Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Wednesday January 31 2018, @05:14PM   Printer-friendly
from the doesn't-raid-fix-this? dept.

Arthur T Knackerbracket has found the following story:

In 2015, Microsoft senior engineer Dan Luu forecast a bountiful harvest of chip bugs in the years ahead.

"We've seen at least two serious bugs in Intel CPUs in the last quarter, and it's almost certain there are more bugs lurking," he wrote. "There was a time when a CPU family might only have one bug per year, with serious bugs happening once every few years, or even once a decade, but we've moved past that."

Thanks to growing chip complexity, compounded by hardware virtualization, and reduced design validation efforts, Luu argued, the incidence of hardware problems could be expected to increase.

This month's Meltdown and Spectre security flaws that affect chip designs from AMD, Arm, and Intel to varying degrees support that claim. But there are many other examples.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Wednesday January 31 2018, @05:37PM (6 children)

    by Anonymous Coward on Wednesday January 31 2018, @05:37PM (#631035)

    It seems to be mostly an intel issue at this point. I really never had any opinion on cpus/gpus either way but seeing the recent PR attempt to muddy the waters has turned me anti-intel. Maybe people who matter to them aren't thinking the same, but it seems like a dangerous strategy. They are clearly not to be trusted.

  • (Score: 4, Informative) by MrGuy on Wednesday January 31 2018, @06:21PM (2 children)

    by MrGuy (1007) on Wednesday January 31 2018, @06:21PM (#631068)

    Citation needed.

    First of all, Spectre and Meltdown are different. You can read details here [meltdownattack.com]

    Spectre is a flaw where "speculative execution" can leak information (this is where a processor executes a branch of code that MIGHT be needed, but only in theory stores the result if it matters). The problem with speculative execution is that it's not checked whether a given command SHOULD be executed (for example, if the program has the right access level to execute the code). However, this security issue wasn't seen as a problem, because (in theory) the result of the speculatively executed code would be thrown away if it couldn't be used. So, it might be a mechanism to let untrusted code access core kernel memory (which is Very Bad), but it was thought to be acceptable because nobody could see the result. The problem is that CPU caching could "leak" those results and be visible to other code.

    Spectre affects pretty much ALL manufacturers chips - the official paper [spectreattack.com] explicitly references Intel, AMD, and ARM architectures as being affected.

    Meltdown is different - it's a "sideband" attack on kernel memory that relies on using the side effects of certain legal, carefully crafted code and information about the location and layout of memory to "leak" information, including kernel memory. Meltdown does not require the use of speculative execution to leak memory.

    The proof of concept attack for Meltdown detailed officially [meltdownattack.com] only works against Intel hardware, but the paper specifically cautions that there's no reason to expect that AMD wouldn't be suseptible to a similar attack.

    • (Score: 2, Insightful) by Anonymous Coward on Wednesday January 31 2018, @07:05PM

      by Anonymous Coward on Wednesday January 31 2018, @07:05PM (#631102)

      All people really care about is meltdown since patching for spectre seems to have minimal impact on performance. It is to the point where meltdown mitigations are being needlessly enabled for amd processors just to not make intel look so bad[1]. AMD says:

      GPZ Variant 3 (Rogue Data Cache Load or Meltdown) is not applicable to AMD processors.

      https://www.amd.com/en/corporate/speculative-execution [amd.com]

      I had no preference either way until I investigated this topic and saw what looks like a massive shady pro-intel propaganda campaign.

      [1] https://www.phoronix.com/scan.php?page=article&item=linux-retpoline-benchmarks&num=1 [phoronix.com]

    • (Score: 4, Interesting) by Anonymous Coward on Wednesday January 31 2018, @09:12PM

      by Anonymous Coward on Wednesday January 31 2018, @09:12PM (#631179)

      No, Meltdown is not applicable to AMD processors. AMD has already stated they do bounds checking when userland asks to read kernel memory to prevent this sort of thing. Something Intel inexplicably didn't think of or totally screwed up.

      Also, there is a "near zero" chance that Spectre variant 2 can be exploited on AMD processors. It sounds like both AMD and Intel are equally impacted regarding variant 1. Spectre is far more difficult to take advantage of in general.

      So yes, this is primarily an Intel problem.

  • (Score: 4, Informative) by HiThere on Wednesday January 31 2018, @07:23PM (1 child)

    by HiThere (866) Subscriber Badge on Wednesday January 31 2018, @07:23PM (#631107) Journal

    Depends.
    Meltdown, the currently known dangerous one, is definitely Intel and possibly a few other Intel designed chips.
    Spectre, the one that is *relative* harmless, so far, if present in both Intel and Amd...except, a few really low end models.

    Meltdown has currently known exploits that can work through the browser if you allow Javascript. It also has several other exploit modes.
    Spectre doesn't *yet* have any known useful exploits. But it almost certain will.

    P.S.: I'm not an expert here, there are several classes of Spectre, and I can't distinguish between them. If you're interested there's lots of info on the web, but unless you're working in the field distinguishing between them doesn't seem useful to me.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 0) by Anonymous Coward on Wednesday January 31 2018, @07:28PM

      by Anonymous Coward on Wednesday January 31 2018, @07:28PM (#631109)

      The reason to distinguish between them for the average person is the performance impact of the mitigation. Everyone expects a constant stream of bugs/vulns these days anyway, but not that patching for them will slow everything down to half speed or whatever. That is where intel has the main problem (according to what I've read).

  • (Score: 3, Interesting) by Reziac on Thursday February 01 2018, @03:52AM

    by Reziac (2489) on Thursday February 01 2018, @03:52AM (#631332) Homepage

    Back when I was keeping track, and when both released Errata (functionally, the list of known bugs), AMD's errata list was generally about 3 times as long as Intel's. AMD dealt with this by not releasing any more errata lists.

    --
    And there is no Alkibiades to come back and save us from ourselves.