News Posts matching #Spectre

Return to Keyword Browsing

Intel's STORM Presents SAPM Paper on Hardware-Based Protection Against Side-Channel Execution Flaws

Intel's STrategic Offensive Research & Mitigations (STORM) department, which the company set up back in 2017 when it learned of side-channel attack vulnerabilities in its CPUs, have penned a paper detailing a proposed solution to the problem. Intel's offensive security research team counts with around 60 workers who focus on proactive security testing and in-depth investigations. Of that group, STORM is a subset of around 12 individuals who specifically work on prototyping exploits to show their practical impact. The solution proposed by this group is essentially a new memory-based hardware fix, going by the name of SAPM (Speculative-Access Protected Memory). The new solution would implement a resistant hardware fix in the CPU's memory that essentially includes blocks for known speculative-access hacks, such as the ones that hit Intel CPUs hard such as Meltdown, Foreshadow, MDS, SpectreRSB and Spoiler.

For now, the proposed solution is only at a "theory and possible implementation options" level. It will take a long time for it to find its way inside working Intel CPUs - if it ever does, really, since for now, it's just a speculative solution. A multitude of tests have to be done in order for its implementation to be approved and finally etched into good old silicon. Intel's STORM says that the SAPM approach would carry a performance hit; however, the group also calculates it to be "potentially lesser" than the current impact of all released software mitigations. Since the solution doesn't address every discovered side-channel attack specifically, but addresses the type of back-end operations that concern these attacks, the team is confident this solution would harden Intel CPUs against (most of) both known and not-yet-known speculative execution hacks.

AMD Zen 2 has Hardware Mitigation for Spectre V4

AMD in its technical brief revealed that its Zen 2 microarchitecture has hardware mitigation against the Spectre V4 speculative store bypass vulnerability. The current generation "Zen" and "Zen+" microarchitectures have OS-level mitigation. A hardware mitigation typically has less of a performance overhead than a software mitigation deployed at the OS or firmware level. In addition, just like older generations of "Zen," the new "Zen 2" microarchitecture is inherently immune to Meltdown, Foreshadow, Spectre V3a, Lazy FPU, Spoiler, and the recently discovered MDS vulnerability. In comparison, the 9th generation Core "Coffee Lake Refresh" processors still rely on software or microcode-level mitigation for Spectre V4, Spectre V3a, MDS, and RIDL.

Intel Releases ModernFW as Open Source, minimal Firmware Replacement

Today Intel announced ModernFW - an experimental approach to building a minimum viable platform firmware for machines such as cloud server platforms. The reason for this software is that, while traditional PC Firmware has evolved over time and retained its backward compatibility, it has become very big and often inefficient.

So to meet the requirements of new platforms that need to be built quickly and adapted easily, Intel decided to offer a new software package that will help with that. The new firmware package targets x86_64 from ISA standpoint and Linux kernel based OSes.

Intel to Refresh its LGA2066 HEDT Platform This Summer?

Intel is rumored to refresh its high-end desktop (HEDT) platforms this Summer with new products based on the "Cascade Lake" microarchitecture. Intel now has two HEDT platforms, LGA2066 and LGA3647. The new "Cascade Lake-X" silicon will target the LGA2066 platform, and could see the light of the day by June, on the sidelines of Computex 2019. A higher core-count model with 6-channel memory, will be launched for the LGA3647 socket as early as April. So if you've very recently fronted $3,000 on a Xeon W-3175X, here's a bucket of remorse. Both chips will be built on existing 14 nm process, and will bring innovations such as Optane Persistent Memory support, Intel Deep Learning Boost (DLBOOST) extensions with VNNI instruction-set, and hardware mitigation against more variants of "Meltdown" and "Spectre."

Elsewhere in the industry, and sticking with Intel, we've known since November 2018 of the existence of "Comet Lake," which is a 10-core silicon for the LGA1151 platform, and which is yet another "Skylake" derivative built on existing 14 nm process. This chip is real, and will be Intel's last line of defense against AMD's first 7 nm "Zen 2" socket AM4 processors, with core-counts of 12-16.

