
New Intel vulnerability: SPOILER

Soldato
Joined
13 Jun 2009
Posts
6,847
Affects all Intel "Core" CPUs going back to Nehalem. Sources:

The Register article
TechRadar article
The original paper

Paper said:
Spoiler is not a Spectre attack. The root cause for Spoiler is a weakness in the address speculation of Intel’s proprietary implementation of the memory subsystem which directly leaks timing behavior due to physical address conflicts. Existing spectre mitigations would therefore not interfere with Spoiler.

TechRadar said:
And worryingly, the researchers believe that not only is Spoiler unaffected by any existing countermeasures for the likes of Spectre, but that it can’t be easily mitigated against without, in their words, “significant redesign work at the silicon level”.

The Register said:
Moghimi doubts Intel has a viable response. "My personal opinion is that when it comes to the memory subsystem, it's very hard to make any changes and it's not something you can patch easily with a microcode without losing tremendous performance," he said.

It should be noted that although these articles state that ARM and AMD CPUs seem unaffected, the paper indicates that the only AMD architecture tested was Bulldozer, so it may affect Ryzen also. I assume this'll be confirmed over the coming weeks.
 
Soldato
OP
Joined
13 Jun 2009
Posts
6,847
"so it may affect Ryzen also" looks at title lol. Almost Daily Mail. :D
How so? The authors of the paper suggest it doesn't affect AMD or ARM architectures, I am just being a bit more cautious after reading through parts of the paper. Ostensibly it is an Intel flaw, unless further information arises.

Mega oof, why is this all coming out now?
Cyber security has become a much bigger focus in both academia and national security institutions around the world over the past half-decade or so. The more you probe, the more you'll find I suppose. AMD has an advantage simply because their architecture is newer and thus they probably treated security more seriously when designing it. Back when Nehalem was being designed I doubt security was as high on Intel's agenda as it would be now, and because today's architectures are still based on it anything affecting Nehalem will probably affect everything up to Coffee Lake Refresh.
 
Caporegime
Joined
1 Jun 2006
Posts
33,518
Location
Notts
Will you edit the title to say it affects AMD at a later date? It's a scare thread, yet it is clearly pointed at Intel only, yet you don't even know if it affects AMD.
 
Soldato
OP
Joined
13 Jun 2009
Posts
6,847
Will you edit the title to say it affects AMD at a later date?
Anyone can ask a mod to change it if it happens.

It's a scare thread, yet it is clearly pointed at Intel only, yet you don't even know if it affects AMD.
It's "pointed at Intel" (whatever that means) because it has been demonstrated on a dozen variants of Intel CPUs. If someone found a bug in Windows would you prefer the headline be "Bug found in OSs" because Linux hadn't been tested? Give it a rest.
 
Man of Honour
Joined
13 Oct 2006
Posts
91,292
It should be noted that although these articles state that ARM and AMD CPUs seem unaffected, the paper indicates that the only AMD architecture tested was Bulldozer, so it may affect Ryzen also. I assume this'll be confirmed over the coming weeks.

Pretty much all CPUs with an implementation of speculative load, etc. are affected to some degree by memory disambiguation problems - I believe Zen is patchable at a software level, per application, at a performance penalty while older AMD CPUs are less affected but also part of why they don't perform that great for some tasks in the first place.

As long as it can be mitigated within a web browser or similar internet-facing application where a remote site can execute certain types of commands at will, the vulnerability for home users is pretty much non-existent, which should be possible at software level, and stuff like JavaScript is already slow enough that the performance impact isn't much of an issue. Like with other vulnerabilities of this nature, for the average home user, as long as you have the appropriate browser patches, if something is taking advantage of this kind of vulnerability you have bigger security issues to worry about.

For server, etc. type usage these kinds of problems are becoming a potential nightmare.
 
Soldato
Joined
18 Oct 2002
Posts
14,181
Location
West Midlands
At least my old Core Duo laptop is safe!

Another massive blow to Intel CPUs in the server space. How many more of these have been found but not yet reported? Intel were told about this in December; I'd have expected a response from them prior to this being released by the publisher of the exploit.
 
Man of Honour
Joined
13 Oct 2006
Posts
91,292
At least my old Core Duo laptop is safe!

Another massive blow to Intel CPUs in the server space. How many more of these have been found but not yet reported? Intel were told about this in December; I'd have expected a response from them prior to this being released by the publisher of the exploit.

Intel will have to go back to making Q6600s :p
 
Man of Honour
Joined
13 Oct 2006
Posts
91,292
I wonder exactly how many corners were cut to give Intel a 15% IPC lead

I'm not sure it is so much cutting corners - maybe a certain underestimating how far some people would go to try and exploit stuff like this but a lot of the problem is just how long these architectures have existed for.

You see it with other hardware as well - for instance routers that for the first few years were considered pretty secure but after they've been out for a decade or so suddenly there is a flood of vulnerabilities found for the chipset used.
 
Soldato
OP
Joined
13 Jun 2009
Posts
6,847
I'm not sure it is so much cutting corners - maybe a certain underestimating how far some people would go to try and exploit stuff like this but a lot of the problem is just how long these architectures have existed for.

You see it with other hardware as well - for instance routers that for the first few years were considered pretty secure but after they've been out for a decade or so suddenly there is a flood of vulnerabilities found for the chipset used.
Indeed, pretty much anything connected to the internet these days is getting more vulnerable by the year.
 
Caporegime
Joined
18 Oct 2002
Posts
39,365
Location
Ireland
It's "pointed at Intel" (whatever that means) because it has been demonstrated on a dozen variants of Intel CPUs. If someone found a bug in Windows would you prefer the headline be "Bug found in OSs" because Linux hadn't been tested? Give it a rest.

Just DG defending his beloved intel, as always.
 
Caporegime
Joined
17 Mar 2012
Posts
47,741
Location
ARC-L1, Stanton System
I already explained this in the OP: they only tested Bulldozer.

It's very odd that they tested all Core series Intel CPUs but only Bulldozer from AMD.

Having said that, I have a suspicion they never will test Zen. I have read the original PDF; this exploit is part of the same Spectre speculative memory execution insecurity, something that was also found to be true for AMD's Bulldozer architecture but not Zen. It may explain why they tested Bulldozer but not Zen.
 
Man of Honour
Joined
30 Oct 2003
Posts
13,261
Location
Essex
Yay more patches and performance regression for my Intel server estate and the potential of loads more work organising patching again. Can't wait to replace this Intel junk this year. From an Intel house to actively avoiding Intel kit within 18 months, they are doing a cracking job at killing their name in the server space.
 