. That kernel.org documentation conflicts with Microsoft published info. Who's telling the truth then?

Posted on Reply
#29
Vya Domus
There is something bewildering about the way these things are made public :



The hell is this supposed to be ?

btarunr
AMD is safer only because its market footprint is too small in the datacenter space
No, AMD is safer, that's the end of it.
Posted on Reply
#30
Ned Flanders
btarunr
AMD is safer only because its market footprint is too small in the datacenter space, most of these side-channel attacks affect datacenters, and you can't hack AMD processors for rich bounties (it's similar to the "Macs don't get viruses" fallacy of the 1990s and 2000s).
@btarunr
What's your opinion on the fact that Meltdown doesn't work on AMD CPUs because the AMD µarch does not (and apparently never did) allow speculative execution across privilege domains (Userspace - Kernelspace)? This doesn't sound to me as a question of market share. If AMD was at 80% marketshare, they would still not allow speculative execution across privilege domains while Intel's µarch does.
Posted on Reply
#31
mtcn77
btarunr
At this point I think the only way Intel can fight these vulnerability discoveries is by killing the bug bounty program, or significantly reducing the bounty. The program has clearly sprung up a cottage industry of security researchers (uni professors and their college grad minions) bruteforcing Intel processors for vulnerabilities that they can write papers on (earn citations), report back to Intel, and claim the cash bounties. The BBP has become a fountainhead of headache for CTOs and CIOs.

AMD is safer only because its market footprint is too small in the datacenter space, most of these side-channel attacks affect datacenters, and you can't hack AMD processors for rich bounties (it's similar to the "Macs don't get viruses" fallacy of the 1990s and 2000s).
Respected editors, can we please get past this AMD bulverism?
AMD is safe because 'meltdown' does not work on the AMD platform. This is not a personal opinion. It just doesn't. I encourage you to find this observation and report as necessary.
Don't skew the argument.
If you read the impact of this, they say somewhere Intel will have to serialize accesses to its ports, effectively turning off speculative execution in some cases.

I cannot even believe this was posted a moment back:
LVI necessitates compiler patches to insert explicit lfence speculation barriers which serialize the processor pipeline after potentially every vulnerable load instruction.
Posted on Reply
#32
Aquinus
Resident Wat-man
How many real exploits (not PoCs,) actually exist that use these vulnerabilities though?

The reality is that a lot of these exploits (not all of them,) are so hard to use that their usefulness is almost non-existent. Spectre is a great example of a vulnerability that is susceptible to academic papers, but not real users. Making a PoC that can sometimes leak tiny amounts of data under the right conditions doesn't amount to a usable vector for attack, particularly if how you exploit it requires you to give away that you're trying to break the system (like putting it under full load.)
Posted on Reply
#33
TheDeeGee
More performance reductions.

My 4770K... I mean Pentium 3 by now is ready!
Posted on Reply
#35
HwGeek
Poor Bulldozer...looks like it didn't get a fair fight back then... looks like soon even the FX 8370 could overtake the 9900K :roll:.
Posted on Reply
#36
fynxer
Starting to think Intel uses these mitigations to slow down old CPUs so we will buy new ones.
Posted on Reply
#37
NukeDukem
Vayra86
I figured it out. CVE actually stands for Corona Virus for Electronics.

It gets the elderly architectures first.
BRUH
Posted on Reply
#38
eidairaman1
The Exiled Airman
Give credit to @biffzinker for posting this news yesterday.
Posted on Reply
#39
GlacierNine
btarunr
I concede to that argument. But those black hats now have a steady stream of ideas with which to build malware and target unpatched machines. We have a steady stream of patches that cost performance.
Attempting to hide security vulnerabilities both downplays the severity of the problem, and also encourages businesses people rely on to safeguard their data, to also ignore the extent of the issue as the public will not hold them sufficiently accountable.

Think of it this way: Which would you rather have? A world where Facebook gets hacked, they say it was an "unexpected and little known vulnerability" and everyone believes them because only Project 0 and Krebsonsecurity ever posted about it?

Or a world where Facebook gets hacked, everyone knows the name of the exploit and Facebook has to cough up a good reason they weren't secured against it from the day the vulnerability was made public because it was on Techradar, Gizmodo and TPU?

also -
it puts multi-tenant machines, such as physical servers handling multiple tenants via virtual servers.
Presumably you accidentally missed out the words "at risk" ?
Posted on Reply
#40
TheinsanegamerN
btarunr
I concede to that argument. But those black hats now have a steady stream of ideas with which to build malware and target unpatched machines. We have a steady stream of patches that cost performance.
Are you really arguing that these exploits being made public knowledge is giving black hats more info than they already have?

