• Competitor rules

    Please remember that any mention of competitors, hinting at competitors or offering to provide details of competitors will result in an account suspension. The full rules can be found under the 'Terms and Rules' link in the bottom right corner of your screen. Just don't mention competitors in any way, shape or form and you'll be OK.

Another Intel CPU vulnerability

voidshatter said:
It doesn't change the fact that OpenBSD disabled SMT by default since 6.4.
Click to expand...

  • Because Simultaneous MultiThreading (SMT) uses core resources in a shared and unsafe manner
This is a blanket statement, they have removed all SMT as a precaution, only intel CPU have been seen to have the vulnerability at this time. i would think there is a lot of testing going on.
Google as disable MultiThreading in chrome for both AMD and Intel, because of vulnerability found in intel CPU's

  • Google is releasing an update to Chrome OS 74 disabling Hyper-Threading, Intel's implementation of symmetric multithreading (SMT), following the public disclosure of the Microarchitectural Data Sampling (MDS) vulnerability class, including attacks such as Fallout and Zombieload
 
MaXxBoulton said:
  • Because Simultaneous MultiThreading (SMT) uses core resources in a shared and unsafe manner
This is a blanket statement, they have removed all SMT as a precaution, only intel CPU have been seen to have the vulnerability at this time. i would think there is a lot of testing going on.
Google as disable MultiThreading in chrome for both AMD and Intel, because of vulnerability found in intel CPU's

  • Google is releasing an update to Chrome OS 74 disabling Hyper-Threading, Intel's implementation of symmetric multithreading (SMT), following the public disclosure of the Microarchitectural Data Sampling (MDS) vulnerability class, including attacks such as Fallout and Zombieload
Click to expand...

Something that probably should have been done from the start and I believe is possible to implement is whitelisting so only approved applications can access resources in a way that their threads can existing alongside other domains on the same core.
 
MaXxBoulton said:
Google as disable MultiThreading in chrome for both AMD and Intel, because of vulnerability found in intel CPU's
Click to expand...

My observation is that they (OpenBSD, Google etc) don't really trust AMD Ryzen to be completely immune to these vulnerabilities and future exploits in the same class, otherwise they would have chosen to whitelist Ryzen by default.
 
voidshatter said:
My observation is that they (OpenBSD, Google etc) don't really trust AMD Ryzen to be completely immune to these vulnerabilities and future exploits in the same class, otherwise they would have chosen to whitelist Ryzen by default.
Click to expand...

testing will be ongoing but there as be no report yet that AMD is affected, in fact AMD said there NOT affected.
 
darael said:
The last time my Asus ROG Strix H270F Gaming motherboard saw a BIOS update was v1205, 25/05/2018 - exactly a year ago. :(
Click to expand...
Yeah unfortunately if you want to actually be secured in good time you have to learn how to inject microcode into BIOS files. Hopefully the industry learns from what Google eventually did with Android. Initially it was up to manufacturers to provide updates, which included security fixes. Once they realised that manufacturers were useless at doing so in a timely manner (Samsung often being a YEAR behind) and were abandoning devices within 2-3 years, they decided to provide security updates themselves. They are agnostic to device manufacturer and separate from the main OS updates. AMD and Intel basically need to work with Microsoft and the Linux foundation to implement a similar method of updating CPU microcode without the motherboard manufacturers getting involved, if they want to take these security issues seriously.
 
MaXxBoulton said:
testing will be ongoing but there as be no report yet that AMD is affected, in fact AMD said there NOT affected.
Click to expand...
Wikipedia is not a proper source for quotes but whatever these are, to some extents they aren't fully immune to some of those ****.
AMD originally acknowledged vulnerability to one of the Spectre variants (GPZ variant 1), but stated that vulnerability to another (GPZ variant 2) had not been demonstrated on AMD processors, claiming it posed a "near zero risk of exploitation" due to differences in AMD architecture. In an update nine days later, AMD said that "GPZ Variant 2…is applicable to AMD processors" and defined upcoming steps to mitigate the threat. Several sources took AMD's news of the vulnerability to GPZ variant 2 as a change from AMD's prior claim, though AMD maintained that their position had not changed.[60][61][62]
Click to expand...
Zen 2 is planned to include hardware mitigations to the Spectre security vulnerability.[7]
Click to expand...
 
Yes, AMD was vulnerable to one or two of the original three Spectre/Meltdown vulnerabilities. In terms of raw numbers, HT is a lot more vulnerable than SMT right now.
 
Is Fallout something new? I've lost track of all these flaws now:

"Recently, out-of-order execution, an important performance optimization in modern high-end processors, has been revealed to pose a significant security threat, allowing information leaks across security domains. In particular, the Meltdown attack leaks information from the operating system kernel to user space, completely eroding the security of the system. To address this and similar attacks, without incurring the performance costs of software countermeasures, Intel includes hardware-based defenses in its recent Coffee Lake R processors.
In this work, we show that the recent hardware defenses are not sufficient. Specifically, we present Fallout, a new transient execution attack that leaks information from a previously unexplored microarchitectural component called the store buffer. We show how unprivileged user processes can exploit Fallout to reconstruct privileged information recently written by the kernel. We further show how Fallout can be used to bypass kernel address space randomization. Finally, we identify and explore microcode assists as a hitherto ignored cause of transient execution.
Fallout affects all processor generations we have tested. However, we notice a worrying regression, where the newer Coffee Lake R processors are more vulnerable to Fallout than older generations."

https://arxiv.org/abs/1905.12701

https://www.bleepingcomputer.com/ne...fallout-attacks-impact-all-modern-intel-cpus/
 
For my msi z270 I raised a support ticket and they have sent me a beta version of latest bios with mds amendments. Gonna apply this, turn back on ht and just get on with living my life dammit.
 
As an i7 8700K owner the only place I've seen any performance loss is a 3.5% loss in the CPU-Z benchmark. Annoying but not worth losing sleep over as a home user.
 
Sweetloaf said:
As an i7 8700K owner the only place I've seen any performance loss is a 3.5% loss in the CPU-Z benchmark. Annoying but not worth losing sleep over as a home user.
Click to expand...

if you don't disable HT i don't see how there would be a performance loss? and even if you did its a 6c i still don't think you would have problems
 
MaXxBoulton said:
if you don't disable HT i don't see how there would be a performance loss? and even if you did its a 6c i still don't think you would have problems
Click to expand...

There have been repeated performance losses since Spectre and Meltdown were announced, especially in relation to speculative/prediction and side channel attack mitigations. It's 'only 3% here' and 'only 4% there', but they add up. These performance sapping patches come in the form of microcode updates, IME updates, BIOS updates and OS patches. That's quite separate from the HT/SMT issue.
 
You must log in or register to reply here.
Back
Top Bottom