Wednesday, March 11th 2020
Intel Processors Hit with LVI Security Vulnerabilities, Mitigation Hits Performance Hard
A new class of security vulnerabilities affect Intel processors, which can cause them to leak out sensitive information if probed in a certain way, but that's not the worst news for Intel and its users. The software- or firmware-level mitigation for this vulnerability can inflict performance reductions "ranging from 2x to 19x," according to a report by The Register. A full mitigation for the new Load Value Injection (LVI) class of vulnerabilities requires Intel to redesign software compilers. The vulnerability is chronicled under CVE-2020-0551 and Intel-SA-00334. It is not a remote code execution threat, however, it puts multi-tenant machines, such as physical servers handling multiple tenants via virtual servers.
"LVI turns previous data extraction attacks around, like Meltdown, Foreshadow, ZombieLoad, RIDL and Fallout, and defeats all existing mitigations. Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle — "inject" — the attacker's data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim's fingerprints or passwords," the reasearchers write in the abstract of their paper describing the vulnerability. Anti-virus manufacturer BitDefender independently discovered LVI and shared its study with Intel. The company could publish its findings in February. Additional technical details are found in the group's website here.Many Thanks to biffzinker for the tip.
Source:
The Register
"LVI turns previous data extraction attacks around, like Meltdown, Foreshadow, ZombieLoad, RIDL and Fallout, and defeats all existing mitigations. Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle — "inject" — the attacker's data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim's fingerprints or passwords," the reasearchers write in the abstract of their paper describing the vulnerability. Anti-virus manufacturer BitDefender independently discovered LVI and shared its study with Intel. The company could publish its findings in February. Additional technical details are found in the group's website here.Many Thanks to biffzinker for the tip.
92 Comments on Intel Processors Hit with LVI Security Vulnerabilities, Mitigation Hits Performance Hard
The hell is this supposed to be ? No, AMD is safer, that's the end of it.
Whats your opinion on the fact that Meltdown doesn't work on AMD CPUs because the AMD µarch does not (and apparently never did) allow speculative execution across privilege domains (Userspace - Kernelspace). This doesn't sound to me as a question of market share. If AMD was at 80% marketshare, they would still not allow speculative execution across privilege domains while Intels µarch does.
AMD is safe because 'meltdown' does not work on the AMD platform. This is not a personal opinion. It just doesn't. I encourage you to find this observation and report as necessary.
Don't skew the argument.
If you read the impact of this, they say somewhere Intel will have to serialize accesses to its ports, effectively turning off speculative execution in some cases.
I cannot even believe this was posted a moment back:
The reality is that a lot of these exploits (not all of them,) are so hard to use that their usefulness is almost non-existent. Spectre is a great example of a vulnerability that is susceptible to academic papers, but not real users. Making a PoC that can sometimes leak tiny amounts of data under the right conditions doesn't amount to a usable vector for attack, particularly if how you exploit it requires you to give away that you're trying to break the system (like putting it under full load.)
My 4770K... i mean Pentium 3 by now is ready!
www.techpowerup.com/forums/threads/share-your-cpuz-benchmarks.216765/post-3470714
Think of it this way: Which would you rather have? A world where facebook gets hacked, they say it was an "unexpected and little known vulnerability" and everyone believes them because only Project 0 and Krebsonsecurity ever posted about it?
Or a world where facebook gets hacked, everyone knows the name of the exploit and facebook has to cough up a good reason they weren't secured against it from the day the vulnerability was made public because it was on Techradar, Gizmodo and TPU?
also - Presumably you accidentally missed out the words "at risk" ?
Dude, how many times you going to stick your tongue on the stove before you figure out the stove is hot? Quit with these side arguments that security through obscurity is a good thing. Windows exploits are constantly made public knowledge, and as a result is harder to get into then the likes of MacOs that hid their exploits for years and as a result are leakier then a rusty sieve.
Despite all those patches "costing" performance, intel is still on top for gaming performance, and AMD already humiliated them in everything else. Your average end user doesnt notice significant differences from these patches. You cant, because they were patched by intel thanks to their bounty program making them aware of issues.
just one swing and a miss after another today eh?
