CacheOut is the Latest Speculative Execution Attack for Intel Processors

[moproblems99]

If I had to guess at the possibility of Intel knowing these exploits existed and they made the conscious decision to ignore the risk for some performance.... 99% sure they knew and just didn't and don't care.

Honestly, I don't suspect they did. In having been employed in both sectors (development and security), engineers don't always have the thought process of the 'other side'. Additionally, these were largely a new class of vulnerabilities that might not have even been conceptualized when Intel was creating the initial architecture. I surmise, that initial architecture has not changed much over the last two decades considering how far back some of these exploits work. Also, considering that some of them work on AMD as well, it seems to be an inherent risk in specific algorithms or components (ie: speculative execution) to some extent.

 

[lexluthermiester]

99% sure they knew and just didn't and don't care.

I'm not buying that. Such would mean that every maker of IC's that has ever had a vulnerability had a high probability of knowing of such and just not caring. Not only would that be extremely irresponsible, but it would also be highly libelous. No legal team is going to let such fly.

None of these vulnerabilities are intentional. Hackers are hackers and they will always find new ways to do weird things with technology that the makers never intended or even dreamed of.

In general, sitting in front of the box or SSH is no different.

It is on a Kernel level.

 

[moproblems99]

Such would mean that every maker of IC's that has ever had a vulnerability had a high probability of knowing of such and just not caring.

A little overzealous but, essentially, yeah. Most vulnerabilities are vulnerabilities because the repercussions were not known in advance. Most companies don't like repercussions.

None of these vulnerabilities are intentional. Hackers are hackers and they will always find new ways to do weird things with technology that the makers never intended or even dreamed of

Which to me is the beauty of it.

 

[R-T-B]

Still reading the paper but:
- They do seem to mount an attack from unprivileged users.
- HT helps the attack but it works without HT as well.
- They recommend turning off TSX as that is effective against CacheOut.

Edit:
OK, it seems that TAA is an integral step in CacheOut, so they are attacking a different target but still using TAA to get the data out. Makes sense that disabling TSX would work against this.

Spot on what I am getting out of this as well. Good summary.

So even on Linux, you have to be at the system in question.

or have a simple ssh login, which is common as hell in linux land. Windows users wouldn't care much though. And you can mitigate this by just turning off tsx, which most security minded folks and nearly all windows installs have already done.

It is on a Kernel level.

What? No, they are both just terminal shells. The kernel doesn't know or care that's just a userland process. I mean yeah, the kernel can shut down the network to mitigate this, I guess, but that's about all the kernel has to do with this...

Mind you, same end result. This isn't much a big deal. Nothing really uses TSX anymore anyways... Meaning the performance impact will be like, nothing.

 

[KarymidoN]

Also, just in case you forgot about this
Intel is patching its Zombieload CPU security flaw for the third time

you know the saying right? "Third time is the charm"

 

[EarthDog]

you know the saying right? "Third time is the charm"

you know the saying right? "haters gonna hate"

 

[Sashleycat]

I'm not sure if anyone has mentioned this already, but a fairly good portion of the reason why intel's architecture appears to be 'full of holes' is because exploiters/researchers are:

A) Targeting Intel: Whilst Zen is a fantastic arch, and will be more popular going forward, Intel's marketshare is significantly larger. It makes more sense because more machine are affected so the fix is arguably more important to prioritise Intel.

B) Intel has an active 'bug bounty' program that rewards researchers with cash (afaik) if they find flaws in Intel's silicon.

I'm not huge Intel fan, but the way I see it is; a CPU architecture is a hugely complex piece of micro-scale engineering, nothing created by human beings can ever be perfect, but we can come close.

It is highly likely there are flaws in Zen1/+ and maybe Zen2, they just have yet to be found (if they ever will - who knows). Until AMD has 50%+ marketshare and everyone starts trying to break open Zen, we don't really know if this is just a huge engineering fail from Intel. IMHO, I think Intel might have sacrificed security in some areas for performance, looking at some of the vulnerabilities, it seems so.

Going forward, they should use this to make their future architecture more secure.

It's not quite fair to say "Well, AMD isn't affected by these issues, so their arch is better", While there is some truth to this in the current vulnerabilities, it would be prudent to understand that researchers are most likely actively trying to break Skylake: it's been on the market for ages (lol) and is a well known, established design. In 5 years when Zen (hopefully) establishes itself in the same way, I guess we will see if AMD made better choices.

 

[moproblems99]

It is on a Kernel level.

And do tell what that has to do with anything?

or have a simple ssh login

Which means it could be done remotely, even though it would likely be more complicated than, say, social engineering. So saying it can't be done remotely is simply not true. Likeliness not withstanding.