Windows 10 1H-2019 Update to Reduce Performance Impact of Spectre V2 Mitigations

Microsoft is working to reduce the performance impact of "Spectre" V2 security vulnerability software mitigation with its next major update to Windows 10. The major update that's scheduled for the first half of 2019, will feature the "Retpoline" mitigation enabled on the operating system's kernel by default. Retpoline will be enabled in addition something Microsoft's OS kernel developer Mehmet Iyigun calls "import optimization." Together, the two reduce the impact of Spectre V2 software mitigation to "noise-level" (i.e. that which can be discounted for random variation, or minimal).

MIT Researches Find a New Way to Fix Spectre and Meltdown, Isolation Is Key

The Meltdown and Spectre vulnerabilities have been a real nightmare throughout this year. Those affected were quick (maybe too much) to mitigate the problems with different solutions, but months later even the most recent Intel chips aren't completely safe. Hardware fixes only work for certain Meltdown variants, while the rest are still mitigated with firmware and OS updates that have certain impact on performance.

Intel will have to redesign certain features on their future processors to finally forget Meltdown and Spectre, but meanwhile others have jumped to give some options. MIT researchers have developed a way to partition and isolate memory caches with 'protection domains'. Unlike Intel's Cache Allocation Technology (CAT), MIT's technology, called DAWG (Dynamically Allocated Way Guard) disallows hits across those protection domains. This is important, because attackers targeting this vulnerabilities take advantage of 'cache timing attacks' and can get access to sensible, private data.

Intel Fixes Spectre & Meltdown on New Desktop Processors, Core-X Will Have to Wait

The new 9th generation Intel Core processors arrived yesterday with a series of improvements made to entice gamers and content creators. These improvements, however, join others that go beyond pure performance. Intel has introduced several architectural changes to fix the infamous Spectre & Meltdown vulnerabilities, and the new processors mitigate most of the variants of these attacks through a combination of hardware, firmware and OS fixes.

The big changes come to two of the six variants of those vulnerabilities. In both "Rogue Data Cache Load" (Meltdown, variant 3) and "L1 Terminal Fault" (Meltdown, Variant 5) vulnerabilities these new processors have hardware fixes that are new and not present on the rest of the current portfolio of Intel chips. This includes the new Xeon W-3175X (Core-X Skylake-X Refresh), which still depend on firmware fixes to mitigate those problems.

Intel Explains Key Difference Between "Coffee Lake" and "Whiskey Lake"

Intel "Whiskey Lake" CPU microarchitecture recently made its debut with "Whiskey Lake-U," an SoC designed for Ultrabooks and 2-in-1 laptops. Since it's the 4th refinement of Intel's 2015 "Skylake" architecture, we wondered what set a "Whiskey Lake" core apart from "Coffee Lake." Silicon fabrication node seemed like the first place to start, with rumors of a "14 nm+++" node for this architecture, which should help it feed up to 8 cores better in a compact LGA115x MSDT environment. Turns out, the process hasn't changed, and that "Whiskey Lake" is being built on the same 14 nm++ node as "Coffee Lake."

In a statement to AnandTech, Intel explained that the key difference between "Whiskey Lake" and "Coffee Lake" is silicon-level hardening against "Meltdown" variants 3 and 5. This isn't just a software-level mitigation part of the microcode, but a hardware fix that reduces the performance impact of the mitigation, compared to a software fix implemented via patched microcode. "Cascade Lake" will pack the most important hardware-level fixes, including "Spectre" variant 2 (aka branch target injection). Software-level fixes reduce performance by 3-10 percent, but a hardware-level fix is expected to impact performance "a lot less."

