Lost Password?   -   Register






Post Reply 
 
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
The 2018 CPU vulnerability disaster (SPECTRE & MELTDOWN)
Author Message
 Mystik Online
Annoying Cunt™
******
Staff

Posts: 2.035
Likes Given: 483
Likes Received: 953 in 541 posts
Joined: 01 Aug 2013
Reputation: 38
Post: #1
Bug The 2018 CPU vulnerability disaster (SPECTRE & MELTDOWN)

[Image: vGmwExg.png]

SPECTRE & MELTDOWN

Here's a great start to 2018: 99% of all processors in use today have design flaws that makes them vulnerable to attacks.

Researchers have found 2 bugs/design flaws that combined impact pretty much all processors in use today. This means that your PC, laptop, server and phone ARE AFFECTED by these bugs. Both of these bugs allow hackers to read information from the memory. THIS CAN INCLUDE PASSWORDS AND OTHER PERSONAL INFORMATION. There are 3 variants (variant 3 has a sub variant) of attacks. 1) Bounds check bypass [Spectre], 2) Branch target injection [Spectre], 3) Rogue data cache load [Meltdown]. Spectre attacks affect almost ALL MODERN CPUs, while Meltdown "only" affects Intel CPUs starting from 1995 and some ARM cores... These hardware bugs are basically caused by technically a design flaw in the modern CPU architectures, where Meltdown is specifically on x86 architecture. The extra bad news is that the global fix for Meltdown that has already been implemented to all major OSs will lead to performance decreases on all Intel CPUs, especially pre-2010 models. More on this in the Meltdown section.

SPECTRE:
What? - Spectre breaks the isolation between applications. This means that a harmful application exploiting spectre could read information from memory and hence from other apps. Even though the applications are coded by today's standards for optimized security, Spectre can actually benefit from this. Spectre is harder to exploit, but also harder to fix.
Affects? - All AMD, Intel, ARM CPUs. Yes. ALL OF THEM.
Fix? - Software patches. VERY hard to fix and a 100% fix is probably impossible. Rolleyes

MELTDOWN:
What: Meltdown breaks the isolation between user applications and the operating system. This allows the exploit to read information from the memory, thus making it possible to gain information from others applications running in memory, which might include passwords etc.
Affects: All Intel CPUs from 1995-> (excluding Itanium and Atom before 2013). ARM: Cortex-A75. (Variant 3a also Cortex-A15-, A57- ja A72). AMD not affected.
Fix: KPTI (Kernel Page Table Isolation). This means that the kernel memory is completely isolated. This is done via Operating system patches / updates + microcode / firmware update. The Linux kernel has already been patched for this exploit, and an emergency Microsoft update KB4056892 has been released, that implements the first step of the fix. However this is a hardware bug/flaw, which means that Intel has to also issue some sort of microcode / firmware update to completely fix this. Note that the Windows Update is not being enabled on all PCs because it's NOT COMPATIBLE with most anti virus software. More on this as the story unfolds. And now for the worst news.
Performance degradation: The KPTI fix will lead to performance degradation on the Intel x86 platform. There are no proper tests of the amounts of performance degradations of yet, but they can be expected to range from virtually nothing to almost 30% in cases where a lot of CPU I/O calls are being made. This means that for gaming and general usage the performance degradation shouldn't be that noticeable, but for special high I/O workloads like certain SQL functions ran with the fix resulted in up to 23% performance degradation.

TL;DR
All modern CPUs have a hardware bug / design flaw that makes them vulnerable to two different exploits. The exploits can be used to (for example) read passwords from the memory. One of the bugs is easy to fix with OS patches but will result in performance degradation in Intel processors. The other exploit is hard to fix.

{Tried to write this as simply as possible. Will update when more info arises. Updates marked with heading UPDATE: (date)}


SOURCES:
https://meltdownattack.com/
https://meltdownattack.com/meltdown.pdf / https://spectreattack.com/spectre.pdf
https://www.theregister.co.uk/2018/01/02...sign_flaw/
https://googleprojectzero.blogspot.fi/20...-side.html
https://newsroom.intel.com/news/intel-re...-findings/
https://developer.arm.com/support/security-update
https://www.amd.com/en/corporate/speculative-execution
https://support.microsoft.com/en-us/help...s-released


UPDATE 11.01.2018: Intel released benchmarks detailing processor slowdowns of a few configurations.

