Intel CPU Design Flaw: Fix will cause performance hit

wade boggs chicken dinner

Member
SoSH Member
Mar 26, 2005
30,717
AMD up 6% yesterday and up again after hours.

I had bought a bit of AMD a few years ago when I had the time to keep track of such things and sold it for a small profit when it looked like their products still weren't competitive. AMD has only quintupled since then based on its 14nm Zen architecture.

Win some lose some.
 

lexrageorge

Member
SoSH Member
Jul 31, 2007
18,183
And in hopefully unrelated news, Intel's CEO sold a bunch of stock on or about December 19, in what in hindsight looks pretty fishy. More details here: https://www.fool.com/investing/2017/12/19/intels-ceo-just-sold-a-lot-of-stock.aspx
The publication of the filings happened on 12/19. The actual sales happened earlier and were reported on an 11/29 filing with the SEC, which means they likely happened earlier in November. These transactions are likely in the "nothing to see here" category. CEOs have limited windows in which to sell shares, and quite a few of those shares were from stock grants. As the author notes, it is somewhat notable that Krzanich is holding onto the mandated minimum number of shares, but that doesn't seem to be new either.

It's probable that the bug is not quite as dire a situation as the intern at The Register is making it out to be. O/S folks have long had a love/hate relationship with Intel's architecture. Given that this bug has supposedly existed for 10+ years and no one found out about it until recently, the safe assumption is that this is very much a corner case issue that requires a whole host of conditions to be lined up just right to be triggered, and is therefore unlikely to be found by casual hacking. Software folks understandably hate having to find those conditions, so by default they will want to take the easy way out and create a general fix that by all appearances sounds like a real sub-optimal solution. tl;dr; it's best not to draw any conclusions until the press embargo is lifted and the details of the bug and the workarounds are more generally known.
 

wade boggs chicken dinner

Member
SoSH Member
Mar 26, 2005
30,717
The publication of the filings happened on 12/19. The actual sales happened earlier and were reported on an 11/29 filing with the SEC, which means they likely happened earlier in November. These transactions are likely in the "nothing to see here" category. CEOs have limited windows in which to sell shares, and quite a few of those shares were from stock grants. As the author notes, it is somewhat notable that Krzanich is holding onto the mandated minimum number of shares, but that doesn't seem to be new either.

It's probable that the bug is not quite as dire a situation as the intern at The Register is making it out to be. O/S folks have long had a love/hate relationship with Intel's architecture. Given that this bug has supposedly existed for 10+ years and no one found out about it until recently, the safe assumption is that this is very much a corner case issue that requires a whole host of conditions to be lined up just right to be triggered, and is therefore unlikely to be found by casual hacking. Software folks understandably hate having to find those conditions, so by default they will want to take the easy way out and create a general fix that by all appearances sounds like a real sub-optimal solution. tl;dr; it's best not to draw any conclusions until the press embargo is lifted and the details of the bug and the workarounds are more generally known.
As I said, the stock sales and the bug are hopefully unrelated.

Thanks for the word of optimism on the bug. The technical issues are way over my head and my biggest concern is how this is going to affect my laptop computer. (Glad I procrastinated in upgrading over the past few months!). Found this interesting article that attempted to describe the bug prior to the official release - note that work to mitigate the bug was showing up as early as October in Linux circles.

Good thing I have SOSH to explain all of this!
 

cgori

Member
SoSH Member
Oct 2, 2004
4,031
SF, CA
So....unless absolutely necessary, hold off on buying any computer with an Intel processor until the flaw is fixed?
Wait until the embargo on the vulnerability lifts, then see which processors have an issue. Wouldn't be surprising if relatively new devices (Skylake? Kaby Lake?) have a fix.
 

lexrageorge

Member
SoSH Member
Jul 31, 2007
18,183
Intel is unsurprisingly disputing the story from The Register. Could be a vulnerability that affects most any processor that handles virtual memory in a certain way based on a novel method of exploitation. If so, it's not clear that the issue is limited to Intel processors, or should even be considered a "bug". About the only thing we can be sure about is that there's definitely been a lot of finger pointing back and forth in closed door meetings between Intel, Microsoft, the Linux community, and the big server guys (Google, Amazon, etc.).
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,993
Alexandria, VA
Intel is unsurprisingly disputing the story from The Register. Could be a vulnerability that affects most any processor that handles virtual memory in a certain way based on a novel method of exploitation. If so, it's not clear that the issue is limited to Intel processors, or should even be considered a "bug". About the only thing we can be sure about is that there's definitely been a lot of finger pointing back and forth in closed door meetings between Intel, Microsoft, the Linux community, and the big server guys (Google, Amazon, etc.).
Ars Technica has a pretty detailed but still (*cough*) speculative write-up on the issue. If they’re correct, AMD is unaffected and the bug is specific to Intel processors from the Pentium Pro through current.

But there’s a leap of faith in the article. I'm not sure how they get from a side-channel timing attack—which is bad enough—to reading arbitrary Ring 0 memory.
 

cgori

Member
SoSH Member
Oct 2, 2004
4,031
SF, CA
As someone who worked with world-class side channel attack experts for a long time, I am no longer surprised at the relative power they can have. It's always a matter of when not if - when a researcher has a clever thought or figures out how to apply a technique across domains is usually when things tip over.

The performance penalties being thrown around are in the range of what side channel countermeasures often require.
 

cgori

Member
SoSH Member
Oct 2, 2004
4,031
SF, CA
More info available now, there are two different issues: https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/

The guy they list as one of the independent discoverers of Spectre was my old boss - I had no idea this was something he was looking into but it does not surprise me at all.

Edit- paper for Meltdown: https://meltdownattack.com/meltdown.pdf - perhaps my boss was on this one instead, I haven't dug out the Spectre paper yet to see if he's on both.

Edit2 - Spectre paper: https://spectreattack.com/spectre.pdf

Some weird stuff in the media this morning that maybe the authors broke the embargo a week early. Not sure what to make of that but seems like keeping a lid on this at this point is pretty futile.
 

lexrageorge

Member
SoSH Member
Jul 31, 2007
18,183
Interesting. Still amazing that one can infer a randomized kernel memory address by just looking at the execution timing of certain accesses. Can't really fault Intel here; speculative execution has been a mainstay for decades, and I'm sure these types of security issues were completely unknown (or even unknowable) when Intel began releasing processors with their aggressive speculation. The main worry at the time with Intel's approach would have been power and cache pollution, not security.

The excellent article from Ars Technica does mention that these attacks are mainly concerns for servers:

For typical desktop users, the risk is arguably less significant. While both Meltdown and Spectre can have value in expanding the scope of an existing flaw, neither one is sufficient on its own to, for example, break out of a Web browser.
So Overwatch for PC will still run fine on Intel-based PCs.