Intel Updates Microcode License Deleting "No-Benchmarks" Clause

A huge controversy erupted earlier this week as the license governing Intel's latest CPU microcode updates redistribution inserted a legally-binding clause that gagged its customers from publishing benchmarks or comparative testing that showed the performance impact of microcode updates that mitigate security vulnerabilities in Intel processors. Intel has since started reaching out to media sites. "We are updating the license now to address this and will have a new version available soon. As an active member of the open source community, we continue to welcome all feedback," the opening remarks from the Intel spokesperson read. Not long after, Intel updated the license terms to have just three conditions:
Redistribution and use in binary form, without modification, are permitted, provided that the following conditions are met:
  • Redistributions must reproduce the above copyright notice and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Neither the name of Intel Corporation nor the names of its suppliers may be used to endorse or promote products derived from this software without specific prior written permission.
  • No reverse engineering, decompilation, or disassembly of this software is permitted.
"Binary form" includes any format that is commonly used for electronic conveyance that is a reversible, bit-exact translation of binary representation to ASCII or ISO text, for example "uuencode."

Insidious New "NetSpectre" Vulnerability Can Be Exploited Over Network

The "Spectre" family of vulnerability, an exploitation of the speculative execution features of modern processors (mostly Intel), was scary enough. Up until now, running malware that implements Spectre needed one to run the program on a local machine. Running it remotely was limited to well-crafted JavaScript executed on the victim's machine, or cloud hosts made to process infected files. This is about to change. Security researchers from Graz University of Technology, including one of the discoverers of the "Meltdown" vulnerability, Daniel Gruss; have discovered NetSpectre, a fully network-based exploit that can let attackers read the memory of a remote machine without executing any program on that machine.

NetSpectre works by deriving bits and bytes from the memory based on measurements of the time the processor to succeed or recover from failure in speculative execution. As a processor is executing code, it speculates what the next instruction or data is, and stores their outcomes beforehand. A successful "guess" is rewarded with tangible performance benefits, while an unsuccessful guess is penalized with having to repeat the step. By measuring the precise time it takes for the processor to perform either (respond to success or failure in speculative execution), the contents of the memory can be inferred.

Custom BIOSes Harden Intel X58 Motherboards Against Meltdown and Spectre

Legendary soft-modder Regeneration released a vast collection of motherboard BIOS updates for socket LGA1366 motherboards based on Intel X58 Express chipset, because motherboard manufacturers have abandoned the 10-year old platform (yeah, it's been a decade since "Nehalem"!). The BIOSes have been made by transplanting the latest micro-code updates by Intel, which run all the way back to the 1st generation Core micro-architecture.

These are unofficial BIOSes which you use at your own risk, but they've been made by a person with more than two decades of fanfare in the PC enthusiast community, famous for unofficial, performance-enhancing NGO VGA drivers from his now defunct blog NGOHQ.com. Find the links to the BIOS of your X58 motherboard in this thread on TechPowerUp Forums (hosted externally).

Intel Z370 Chipset Motherboards Get 8-core CPU Compatibility BIOS Updates

A variety of motherboards based on Intel Z370 Express chipset began receiving the first BIOS updates that add compatibility with upcoming Intel 8-core processors. The updates are flagged "beta" by the manufacturers. Given that only Z370 (and not other 300-series chipset models) have such updates, it's possible that Intel could restrict the first socket LGA1151 8-core processor SKUs (which could be unlocked "K" variants with higher TDP) to Z370 chipset, as the chipset has stronger VRM requirements than other chipset models that don't support CPU overclocking.

To support the upcoming processors, the BIOS needs to include the latest 06EC microcode revision. Various motherboard manufacturers, such as ASUS, ASRock, and MSI, have released beta BIOS updates with this microcode, as confirmed in AMI Aptio inspection tool screenshots. The 06EC microcode, detailed in this slide-deck from Intel, hardens the machine against newer variants of the "Spectre" vulnerability. Older revisions of this document also mentioned support for Intel Core "9000 series" processors, before Intel scampered to redact it.

New "Spectre" Variant Hits Intel CPUs, Company Promises Quarterly Microcode Updates

A new variant of the "Spectre" CPU vulnerability was discovered affecting Intel processors, by security researchers Vladimir Kiriansky and Carl Waldspurger, who are eligible to bag a USD $100,000 bounty by Intel, inviting researchers to sniff out vulnerabilities from its processors. This discovery, chronicled under CVE-2018-3693, is among 12 new CVEs Intel will publish later this week. The company is also expected to announce quarterly CPU microcode updates to allay fears of its enterprise customers.

