
CacheOut is the Latest Speculative Execution Attack for Intel Processors

If I had to guess at the possibility of Intel knowing these exploits existed and they made the conscious decision to ignore the risk for some performance.... 99% sure they knew and just didn't and don't care.

Honestly, I don't suspect they did. In having been employed in both sectors (development and security), engineers don't always have the thought process of the 'other side'. Additionally, these were largely a new class of vulnerabilities that might not have even been conceptualized when Intel was creating the initial architecture. I surmise that initial architecture has not changed much over the last two decades considering how far back some of these exploits work. Also, considering that some of them work on AMD as well, it seems to be an inherent risk in specific algorithms or components (i.e., speculative execution) to some extent.
 
99% sure they knew and just didn't and don't care.
I'm not buying that. Such would mean that every maker of ICs that has ever had a vulnerability had a high probability of knowing of such and just not caring. Not only would that be extremely irresponsible, but it would also be highly libelous. No legal team is going to let such fly.

None of these vulnerabilities are intentional. Hackers are hackers and they will always find new ways to do weird things with technology that the makers never intended or even dreamed of.

In general, sitting in front of the box or SSH is no different.
It is on a Kernel level.
 
Such would mean that every maker of ICs that has ever had a vulnerability had a high probability of knowing of such and just not caring.

A little overzealous but, essentially, yeah. Most vulnerabilities are vulnerabilities because the repercussions were not known in advance. Most companies don't like repercussions.

None of these vulnerabilities are intentional. Hackers are hackers and they will always find new ways to do weird things with technology that the makers never intended or even dreamed of

Which to me is the beauty of it.
 
Still reading the paper but:
- They do seem to mount an attack from unprivileged users.
- HT helps the attack but it works without HT as well.
- They recommend turning off TSX as that is effective against CacheOut.

Edit:
OK, it seems that TAA is an integral step in CacheOut, so they are attacking a different target but still using TAA to get the data out. Makes sense that disabling TSX would work against this.

Spot on what I am getting out of this as well. Good summary.

So even on Linux, you have to be at the system in question.

or have a simple ssh login, which is common as hell in linux land. Windows users wouldn't care much though. And you can mitigate this by just turning off tsx, which most security minded folks and nearly all windows installs have already done.

It is on a Kernel level.

What? No, they are both just terminal shells. The kernel doesn't know or care that's just a userland process. I mean yeah, the kernel can shut down the network to mitigate this, I guess, but that's about all the kernel has to do with this...

Mind you, same end result. This isn't much of a big deal. Nothing really uses TSX anymore anyways... Meaning the performance impact will be like, nothing.
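
The TSX point made in the posts above can be checked on a Linux host. This is an added example, not code from the thread or from the CacheOut paper: it reads the `rtm`/`hle` flags in `/proc/cpuinfo` and the kernel's `tsx_async_abort` sysfs line, and the function names and sample inputs are constructed for illustration.

```python
import re
from pathlib import Path

CPUINFO = Path("/proc/cpuinfo")
TAA = Path("/sys/devices/system/cpu/vulnerabilities/tsx_async_abort")

# Constructed sample inputs (not captured from a real machine).
SAMPLE_TSX_ON = "processor\t: 0\nflags\t\t: fpu sse2 avx2 hle rtm smep\n"
SAMPLE_TSX_OFF = "processor\t: 0\nflags\t\t: fpu sse2 avx2 smep\n"

def tsx_flags(cpuinfo_text):
    """Return the TSX feature flags (rtm, hle) listed in /proc/cpuinfo text."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return ({"rtm", "hle"} & set(m.group(1).split())) if m else set()

def assess(cpuinfo_text, taa_status):
    """Return (level, reason); taa_status is the sysfs line, or None if absent."""
    flags = tsx_flags(cpuinfo_text)
    status = (taa_status or "").strip()
    if not flags:
        return ("ok", "no TSX flags exposed to userland")
    if status.startswith("Mitigation: TSX disabled"):
        return ("ok", "kernel reports TSX disabled")
    if not status:
        return ("unknown", "TSX present, kernel has no TAA reporting")
    if status.startswith("Vulnerable"):
        return ("action", f"TSX present ({sorted(flags)}), kernel says: {status}")
    # "Not affected" or "Mitigation: Clear CPU buffers...": TSX is still usable.
    return ("review", f"TSX still enabled ({sorted(flags)}), kernel says: {status}")

def read_or_none(path):
    """Read a file, returning None when it does not exist or is unreadable."""
    try:
        return path.read_text()
    except OSError:
        return None

if __name__ == "__main__":
    # Fall back to the constructed sample when not running on Linux.
    cpuinfo = read_or_none(CPUINFO) or SAMPLE_TSX_ON
    print(assess(cpuinfo, read_or_none(TAA)))
```

A result of `review` means the kernel is clearing CPU buffers or considers the part unaffected by TAA while TSX itself remains usable; booting with the kernel parameter `tsx=off` is the setting that removes the flags.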
 
I'm not sure if anyone has mentioned this already, but a fairly good portion of the reason why intel's architecture appears to be 'full of holes' is because exploiters/researchers are:

A) Targeting Intel: Whilst Zen is a fantastic arch, and will be more popular going forward, Intel's marketshare is significantly larger. It makes more sense because more machines are affected so the fix is arguably more important to prioritise Intel.

B) Intel has an active 'bug bounty' program that rewards researchers with cash (afaik) if they find flaws in Intel's silicon.

I'm not a huge Intel fan, but the way I see it is; a CPU architecture is a hugely complex piece of micro-scale engineering, nothing created by human beings can ever be perfect, but we can come close.

It is highly likely there are flaws in Zen1/+ and maybe Zen2, they just have yet to be found (if they ever will - who knows). Until AMD has 50%+ marketshare and everyone starts trying to break open Zen, we don't really know if this is just a huge engineering fail from Intel. IMHO, I think Intel might have sacrificed security in some areas for performance, looking at some of the vulnerabilities, it seems so.

Going forward, they should use this to make their future architecture more secure.

It's not quite fair to say "Well, AMD isn't affected by these issues, so their arch is better", While there is some truth to this in the current vulnerabilities, it would be prudent to understand that researchers are most likely actively trying to break Skylake: it's been on the market for ages (lol) and is a well known, established design. In 5 years when Zen (hopefully) establishes itself in the same way, I guess we will see if AMD made better choices.
 
It is on a Kernel level.

And do tell what that has to do with anything?

or have a simple ssh login

Which means it could be done remotely, even though it would likely be more complicated than, say, social engineering. So saying it can't be done remotely is simply not true. Likeliness notwithstanding.
 
Can't say I'm a fanboy but owning an Intel ID(ont)GAF.

The overwhelming majority of these don't really affect most home users in the first place (and then most are elevated access, no?). I guess some would call it perspective...

Nice crack at flamebait, though...
so.. he was "flamebaiting" here..

you know the saying right? "haters gonna hate" :roll:
but you are being the king of objectivity here.. seems legit, in some universe..

as for intel and the way they do business, anyone can read their history, it's online after all. companies exist to make money, nothing more nothing less, and they will use literally anything and anyone in order to reach that green goal. so, either intel engineers are morons, extremely unlikely, or they knew the problems of their arch from the beginning but they calculated the risks and benefits and went with the vulnerabilities because it gave them an advantage. after all, all the vulnerabilities that have been discovered affect the vast majority of users very little, just like using 4 cores for almost a decade affected the vast majority of users very little. :) oh, and btw, amd would do the same thing if they were in intel's position. human "nature" is the problem, not the name of the company.
 
Dunno if it was mentioned but there was another flaw discovered shortly before this one: This one affected Intel's iGPU and its performance impact is quite severe, though it's directed @ the GPU portion of the CPU, so those laptops that don't have a discrete GPU ... those are gonna be hit HARD ...

The good news is that this doesn't affect newer CPUs as hard as older ones. so there's that ...

 
I'm not sure if anyone has mentioned this already, but a fairly good portion of the reason why intel's architecture appears to be 'full of holes' is because exploiters/researchers are:

A) Targeting Intel: Whilst Zen is a fantastic arch, and will be more popular going forward, Intel's marketshare is significantly larger. It makes more sense because more machines are affected so the fix is arguably more important to prioritise Intel.

B) Intel has an active 'bug bounty' program that rewards researchers with cash (afaik) if they find flaws in Intel's silicon.

I'm not a huge Intel fan, but the way I see it is; a CPU architecture is a hugely complex piece of micro-scale engineering, nothing created by human beings can ever be perfect, but we can come close.

It is highly likely there are flaws in Zen1/+ and maybe Zen2, they just have yet to be found (if they ever will - who knows). Until AMD has 50%+ marketshare and everyone starts trying to break open Zen, we don't really know if this is just a huge engineering fail from Intel. IMHO, I think Intel might have sacrificed security in some areas for performance, looking at some of the vulnerabilities, it seems so.

Going forward, they should use this to make their future architecture more secure.

It's not quite fair to say "Well, AMD isn't affected by these issues, so their arch is better", While there is some truth to this in the current vulnerabilities, it would be prudent to understand that researchers are most likely actively trying to break Skylake: it's been on the market for ages (lol) and is a well known, established design. In 5 years when Zen (hopefully) establishes itself in the same way, I guess we will see if AMD made better choices.

I've said it before but no one seems to care. If someone is going to make a fanboyish claim facts aren't going to stop them anyways, so I stopped trying.

Dunno if it was mentioned but there was another flaw discovered shortly before this one: This one affected Intel's iGPU and its performance impact is quite severe, though it's directed @ the GPU portion of the CPU, so those laptops that don't have a discrete GPU ... those are gonna be hit HARD ...

The good news is that this doesn't affect newer CPUs as hard as older ones. so there's that ...


50% performance hit to the IGPU in linux... noice!

Which means it could be done remotely, even though it would likely be more complicated than, say, social engineering. So saying it can't be done remotely is simply not true. Likeliness notwithstanding.

I've been over that with him before. He seems to consider anything that isn't able to worm its way in automagically ala that old SMB stack exploit "not remotely."

It's an interesting take on the terms, but I don't argue them anymore.
 
Dunno if it was mentioned but there was another flaw discovered shortly before this one: This one affected Intel's iGPU and its performance impact is quite severe, though it's directed @ the GPU portion of the CPU, so those laptops that don't have a discrete GPU ... those are gonna be hit HARD ...

The good news is that this doesn't affect newer CPUs as hard as older ones. so there's that ...


Ouch.

That said, I won't be applying any of the patches to my laptop. I'm boring.

I've been over that with him before. He seems to consider anything that isn't able to worm its way in automagically ala that old SMB stack exploit "not remotely."

I mean, it really can be pretty automagic. Even through the browser, if it happens to be the delivery method for the shell script that phones home the activation via dns.

It's an interesting take on the terms, but I don't argue them anymore.

Come now. It is good mental exercise.
 
Dunno if it was mentioned but there was another flaw discovered shortly before this one: This one affected Intel's iGPU and its performance impact is quite severe, though it's directed @ the GPU portion of the CPU, so those laptops that don't have a discrete GPU ... those are gonna be hit HARD ...

The good news is that this doesn't affect newer CPUs as hard as older ones. so there's that ...

Damn! :eek::fear:
 
I mean hey, we are watching our tax dollars at work arguing about "my definition is my definition" lol Think of it as job training.

I mean, really, just like all the other exploits only matter if: you are extremely interesting, a government, a defense contractor, data center, or iaas company. So the fact this sparks such a debate is kinda funny.
 
Any CPU vendor designs a big portion of the CPU using automated resources, and a part of it is done manually. I think intel relied too much on the automated part, now that left and right exploits and all that coming around. There's no recall being done because that would be very bad PR, instead it's choosing to fix it using a microcode update that's inserted upon every (re)boot of the system, and a side effect is the performance being hurt.

For a consumer; these exploits don't mean a lot. I mean you could still happy game on and nothing really would happen. But for enterprise markets, i.e. hiring out VPS servers or cloud solutions, this is where it could get dangerous, as I could rent / hire a part of a server, and start nuking it apart with exploits all over the place, able to obtain data that normally would be secured in the first place.

There's a solution to turn off HT, there's microcode updates and all that, but if you have a huge farm of intel based CPUs, you're not going to see 1 to 5% performance decrease, but more like in 20 up to 40% of your capable compute power. Even I/O is being affected by this stuff. I really hope AMD doesn't contain so many exploits and their security thing inside the CPU is really solid as it looks by now.
 
I mean, really, just like all the other exploits only matter if: you are extremely interesting, a government, a defense contractor, data center, or iaas company. So the fact this sparks such a debate is kinda funny.

That increases your value as a target sure. However, this is the information age man... everyone is worth something. The thresholds are all over the place and it really isn't that simple.
 
99% sure they knew and just didn't and don't care.
Extremely unlikely. Most of these recent vulnerabilities are not difficult to fix. It takes a long time due to both testing/validation and production cycles but the fix itself is not difficult (by logic design standards, at least). If they knew about the vulnerabilities, fixes would have been added in the next generation of CPUs.

Companies tend to really not like liabilities.
 
Extremely unlikely. Most of these recent vulnerabilities are not difficult to fix. It takes a long time due to both testing/validation and production cycles but the fix itself is not difficult (by logic design standards, at least). If they knew about the vulnerabilities, fixes would have been added in the next generation of CPUs.

Companies tend to really not like liabilities.
This is exactly correct. No company wants to be liable for damages, not to mention the damage it does to their reputation. These kinds of vulnerabilities are just that, vulnerabilities. They are not mistakes, they are accidental nothing more.
 
I'm not buying that. Such would mean that every maker of ICs that has ever had a vulnerability had a high probability of knowing of such and just not caring. Not only would that be extremely irresponsible, but it would also be highly libelous. No legal team is going to let such fly.

None of these vulnerabilities are intentional. Hackers are hackers and they will always find new ways to do weird things with technology that the makers never intended or even dreamed of.


It is on a Kernel level.


How much does Intel spend on R&D again compared to secure AMD products that now match and exceed their performance?

So if AMD can do it with a tenth the budget does that make them awesome or Intel that shitty?
 
Companies tend to really not like liabilities.
Well they get away with it, the vast majority of the times so I would say no ~ they do so (shady stuff) constantly especially considering the risk vs reward.
Heck Intel's done that more than once, so has Nvidia!
 
So if AMD can do it with a tenth the budget does that make them awesome or Intel that shitty?

It makes them the little elephant in the security scene.
 