Intel CPUs Vulnerable To New LVI Attacks (zdnet.com)
A team of academics from universities across the world, along with vulnerability researchers from Bitdefender, today disclosed a new security flaw in Intel processors. From a report: Named Load Value Injection, or LVI for short, this is a new class of theoretical attacks against Intel CPUs. While the attack has been deemed only a theoretical threat, Intel has released firmware patches to mitigate attacks against current CPUs, and fixes will be deployed at the hardware (silicon design) level in future generations.
Microcode patches (Score:4, Interesting)
In theory, they should be provided in a motherboard firmware (UEFI/BIOS) upgrade.
In practice, because most motherboard vendors have probably abandoned their product a few months down the line, the OS is also able to load such microcode patches in a non-permanent manner at each system start.
Under Linux, look for a package named ucode-intel or something similar; it's probably going to get updated during your next 'zypper up', 'apt dist-upgrade', 'pacman -Syyu' or whatever is appropriate for you.
Under Windows 10, it's probably going to pop up in one of the updates on next patch-day. (It might also be available for companies still paying for the special extra-extra-extended support for Windows 7).
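As an added example (not part of the original comment): on Linux the revision the kernel actually loaded shows up per core in the `microcode` field of /proc/cpuinfo, so a microcode package upgrade can be verified after the next boot. The function names, the sample data and the minimum revision 0xd6 are constructed for illustration; the real minimum for a given CPU comes from Intel's microcode release notes.

```shell
#!/bin/sh
# Print each distinct microcode revision found in a /proc/cpuinfo-style file.
microcode_revisions() {
    awk -F': *' '/^microcode/ { print $2 }' "${1:-/proc/cpuinfo}" | sort -u
}

# check_microcode FILE MIN_REV
# Exit status: 0 = all cores at or above MIN_REV
#              1 = cores report different revisions (partial load)
#              2 = loaded revision is older than MIN_REV
#              3 = no microcode field (e.g. some VMs, non-x86)
check_microcode() {
    file=${1:-/proc/cpuinfo}
    min=${2:?minimum revision required, e.g. 0xd6}
    revs=$(microcode_revisions "$file")
    if [ -z "$revs" ]; then
        echo "no microcode field found in $file"
        return 3
    fi
    count=$(printf '%s\n' "$revs" | grep -c .)
    if [ "$count" -ne 1 ]; then
        echo "cores disagree on microcode revision:" $revs
        return 1
    fi
    # Shell arithmetic accepts the 0x-prefixed hex values the kernel prints.
    if [ $(( $revs )) -lt $(( $min )) ]; then
        echo "loaded $revs is older than required $min"
        return 2
    fi
    echo "loaded $revs meets minimum $min"
    return 0
}

# Demo on constructed data (not a real machine): two cores at 0xca,
# checked against a placeholder minimum of 0xd6.
demo=$(mktemp)
printf 'processor\t: 0\nmicrocode\t: 0xca\nprocessor\t: 1\nmicrocode\t: 0xca\n' > "$demo"
check_microcode "$demo" 0xd6 || echo "exit status $?"
rm -f "$demo"
```

On a real host, call `check_microcode /proc/cpuinfo <minimum>` after rebooting; a status of 2 after a package upgrade usually means the initramfs was not rebuilt or the firmware already ships the same or an older revision.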
Re: (Score:2)
> In theory, they should be provided in a motherboard firmware (UEFI/BIOS) upgrade.
> In practice, because most motherboard vendors have probably abandoned their product a few months down the line, the OS is also able to load such microcode patches in a non-permanent manner at each system start.
> Under Linux, look for a package named ucode-intel or something similar; it's probably going to get updated during your next 'zypper up', 'apt dist-upgrade', 'pacman -Syyu' or whatever is appropriate for you.
> Under Windows 10, it's probably going to pop up in one of the updates on next patch-day. (It might also be available for companies still paying for the special extra-extra-extended support for Windows 7).
My understanding is that Intel claims existing microcode updates are sufficient for this particular issue as long as you are not running a hypervisor. They recommended some modifications to VMM vendors but did not indicate that Windows, Linux, or UEFI need to push any new mitigations.
Re: (Score:2)
"Should", but it's not really feasible outside of the server market, because board makers would have to retest configurations for all their previously listed RAM/CPU/board certification guarantees as well. Look at your average MSI or ASUS board: you're looking at 150-250 configurations for RAM alone per CPU.
Re: (Score:3)
Intel patch day is on Tuesdays (Score:5, Insightful)
How much of last decade's progress can be attributed to shortcuts in security?
Re: (Score:2)
How much speed is AMD sacrificing for your feel-good measure against theoretical attacks that have been shown to be of complete irrelevance to users?
None, apparently. At least recently.
Re: (Score:2)
Re: (Score:2)
> None, apparently. At least recently.
Based on what? AMD's current speed? Imagine what it would be if they took the same shortcuts Intel did. The answer is definitely "some", given how Intel's implementation is strictly faster at the expense of security for the given operation.
Car analogy, just because you got overtaken by someone with a fat engine and a flat tire, doesn't mean they wouldn't be faster if they fixed their tire.
Re: (Score:2)
> The answer is definitely "some", given how Intel's implementation is strictly faster at the expense of security for the given operation.
No, it's not, because Intel's insecure chips are now overall slower than AMD's more secure ones. They're not "strictly faster" than AMD's circuits.
Re: (Score:2)
> Car analogy, just because you got overtaken by someone with a fat engine and a flat tire, doesn't mean they wouldn't be faster if they fixed their tire.
A better analogy would be "you got overtaken by someone using engine-busting Nitro shot". They can't fix this and still overtake, lack of security is what allows them to overtake.
Put machine in middle of room (Score:2)
Put machine in middle of room.
Surround by Armed Guards
Shoot unauthorized attackers in head until dead
Problem solved.
Re: (Score:2)
You failed to account for the floor.
Re:Put machine in middle of room (Score:4, Funny)
He did say to put the machine in the middle of the room, not the floor. Unless the machine and room are the same height this will leave the machine not touching the floor. The exact method for keeping the machine there is left as an exercise for the user. I'm more concerned about the "Shoot unauthorized attackers in head until dead" line, as it implies there might be authorized attackers. It also assumes any unauthorized attackers have discernible heads, and offers no alternative directions if they don't.
Re: (Score:2)
I suggest using "vertical-align: middle", maybe?
Re: (Score:2)
> He did say to put the machine in the middle of the room, not the floor. Unless the machine and room are the same height this will leave the machine not touching the floor. The exact method for keeping the machine there is left as an exercise for the user. I'm more concerned about the "Shoot unauthorized attackers in head until dead" line, as it implies there might be authorized attackers. It also assumes any unauthorized attackers have discernible heads, and offers no alternative directions if they don't.
To be fair, the lack of a head would introduce a huge barrier to any attack, authorized or not. Last I looked, any biological being with the right implements to launch an attack (i.e. fingers, voice, etc.) requires a head for direction.
Of course, a robot or drone doesn't have to have a head so maybe this is what leads to the eventual rise of Skynet...
Re: (Score:2)
The key was "discernible" head. This would include tiny heads, disguised heads, guards bad at seeing heads, etc. Just trying to cover all the edge cases. They should have left the target as center of mass. Unauthorized attackers without mass will not be affected by bullets.
Re: (Score:1)
You could still have an authorized attacker without any discernible head and a bulletproof center of mass...
Re: (Score:2)
Authorized attackers are not to be shot, regardless of the status of their head. Guards would ideally be additionally equipped with a non-ballistic weapon to defend against more types of unauthorized attacker. But I didn't make the original rules.
VM host sharing is what can make use of this (Score:2)
VM host sharing is what can make use of this, not local inputs.