The new vulnerability, like most other "Spectre" variants, targets the speculative execution engine of the processor, in a bounds-check bypass store attack. A malicious program already running on the affected machine can alter function pointers and return addresses in the speculative execution engine, thereby redirecting the flow of data out of protected memory address-spaces, making it visible to malware. This data could be anything, including cryptographic keys, passwords, and other sensitive information, according to "The Register." Intel chronicled this vulnerability in section 2.2.1 of its revised speculative execution side-channel attacks whitepaper. You can also catch a more detailed whitepaper from the researchers themselves.

Intel Releases "Spectre" Hardening Microcode Updates for "Ivy Bridge" thru "Westmere" Architectures

Intel today released the latest round of CPU micro-code updates for its processors, which expand support for Intel processor microarchitectures ranging all the way back to 1st generation Core "Westmere," and "Lynnfield," and including "Sandy Bridge" and "Ivy Bridge" along the way, at various stages of roll-out (beta, pre-production, and production). This update probably features hardening against "Spectre" variant 4, and perhaps even RSRR (rogue system register read) variant 3A, chronicled in CVE-2018-3640.

OpenBSD Turns Off Hyper-Threading to Combat Intel CPU Security Issues

Lead developer for OpenBSD Mark Kettenis has announced that OpenBSD will no longer enable Hyper-Threading on Intel processors by default. This move is intended to mitigate security exploits from the Spectre ecosystem as well as TLB and cache timing attacks, because important processor resources are no longer shared between threads. Their suspicion is that some of the unreleased (or yet unknown) attacks can be stopped using this approach.

This move is supported by the fact that most newer motherboards no longer provide an option to disable Hyper-Threading via BIOS. OpenBSD users who still want to use Hyper-Threading can manually enable support for it using the sysctl hw.smt. The developers are also looking into expanding this feature to other CPUs from other vendors, should they be affected, too.

ASUS Begins Rolling Out 9-series Chipset Spectre/Meltdown Hardening BIOS Updates

ASUS has silently began rolling out motherboard BIOS updates for its Intel 9-series chipset motherboards, which provide hardening against "Meltdown" and "Spectre" vulnerabilities, through a CPU microcode update. Intel, if you'll recall, released microcode updates for "Haswell" and "Broadwell" processors this March, but you were at the mercy of your motherboard manufacturer to pass them on to you. The BIOS updates pack the latest version 24 microcode for 4th generation "Haswell" and 5th generation "Broadwell" processors in the LGA1150 package.

A small catch here, is that the BIOS updates are marked "beta" by ASUS, because the understanding is that all 9-series motherboards sold through 2014-15 are EOL, and have probably lapsed warranty coverage, so the company is limiting its liabilities in case BIOS updates fail, or if the platform still ends up "vulnerable" somehow. The latest version of InSpectre confirms that the latest BIOS for the Z97-A, one of the more popular motherboards by ASUS based on the Z97 Express chipset, passes hardening against Meltdown and Spectre, coupled with Windows 10 April 2018 Update. You should find the latest BIOS updates in the "Support" tab of the product page of your motherboard on ASUS website. Here's hoping other motherboard manufacturers love their customers as much.

AMD Announces Steps, Resources for Spectre Mitigations

AMD today announced, via a security blog post penned by their own Mark Papermaster, that they're beginning deployment of mitigations and resources for AMD processors affected by the Spectre exploits. In the blog post, AMD reiterates how exploits based on version 1 of Spectre exploits (GPZ 1 - Google Project Zero Flaw 1) have already been covered by AMD's partners. At the same time, AMD reiterates how their processors are invulnerable to Meltdown exploits (GPZ3), and explains how mitigations for GPZ2 (Spectre) will occur.

These mitigations require a combination of processor microcode updates from OEM and motherboard partners, as well as running the current and fully up-to-date version of Windows. For Linux users, AMD-recommended mitigations for GPZ Variant 2 were made available to Linux partners and have been released to distribution earlier this year.

