Friday, January 5th 2018
Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown
By the time Intel launched its 8th generation Core "Coffee Lake" desktop processor family (September 25, 2017, with October 5 availability), the company was fully aware that the product it is releasing was vulnerable to the three vulnerabilities plaguing its processors today, the two more publicized of which, are "Spectre" and "Meltdown." Google Project Zero teams published their findings on three key vulnerabilities, Spectre (CVE-2017-5753 and CVE-2017-5715); and Meltdown (CVE-2017-5754) in mid-2017, shared with hardware manufacturers under embargo; well before Intel launched "Coffee Lake." Their findings were made public on January 3, 2018.
Intel's engineers would have had sufficient time to understand the severity of the vulnerability, as "Coffee Lake" is essentially the same micro-architecture as "Kaby Lake" and "Skylake." As one security researcher puts it, this could affect Intel's liability when 8th generation Core processor customers decide on a class-action lawsuit. As if that wasn't worse, "Skylake" and later micro-architectures could require micro-code updates in addition to OS kernel patches to work around the vulnerabilities. The three micro-architectures are expected to face a performance-hit, despite Intel extracting colorful statements from its main cloud-computing customers that performance isn't affected "in the real-world." The company was also well aware of Spectre and Meltdown before its CEO dumped $22 million in company stock and options (while investors and the SEC were unaware of the vulnerabilities).
Intel's engineers would have had sufficient time to understand the severity of the vulnerability, as "Coffee Lake" is essentially the same micro-architecture as "Kaby Lake" and "Skylake." As one security researcher puts it, this could affect Intel's liability when 8th generation Core processor customers decide on a class-action lawsuit. As if that wasn't worse, "Skylake" and later micro-architectures could require micro-code updates in addition to OS kernel patches to work around the vulnerabilities. The three micro-architectures are expected to face a performance-hit, despite Intel extracting colorful statements from its main cloud-computing customers that performance isn't affected "in the real-world." The company was also well aware of Spectre and Meltdown before its CEO dumped $22 million in company stock and options (while investors and the SEC were unaware of the vulnerabilities).
111 Comments on Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown
You all have to keep in mind that if someone finds a leak in your CPU architecture, there is no realistic way to adjust that on a hardware design level anyway, any fix like that is one or two years ahead of us at best. The fact they found this in June, only months before CFLs release, is proof of that in itself. Yes, they knew it was in there, and yes, they were already testing and finding fixes for Meltdown back then. I think its safe to say that we won't see a hardware adjustment until Ice Lake, or beyond.
Communicating leaks before you have solutions is possibly much worse than announcing them days prior to a fix. The entire industry works with that premise, its really telling that people here think otherwise - its a clear sign you have no clue of how this industry functions. While not the best layer of security, Security by Obscurity still is a layer of defense, and it was utilized here.
On the other side of the fence, even AMD releases their CPUs with knowledge of Spectre's existence, and even after official announcements were to be found on Intel's website, AMD's website did not contain a SINGLE TRACE of Spectre's existence. This is a strategy, too, and it shows in everything AMD has put out regarding this issue: they want to silence the issue ASAP, they are making it 'small and inconsequential' if you read their PR. I'll leave it up to each individual to decide what's better...
The bottom line remains: both Intel and AMD had this knowledge around the same time, and the decision to keep this quiet until now has been a unanimous one across ALL related companies. Any alternative decision is much more damaging: to end users, to the industry, to the overall level of trust in every PC we use, and all of the data we handle.
There real thing with Meltdown and Spectre is this, there are no villains in this matter. Not one manufacturer in their right mind would engineer such a pervasive problem into their products. And the fact that Spectre affects every CPU in existence for the past 25+ years, regardless of architecture, is evidence enough that it was not foreseen and has caught everyone almost equally off-guard. Laying blame at anyone is a waste of time and effort because we'd have to blame everyone equally. Even old games systems like the Playstation and N64 are vulnerable. So let's all stop the blame game, focus on the details of the problems and solving it, shall we?
Because of the way these vulnerabilities work, they take advantage of a very useful set of functions within CPU's that help them work faster and more efficiently. Engineering that out of CPU's is going to take us back at least a decade, performance-wise, and even more than that for some forms of software. Instead, it might be better to find a way to isolate those functions from direct high-level software access, which would mitigate the problems without removing them.
Asus 1203
The NDA was over on the 9th and if it wasn't for an AMD linux patch leading to the general public disclosure of this. It would still be hush, hush. We wouldn't know how this would have played it out and how Intel would react or have treated it.
In case anyone missed Microsoft's post :
cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/?ranMID=24542&ranEAID=nOD/rLJHOac&ranSiteID=nOD_rLJHOac-0BvaqQnfhAKWeHcm0ft.mA&tduid=(9a91604a36bf2e42a2f74b67007e4bbd)(256380)(2459594)(nOD_rLJHOac-0BvaqQnfhAKWeHcm0ft.mA)()
Techspot's benchmark:
www.techspot.com/article/1556-meltdown-and-spectre-cpu-performance-windows/
The only set of benchmarks that stand out as anything more than "statistical margin of error" is the storage benchmarks. And based on the rumblings coming out of variously locations, those performance problems will likely have a fix soon.
enjoying my new i7 8700k build.
I guess when I get hit in the head by a piece of falling sky, I'll know to panic. But until then...I think I'll go play some BF1.