 

[$ReaPeR$]

Cant say I'm a fanboy but owning an Intel ID(ont)GAF.

The overwhelming majority of these dont really affect most home users in the first place (and then most are elevated access, no?). I guess some would call it perspective...

Nice crack at flamebait, though...

so.. he was "flamebaiting" here..

you know the saying right? "haters gonna hate"

but you are being the king of objectivity here.. seems legit, in some universe..

as for intel and the way they do business, anyone can read their history, its online after all. companies exist to make money, nothing more nothing less, and they will use literally anything and anyone in order to reach that green goal. so, either intel engineers are morons, extremely unlikely, or they knew the problems of their arch from the beginning but they calculated the risks and benefits and went with the vulnerabilities because it gave them an advantage. after all, all the vulnerabilities that have been discovered affect the vast majority of users very little, just like using 4 cores for almost a decade affected the vast majority of users very little. oh, and btw, amd would do the same thing if they were in intels position. human "nature" is the problem, not the name of the company.

 

[HTC]

Dunno if it was mentioned but there was another flaw discovered shortly before this one: This one affected Intel's iGPU and it's performance impact is quite severe, though it's directed @ the GPU portion of the CPU, so those laptops that don't have a discreet GPU ... those are gonna be hit HARD ...

The good news is that this doesn't affect newer CPUs as hard as older ones. so there's that ...

Intel's Mitigation For CVE-2019-14615 Graphics Vulnerability Obliterates Gen7 iGPU Performance - Phoronix

www.phoronix.com

 

[R-T-B]

I'm not sure if anyone has mentioned this already, but a fairly good portion of the reason why intel's architecture appears to be 'full of holes' is because exploiters/researchers are:

A) Targeting Intel: Whilst Zen is a fantastic arch, and will be more popular going forward, Intel's marketshare is significantly larger. It makes more sense because more machine are affected so the fix is arguably more important to prioritise Intel.

B) Intel has an active 'bug bounty' program that rewards researchers with cash (afaik) if they find flaws in Intel's silicon.

I'm not huge Intel fan, but the way I see it is; a CPU architecture is a hugely complex piece of micro-scale engineering, nothing created by human beings can ever be perfect, but we can come close.

It is highly likely there are flaws in Zen1/+ and maybe Zen2, they just have yet to be found (if they ever will - who knows). Until AMD has 50%+ marketshare and everyone starts trying to break open Zen, we don't really know if this is just a huge engineering fail from Intel. IMHO, I think Intel might have sacrificed security in some areas for performance, looking at some of the vulnerabilities, it seems so.

Going forward, they should use this to make their future architecture more secure.

It's not quite fair to say "Well, AMD isn't affected by these issues, so their arch is better", While there is some truth to this in the current vulnerabilities, it would be prudent to understand that researchers are most likely actively trying to break Skylake: it's been on the market for ages (lol) and is a well known, established design. In 5 years when Zen (hopefully) establishes itself in the same way, I guess we will see if AMD made better choices.

I've said it before but no one seems to care. If somone is going to make a fanboyish claim facts aren't going to stop them anyways, so I stopped trying.

Dunno if it was mentioned but there was another flaw discovered shortly before this one: This one affected Intel's iGPU and it's performance impact is quite severe, though it's directed @ the GPU portion of the CPU, so those laptops that don't have a discreet GPU ... those are gonna be hit HARD ...

The good news is that this doesn't affect newer CPUs as hard as older ones. so there's that ...

Intel's Mitigation For CVE-2019-14615 Graphics Vulnerability Obliterates Gen7 iGPU Performance - Phoronix

www.phoronix.com

50% performance hit to the IGPU in linux... noice!

Which means it could be done remotely, even though it would likely be more complicated than, say, social engineering. So saying it can't be done remotely is simply not true. Likeliness not withstanding.

I've been over that with him before. He seems to consider anything that isn't able to worm it's way in automagically ala that old SMB stack exploit "not remotely."

It's an interesting take on the terms, but I don't argue them anymore.

 

[moproblems99]

Dunno if it was mentioned but there was another flaw discovered shortly before this one: This one affected Intel's iGPU and it's performance impact is quite severe, though it's directed @ the GPU portion of the CPU, so those laptops that don't have a discreet GPU ... those are gonna be hit HARD ...

The good news is that this doesn't affect newer CPUs as hard as older ones. so there's that ...

Intel's Mitigation For CVE-2019-14615 Graphics Vulnerability Obliterates Gen7 iGPU Performance - Phoronix

www.phoronix.com

Ouch.

That said, I won't be applying any of the patches to my laptop. I'm boring.

I've been over that with him before. He seems to consider anything that isn't able to worm it's way in automagically ala that old SMB stack exploit "not remotely."