Intel Stops Development, Deployment of Spectre Microcode Update for Several CPU Families

Intel on their latest Microcode Revision Guidance Guide has apparently stopped development of mitigations for some of its processor families that still haven't been updated to combat the threat of Spectre. The odyssey for the return to form of security on Intel products has been a steep, and a slow one, as the company has struggled to deploy mitigations for speculative code execution on its processor families that run it. Updates for some families of products, however - such as Penryn, Wolfdale, Bloomfield and Yorkfield, among others - are apparently not going to get an update at all.

Microsoft Rolling Out New "Speculative Execution" Bug Bounty Program

In a blog post, Microsoft has announced that it has decided to take the matter of finding critical bugs of similar nature to the Spectre/Meltdown flaws into its own hands - at least partially. Adding to its bug bounty programs, the company has now announced that a new pot of up to $250,000 is up for grabs until at least December 31st of this year.

The new bug bounty program is divided into four different severity/compensation tiers, with tier 1 flaws (New categories of speculative execution attacks) granting up to $250,000 in rewards for the "coordinated disclosure" of such vulnerabilities. The idea here is Microsoft is employing the knowledge and will of the capable masses that might find ways of exploiting vulnerabilities, and would choose to disclose them to Microsoft - getting the prize money, helping the tech industry in providing a timely, coordinated defense against these exploits, and saving vast amounts of funding (and time), by not having to do the bug bounty themselves.

CTS Labs Sent AMD and Other Companies a Research Package with Proof-of-Concept Code

CTS Labs, the Israel-based IT security research company behind Tuesday's explosive AMD Ryzen security vulnerabilities report, responded to questions posed by TechPowerUp. One of the biggest of these, which is also on the minds of skeptics, is the ominous lack of proof-of-concept code or binaries being part of their initial public report (in contrast to the Meltdown/Spectre reports that went into technical details about the exploit). CTS Labs stated to TechPowerUp that it has sent AMD, along with other big tech companies a "complete research package," which includes "full technical write-ups about the vulnerabilities," "functional proof-of-concept exploit code," and "instructions on how to reproduce each vulnerability." It stated that besides AMD, the research package was sent to Microsoft, HP, Dell, Symantec, FireEye, and Cisco Systems, to help them develop patches and mitigation.

An unwritten yet generally accepted practice in the IT security industry upon discovery of such vulnerabilities, is for researchers to give companies in question at least 90 days to design a software patch, harden infrastructure, or implement other mitigation. 90 days is in stark contrast to the 24 hours AMD got from CTS Labs. CTS Labs confirmed to TechPowerUp that it indeed shared its research package with AMD (and the other companies) just 24 hours prior to making its report public, but urged those disgruntled with this decision to look at the situation objectively. "If you look at the situation in the following way: right now the public knows about the vulnerabilities and their implications, AMD is fully informed and developing patches, and major security companies are also informed and working on mitigation."

Microsoft Pushes New Software-Based Spectre, Meltdown Mitigation Patches

The Spectre/Meltdown road is long and pocked with lawsuits and security holes as it is, and Microsoft is one of the players that's trying to put the asphalt back to tip-top, Autobahn-worth shape. The company has already improved users' security to the Meltdown and Spectre exploits on its OS side; however, hardware patches, and specifically BIOS-editing ones are much harder to deploy and distribute by the PC chain. That may be one of the reasons why Microsoft is now again stepping up with software-based mitigations for Intel-based systems, specifically.

The new updates introduce a software-based CPU microcode revision update, and work at the OS-level to plug some security holes on your Intel processors that might otherwise remain unpatched. The reasons for them remaining unpatched can be many: either Intel taking even more time to deploy patches to the still vulnerable systems; your OEMs not deploying the Intel CPU microcode revisions via a BIOS update; or the good old "I forgot I could do it" user story. Of course, being software based means these Microsoft patches will have to be reapplied should users format their Windows system. The update can for now only be manually downloaded and installed, and can only be applied to version 1709 (Fall Creators Update) and Windows Server version 1709 (Server Core), but that's definitely better than the alternative of forcing less knowledgeable users to try and find their way through BIOS updates. Of course, that is assuming OEMs will ever push BIOS updates to their products.

