• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

"Downfall" Intel CPU Vulnerability Can Impact Performance By 50%

Joined
Jun 29, 2018
Messages
544 (0.23/day)
Lets hope you can disable the mitigations under Windows.
Microsoft's documentation for client Windows version is not good. It lists 2 recent AMD vulnerabilities and registry keys to enable mitigations for them, but no statement whether the mitigation is enabled by default. The Microsoft CVE page for Inception suggests that some mitigations are enabled by default and you can enable more for "intra-process disclosure vectors". This would mirror what Linux has implemented with default "light" mode and heavier modes for when you have untrusted users or VMs.

The registry keys are, as far as I understand, also mutually exclusive since they toggle different bits in the FeatureSettingsOverride value.
Their PowerShell module doesn't support AMD vulnerabilities either.

I hope that I'm interpreting this wrong, otherwise it's quite disappointing.
 
Joined
Jul 5, 2013
Messages
28,318 (6.75/day)
Antivirus has anti-exploit protection
Sadly, not against things like this. For things like this, you can't just fix the software running on the target machine, you must also fix the way the software interacts with that machine. Antivirus suites can't do that.

But they can't turn off something already active - that defeats the purpose of the mitigations because then a virus can just turn them off, too.
Then there is this.

However, I would like to remind everyone that this problem is NOT, repeat NOT something the general public needs to worry about. This exploit REQUIRES admin authorities. If you already have admin authorities, you don't need the exploit because you already have complete direct access to the system in question.

So let's have done with the bickering & arguing, eh?
 
Joined
Nov 26, 2021
Messages
1,705 (1.51/day)
Location
Mississauga, Canada
Processor Ryzen 7 5700X
Motherboard ASUS TUF Gaming X570-PRO (WiFi 6)
Cooling Noctua NH-C14S (two fans)
Memory 2x16GB DDR4 3200
Video Card(s) Reference Vega 64
Storage Intel 665p 1TB, WD Black SN850X 2TB, Crucial MX300 1TB SATA, Samsung 830 256 GB SATA
Display(s) Nixeus NX-EDG27, and Samsung S23A700
Case Fractal Design R5
Power Supply Seasonic PRIME TITANIUM 850W
Mouse Logitech
VR HMD Oculus Rift
Software Windows 11 Pro, and Ubuntu 20.04
Microsoft's documentation for client Windows version is not good. It lists 2 recent AMD vulnerabilities and registry keys to enable mitigations for them, but no statement whether the mitigation is enabled by default. The Microsoft CVE page for Inception suggests that some mitigations are enabled by default and you can enable more for "intra-process disclosure vectors". This would mirror what Linux has implemented with default "light" mode and heavier modes for when you have untrusted users or VMs.

The registry keys are, as far as I understand, also mutually exclusive since they toggle different bits in the FeatureSettingsOverride value.
Their PowerShell module doesn't support AMD vulnerabilities either.

I hope that I'm interpreting this wrong, otherwise it's quite disappointing.
One of the pages you linked says

To enable the mitigation for CVE-2023-20569 on AMD processors:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 67108928 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

These seem to be two different registry keys.
 
Joined
Aug 20, 2007
Messages
21,560 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 5800X Optane 800GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
Ryzen also being hit up to 50% performance loss in some workflow with Inception mitigations. This is a catastrophe.
That isn't really what the benches say, I don't think, but I could have missed a point or two. I'll go reread the phoronix coverage now.
 
Joined
Feb 1, 2019
Messages
3,669 (1.70/day)
Location
UK, Midlands
System Name Main PC
Processor 13700k
Motherboard Asrock Z690 Steel Legend D4 - Bios 13.02
Cooling Noctua NH-D15S
Memory 32 Gig 3200CL14
Video Card(s) 4080 RTX SUPER FE 16G
Storage 1TB 980 PRO, 2TB SN850X, 2TB DC P4600, 1TB 860 EVO, 2x 3TB WD Red, 2x 4TB WD Red
Display(s) LG 27GL850
Case Fractal Define R4
Audio Device(s) Soundblaster AE-9
Power Supply Antec HCG 750 Gold
Software Windows 10 21H2 LTSC
What I do know is when I tested AMD branch confusion mitigation enabled, it was like wow.

Things that were taking a fraction of a second suddenly took over a second, I soon turned it off again. :)

What I have assumed with the registry value is as you pick a higher value it also enables any mitigations for lower values as well, however I havent verified that, it could be using an addition system, where would add the values together if you want to enable multiple mitigations.
 