Dude, how many times are you going to stick your tongue on the stove before you figure out the stove is hot? Quit with these side arguments that security through obscurity is a good thing. Windows exploits are constantly made public knowledge, and as a result it is harder to get into than the likes of macOS, which hid its exploits for years and as a result is leakier than a rusty sieve.

Despite all those patches "costing" performance, Intel is still on top for gaming performance, and AMD already humiliated them in everything else. Your average end user doesn't notice significant differences from these patches.

btarunr
Name a ransomware that leverages a CPU-level vulnerability. Bonus points for one that leverages a side-channel attack vector.
You can't, because they were patched by Intel thanks to their bounty program making them aware of issues.

Just one swing and a miss after another today, eh?
Posted on Reply
#41
R0H1T
GlacierNine
Think of it this way: Which would you rather have? A world where Facebook gets hacked, they say it was an "unexpected and little known vulnerability" and everyone believes them because only Project 0 and Krebsonsecurity ever posted about it?

Or a world where Facebook gets hacked, everyone knows the name of the exploit and Facebook has to cough up a good reason they weren't secured against it from the day the vulnerability was made public because it was on Techradar, Gizmodo and TPU?
I'd rather FB die the way of the Dodo or Myspace if we're being generous :nutkick:
Posted on Reply
#42
GlacierNine
R0H1T
I'd rather FB die the way of the Dodo or Myspace if we're being generous :nutkick:
Yeah but we're talking about things that might actually happen in the short-medium term. Facebook isn't going anywhere for at least a while.
Posted on Reply
#43
Chomiq
eidairaman1
Give credit to @biffzinker for posting this news yesterday.
He's mentioned in the footer, right above source link.
Posted on Reply
#44
John Naylor
I have seen dozens of announced vulnerabilities for both AMD and Intel CPUs ... what I have never seen is a documented instance of any of these vulnerabilities ever being exploited. So all that's really of note here is fanboi bickering which has as much validity as "Intel is still on top for gaming performance, and AMD already humiliated them in everything else". The definition used for "everything else" is specious.

A PC is a tool ... a tool can only be judged at how well it does its job, so let's define its job.

a) Did you build a PC to run benchmarks and get your name on leader boards?
b) Did you build a PC based upon performance in things that you might do once or a few times a year?
c) Did you build a PC to play games and run applications on a frequent basis?
d) Did you build your PC to run apps you will never use?

Practical people build the boxes based upon c) and c) only ... fanbois squawk about a) and b). Let's look at TPU's test results. There is no "Best CPU" .. only the best CPU for a specific set of applications. Looking at 3900X vs 9900KF


1. Cinebench - a) category ... we have yet to be asked to do a build which maximizes Cinebench performance or had a client who uses it to make a living, it's the medical equivalent of a scalpel in a chiropractic office. We do have lots of folks who use CAD, adding all the PCs in all the offices we've been in, there's perhaps 1 rendering box for every 200 CAD boxes and AutoCAD at $5,000 per seat ($2,00 per year) is not exactly on any significant % of PCs.

Gotta give an easy win to AMD here, but a 0.50 on market significance.

2. Game / Software Development - d) category ... again an easy win here for AMD; Again, not a lot of market significance, as above, teeny user base.

3. Web Related - c) category ... performance is split between red and green camps but with differences of /10th of a second, who cares? Users cannot react quick enough to take advantage of it.

4. Machine Learning / Physics / Brain Simulation - d) category. The size of the market here is completely insignificant, and if the % of users here who run this stuff is more than 0.2% I'd be shocked... Another win for AMD, but not one that will matter to 99+% of the forum audience.

5. Office Suites - Finally a category c) item ... stuff most folks will use frequently enough to matter in a CPU choice. We get a 4% win for Intel in Word, a 1% win for Intel in Powerpoint and a 1% win for AMD in Excel ... the win goes to Intel but the margin is so small as to render it insignificant as "user lag" will make it unnoticeable.

