Wednesday, July 11th 2018
New "Spectre" Variant Hits Intel CPUs, Company Promises Quarterly Microcode Updates
Security researchers Vladimir Kiriansky and Carl Waldspurger have discovered a new variant of the "Spectre" CPU vulnerability affecting Intel processors. The two are eligible for a USD $100,000 bounty from Intel, which invites researchers to sniff out vulnerabilities in its processors. This discovery, chronicled under CVE-2018-3693, is among 12 new CVEs Intel will publish later this week. The company is also expected to announce quarterly CPU microcode updates to allay the fears of its enterprise customers.
The new vulnerability, like most other "Spectre" variants, targets the speculative execution engine of the processor, in a bounds-check bypass store attack. A malicious program already running on the affected machine can alter function pointers and return addresses in the speculative execution engine, thereby redirecting the flow of data out of protected memory address-spaces, making it visible to malware. This data could be anything, including cryptographic keys, passwords, and other sensitive information, according to "The Register." Intel chronicled this vulnerability in section 2.2.1 of its revised speculative execution side-channel attacks whitepaper. You can also catch a more detailed whitepaper from the researchers themselves.
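As an added example (not from the article, Intel, or the researchers): the code pattern a bounds-check bypass store relies on, beside a hardened form that uses branchless index masking, the approach behind the Linux kernel's `array_index_nospec()`. The names `table`, `TABLE_LEN`, `store_checked_only`, `index_mask` and `store_masked` are hypothetical, and the code assumes GCC or Clang on an LP64 target.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define TABLE_LEN 16 /* constructed size for this example */

static uint8_t table[TABLE_LEN];

/* Pattern of concern: the check is architecturally correct, but if the
 * branch is mispredicted the store can execute speculatively with an
 * out-of-bounds idx before the comparison resolves. */
int store_checked_only(size_t idx, uint8_t val)
{
    if (idx < TABLE_LEN) {
        table[idx] = val;
        return 1;
    }
    return 0;
}

/* Returns all-ones when idx < size and zero otherwise, without a branch.
 * Assumes idx and size are <= LONG_MAX and that >> on a negative signed
 * long is an arithmetic shift (true for GCC and Clang). */
static unsigned long index_mask(unsigned long idx, unsigned long size)
{
    /* Empty asm hides idx from the optimizer; otherwise the compiler may
     * reuse the caller's bounds check and fold the mask to a constant. */
    __asm__ volatile("" : "+r"(idx));
    return (unsigned long)(~(long)(idx | (size - 1UL - idx))
                           >> (sizeof(long) * CHAR_BIT - 1));
}

/* Hardened form: the index used by the store depends on data (the mask),
 * not only on the predicted branch, so a mis-speculated path writes to
 * table[0] instead of an attacker-chosen out-of-bounds address. */
int store_masked(size_t idx, uint8_t val)
{
    if (idx < TABLE_LEN) {
        idx &= index_mask(idx, TABLE_LEN);
        table[idx] = val;
        return 1;
    }
    return 0;
}
```

Masking constrains where a speculative store can land; it does not stop speculation itself, which is what a serializing instruction such as `lfence` after the check would do.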
Source:
The Register
73 Comments on New "Spectre" Variant Hits Intel CPUs, Company Promises Quarterly Microcode Updates
Stating facts as I have is not ad hominem. Your behavior in this topic has been unacceptable and continues to be. Whatever you think you are accomplishing here it is not worth the effort you're putting into it.
Now with that said, please accept a cloying, sickly sweet and absolutely sincere apology for my conduct, if it means we can now proceed to discuss the actual substance of my post. In fact, as a show of goodwill, I will reproduce it here, as it is now on the previous page of the thread and I wouldn't want to inconvenience you with the extra clicks required to be able to respond to it appropriately.
That said, I'm really far more interested in discussing the actual topic, so please, I implore you, let's not get bogged down in these debates of what does and does not constitute ad hominem. I've already apologised for any offense I caused by referring to his post as a heap of bullshit - That includes any offense caused to him personally, and to any actual heaps of bullshit who don't wish to be unfairly tarred with the same brush, of course.
I really would like to just put this all behind us all as reasonable, astute individuals, and move on to discussing the points I made as rebuttals to the points Rich made.
Update btw - duo.com/labs/disclosure
This is Duo Labs' official disclosure policy.
And here's Symantec's - www.symantec.com/security-center/vulnerability-management
Note that the page links to this document: www.symantec.com/security/OIS_Guidelines for responsible disclosure.pdf
And that this document references ISO Standard ISO 29417 - which you can buy a copy of here: www.iso.org/standard/45170.html
Just in case any further proof was needed that this is industry standard and that CTS Labs' handling of the issue was entirely abnormal.
But all Intel 22nm and 14nm are all infected with security holes...
Means even second generation 14nm++ Coffeelake this fall with Z390 chipset still have the same security holes...
I myself have an 8700K on Maximus X FORMULA with Bios v1603...all software and firmware up to date. I don't notice any performance changes.
Older boards get the biggest hits.
Supposedly Intel was "working" on some new update which would fix the slowdowns from Spectre & Meltdown microcode updates, but knowing Intel's greediness I doubt it.
For almost all other workloads, users saw practically zero performance degradation. I certainly didn't see any issues on my 6700K, and it's certainly not performing at 3770K levels after patching.
There are quite a few reports about this update slowing down Intel CPUs, even a test made by some folks: beta.techcrunch.com/wp-content/uploads/2018/01/intel-meltdown-performance-chart.png?_ga=2.13967607.1982391869.1531903158-1943528229.1531903158
As I can tell, it definitely slowed down CPU in many synthetic benchmarks and even games. Nothing drastic, but still... Luckily you can disable this patch. Considering Intel's performance increase of ~5% from generation to generation at the same clocks, it's not far from the Ivy Bridge.
The hardest hit applications were "data/financial analysis" - which is to say, work that heavily relies on databases. That's the same sort of work that postgres does, which was expected to begin with.
Again, for most users there was no performance hit. It certainly wasn't enough to wipe out 5 core generations of IPC improvement. It barely knocked the coffee lake processors they tested back to Kaby-Lake IPC.
For the first set of Spectre patches, Intel confirmed ahead of time that a performance impact would be expected. For these patches there's no evidence of that yet. It's entirely possible that sure, they'll need patches, but that those patches won't cause any impact.
Even the patches that can be proven to have caused an impact already, in most cases (particularly for newer CPUs), didn't really do anything significant to performance for the majority of users - in particular, gamers and streamers shouldn't have noticed any differences.
However, that was the minor point of my post. The major point was about the seemingly constant struggle we've seen since the advent of Spectre and Meltdown originally. There have been multiple news stories posted about some new Spectre variant, and of course that whole mess with CTS Labs. It seems like new vulnerabilities are being discovered all the time, and we're met with patches that reduce performance, or worse, render systems completely unusable. Somewhat ironically, while the patches may not affect the majority of users in the way of reduced performance, the vulnerabilities being patched also don't affect the majority of users in the first place. Nobody is going to use Spectre to obtain Bob's Facebook password... unless they really hate Bob, and also have the skill to do it in the first place. No, the big target would be data centers, large corporations, that type of stuff... the same systems that the performance reducing patch is going to hurt the most.
I feel like we're in the very early stages of this. I have a lot of unanswered questions about it, questions only time can tell. The vulnerabilities we know of today, while serious, are rather difficult (but not impossible) to execute. How much worse is it going to get? How long before any script kiddie is able to easily hack Bob with minimal effort? Or will this issue eventually be totally remedied? How long is this going to be a thing for? How many iterations of hardware will we see with current vulnerabilities fixed at the hardware level, only for new ones to be found? What else could possibly carry serious vulnerabilities?
There has not been a single word uttered by Intel, Microsoft, or anyone else, about any performance impacts that future patches might cause.
The logical thing to take away from that is that clearly there is no anticipated performance impact.
The patches for these new exploits are not the same as the patches for the original exploits. There is no concrete reason why there would be any performance impact of any kind.
It was abnormal that the original patches caused a performance loss. Intel has patched vulnerabilities before without causing performance loss and will patch vulnerabilities in future without causing performance losses. Let the proof be in the pudding for this one, rather than fearmongering about performance losses that probably won't ever exist. I've seen that thread and it's a shitfest. No patch causes a drop from 178 to 100 points in a benchmark, and even if it did that would have been frontpage on every tech site for *WEEKS* afterwards. Something else is going on with that laptop and people are simply screaming at each other and blaming the patch because they want to fuel the controversy.
The benchmarks up above in this thread showed no, or very little, performance loss after the patch. Rejzor is showing a completely abnormal result, and that should be people's focus in that thread. Instead, people are just using it to bash on brands they don't like, be it Intel or AMD.
Let's also not forget that he bought a dual core AMD, non-Ryzen laptop in 2018 and claims it was "as fast as my desktop Core i7 at casual office tasks down to slower than computer I've had 2 decades ago.". That right there says to me that there's a quagmire of poorly communicated ideas and expectations under the issue. Hell, that's why I didn't comment in the thread - Because it's full of completely insane assertions that simply don't line up with reality, both from the OP and the commenters.
As for Rejzor's thread... I'm not sure what you're saying there. So he bought a Bulldozer laptop in 2018... what's wrong with that? Compared to the other choice he had at the time (Atom) it seems like a good buy... and I would fully expect a Bulldozer to perform on par with any i7 chip in general tasks, such as web surfing. It's not until you run benchmarks or launch a demanding application that the difference becomes clear, and that wasn't the use case for this laptop. It was a general purpose machine his mom could use to check her email and watch YouTube or whatever. There's no reason to think it should be inadequate just because it was Bulldozer.
Sure, you got the typical fanboy comments, as you do everywhere else on this site, and everywhere else in the world. Sports fans and car guys are the same way. We just do it with PC hardware cause we're nerds like that. Now, if you are someone who can see such a thread and refrain from posting comments like "AMD sux, lol faildozer", and bob and weave through other such comments made by other users... you'll see the thread is actually about a shitty patch that significantly crippled that machine's performance. It's not the first time such a claim has been made, either. Again, though, we are still in the early stages of this mess (or at least I think so) and hopefully you are right that new and better patches are coming that don't cripple performance, or worse, render machines unusable. There's been plenty of reports of machines being left unbootable after such updates...
I would be willing to bet that resetting the UEFI and reinstalling Windows would resolve the issue even after all patches were reapplied. I simply do not believe that ANY of the Spectre patches currently available for download actually result in a drop in performance that severe.
As for machines having boot issues, that was in JANUARY, and those patches were pulled and subsequently replaced with different ones within 10 days.
Spectre and Meltdown patches have had some issues, yes, but bringing up issues that only existed for less than 2 weeks, and that haven't been an issue for over 6 months is just adding unnecessary FUD into the entire discussion.
There's barely any binning going on with Ryzen. All chips hit OC wall. Non-X can easily OC better than an X model. Go see owners thread on OC forums...
Not even 2nd gen Ryzen clocks much better and performance goes down in many workloads (especially games) when OC'ed manually instead of using stock boost. This is fact. Tons of reviews show this. Boost will clock higher than all-core OC.
I'm not that impressed with Ryzen. Maybe value/performance wise with B350/B450 + 1600/2600. But Threadripper is much better if you really need a lot of cores, but these are not great for gaming and many "normal" workloads. Going with an AMD CPU is good for SOME workloads. Intel still delivers best performance overall.
CEMU is running terrible on my Ryzen 1700X compared to my 6700K. A lot of programs and games run much worse on an AMD CPU. Many applications are optimized for Intel or simply prefer higher clocks, better IPC on less cores and threads. 5 GHz haha, not going to happen. You'll see next year. Would be awesome tho, but forget it. We didn't go from 3.9-4.1 to 4.2-4.4. Some 1st gen did 4.2 and almost NO 2nd gen does 4.4 when we're talking 100% stable, and not just bench stable.
It's more like 200 MHz on average, from 1st to 2nd gen. Yeah. Ring bus is superior for gaming. I'll probably just crap one of Intel's new octa cores with solder and be fine for the next few years or at least till next console gen hits in 2021ish. My Ryzen 1700X is much worse for high fps gaming than my i7-6700K. 60 fps/Hz gamers will be fine with Ryzen tho.