Naked Science Forum
Non Life Sciences => Geek Speak => Topic started by: smart on 06/01/2018 10:32:31
-
Virtually all moderns PCs and smartphones are vulnerable by theses low-level CPU flaws.
Why Intel did not released a security advisory when they become aware of the design flaw in June 2017?
See:
https://meltdownattack.com/
https://react-etc.net/page/javascript-spectre-meltdown-faq
-
AMD as well, just not as well known. All CPU's that do predicitive and speculative execution are vunerable to it.
-
How is the threat deployed against the host computer? Presumably to make the hardware do this it must tinker with the bios?
-
How is the threat deployed against the host computer? Presumably to make the hardware do this it must tinker with the bios?
Javascript...
-
You need to be able to run script on the host with some access to software timers, so just a web page will do, using javascript to run the attacks on the host computer. All it needs is the means to run code and read the built in OS timers, which all code will be allowed to do, as they all look at the system clock for time, and often also need to use the other high speed counters. That the difference between guessing wrong and guessing right is around 200 times the delay is a very easy thing to pull out of the system, and thus the program script can slowly pull out data it wants, provided it knows where the data is, even if it is nominally blocked from reading it, it can guess the data by multiple tries with all possible values of the target, the good one has a time difference that shows up.
Plenty of info online about this at the moment.
-
How can it be mitigated?
-
How can it be mitigated?
Ensure the browser and operating-system are up-to-date ... https://spectreattack.com/
These vulnerabilities were not found "in the wild".
-
AMD as well, just not as well known. All CPU's that do predicitive and speculative execution are vunerable to it.
Thanks, I'll correct that. My understanding is that AMD CPUs are vulnerable to Spectre-class hardware timing attacks but not to Meltdown.
-
Bad news regarding Spectre / Meltdown fix for older PC owners: Microsoft says it will slow down your computer (https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/?ranMID=24542&ranEAID=nOD/rLJHOac&ranSiteID=nOD_rLJHOac-0BvaqQnfhAKWeHcm0ft.mA&tduid=(9a91604a36bf2e42a2f74b67007e4bbd)(256380)(2459594)(nOD_rLJHOac-0BvaqQnfhAKWeHcm0ft.mA)()) But doesn't Windows do that anyway? Will I even notice?
An independent write-up (https://www.engadget.com/2018/01/09/microsoft-meltdown-spectre-performance-hit/?utm_source=Daily+Email&utm_campaign=aed6b00dfe-EMAIL_CAMPAIGN_2018_01_10&utm_medium=email&utm_term=0_03a4a88021-aed6b00dfe-248782605) is here in this article.
-
Little more here.
https://www.grc.com/sn/sn-645-notes.pdf
If you want you can watch the whole show as well at www.twit.tv/sn look for ep 645.
-
Bad news regarding Spectre / Meltdown fix for older PC owners: Microsoft says it will slow down your computer (https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/?ranMID=24542&ranEAID=nOD/rLJHOac&ranSiteID=nOD_rLJHOac-0BvaqQnfhAKWeHcm0ft.mA&tduid=(9a91604a36bf2e42a2f74b67007e4bbd)(256380)(2459594)(nOD_rLJHOac-0BvaqQnfhAKWeHcm0ft.mA)()) But doesn't Windows do that anyway? Will I even notice?
An independent write-up (https://www.engadget.com/2018/01/09/microsoft-meltdown-spectre-performance-hit/?utm_source=Daily+Email&utm_campaign=aed6b00dfe-EMAIL_CAMPAIGN_2018_01_10&utm_medium=email&utm_term=0_03a4a88021-aed6b00dfe-248782605) is here in this article.
I don't install security patches for my AMD Windows 7 laptop since a long time ago...
-
Are theses severe CPU design flaws evidences that Intel is corrupted to the bone??
-
No, more that making a modern CPU is hard. The decisions made years ago to increase speed had some unanticipated side effects.
-
No, more that making a modern CPU is hard. The decisions made years ago to increase speed had some unanticipated side effects.
Seriously?
A Spectre-class exploit/bug was not introduced automagically in Intel hardware. Theses things only happens in real life because Intel engineers carefully developed their products with specific design guidelines.
-
A Spectre-class exploit/bug was not introduced automagically in Intel hardware. Theses things only happens in real life because Intel engineers carefully developed their products with specific design guidelines.
Your conspiracy-theory (https://rationalwiki.org/wiki/Conspiracy_theory#Exposure) will have to include software engineers too : javascript (https://en.wikipedia.org/wiki/JavaScript#Server-side_JavaScript) and multiple web browsers.
-
Your conspiracy-theory (https://rationalwiki.org/wiki/Conspiracy_theory#Exposure) will have to include software engineers too : javascript (https://en.wikipedia.org/wiki/JavaScript#Server-side_JavaScript) and multiple web browsers.
Yes. But calling this a "conspiracy theory" is incorrect. Do you really think we should not hold Intel accountable for theses severe CPU design flaws?