Some microprocessors from Intel and AMD are vulnerable to a newly discovered speculative execution attack that can covertly leak password data and other sensitive material, sending both chipmakers scrambling once again to contain what is proving to be a stubbornly persistent vulnerability.
Researchers from ETH Zurich have named their attack Retbleed because it exploits a software defense known as retpoline, which was introduced in 2018 to mitigate the harmful effects of speculative execution attacks.
Speculative execution attacks, also known as Spectre, exploit the fact that when modern CPUs encounter a direct or indirect instruction branch, they predict the address for the next instruction they're about to receive and automatically execute it before the prediction is confirmed. Spectre works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would normally be off-limits to a low-privileged application. Retbleed then extracts the data after the operation is cancelled.
Retpoline works by using a series of return operations to isolate indirect branches from speculative execution attacks, in effect erecting the software equivalent of a trampoline that causes them to safely bounce. Stated differently, a retpoline works by replacing indirect jumps and calls with returns, which many researchers presumed weren't susceptible. The defense was designed to counter variant 2 of the original speculative execution attacks from January 2018. Abbreviated as BTI, the variant forces an indirect branch to execute so-called "gadget" code, which in turn creates data to leak through a side channel.
Some researchers have warned for years that retpoline isn't sufficient to mitigate speculative execution attacks because the returns retpoline used were susceptible to BTI. Linux creator Linus Torvalds famously rejected such warnings, arguing that such exploits weren't practical.
The ETH Zurich researchers have conclusively shown that retpoline is insufficient for preventing speculative execution attacks. Their Retbleed proof-of-concept works against Intel CPUs with the Kaby Lake and Coffee Lake microarchitectures and AMD Zen 1, Zen 1+, and Zen 2 microarchitectures.
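The summary above describes the mechanism in two sentences: the CPU executes past a branch on a prediction, the work is thrown away when the prediction turns out wrong, and the data is still recoverable because the cache was touched along the way. The following toy model, added here as an illustration (it is not code from the Retbleed paper, from ETH Zurich or from either vendor), makes that concrete in Python: a flat byte "memory", a set of cached line numbers standing in for a real cache, and a bounds-checked gadget whose predictor is assumed to have been trained to expect "in bounds". All addresses, array contents and the secret byte are constructed. The `mitigated` path applies index masking, the same idea as the "__user pointer sanitization" Spectre v1 line in the lscpu output further down the thread.

```python
"""Toy model of why speculative execution leaks: architectural state is
rolled back after a mispredicted branch, but the cache is not.

Added illustration, not code from the Retbleed paper or from any vendor.
Every value here is a constructed abstraction of a real core.
"""
from dataclasses import dataclass, field

CACHE_LINE = 64                      # bytes per modelled cache line
ARR_BASE = 0                         # victim array lives at the start of memory
ARR_LEN = 16                         # power of two, so a mask works as a clamp
SECRET_ADDR = ARR_BASE + ARR_LEN     # the byte right past the array (constructed)
SECRET = ord("S")
PROBE_BASE = 4096                    # 256 probe lines, one per possible byte value
ARRAY = bytes(range(1, ARR_LEN + 1))  # constructed in-bounds contents


def build_memory() -> bytearray:
    mem = bytearray(PROBE_BASE + 256 * CACHE_LINE)
    mem[ARR_BASE:ARR_BASE + ARR_LEN] = ARRAY
    mem[SECRET_ADDR] = SECRET
    return mem


@dataclass
class ToyCore:
    memory: bytearray
    cache: set = field(default_factory=set)   # line numbers touched by any load

    def load(self, addr: int) -> int:
        """Every load, committed or squashed, pulls its line into the cache."""
        self.cache.add(addr // CACHE_LINE)
        return self.memory[addr]

    def gadget(self, idx: int, mitigated: bool):
        """Victim code `if idx < ARR_LEN: tmp = probe[array[idx] * LINE]`.

        The model assumes the predictor was trained (by earlier in-bounds
        calls) to predict the check as passing, so the loads below are issued
        before `in_bounds` is known: that is the window Spectre v1 exploits.
        Returns array[idx] when the branch resolves in-bounds, else None.
        """
        in_bounds = idx < ARR_LEN        # the real comparison, resolved "late"
        if mitigated:
            # Index masking: a data dependency rather than a branch, so the
            # clamp also holds on the speculative path.
            idx = idx & (ARR_LEN - 1)
        value = self.load(ARR_BASE + idx)            # may be the secret byte
        self.load(PROBE_BASE + value * CACHE_LINE)   # secret-dependent access
        if not in_bounds:
            return None   # squash: registers roll back, the cache does not
        return value


def probe_lines_cached(core: ToyCore) -> set:
    """What an attacker would measure via access timing; the model simply
    inspects the cache set. Returns byte values whose probe line is cached."""
    return {v for v in range(256)
            if (PROBE_BASE + v * CACHE_LINE) // CACHE_LINE in core.cache}


def run(idx: int, mitigated: bool):
    """Run the gadget once on a cold cache; return (architectural result,
    byte values inferable from the probe array)."""
    core = ToyCore(build_memory())
    result = core.gadget(idx, mitigated)
    return result, probe_lines_cached(core)


if __name__ == "__main__":
    oob = ARR_LEN   # first out-of-bounds index: points at SECRET_ADDR
    print("unmitigated:", run(oob, mitigated=False))   # (None, {83}): secret leaked
    print("mitigated:  ", run(oob, mitigated=True))    # (None, {1}): only array[0] visible
    print("in bounds:  ", run(3, mitigated=False))     # (4, {4})
```

In the unmitigated run the gadget returns `None` (the squash worked at the architectural level) yet the probe line for the secret byte is the one left in the cache. With masking the out-of-range index can only ever reach `array[0]`, so the squashed work touches nothing an attacker did not already have. Retpoline addresses a different branch type (indirect calls, Spectre v2); the model shows only the v1 case.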
(Score: 3, Interesting) by rpnx on Thursday July 14 2022, @02:52PM (4 children)
I would say we need ways to say "hey cpu, disable branch prediction and such for a bit" so we can have performance where it's needed in e.g. games and security where it's needed e.g. encryption.
(Score: 1, Insightful) by Anonymous Coward on Thursday July 14 2022, @03:12PM
But why do that when you can push performance reducing patches and promise to do better on the next CPU your customers buy.
I'm not a server so that stuff goes straight to off.
(Score: 2) by PiMuNu on Thursday July 14 2022, @03:41PM
1/ How does the software layer control the CPU and how does one prevent that from being exploited.
2/ It doesn't work for cloud.
(Score: 3, Touché) by Opportunist on Thursday July 14 2022, @03:56PM
And have the user dictate when DRM should fail because the encryption algo is predictable? That's crazy talk!
(Score: 3, Interesting) by dltaylor on Friday July 15 2022, @01:46AM
Quite a few drivers have to do exactly that
Intel used to make a chip intended for PCI target devices. To ensure exclusive access to control registers, it had a hardware "test and set" (TAS). The first reader would set a bit and that was cleared in a different register. The value read told the CPU whether or not it was safe to access the control registers. Using a 603 at the time for an embedded device, at first we kept seeing the device locked. Light bulb eventually came on that we had not forced the 603 to stop speculative execution, which was reading the TAS register before the "real" code path did that. The correct sequence was disable speculative execution, read the TAS, enable speculative execution.
(Score: 3, Insightful) by looorg on Thursday July 14 2022, @03:15PM (10 children)
So how many times should they put the duct tape band-aid on this CPU architecture before they just move on and create something new and good? Are we forever doomed as slaves to the x86? We just can't get something new and good 'cause we have sort of painted ourselves into a corner and we don't want to give up the legacy support?
So how many versions or variants are there of the Spectre now? 3? 4? More? I kind of lost count. They discover/show one of them, it then gets "fixed" only to apparently create a new version of it, loop and repeat. If they can't actually fix this but just band-aid it until they discover that they can just take it another step further, doesn't it sort of show that this was the wrong path and they should move away from it, not dig the hole deeper?
(Score: 0) by Anonymous Coward on Thursday July 14 2022, @03:33PM (2 children)
I suspect it's not the good old betentacled x86 that is the problem here. ARM has similar things in their errata for CPUs, I have read somewhere, no idea what or how many.
New and Good will have new and different unexpected ways to get from A to B, since everything in an electric circuit has side effects on nearby components...
Side Effects, for some reason, provide unexpected functionality, sometimes needing no addition or removal of hardware components, like this in the TFA.
I also suspect that ANY finite not too contrived (data diode like) configuration of computing elements will have at least one way to operate that Designer can not imagine, (when one modifies the Things That Designer Thinks Never Change or invents a new way of interpreting systems structure also unknown to Designer) but i've no idea how to even begin to check it.
Maybe it's cos most components can potentially change state of other components, in a human made computational device?
Maybe cos security is a game where the attacker always wins if he keeps trying?
Maybe x86 is cursed, that is certainly one possible explanation..
(Score: 3, Funny) by Rosco P. Coltrane on Thursday July 14 2022, @03:39PM (1 child)
What makes you think an arm is better than a tentacle?
(Score: 0) by Anonymous Coward on Thursday July 14 2022, @04:17PM
details of implementation.
ehehehe
(Score: 2) by RedGreen on Thursday July 14 2022, @04:20PM (4 children)
"So how many versions or variants are there of the Spectre now? 3? 4? more?"
Going by lscpu output I would say there are three now, then again I do not have a HT machine to test if that matters in this or the couple of others I have. Using the mitigations=off boot flag for the kernel does not affect my machine at all in the work it can do in my one heavy load, encoding video to x265 using Handbrake. For the rest of your post there are already other machines you can buy that use different archs, stop being such a cheap bastard going for dirt cheap standard machines when you can get reamed for the dollars buying one of them, though not so much so when going with arm unless buying Apple's version.
zeus@9600k:~$ lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Address sizes: 39 bits physical, 48 bits virtual
Byte Order: Little Endian
CPU(s): 6
On-line CPU(s) list: 0-5
Vendor ID: GenuineIntel
Model name: Intel(R) Core(TM) i5-9600K CPU @ 3.70GHz
snip...
Vulnerabilities:
Itlb multihit: KVM: Mitigation: VMX disabled
L1tf: Not affected
Mds: Mitigation; Clear CPU buffers; SMT disabled
Meltdown: Not affected
Mmio stale data: Mitigation; Clear CPU buffers; SMT disabled
Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2: Mitigation; Retpolines, IBPB conditional, IBRS_FW, STIBP disabled, RSB filling
Srbds: Mitigation; Microcode
Tsx async abort: Mitigation; TSX disabled
Those people are not attacking Tesla dealerships. They are tourists showing love. I learned that on Jan. 6, 2021.
(Score: 2) by RS3 on Thursday July 14 2022, @05:55PM (3 children)
How does it do running spectre-meltdown-checker.sh?
(Score: 3, Insightful) by RedGreen on Thursday July 14 2022, @10:48PM (2 children)
"How does it do running spectre-meltdown-checker.sh?"
I'll never know, I do not run random files downloaded from the internet; the output of lscpu telling me they are in effect is good enough for me..
(Score: 0) by Anonymous Coward on Friday July 15 2022, @03:01AM (1 child)
Good. Would you run random files downloaded from AOL net? Or CompuserveNet? Or any other net? Probably not, right?
OP didn't give you a link to a "random file". It's the definitive test for spectre / meltdown. It's a bash script- you can parse it and make sure it's not going to hurt you.
(Score: 2) by RS3 on Friday July 15 2022, @03:40AM
Thanks AC. Yeah, not random and I'm not sure why RedGreen is so curmudgeonly about it. Intel officially endorses the aforementioned checker script tool in this Intel developer page, so it's pretty much as not random as you can get with something like this:
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/spectre-and-meltdown-checker-script.html
(Score: 2) by r_a_trip on Friday July 15 2022, @09:30AM
These are not problems with the ISA. These are inherent vulnerabilities with the integrated circuits. Most processors that are Out of Order and speculatively executing are affected, be they x86-64, Power, z/Architecture, Arm, etc. The "trickery" employed by modern processors to amp up the performance opens them up to attacks of this kind.
If you want a processor that isn't potentially affected, you'd be looking at an equivalent of an Intel Atom pre-2013 and probably the same performance to boot.
(Score: 0) by Anonymous Coward on Saturday July 16 2022, @09:09AM
You're barking up the wrong tree. Even the higher performance ARMs are vulnerable to such attacks: https://developer.arm.com/Arm%20Security%20Center/Speculative%20Processor%20Vulnerability
Speculative execution is not an x86 specific thing. It's a method used to increase performance. For example if you have multiple execution units in your processor you let them "speculatively" follow "what if" scenarios down different branches while executing code. Then if it turns out one particular branch is the actual one you pick the results of that branch.
For example a billionaire wants to impress his guest with a meal. He has multiple cooking teams and has told them to "spare no expense". The teams don't know exactly what the guest will order but they have some idea of the preferences. So they speculatively execute/cook multiple potential items at the same time. If they guess right, soon after the guest decides they can serve the guest what the guest ordered.
If you don't allow such stuff then it gets harder to speed up the sequential execution of stuff even though you have billions of transistors on the CPU.
The issue is sometimes it's hard to tell what is or isn't allowed while speculatively executing code. AMD had better checks than Intel for some stuff so they weren't vulnerable to certain attacks. Also in order to speculatively execute code you often actually have to read stuff in advance and you'd want to cache that stuff to speed up access. And some timing attacks test which stuff is cached and which is not in order to figure out stuff.
The lower power CPUs usually aren't affected because the priority is on lower power consumption so they won't be having extra transistors and execution units to use up extra power just to explore "what if" scenarios.
(Score: 5, Funny) by Rosco P. Coltrane on Thursday July 14 2022, @03:35PM (2 children)
Seriously, do I have to spell it out?
The solution is obvious: code all programs without conditional jumps. In this day and age, computer have so much memory, you can afford to repeat even a fairly complicated routine a few million times.
You're welcome.
(Score: 0) by Anonymous Coward on Thursday July 14 2022, @09:10PM
predictions are always wrong, no exceptions.
(Score: 4, Informative) by RamiK on Thursday July 14 2022, @09:14PM
A computer without conditional branching is a calculator.
compiling...
(Score: 1, Funny) by Anonymous Coward on Thursday July 14 2022, @03:55PM
Nuke Russia, China, Israel, North Korea and Washington DC. With all the bad actors out of the picture there will be no one left to perform speculative execution attacks and we can go about using our computers without any issues.
(Score: 3, Insightful) by SomeGuy on Thursday July 14 2022, @06:03PM
So does this mean that Windows 11 will drop support for these vulnerable CPUs? (AKA everything, go buy all new stuff again)