6. Image and Video Editing - Another category c) item and here finally one that matters. A 10% advantage to Intel here in Image Editing and a 4.5% advantage in Video Editing. While not a big thing market share wise, it's over 100 times more significant than machine learning, brain simulation, software development, etc. 1st significant win for either side here. Google OCR is in the test and it's a significant one ... we might use it 3-4 times a year so we use Adobe OCR to do that, as do most of our clients.

7. Virtualization - As we're speaking to desktops not Server functions I'd skip this. Suffice to say Intel gets the win on VM Ware ... AMD gets significant wins in MySQL and Java ... a big reason to go AMD ... if you use them. No relevance if you don't.

8. File Compression / Encryption - A category b) item for most, less and less as time goes by. Big win for AMD on the compression / Big win for Intel on encryption ... Who cares? Not many.

9. Media and Sound recording - Would be a thing for youtubers, musicians and similar sorts, AMD dominates the media / Intel dominates the sound... if those are your thang, pay attention ... if not, like most, ignore.

10. No one argues the gaming so not worth mentioning.

In short, there is no best CPU... there's only best for what you do on your PC. If office suites, gaming, Adobe products or AutoCAD are your thing, Intel is the obvious choice. If doing brain simulation, encoding, rendering, virtualization is your thing, AMD is the obvious choice.... just look at what YOU do and decide accordingly. As to the invulnerabilities... call me when ya ready to publish "Patient O's" story. As of yet, I have not seen any instance of these invulnerabilities being exploited. Until that happens, I'm not paying attention.
Posted on Reply
#45
raptori
I'll be happy if there is a way to avoid fixing these vulnerabilities, I can't afford losing any more performance even if it's a fraction.
Posted on Reply
#46
phanbuey
Also they're not going to ramrod a security patch that drops your performance by 30% -- at that point it will be a toggle or a Windows defender app monitor feature. Just like for phishing sites or malware. It will come down to users having more control. You can easily make sure that only the code you want is running; and let the users let applications in one by one, in addition to a scan of known malware.
Posted on Reply
#47
GreiverBlade
why every time i read ... "Mitigation Hits Performance Hard" i think .... "awwww the improvements Intel implemented to make their CPU's faster turn out to be vulnerabilities, shucks ... who knew ..."
well, can also take it like that, if the CPU was faster with all the vulnerabilities ..: "Intel did take shortcuts in their design to make their CPU faster"
was it on purpose or not ... was it truly vulnerabilities they had no clue about it until some "bug-hunter" found them?

alright, alright, i know AMD has vulnerabilities too (well what... 2? oh ... ) but i think even with mitigations, their performance will keep close to their actual level without them (if they need one ofc)
Posted on Reply
#48
londiste
GreiverBlade
why every time i read ... "Mitigation Hits Performance Hard" i think .... "awwww the improvements Intel implemented to make their CPU's faster turn out to be vulnerabilities, shucks ... who knew ..."
well, can also take it like that, if the CPU was faster with all the vulnerabilities ..: "Intel did take shortcuts in their design to make their CPU faster"
Nope. This idea has been making rounds again and it is simply wrong. These vulnerabilities did not help Intel CPU to be faster. These were not shortcuts but an oversight at some level.

Mitigations are software workarounds to a hardware problem and this makes them really hard on performance. If you look at the performance of Intel's newer revisions of CPUs with issues fixed, the vulnerabilities (at least the known vectors) cannot be exploited any more, software mitigations are not applied and the performance is the same as before.

Edit:
OK, performance is not quite the same as before because Spectre did make some software changes necessary. However, this 3-4% performance hit (based on Phoronix' testing) is universal across all CPUs.

phanbuey
Also they're not going to ramrod a security patch that drops your performance by 30%
They are not. Intel will deploy mitigations for SGX but consider risk of exploiting the vulnerability in other places small enough to not apply general mitigation. There will be some coordination with OS development to minimize the possibility of OS-level gadgets this type of attack could use. Researchers did seem to agree this was reasonable.
Posted on Reply
#49
TheGuruStud
Intel security article: But, but ,AyyyyMDeeeee! Reeeeee!

Take your Intel love affair down a few notches. AMD chose to be safe. Intel chose IPC at all costs. Or they're completely incompetent, it's your pick.
Posted on Reply
#50
KarymidoN
Vya Domus
The hell is this supposed to be ?
Probably just having fun, he released a full video demo later explaining in very technical and accurate data his findings.
Posted on Reply