Joined
Jul 5, 2013
Messages
28,318 (6.75/day)
That isn't really what the benches say, I don't think, but I could have missed a point or two. I'll go reread the phoronix coverage now.
It's a good read, but doesn't tell the whole story. The performance hit is only present in certain situations and then it's not as bad as 50%. Like all the other exploits of this type, it's very situational.
 
Joined
Jun 29, 2018
Messages
544 (0.23/day)
One of the pages you linked says

These seem to be two different registry keys.

I meant the registry keys for Phantom Speculation also known as Branch Type Confusion (CVE-2022-23825) and Inception (CVE-2023-20569):

CVE-2022-23825:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 16777280 /f
CVE-2023-20569:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 67108928 /f

Both are modifying the same value and both change different bits:
Code:
CVE-2022-23825: 0000001000000000000000001000000
CVE-2023-20569: 0000100000000000000000001000000

I am wondering if enabling both mitigations at the same time requires setting the value to 83886144 instead. The documentation isn't clear about this.
 
Joined
Aug 20, 2007
Messages
21,560 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 5800X Optane 800GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
Seems to be a thing with both companies.

The only place I saw close to a 50% drop on amd was running mariadb with both firmware and kernelside mitigations, other dbs were fine ironically.

I don't think its as big a deal as affecting AVX workloads but admitedly its worse than I expected.
 
Joined
Jun 10, 2014
Messages
2,996 (0.78/day)
Processor AMD Ryzen 9 5900X ||| Intel Core i7-3930K
Motherboard ASUS ProArt B550-CREATOR ||| Asus P9X79 WS
Cooling Noctua NH-U14S ||| Be Quiet Pure Rock
Memory Crucial 2 x 16 GB 3200 MHz ||| Corsair 8 x 8 GB 1333 MHz
Video Card(s) MSI GTX 1060 3GB ||| MSI GTX 680 4GB
Storage Samsung 970 PRO 512 GB + 1 TB ||| Intel 545s 512 GB + 256 GB
Display(s) Asus ROG Swift PG278QR 27" ||| Eizo EV2416W 24"
Case Fractal Design Define 7 XL x 2
Audio Device(s) Cambridge Audio DacMagic Plus
Power Supply Seasonic Focus PX-850 x 2
Mouse Razer Abyssus
Keyboard CM Storm QuickFire XT
Software Ubuntu
Planned obsolescence at its finest ladies and gentlemen
Don't we all wonder that from time to time?
But then I realize that intentionally sabotaging your own product would only drive your customer to the competition.
(And don't many enterprise customers usually switch out hardware regularily anyways? Like when the warranty is expired?)

However, there are things both could do to decrease the vulnerability of their CPUs to errors like these. Rather than sharing structures dynamically in SMT, they could define a static split, i.e. 1/2 of each structure for a thread.
I've argued for years that we should drop SMT outright. It made a lot of sense back when CPUs had few cores and a lot more pipeline stalls than today. But as the CPUs have become more advanced, the real-world benefits has shrunk, while the complexity to implement it has risen immensely. At this point the engineering effort and transistor budget cost of SMT could probably have been better spent on something else to increase IPC instead. Hopefully the rumors of dropping SMT in Arrow Lake is true.

Antivirus has anti-exploit protection
That's not how antivirus works, that's just marketing nonsense.
 
Joined
Oct 27, 2009
Messages
1,195 (0.22/day)
Location
Republic of Texas
System Name [H]arbringer
Processor 4x 61XX ES @3.5Ghz (48cores)
Motherboard SM GL
Cooling 3x xspc rx360, rx240, 4x DT G34 snipers, D5 pump.
Memory 16x gskill DDR3 1600 cas6 2gb
Video Card(s) blah bigadv folder no gfx needed
Storage 32GB Sammy SSD
Display(s) headless
Case Xigmatek Elysium (whats left of it)
Audio Device(s) yawn
Power Supply Antec 1200w HCP
Software Ubuntu 10.10
Benchmark Scores http://valid.canardpc.com/show_oc.php?id=1780855 http://www.hwbot.org/submission/2158678 http://ww
Seems to be a thing with both companies.

It is not the default settings and its on 1 database. the other databases are ~13% hit.
Under most workloads there is sub 1% hit, some 5-15% not the sensational 54% wccftech is publishing and everyone is chatterboxing.
As MariaDB was such a huge outlier, I expect there to be an update in the future that will lessen the impact.
https://www.phoronix.com/review/amd-inception-benchmarks/4 see for yourself.
1692224300537.png


Intel appears to have published a GCC patch to lessen the AVX impact... but disabling the avx path for gather...?
I guess the performance impact decreased it to the point that the non-avx code path was faster? idk.