A PC is a tool ... a tool can only be judged at how well it does it's job, so let's define it's job.
a) Did you build a PC to run benchmarks and get your name on leader boards ?
b) Did you build a PC based upon performance in things that you might do one o do few times a year ?
c) Did you build a PC to play games and run applications on a frequent bias.
d) Did you build your PC to run apps you will never use
Practical people build the boxes based upon c) and c) only ... fanbois squawk about a) and b). Let's look aty TPUs test results. Three is no "Best CPU" .. only the best CPU for a specific set of applications. Looking at 3900X vs 9900KF
1. Cinebench - a) category ... we have yet to be asked to do a build which maximizes Cinebench performance or had a client who uses it to make a living, it's the medical equivalent of a scalpel in a Chiropractice office. We do have lots of folks who use CAD, adding all the PCs in all the offices we've been in, there's prhaps 1 rendering box for every 200 CAD boxes and AutoCAD at $5,000 per seat ($2,00 per year) is not exactly on a any significant % of PCs.
Gotta give an easy win to AMD here, but a 0.50 on market significance.
2. Game / Software Development - d) category ... again an easy win here for AMD; Again, not a lot of market significance, as above, teeny user base.
3. Web Related - c) Category ... performance is split between red and green camps but with differences of /10th of a second, who cares ? Uses can not react quick enough to take advantage of it.
4. Machine Learning \/ Physics / Brain Simulation - d) category. The size of the market here is completely insignificant, and if the % of users here who run this stuff ia mor than 0.2% Id be shocked... Another win for AMD, but not one that will matter to 99+% of the forum audience.
5. Office Suites - Finally a category c) item ... stuff most folks will use frequently enough to matter in a CPU choice. We get a 4% win for Intel in Word, a 1% win for Intel in Powerpoint and a 1% win for AMD in Excel ... the win goes to Intel but the margin is so small as to render in insignificant as "user lag" will make it unnoticable.
6, Image and Video Editing - Another category c) items and here finally one that matters. A 10% advantage to Intel here in Image Editing and a 4.5% advantage in Video Editing. While not a bit thing market share wise, it's over 100 times more significant tham machine learning, brain simulation, software development, etc. 1st significant win for either side here. Google OCR is in the test and it's significant one ... we might use it 3-4 times a year so we use Adobe OCR to do thatas do most of our clients.
7. Virtualization - As we're speaking to desktops not Server functions I'd skip this. Suffice to say Intel gets the win on VM Ware ... AMD gets significant wins in MySQL and jav ... a Bog reason to go AMD ,..if you use them. No relevance if you don't.
8, File Compression / Encryption - A category b) items for most. less and less as time goes by. Big Win for AMD on the compression / Bit win for Intel on encryption ... Who cares ? Not many
9, Media and Sound recording - Would be at thing for youtubers, musicans and similar sorts and similar sorts, AMD dominates the media / Intel dominates the sound... if those are your thang, pay attention ...if not like most, ignore.
10. No one argues the gaming so not worth mentioning.
In short, there is no best CPU... there's only best for you do on your PC. If office suites, gaming, Adobe products or AutoCAD are your thing, Intel is the onbviois choice. If doing brain simulation, encoding, rendering, virtualization is your thing, AMD is the obvious choice.... just look at what YOU do and decide accordingly. As to the invulberabilitoes... call me when ya ready to publish "Patient O's" story. As of yet , I have not seen any instance of theese invulnerabilities being exploited. Until that happens, I'm not paying attention.
well, can also take it like that, if the CPU was faster with all the vulnerabilities ..: "Intel did take shortcuts in their design to make their CPU faster"
was it on purpose or not ... was it truly vulnerabilities they had no clue about it until some "bug-hunter" found them?
alright, alright, i know AMD has vulnerabilities too (well what... 2? oh ... ) but i think even with mitigations, their performance will keep close to their actual level without them (if they need one ofc)
Mitigations are software workarounds to hardware problem and this makes them really hard on performance. If you look at the performance of Intel's newer revisions of CPUs with issues fixed, the vulnerabilities (at least the known vectors) cannot be exploited any more, software mitigations are not applied and the performance is the same as before.
Edit:
OK, performance is not quite the same as before because Spectre did make some software changes necessary. However, this 3-4% performance hit (based on Phoronix' testing) is universal across all CPUs. They are not. Intel will deploy mitigations for SGX but consider risk of exploiting the vulnerability in other places small enough to not apply general mitigation. There will be some coordination with OS development to minimize the possibility of OS-level gadgets this type of attack could use. Researchers did seem to agree this was reasonable.
Take your intel love affair down a few notches. AMD chose to be safe. Intel choice IPC at all costs. Or they're completely incompetent, it's your pick.