Google and Microsoft Disclose New CPU Flaw, and the Fix Can Slow Machines Down (theverge.com) 83
An anonymous reader quotes a report from The Verge: Microsoft and Google are jointly disclosing a new CPU security vulnerability that's similar to the Meltdown and Spectre flaws that were revealed earlier this year. Labelled Speculative Store Bypass (variant 4), the latest vulnerability is a similar exploit to Spectre and exploits speculative execution that modern CPUs use. Browsers like Safari, Edge, and Chrome were all patched for Meltdown earlier this year, and Intel says "these mitigations are also applicable to variant 4 and available for consumers to use today." However, unlike Meltdown (and more similar to Spectre) this new vulnerability will also include firmware updates for CPUs that could affect performance. Intel has already delivered microcode updates for Speculative Store Bypass in beta form to OEMs, and the company expects them to be more broadly available in the coming weeks. The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won't see negative performance impacts.
"If enabled, we've observed a performance impact of approximately 2-8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client 1 and server 2 test systems," explains Leslie Culbertson, Intel's security chief. As a result, end users (and particularly system administrators) will have to pick between security or optimal performance. The choice, like previous variants of Spectre, will come down to individual systems and servers, and the fact that this new variant appears to be less of a risk than the CPU flaws that were discovered earlier this year.
Perverse way to drive future CPU upgrades (Score:5, Interesting)
Re: Perverse way to drive future CPU upgrades (Score:4, Insightful)
The flaws impact the CPUs in Apple products.
Re: Perverse way to drive future CPU upgrades (Score:1)
Only if you hold it the wrong way
Re: (Score:1)
Re: (Score:1)
Just to note, commercially available computers are buggy, insecure POS's
This has been noted before, particularly in reviews for acceptable levels of security that used to require a PC have no network, keyboard or monitor, and be in a locked room in order to be considered secure.
Why this surprises anybody is beyond me, maybe the gov will slip up and let us all have the specs for whatever Multics led to
Re: (Score:3)
Close, it's a great way for Intel to marginalize used PC/server market as none of the old machines get the microcode/BIOS patches. All old servers are now for air-gapped applications only.
Re: (Score:3, Interesting)
> Close, it's a great way for Intel to marginalize used PC/server market as none of the old machines get the microcode/BIOS patches. All old servers are now for air-gapped applications only.
Responding as AC but... they have provided beta microcode back to the first core processor. I've personally seen it. The people who are NOT providing microcode updates are the hardware vendors that ship your motherboard. However, there are other ways to update the microcode, such as through your operating system. From what I have seen in beta testing, the update does not seem to affect the stability of machines with old BIOS but obviously there is no way to be certain until it starts rolling out.
Re:Perverse way to drive future CPU upgrades (Score:5, Informative)
Or perhaps that's just the skeptic in me talking.
I'm replying AC because this affects my company but Intel basically says in the advisory that the one mitigation that DOES affect CPU performance is not really necessary if you have a modern OS and modern web browser. I'm not certain this is true, I am not affiliated with Microsoft, GPZ, or Intel, but I do know that this issue has been researched by Intel, Microsoft, and GPZ for many months. In fact, the initial indications suggested that it was worse than it actually is after applying January microcode updates and updating OS and browser.
That update is going to be enabled/disabled by the user based on a BIOS or OS toggle and Intel recommends it be disabled under most circumstances. I don't know when they recommend that you enable it, but I assume it is going to be important for cloud hosting providers.
Re:Perverse way to drive future CPU upgrades (Score:4, Informative)
It's hard to take anything that Intel says seriously. Last time they said the hit would be a few percent, and people were seeing 60%.
Best to avoid them altogether. And sue in small claims court if you are already a victim.
Re:Perverse way to drive future CPU upgrades (Score:4, Insightful)
To be honest I struggle to get upset about this speculative execution business, but then I don't fall into the categories of people who need to worry. For most of these cases the exploit requires a significant chunk of privileged code to already be running. On nearly everyone's PC you have already lost. Your system is at this point no longer yours.
Where this would be scarier is on virtual machines where one OS can break the isolation that the hypervisor provides. A computer where its function is to give strangers access to running code on your machine.
Frankly I think Intel is right about most of this and so is Microsoft and the Linux kernel devs when they made the various fixes for the various speculative execution bugs optional.
We need new benchmarks (Score:3)
The benchmark sites need to start using or disclosing speeds with the "feature" turned on.
Speed Reduction (Score:5, Interesting)
After all the speculative execution flaws are found and fixed (in hardware or software) the question won't be how much of a slowdown those fixes cause, but how much of a speedup from speculative execution remains.
Re: (Score:1)
On any machine that uses SMM, for that matter.
Re:Speed Reduction (Score:5, Insightful)
The problem for Intel is that they sold these processors with certain features and performance, and now have found design defects in them.
That's a classic consumer protection scenario. Car engine fails catastrophically after 50k km due to badly designed part? Under EU law you should not be out of pocket.
Re:Speed Reduction (Score:5, Insightful)
Intel has been getting a free pass from such consumer protections for decades now. Are we finally so enlightened that we can take away their hoard of Get Out Of Jail Free cards and make them pay for their failures rather than profit from them?
Re: (Score:2)
Yes. I took them to small claims court and won.
Re: (Score:2)
And if we individually sued them for something that is a collective wrong, we'd tie up the judicial system for decades with a waiting list encircling the globe several times, wouldn't we? I'm glad "you got yours", but that's not a solution for the societal wrong, is it?
Re: (Score:2)
In such cases the judges usually start fast tracking decisions based on previous cases, and then to save paying court and legal fees the company just pays out without contest in future.
It sucks but there is no other option.
Re: (Score:2)
> Car engine fails catastrophically after 50k km due to badly designed part? Under EU law you should not be out of pocket.
The car engine didn't fail catastrophically. What did happen is you applied an optional fix to a problem that under a very small set of specific circumstances would cause the car door to unlock and then after you put your car with its optional fix on a dyno you discovered you actually had 10 horsepower less than you thought.
You'll be hard pressed getting that through even an EU regulator.
Re: (Score:2)
Yes and no. You could with new model cars that they knew they were going to be applying the fix to in the coming months but sold under the old numbers. Specifically that would be fraud, so anyone who bought Coffee Lake before the fixes were published is arguably entitled to a full refund.
Re: (Score:2)
> so anyone who bought Coffee Lake before the fixes were published is arguably entitled to a full refund
Not really because Intel don't publish performance figures, hence it isn't fraud. Not only that but the processor itself still does exactly what it said on the box. The fact that someone else can use those features nefariously and that Intel gives you an option for added security at the cost of performance doesn't change what the processor is now and what it will be after the optional fix gets released.
The key part here is that you still have every bit the same device that was advertised and sold to you doin
Re: (Score:3)
I see where you are going with this. Basically, we have been sold a flawed product that isn't performing as advertised.
Give Consumers The Option to Choose... (Score:3, Interesting)
... Security or Performance.
Not everyone is a gamer, video editor, etc.
Many people would gladly sacrifice 50% CPU performance, in exchange for more secure and stable processors.
But Intel and its OEMs are reluctant to even give us consumers the choice to obtain decent microcode security fixes that slow down our computers too much.
Intel already provides the NSA with the ME backdoor, so why won't they at least try harder to close the other security holes?
Re: (Score:3)
> ... Security or Performance.
> Not everyone is a gamer, video editor, etc.
> Many people would gladly sacrifice 50% CPU performance, in exchange for more secure and stable processors.
> But Intel and its OEMs are reluctant to even give us consumers the choice to obtain decent microcode security fixes that slow down our computers too much.
> Intel already provides the NSA with the ME backdoor, so why won't they at least try harder to close the other security holes?
Read the advisory. They DID give you the option to choose and recommend that vendors ship with it disabled as it's only needed in specific circumstances.
Re: (Score:2)
If one vendor cuts corners to improve performance the other vendors will look like their products are slower until such time as the corner cutting is identified and can be proven to be detrimental.
Again differences... (Score:2)
This time it depends on both the CPU and the OS.
This is basically a "read-after-write" situation, where the CPU tries to speculate before the write is actually known.
Depending on your CPU + OS combo, this will be limited to data you already have full read/write access to anyway.
(AMD doesn't speculate past memory protection, Intel does(*).
Linux uses a copy-on-write memory allocation scheme that guarantees that all memory pages seen by an application are magically pre-filled with zero, meaning that an applicati
Re: (Score:2)
It should not affect kernel or hypervisor.
I know for a fact that Intel notified VMWare of these vulnerabilities and told them they needed to patch ESXi. These can be exploited through a hypervisor.
Re: (Score:2)
Google and Microsoft are shielding Intel's reputational damage, Intel should be making these announcements, and with detail.
Intel has no right to announce this. Microsoft and Google both found the issue. They reported it to Intel. Intel did make a disclosure, albeit not a very detailed one. Microsoft and Google receive the accolades for telling the world about this problem. This is how it always works in the world of security research. The researcher agrees to postpone publishing while the issue is mitigated and the company they reported to agrees to keep the research in the strictest confidentiality until they publish. I
Re: (Score:1)
But who doesn't re-edit their porn to match their own stroke rate?
Re: (Score:2)
The market was not given a choice. No one said "Intel chips are 50% faster, but possibly vulnerable to security exploits". NO ONE, if they were informed, would have made this choice.
Re: (Score:2)
> Not everyone is a gamer, video editor, etc.
Pfft amateurs. What do they need a decent CPU for. Real men need Real CPUs for Real workloads like running McAfee.
Re: (Score:2)
This will never be in OpenBSD. Back in 2005, Theo de Raadt would not give any ground when I implored him to build with position independent executables. He maintained that PIE was "very expensive"--the overall impact on x86 is about 0.06% additional CPU usage, so about 2.16 seconds lost per hour pegged at 100% CPU usage, minus any time spent not at 100% CPU usage.
8%? He'll never accept that. It's way too performance-expensive.
Re: Give Consumers The Option to Choose... (Score:1)
You are right, but there are far more Intel customers that care about performance than gamers and video editors: SaaS providers, meteorologists. Intel sells to other customers than consumers. I would imagine that Google would not be thrilled if the 1000s of servers they run in a DC dropped even 1% in performance; that would potentially mean 100s of extra servers to do the same amount of work, with extra switch ports, power and cooling. Not cheap.
And he laughed... (Score:2)
And my professor laughed when I held the single-cycle CPU design to be the holy grail of the industry...
Re: (Score:2)
Great! (Score:1)
When this is all done and dusted I will be left with a z80
Re: Great! (Score:1)
I have several tubes of Z80s and two working systems that use that processor.
Re: (Score:2)
Newspeak (Score:1)
> The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won't see negative performance impacts.
Devices will remain insecure by default to protect our brand image and shareholders. How the f* do you think it is a good idea to set a security patch as off-by-default?
Re: (Score:1)
cpuid (Score:3)
Re: (Score:3)
ARE YOU A ROBOT
Re:cpuid (Score:4, Informative)
> So, in the future CPU makers don't need to invent new names. We'll just identify CPUs with the name of the newest vulnerabilities they have :)
--You joke, but the Linux kernel already does this when you do ' cat /proc/cpuinfo ':
model name : Intel(R) Core(TM) i5-x400 CPU @ 2.70GHz
bugs : cpu_meltdown spectre_v1 spectre_v2
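An added example, not part of the comment above: a small script that collects the `bugs` flags from `/proc/cpuinfo` and reads the kernel's Speculative Store Bypass status from sysfs. It shows that a listing like the one quoted, with no `spec_store_bypass` flag, means the kernel predates variant 4 reporting rather than that the CPU is unaffected. The function names and verdict labels are hypothetical; the sysfs path and status prefixes are the standard Linux ones, and the sample is constructed from the comment's two lines.

```shell
#!/bin/sh
# Added example: read the kernel's CPU bug flags and its variant 4 status.

# Constructed sample: the comment's cpuinfo lines, repeated for two CPUs.
sample_cpuinfo() {
    cat <<'EOF'
processor   : 0
model name  : Intel(R) Core(TM) i5-x400 CPU @ 2.70GHz
bugs        : cpu_meltdown spectre_v1 spectre_v2
processor   : 1
model name  : Intel(R) Core(TM) i5-x400 CPU @ 2.70GHz
bugs        : cpu_meltdown spectre_v1 spectre_v2
EOF
}

# cpu_bugs FILE: unique flags from every "bugs" line, one per line, sorted.
cpu_bugs() {
    awk -F: '/^bugs[[:space:]]*:/ { n = split($2, f, " ")
                                    for (i = 1; i <= n; i++) print f[i] }' "$1" | sort -u
}

# has_bug FILE FLAG: succeed if the kernel lists FLAG for any CPU.
has_bug() { cpu_bugs "$1" | grep -qxF -- "$2"; }

# classify STATUS: reduce a sysfs vulnerabilities string to a short verdict.
classify() {
    case "$1" in
        "Not affected"*)        echo not-affected ;;
        "Mitigation:"*prctl*)   echo opt-in ;;     # per-process, not system-wide
        "Mitigation:"*)         echo mitigated ;;
        "Vulnerable"*)          echo vulnerable ;;
        *)                      echo unknown ;;
    esac
}

# ssb_status CPUINFO SYSFS_DIR: verdict for Speculative Store Bypass.
ssb_status() {
    if [ -r "$2/spec_store_bypass" ]; then
        classify "$(cat "$2/spec_store_bypass")"
    elif has_bug "$1" spec_store_bypass; then
        echo flagged
    else
        echo not-reported   # kernel predates variant 4 reporting; not proof of safety
    fi
}

if [ -r /proc/cpuinfo ]; then
    echo "variant 4: $(ssb_status /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities)"
fi
```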
Where is Firefox? (Score:2)
Fixes should be called Melter and SpecDown (Score:2)