@rtb how are you reading that?
 
Last edited:
Joined
Jun 18, 2019
Messages
130 (0.06/day)
Don't we all wonder that from time to time?
But then I realize that intentionally sabotaging your own product would only drive your customer to the competition.
(And don't many enterprise customers usually switch out hardware regularily anyways? Like when the warranty is expired?)


I've argued for years that we should drop SMT outright. It made a lot of sense back when CPUs had few cores and a lot more pipeline stalls than today. But as the CPUs have become more advanced, the real-world benefits has shrunk, while the complexity to implement it has risen immensely. At this point the engineering effort and transistor budget cost of SMT could probably have been better spent on something else to increase IPC instead. Hopefully the rumors of dropping SMT in Arrow Lake is true.


That's not how antivirus works, that's just marketing nonsense.
I want evidence for anti exploit protection being just "marketing nonsense"
 
Joined
Jul 5, 2013
Messages
28,318 (6.75/day)
I want evidence for anti exploit protection being just "marketing nonsense"
How about that fact that it's near impossible to pull off? Just throwing it out there. If you has read up on the technical details, you would already had your answer. The "theory" @efikkan and others have offered might seem a bit "out there", however given market conditions and the fact that microsoft KNOWS that systems made in the late 2000's and early 2010's can STILL run Windows well, there is merit to the suggestions made.

I happen to think that there is some merit to the idea that companies, like microsoft, know they're in trouble and want to find a way to force people to upgrade. Finding vulnerabilities like this is one of them. Limiting what hardware Windows can run on while killing off existing fully functional OSes is another. It's a multi-pronged approach, which is almost painfully obvious. Should be, and technically is, illegal.
 
Joined
Jun 10, 2014
Messages
2,996 (0.78/day)
Processor AMD Ryzen 9 5900X ||| Intel Core i7-3930K
Motherboard ASUS ProArt B550-CREATOR ||| Asus P9X79 WS
Cooling Noctua NH-U14S ||| Be Quiet Pure Rock
Memory Crucial 2 x 16 GB 3200 MHz ||| Corsair 8 x 8 GB 1333 MHz
Video Card(s) MSI GTX 1060 3GB ||| MSI GTX 680 4GB
Storage Samsung 970 PRO 512 GB + 1 TB ||| Intel 545s 512 GB + 256 GB
Display(s) Asus ROG Swift PG278QR 27" ||| Eizo EV2416W 24"
Case Fractal Design Define 7 XL x 2
Audio Device(s) Cambridge Audio DacMagic Plus
Power Supply Seasonic Focus PX-850 x 2
Mouse Razer Abyssus
Keyboard CM Storm QuickFire XT
Software Ubuntu
I want evidence for anti exploit protection being just "marketing nonsense"
Antivirus works by identifying malware using known signatures. Viruses works by exploiting an underlying vulnerability, until this is fixed there is a potential to create an endless stream of new viruses, which is why every such occurrence is a game of whack-a-mole until the vulnerability is eventually fixed or mitigated in some way. Antivirus can't fix a vulnerability in another piece of software or hardware, nor can it analyze "intent" of unknown software.

The "theory" @efikkan and others have offered might seem a bit "out there"…
Excuse me, which "theory" did I offer? Did you misread me perhaps?
 
Joined
Jun 20, 2005
Messages
80 (0.01/day)
Location
Leeds, UK
System Name My PC
Processor 6700K @ 4.5GHz
Motherboard GigaByte GA-Z170XP-SLI
Cooling Pure Rock 2 + 4 Fans
Memory 2 x 16GB Corsair 3200MHz DDR4
Video Card(s) MSI RX 6900 XT Gaming X Trio
Storage PNY CS3030 NVMe 1TB, MX500 2TB x 2, 3TB WD Blue
Display(s) 27" curved 165Hz VA 1080p (Gigabyte)
Case Corsair 200R
Audio Device(s) Creative X4, AVR + Monitor Audio MASS 5.1
Power Supply Corsair RM750
Mouse Deathadder 2
Keyboard Xtrfy K4
Software W10 Pro
Benchmark Scores 14k1 (ish) Timespy (20k2 gfx 5k2 cpu)
I'm still "rocking" a 6700K, using InSpectre to turn off what I can. They need to be in my house! If the spooks want my Steam library I'm damn sure they can get it whatever, however the local sink estate chavs prolly want my monitor or mouse/kb.
 