Intel Finally Ready With Security Microcode Updates for Broadwell, Haswell

Via updated documents on its Microcode Revision guide, Intel has revealed that they have finally developed and started deploying microcode security updates for their Broadwell and Haswell-based microprocessors. The microcode update comes after a flurry of nearly platform-specific updates that aimed to mitigate known vulnerabilities in Intel's CPUs to the exploits known as Spectre and Meltdown.

While that's good news, Intel's patching odyssey still isn't over, by any means. According to Intel's documentation, the Spectre fixes for Sandy Bridge and Ivy Bridge are still in beta and are being tested by hardware partners, so that's two other architectures that still remain vulnerable. Of course, this discussion of who's vulnerable and isn't really can't be reduced to which architectures Intel has released its updates to. Users have to remember that the trickle-down process from Intel's patch validation and distribution through manufacturers to end users' systems is a morose one, and is also partially in the hands of sometimes not too tech-savy users. Time will tell if these flaws will have any major impact in some users or businesses.

SEC Warns Tech Execs Not to Trade Stock When Investigating Security Flaws

The United States Securities and Exchange Commission (SEC) came down hard on silicon valley executives trading company stock when their companies were investigating security or design flaws that could potentially bring down stock value; as something like that borders on insider-trading, a felony under US law. This comes in the wake of senior executives of credit rating company Equifax, and chipmaker Intel, dumping company stock while their companies were investigating security flaws in their products or services. Intel CEO Brian Kraznich raised quite a stink when reports emerged that he sold $39 million worth Intel stock while the company was investigating the Meltdown and Spectre vulnerabilities in its processors (which hadn't been made public while he dumped the stock).

The SEC has come up with a far-reaching new guideline to keep tech execs from exhibiting similar borderline-insider-trading behavior. "Directors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company," the new guideline reads. "There is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve," said SEC Chairman Jay Clayton. "I have asked the Division of Corporation Finance to continue to carefully monitor cybersecurity disclosures as part of their selective filing reviews. We will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed."

Updated Firmware Available for 6th, 7th and 8th Generation Intel Core Processors

Intel today shared in a blog post that they are deploying microcode solutions that have been developed and validated over the last several weeks. These updates aim to patch security vulnerabilities recently found in Intel processors, and will be distributed, mostly, via OEM firmware updates - users who want to have their system hardened against Spectre and Meltdown exploits will have to ensure that their system manufacturer of choice makes these microcode updates available. If they don't do it in a timely fashion, users have no choice but to be vocal about that issue - Intel has now done its part in this matter.

This is the second wave of Intel's patches to mitigate the Spectre and Meltdown vulnerabilities, after the first, hasty patch sent users on towards unstable, crashing systems and the inevitable update rollback. Security had already been reinstated, of sorts, for Intel's Skylake processors, but left users of any other affected Intel CPU family out in the cold. Here's hoping this is the one update that actually sticks after thorough testing and validation.

Intel Expands Bug Bounty Program in Wake Of Spectre, Meltdown Flaws

(Editor's Note: This move by Intel aims to expand their bug-bounty program to specifically include side-channel attacks, such as those that can be leverage on the Spectre and Meltdown exploits. The company is also increasing the rewards it will give the researchers who find new flaws, a move that aims to employ the masses' knowledge and ingenuity to try and reach the hard-earned bonus at the end of the vulnerability - all while saving Intel much more money than it's paying to bug hunters.)

At Intel, we believe that working with security researchers is a crucial part of identifying and mitigating potential security issues in our products. Similar to other companies, one of the ways we've made this part of our operating model is through a bug bounty program. The Intel Bug Bounty Program was launched in March 2017 to incentivize security researchers to collaborate with us to find and report potential vulnerabilities. This, in turn, helps us strengthen the security of our products, while also enabling a responsible and coordinated disclosure process.
Return to Keyword Browsing