Friday, August 11th 2023

"Downfall" Intel CPU Vulnerability Can Impact Performance By 50%

Intel has recently revealed a security vulnerability named Downfall (CVE-2022-40982) that impacts multiple generations of Intel processors. The vulnerability is linked to Intel's memory optimization feature, specifically the Gather instruction, which accelerates fetching data from scattered memory locations. The instruction inadvertently exposes internal hardware registers, allowing malicious software to access data held by other programs. The flaw affects Intel mainstream and server processors ranging from the Skylake to Rocket Lake microarchitectures. The entire list of affected CPUs is here. Intel has responded by releasing updated microcode, delivered as a software update, to fix the flaw. However, there's concern over the performance impact of the fix, which could slow AVX2 and AVX-512 workloads involving the Gather instruction by up to 50%.

Phoronix tested the Downfall mitigations and reported varying performance decreases on different processors. For instance, two Xeon Platinum 8380 processors were around 6% slower in certain tests, while the Core i7-1165G7 saw performance degradation ranging from 11% to 39% in specific benchmarks. While these reductions were smaller than Intel's forecasted 50% overhead, they remain significant, especially in High-Performance Computing (HPC) workloads. The ramifications of Downfall are not restricted to specialized tasks like AI or HPC but may extend to more common applications such as video encoding. Though the microcode update is not mandatory and Intel provides an opt-out mechanism, users are left with a difficult choice between security and performance. Executing a Downfall attack may be complex, but the final choice between applying the mitigation and retaining performance will likely vary with individual needs and risk assessments.
Source: Phoronix

162 Comments on "Downfall" Intel CPU Vulnerability Can Impact Performance By 50%

#51
TumbleGeorge
It affects too many generations to seem like a "monthly cycle". It still looks to me like a materialized intention to retire these generations at some moment and force customers to buy newer ones. :(
#52
Patriot
AnotherReader wrote: Downfall also relies on SMT as the attacker should be running on the same core as the victim. These cloud providers should stop running programs from different customers on the same cores.
It's not just a different-customer issue, it's about pivoting from a useless VM of one customer to a more useful VM of the same customer. Being able to pivot across VMs is highly useful for a hacker "going deep" (shrugs)
#53
GreiverBlade
CoD511 wrote: But regardless, I'm not sure if this is an odd thought.. but I can't shake the feeling sometimes that Intel purposely cuts corners to increase performance while increasing security vulnerabilities...
I wrote that since the first vulnerability and first mitigation patch :laugh: "another "improvement" that made Intel the top dog turned out to be a vulnerability?" :laugh:

Well, AMD also has some of their own, of course ... but still ...
#54
ncrs
AnotherReader wrote: Downfall also relies on SMT as the attacker should be running on the same core as the victim.
It does not rely on SMT, since it works with just context switching. Disabling SMT is not a mitigation for this vulnerability. From the paper:
"Disabling SMT, i.e., hyperthreading can partially mitigate GDS and GVI attacks in exchange for losing performance. A computer with hyperthreading is 30% faster than an identical system [7], which makes disabling SMT expensive for customers. Besides, it does not prevent data leaks across context switching."
#55
AusWolf
How does one get the microcode update?
#56
Mussels
Freshwater Moderator
This level of attack is like those early point-and-click adventure games.

You have to take the dog for a walk, find a stick, throw the stick, have the dog get stung by a bee so the dog runs into a lady with an umbrella who throws the umbrella that gets caught in a gust of wind and flies off to impale a pigeon flying nearby that lands on a man's lap, so he throws his briefcase right as he unlocked it and it goes past your eyes so you can get a glimpse of the contents in the reflection of the poop from the pigeon on your shoe.

Or like with ChatGPT, where it wouldn't tell you certain forbidden things, but you could ask it to tell you a story about it while pretending to be your grandmother telling a bedtime story and it bypassed the security check - sometimes you just can't predict these things in advance and fixing them could break a thousand other things, or create even worse vulnerabilities.

So many of these attacks tie into SMT/hyperthreading, makes me wonder if that'll die off with E/C cores now.
#57
ncrs
AusWolf wrote: How does one get the microcode update?
You have two choices: BIOS update from the motherboard vendor or operating system support:
#58
mkdr
Why no benchmarks for AMD Ryzen so far?
#59
freeagent
mkdr wrote: Why no benchmarks for AMD Ryzen so far?
Because this post is about Intel. Not AMD.
#60
AusWolf
Mussels wrote: This level of attack is like those early point-and-click adventure games.

You have to take the dog for a walk, find a stick, throw the stick, have the dog get stung by a bee so the dog runs into a lady with an umbrella who throws the umbrella that gets caught in a gust of wind and flies off to impale a pigeon flying nearby that lands on a man's lap, so he throws his briefcase right as he unlocked it and it goes past your eyes so you can get a glimpse of the contents in the reflection of the poop from the pigeon on your shoe.

Or like with ChatGPT, where it wouldn't tell you certain forbidden things, but you could ask it to tell you a story about it while pretending to be your grandmother telling a bedtime story and it bypassed the security check - sometimes you just can't predict these things in advance and fixing them could break a thousand other things, or create even worse vulnerabilities.

So many of these attacks tie into SMT/hyperthreading, makes me wonder if that'll die off with E/C cores now.
It makes me wonder if these vulnerabilities really deserve the attention they get. I mean, sure, someone could potentially hack your PC by doing the point-and-click steps you described, but why would they?

This news is way more important for businesses than for us, imo.
#61
R0H1T
There are probably a lot more vulnerabilities which aren't going to be reported, some baked in by you know who! Patching them would probably be just as easy (or hard) as Smeltdown but they won't get the press we need mostly because of vested interests. Yeah looking at you NSA o_O
#62
lexluthermiester
MarsM4N wrote: They could bigly reduce such "unforeseen consequences" with proper QA. ;)
I presume you're being silly.
AusWolf wrote: How does one get the microcode update?
Don't worry about it. I've been studying this. It's another one of those "It's possible but so difficult to pull off in the wild that the common user will never encounter it" kinds of things. Businesses and Corps need to worry about this. The general populace does not.

And before anyone says it, there will not be any JS based exploits one can load in a browser page. It's detailed in the description:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982
"Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access."
Admin/Root access is required in addition to local (direct physical) access to the system in question. Remote exploitation is not possible without direct user action and interaction.
R0H1T wrote: There are probably a lot more vulnerabilities which aren't going to be reported, some baked in by you know who! Patching them would probably be just as easy (or hard) as Smeltdown but they won't get the press we need mostly because of vested interests. Yeah looking at you NSA o_O
Oh please with that tin-hat nonsense...
#63
mkdr
lexluthermiester wrote: Don't worry about it. I've been studying this. It's another one of those "It's possible but so difficult to pull off in the wild that the common user will never encounter it" kinds of things.
What do you mean with that? Everyone will get the mitigation microcode updates over time, forced by Windows and Linux updates. So you should not worry about your PC becoming super slow? I'm not worried about security, I'm worried only about performance.
#64
lexluthermiester
mkdr wrote: What do you mean with that? Everyone will get the mitigation microcode updates over time, forced by Windows and Linux updates. So you should not worry about your PC becoming super slow? I'm not worried about security, I'm worried only about performance.
No. What I'm saying is that, like all the other "patches", you can quite safely skip it, block it, remove it, whatever and not actually affect the safety and security of your PC.

Put another way, this is very nearly nothing-sauce. The user does NOT need to worry about it.
#65
mkdr
lexluthermiester wrote: safely skip it, block it, remove it
You can't.
#66
Ferrum Master
mkdr wrote: What do you mean with that? Everyone will get the mitigation microcode updates over time, forced by Windows and Linux updates. So you should not worry about your PC becoming super slow? I'm not worried about security, I'm worried only about performance.
You cannot disable them all in Windows; it is baked into the kernel. You will not have a choice.

Don't care? Use Linux. Add mitigations=off in GRUB and run it like in 2010.
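The two posts above give the practical answer for Linux users: the microcode arrives through a BIOS update or the operating system, and a boot parameter turns the mitigation off again. As an added example that is not code from the thread, Intel or Phoronix, the following POSIX shell script reads the kernel's own status report for this bug and tells you which of those situations a machine is in. It assumes a Linux kernel that exposes the gather_data_sampling entry under /sys/devices/system/cpu/vulnerabilities (6.5 or a stable backport); the function names classify_gds, microcode_revision and report, and the /proc/cpuinfo sample, are my own constructions.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the Linux kernel's status for
# Downfall, which the kernel calls Gather Data Sampling (GDS).
GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling
# Status strings the kernel can print there:
#   "Not affected", "Vulnerable", "Vulnerable: No microcode",
#   "Mitigation: AVX disabled, no microcode", "Mitigation: Microcode",
#   "Mitigation: Microcode (locked)", "Unknown: Dependent on hypervisor status"
# The boot parameter gather_data_sampling=off disables only this mitigation
# (mitigations=off disables all of them); the status then reads "Vulnerable".

# classify_gds STATUS_STRING -> one word describing the state
classify_gds() {
    case "$1" in
        "Not affected"*)             echo "not-affected" ;;
        "Mitigation: Microcode"*)    echo "patched" ;;          # microcode fix loaded
        "Mitigation: AVX disabled"*) echo "avx-disabled" ;;     # kernel fallback when no microcode
        "Vulnerable: No microcode"*) echo "needs-microcode" ;;  # BIOS/OS microcode update missing
        "Vulnerable"*)               echo "unpatched" ;;        # mitigation switched off at boot
        *)                           echo "unknown" ;;          # e.g. a VM that hides host state
    esac
}

# microcode_revision CPUINFO_TEXT -> value of the first 'microcode' field
microcode_revision() {
    printf '%s\n' "$1" | awk -F': *' '$1 ~ /^microcode/ { print $2; exit }'
}

# report STATUS_STRING -> one-line verdict; exit status 0 when nothing needs doing
report() {
    verdict=$(classify_gds "$1")
    case "$verdict" in
        not-affected|patched|avx-disabled)
            echo "GDS: $1 -> $verdict (no action needed)"; return 0 ;;
        needs-microcode)
            echo "GDS: $1 -> $verdict (install the BIOS or OS microcode update)"; return 1 ;;
        *)
            echo "GDS: $1 -> $verdict (check boot parameters or the hypervisor)"; return 1 ;;
    esac
}

# Constructed /proc/cpuinfo excerpt (real files use tabs; the revision is made up).
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
model name : Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
microcode : 0xf0
processor : 1
microcode : 0xf0'

if [ -r "$GDS_SYSFS" ]; then
    report "$(cat "$GDS_SYSFS")" || true
    [ -r /proc/cpuinfo ] && echo "microcode revision: $(microcode_revision "$(cat /proc/cpuinfo)")"
else
    echo "$GDS_SYSFS not present (older kernel or non-Linux); using constructed samples:"
    for s in "Mitigation: Microcode (locked)" "Vulnerable: No microcode" "Vulnerable"; do
        report "$s" || true
    done
    echo "microcode revision (constructed sample): $(microcode_revision "$SAMPLE_CPUINFO")"
fi
```

Run it as a normal user; the sysfs entry is world-readable. "Vulnerable" after a BIOS update usually means the mitigation was disabled on the kernel command line rather than that the microcode is missing, which is the case the "Vulnerable: No microcode" string is reserved for.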
#67
lexluthermiester
mkdr wrote: You can't.
Yes, you can.
Ferrum Master wrote: You cannot disable them all in Windows; it is baked into the kernel. You will not have a choice.
Totally not true.

But I'm not getting into this silly debate/argument.
#68
mkdr
lexluthermiester wrote: Yes, you can.
The mCode will be included in the next AGESA / Intel BIOS update, ERGO you are forced to install it if you want the next updates too, as simple as that. You can't block mCode updates under Windows easily, you need to delete DLL files in the system folder which is just BAD BAD BAD, and Windows will replace them next boot. The registry mitigation toggles are not for every mitigation, just most of them, and also you don't know YET if the mitigations for Downfall and Inception will also get a toggle under Windows like Spectre and Meltdown.
#69
AusWolf
mkdr wrote: The mCode will be included in the next AGESA / Intel BIOS update, ERGO you are forced to install it if you want the next updates too, as simple as that. You can't block mCode updates under Windows easily, you need to delete DLL files in the system folder which is just BAD BAD BAD, and Windows will replace them next boot. The registry mitigation toggles are not for every mitigation, just most of them, and also you don't know YET if the mitigations for Downfall and Inception will also get a toggle under Windows like Spectre and Meltdown.
That begs the question: do you really need the next BIOS update?
#70
lexluthermiester
mkdr wrote: The mCode will be included in the next AGESA / Intel BIOS update
Perhaps.
mkdr wrote: ERGO you are forced to install it if you want the next updates too, as simple as that.
You really don't understand how things really work, do you? That's ok. You carry on..
#71
ncrs
lexluthermiester wrote: And before anyone says it, there will not be any JS based exploits one can load in a browser page. It's detailed in the description:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982
"Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access."
Please don't spread disinformation. In CVSS v3 and newer, Attack Vector: Local does not mean what you think it means.

From the CVSS v3.1 specification:
Local (L): The vulnerable component is not bound to the network stack and the attacker's path is via read/write/execute capabilities. Either:
  • the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or
  • the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)

This means that making a user visit a compromised website is also considered "local". So potentially this vulnerability could be exploited "remotely" via a web browser.
lexluthermiester wrote: Admin/Root access is required in addition to local (direct physical) access to the system in question. Remote exploitation is not possible without direct user action and interaction.
That's not true. In CVSS v3 and newer, a direct physical requirement is denoted by AV:P - Physical.
Please read the actual paper as well. It clearly states that the exploit works from non-admin accounts:
"Discovered vulnerability: The observed data leak confirms a critical vulnerability that is exploitable from user space."
#72
lexluthermiester
AusWolf wrote: That begs the question: do you really need the next BIOS update?
There's an old saying: if it's not broken, don't fix it...
Mussels wrote: This level of attack is like those early point-and-click adventure games.

You have to take the dog for a walk, find a stick, throw the stick, have the dog get stung by a bee so the dog runs into a lady with an umbrella who throws the umbrella that gets caught in a gust of wind and flies off to impale a pigeon flying nearby that lands on a man's lap, so he throws his briefcase right as he unlocked it and it goes past your eyes so you can get a glimpse of the contents in the reflection of the poop from the pigeon on your shoe.
THIS!
#73
mkdr
AusWolf wrote: do you really need the next BIOS update?
Yes I need them. AMD AGESA updates are needed, as shown in the last years. Every single AGESA update was a big "yes you need it" update. For Intel, not really.
#74
lexluthermiester
mkdr wrote: Every single AGESA update was a big "yes you need it" update.
No they are not. And if you really believe that, I have a bridge in Brooklyn NYC I'd like to sell you...
#75
Denver
ncrs wrote: Please don't spread disinformation. In CVSS v3 and newer, Attack Vector: Local does not mean what you think it means.

From the CVSS v3.1 specification:
Local (L): The vulnerable component is not bound to the network stack and the attacker's path is via read/write/execute capabilities. Either:
  • the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or
  • the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)

This means that making a user visit a compromised website is also considered "local". So potentially this vulnerability could be exploited "remotely" via a web browser.

That's not true. In CVSS v3 and newer, a direct physical requirement is denoted by AV:P - Physical.
Please read the actual paper as well. It clearly states that the exploit works from non-admin accounts:
So do you think it is possible to get these local admin privileges through JS code in the browser? Could you show how? Just for curiosity.