Joined
Apr 12, 2013
Messages
7,564 (1.77/day)
nor can it analyze "intent" of unknown software.
They can, sort of, by running it in a sandbox but not every "malware" can be identified that way & there's quite a few which can detect if they're being run in a sandbox.
 
Joined
Jun 18, 2019
Messages
130 (0.06/day)
Antivirus works by identifying malware using known signatures. Viruses works by exploiting an underlying vulnerability, until this is fixed there is a potential to create an endless stream of new viruses, which is why every such occurrence is a game of whack-a-mole until the vulnerability is eventually fixed or mitigated in some way. Antivirus can't fix a vulnerability in another piece of software or hardware, nor can it analyze "intent" of unknown software.


Excuse me, which "theory" did I offer? Did you misread me perhaps?
Incorrect. Antivirus also have heuristics that can detect malware without being in signatures. Anti-Exploit also works the same way. Please stop spreading misinformation.
 
Joined
Jun 10, 2014
Messages
2,996 (0.78/day)
Processor AMD Ryzen 9 5900X ||| Intel Core i7-3930K
Motherboard ASUS ProArt B550-CREATOR ||| Asus P9X79 WS
Cooling Noctua NH-U14S ||| Be Quiet Pure Rock
Memory Crucial 2 x 16 GB 3200 MHz ||| Corsair 8 x 8 GB 1333 MHz
Video Card(s) MSI GTX 1060 3GB ||| MSI GTX 680 4GB
Storage Samsung 970 PRO 512 GB + 1 TB ||| Intel 545s 512 GB + 256 GB
Display(s) Asus ROG Swift PG278QR 27" ||| Eizo EV2416W 24"
Case Fractal Design Define 7 XL x 2
Audio Device(s) Cambridge Audio DacMagic Plus
Power Supply Seasonic Focus PX-850 x 2
Mouse Razer Abyssus
Keyboard CM Storm QuickFire XT
Software Ubuntu
They can, sort of, by running it in a sandbox but not every "malware" can be identified that way & there's quite a few which can detect if they're being run in a sandbox.
Things like trying to figure out if an executable tries to access a restricted file can be done in a virtual environment, for sure. But most CPU vulnerabilities like Downfall, Meltdown, Spectre and many others require precise conditions to trigger undefined behavior of the CPUs, which is something that you can't emulate this way. Like, for instance, Spectre requires nanosecond timing, and many exploits there needs to retry code thousands if not millions of times to succeed in triggering an erroneous CPU state and extract a few bytes of data. Some bugs, like race conditions, might not happen on all hardware under all conditions, or be affected by clock speed, etc.

Incorrect. Antivirus also have heuristics that can detect malware without being in signatures. Anti-Exploit also works the same way. Please stop spreading misinformation.
This is a misconception. Usage of heuristics still require distinct signatures, known elements or something uniquely malicious to determine malware. To my knowledge, x86 assembly hasn't been extended with "evil" instructions, not yet anyways ;). Most CPU vulnerabilities, like the ones mentioned above, relies completely normal instructions for arithmetic and control flow, like any other piece of software. No programmer worth their salt would claim heuristics could tell you that one sequence of mul, mov, jmp, shr, etc. is evil, while another is completely harmless. (without a database of known evil sequences)
 
Joined
Oct 27, 2009
Messages
1,195 (0.22/day)
Location
Republic of Texas
System Name [H]arbringer
Processor 4x 61XX ES @3.5Ghz (48cores)
Motherboard SM GL
Cooling 3x xspc rx360, rx240, 4x DT G34 snipers, D5 pump.
Memory 16x gskill DDR3 1600 cas6 2gb
Video Card(s) blah bigadv folder no gfx needed
Storage 32GB Sammy SSD
Display(s) headless
Case Xigmatek Elysium (whats left of it)
Audio Device(s) yawn
Power Supply Antec 1200w HCP
Software Ubuntu 10.10
Benchmark Scores http://valid.canardpc.com/show_oc.php?id=1780855 http://www.hwbot.org/submission/2158678 http://ww
Things like trying to figure out if an executable tries to access a restricted file can be done in a virtual environment, for sure. But most CPU vulnerabilities like Downfall, Meltdown, Spectre and many others require precise conditions to trigger undefined behavior of the CPUs, which is something that you can't emulate this way. Like, for instance, Spectre requires nanosecond timing, and many exploits there needs to retry code thousands if not millions of times to succeed in triggering an erroneous CPU state and extract a few bytes of data. Some bugs, like race conditions, might not happen on all hardware under all conditions, or be affected by clock speed, etc.