I mean, it really can be pretty automagic. Even through the browser, if it happens to be the delivery method for the shell script that phones home the activation via dns.

It's an interesting take on the terms, but I don't argue them anymore.

Come now. It is good mental exercise.

 

[trparky]

Dunno if it was mentioned but there was another flaw discovered shortly before this one: This one affected Intel's iGPU and it's performance impact is quite severe, though it's directed @ the GPU portion of the CPU, so those laptops that don't have a discreet GPU ... those are gonna be hit HARD ...

The good news is that this doesn't affect newer CPUs as hard as older ones. so there's that ...

Intel's Mitigation For CVE-2019-14615 Graphics Vulnerability Obliterates Gen7 iGPU Performance - Phoronix

www.phoronix.com

Damn!

 

[R-T-B]

Come now. It is good mental exercise.

Not when it's just "my definition is my definition." It gets stupid to argue points like that.

 

[moproblems99]

I mean hey, we are watching our tax dollars at work arguing about "my definition is my definition" lol Think of it as job training.

I mean, really, just like all the other exploits only matter if: you are extremely interesting, a government, a defense contractor, data center, or iaas company. So the fact this sparks such a debate is kinda funny.

 

[EarthDog]

you are being the king of objectivity here.. seems legit, in some universe..

Touche.

A dog always runs to the end of his leash.

 

[Jism]

Any CPU vendor designs a big portion of the CPU using automated resources, and a part of it is done manually. I think intel relied too much on the automated part, now that left and right exploits and all that coming around. There's no recall being done because that would be very bad PR, instead it's choosing to fix it using a microcode update thats inserted upon every (re)boot of the system, and a sideeffect is the performance being hurt.

For a consumer; these exploits dont mean alot. I mean you could still happy game on and nothing really would happen. But for enterprise markets, i.e hiring out VPS servers or cloud sollutions, this is where it could get dangerous, as i could rent / hire a part of a server, and start nuking it apart with exploits all over the place, able to obtain data that normally would be secured in the first place.

there's sollution to turn off HT, there's microcode updates and all that, but if you have a huge farm of intel based CPU's, your not going to see 1 to 5% performance decrease, but more like in 20 up to 40% of your capable compute power. Even I/O is being affected by this stuff. I really hope AMD does'nt contain so many exploits and their security thing inside the CPU is really solid as it looks by now.

 

[R-T-B]

I mean, really, just like all the other exploits only matter if: you are extremely interesting, a government, a defense contractor, data center, or iaas company. So the fact this sparks such a debate is kinda funny.

That increases your value as a target sure. However, this is the information age man... everyone is worth something. The threshholds are all over the place and it really isn't that simple.

 

[lexluthermiester]

What? No, they are both just terminal shells. The kernel doesn't know or care that's just a userland process.

Was referring to the code level, but I digress.

 

[londiste]

99% sure they knew and just didn't and don't care.

Extremely unlikely. Most of these recent vulnerabilities are not difficult to fix. It takes a long time due to both testing/validation and production cycles but the fix itself is not difficult (by logic design standards, at least). If they knew about the vulnerabilities fixes would have been added in the next generation of CPUs.

Companies tend to really not like liabilities.

 

[InVasMani]

WTF Intel...

 

[lexluthermiester]

Extremely unlikely. Most of these recent vulnerabilities are not difficult to fix. It takes a long time due to both testing/validation and production cycles but the fix itself is not difficult (by logic design standards, at least). If they knew about the vulnerabilities fixes would have been added in the next generation of CPUs.

Companies tend to really not like liabilities.

This is exactly correct. No company wants to be liable for damages, not to mention the damage it does to their reputation. These kinds of vulnerabilities are just that, vulnerabilities. They are not mistakes, they are accidental nothing more.

 

[Steevo]

I'm not buying that. Such would mean that every maker of IC's that has ever had a vulnerability had a high probability of knowing of such and just not caring. Not only would that be extremely irresponsible, but it would also be highly libelous. No legal team is going to let such fly.

None of these vulnerabilities are intentional. Hackers are hackers and they will always find new ways to do weird things with technology that the makers never intended or even dreamed of.


It is on a Kernel level.

How much does Intel spend on R&D again compared to secure AMD products that now match and exceed their performance?

So if AMD can do it with a tenth the budget does that make them awesome or Intel that shitty?

 

[R0H1T]

Companies tend to really not like liabilities.

Well they get away with it, the vast majority of the times so I would say no ~ they do so (shady stuff) constantly especially considering the risk vs reward.
Heck Intel's done that more than once, so has Nvidia!

 

[R-T-B]

So if AMD can do it with a tenth the budget does that make them awesome or Intel that shitty?

It makes them the little elephant in the security scene.