The performance hits ON BENCHMARKS range from 7% - 8% on average.

[Image: b6028a7c6c.png]

https://newsroom.intel.com/editorials/in...t-systems/
http://www.pcgamer.com/intel-shares-more...n-patches/
https://www.engadget.com/2018/01/11/inte...-slowdown/

[Image: 1M9pGGa.png]

[Image: mystard_steam1.png]
(This post was last modified: 12 January 2018 17:10 by Mystik.)
04 January 2018 20:24
Visit this user's website Find all posts by this user Like Post Quote this message in a reply
[-] The following 2 users Like Mystik's post:
 Fury (06-01-2018),  Mac (04-01-2018)
 Renoo~* Offline
Me panda, u panda?
****
Community Friend

Posts: 423
Likes Given: 76
Likes Received: 113 in 76 posts
Joined: 04 Aug 2013
Reputation: 8
Post: #2
RE: The 2018 CPU vulnerability disaster (SPECTRE & MELTDOWN)

first post

thx for giving me this outstanding opportunity

Me panda, u panda?
05 January 2018 23:41
Visit this user's website Find all posts by this user Like Post Quote this message in a reply
[-] The following 1 user Likes Renoo~*'s post:
 Mystik (06-01-2018)
 Fury Offline
Nippuru!
*****
Community Member

Posts: 936
Likes Given: 180
Likes Received: 195 in 145 posts
Joined: 27 Apr 2014
Reputation: 5
Post: #3
RE: The 2018 CPU vulnerability disaster (SPECTRE & MELTDOWN)

Thanks, this makes it easier to understand than all those 69 page long posts on the internet!

Mystik the best

[Image: w0gdMjF.gif]
卵ニップル
06 January 2018 23:50
Find all posts by this user Like Post Quote this message in a reply
[-] The following 1 user Likes Fury's post:
 Mystik (07-01-2018)
 Mystik Online
Annoying Cunt™
******
Staff

Posts: 2.035
Likes Given: 483
Likes Received: 953 in 541 posts
Joined: 01 Aug 2013
Reputation: 38
Post: #4
RE: The 2018 CPU vulnerability disaster (SPECTRE & MELTDOWN)

3 class-action lawsuits and counting.

https://www.theguardian.com/technology/2...s-computer

[Image: 1M9pGGa.png]

[Image: mystard_steam1.png]
08 January 2018 17:47
Visit this user's website Find all posts by this user Like Post Quote this message in a reply
 Mac Offline
Frequent Poster
****
Community Friend

Posts: 420
Likes Given: 288
Likes Received: 206 in 106 posts
Joined: 01 Feb 2015
Reputation: 13
Post: #5
RE: The 2018 CPU vulnerability disaster (SPECTRE & MELTDOWN)

(08 January 2018 17:47)Mystik Wrote:  3 class-action lawsuits and counting.

https://www.theguardian.com/technology/2...s-computer

Called it
11 January 2018 22:51
Find all posts by this user Like Post Quote this message in a reply
 Mystik Online
Annoying Cunt™
******
Staff

Posts: 2.035
Likes Given: 483
Likes Received: 953 in 541 posts
Joined: 01 Aug 2013
Reputation: 38
Post: #6
RE: The 2018 CPU vulnerability disaster (SPECTRE & MELTDOWN)

UPDATE 11.01.2018: Intel released benchmarks detailing processor slowdowns of a few configurations.

The performance hits ON BENCHMARKS range from 7% - 8% on average.

[Image: b6028a7c6c.png]

https://newsroom.intel.com/editorials/in...t-systems/
http://www.pcgamer.com/intel-shares-more...n-patches/
https://www.engadget.com/2018/01/11/inte...-slowdown/

[Image: 1M9pGGa.png]

[Image: mystard_steam1.png]
12 January 2018 17:10
Visit this user's website Find all posts by this user Like Post Quote this message in a reply
Post Reply 




User(s) browsing this thread: 1 Guest(s)