This is a misconception. Usage of heuristics still require distinct signatures, known elements or something uniquely malicious to determine malware. To my knowledge, x86 assembly hasn't been extended with "evil" instructions, not yet anyways ;). Most CPU vulnerabilities, like the ones mentioned above, relies completely normal instructions for arithmetic and control flow, like any other piece of software. No programmer worth their salt would claim heuristics could tell you that one sequence of mul, mov, jmp, shr, etc. is evil, while another is completely harmless. (without a database of known evil sequences)
Yeah Heuristics is behavior detection, the behavior still has to be in the database.
 
Joined
Jun 18, 2019
Messages
130 (0.06/day)
Things like trying to figure out if an executable tries to access a restricted file can be done in a virtual environment, for sure. But most CPU vulnerabilities like Downfall, Meltdown, Spectre and many others require precise conditions to trigger undefined behavior of the CPUs, which is something that you can't emulate this way. Like, for instance, Spectre requires nanosecond timing, and many exploits there needs to retry code thousands if not millions of times to succeed in triggering an erroneous CPU state and extract a few bytes of data. Some bugs, like race conditions, might not happen on all hardware under all conditions, or be affected by clock speed, etc.


This is a misconception. Usage of heuristics still require distinct signatures, known elements or something uniquely malicious to determine malware. To my knowledge, x86 assembly hasn't been extended with "evil" instructions, not yet anyways ;). Most CPU vulnerabilities, like the ones mentioned above, relies completely normal instructions for arithmetic and control flow, like any other piece of software. No programmer worth their salt would claim heuristics could tell you that one sequence of mul, mov, jmp, shr, etc. is evil, while another is completely harmless. (without a database of known evil sequences)
Nope.
Malwarebytes:
"These generic malware detections are due to our new automated signature system called BytesTotal and DDS engine that are based on Machine Learning technology with 100% autonomous learning which don’t require any human interaction to correctly identify malware.. These techniques are part of Malwarebytes’ Katana engine and were developed for automated mass detection of wide ranges of malware and adware."

"Malwarebytes detects unknown threats as Malware.AI by using Artificial Intelligence and Machine Learning techniques without any specific detection rules to protect users from malware that has not yet been researched and classified. This helps protect our customers against 0-day malware."

Malware.AI | Malwarebytes Labs
 
Last edited:
Joined
Sep 20, 2018
Messages
1,456 (0.64/day)
Don't we all wonder that from time to time?
But then I realize that intentionally sabotaging your own product would only drive your customer to the competition.
(And don't many enterprise customers usually switch out hardware regularily anyways? Like when the warranty is expired?)
Apple is doing it all the time
 
Joined
Jun 18, 2019
Messages
130 (0.06/day)
No. If you were not implying something then I digress..
I like how you "haha"ed my comment without explaining why. Are you a flat earther by any chance? Because your "arguments" are the same as flat earther's arguments which is "nuh uh"

How about that fact that it's near impossible to pull off? Just throwing it out there. If you has read up on the technical details, you would already had your answer. The "theory" @efikkan and others have offered might seem a bit "out there", however given market conditions and the fact that microsoft KNOWS that systems made in the late 2000's and early 2010's can STILL run Windows well, there is merit to the suggestions made.

I happen to think that there is some merit to the idea that companies, like microsoft, know they're in trouble and want to find a way to force people to upgrade. Finding vulnerabilities like this is one of them. Limiting what hardware Windows can run on while killing off existing fully functional OSes is another. It's a multi-pronged approach, which is almost painfully obvious. Should be, and technically is, illegal.
"impossible to pull off" Another claim with no evidence

 
Last edited:
Joined
Jul 5, 2013
Messages
28,318 (6.75/day)
I like how you "haha"ed my comment without explaining why.
Because it was funny. And no, I'm not going to explain.
Are you a flat earther by any chance?
Really? Personal jabs huh?
Because your "arguments" are the same as flat earther's arguments which is "nuh uh"
Look in a mirror. :slap:
"impossible to pull off" Another claim with no evidence

You seemed have missed something. Go back and read through the thread. Take it slow, no need to rush yourself. Oh and just an FYI, the MalwareBytes example is deeply flawed, which only highlights what you're missing.
 
Top