I suspect that they will, but don’t know enough to comment with authority. Calling @fearlessfrog
Oh man, this is a really interesting one. It’s interesting because of the nature of the insecurity and it’s really interesting because of how all the players (Intel etc) are reacting. In terms of security design flaws it doesn’t get much bigger. So a ‘quick as I can’ summary of what these issues are:
There are two design vulnerabilities, which are similar but not the same. There is ‘Meltdown’, which is an exploit for reading system memory using a ‘timing side-channel attack’ (more of that later) and is a design side-effect of Intel’s processor optimizations called ‘speculative execution’. There is also ‘Spectre’ which doesn’t need the Intel specific instructions and is again a way to read memory contents where you shouldn’t be allowed to - again through how CPU instructions try to optimize execution paths.
The main papers are linked here and do a good deep dive on the tech side:
If you can’t be bothered with that, the TL;DR (not that short version though) is something like:
Why Care? A program can be written that can read computer memory without detection that it shouldn’t have access to. That includes passwords, database entries, SSL certificate private keys, even the ability to run your own malicious code. It’s possible to use this exploit from pretty much all recent web browsers, so forget the ‘I’m ok I run a virus checker and don’t run weird programs!’ answer. It impacts pretty much every processor made since 2011 on all operating systems (phones, PC’s, cloud datacenters).
So What To Do? Wait for the Operating Systems and Web Browsers to be patched and then update. The down-side is that the exploit is relying on optimizations that we’ve had for a long time, and because it’s inherent in the design it means that kernel calls (basically system operating system calls not in userspace) are going to be a little slower.
Wait - Slower, No Thanks? Well, it’s going to be hard to have a choice. Intel will update firmware where they can, Microsoft will force patch, Google/Mozilla will force upgrade web browsers. For things like Virtual Machines and Database software the impact is roughly 10%-20% slowdown in a lot of cases. For things like Gaming it really depends on how many syscalls a game makes. If it is highly disk dependant then it could be in the order of 5%-10% slow down. People are obviously testing like crazy, but it’s not really the end of the world, as game bottlenecks tend to be graphics based, or rather not intently around syscalls that are having their timing changed.
Ok, But How Does The Exploit Work? The best analogy I’ve heard is one of library books. Say you want to try to find out what book I am reading from the library as it’s top secret. You follow me around trying to get a glimpse of the book but I never show it. The book is behind a wall of secrecy that operating systems rely on for all memory protection. You then get the idea that often when I return a book to the library you could then ask the Librarian what it was. You diligently wait, follow me into the Library and then ask the Librarian - "Which book did Frog just return?’ to which the Librarian says ‘Sorry, I can’t tell you that - top secret’. You then (about six weeks ago, the big guys got a heads up to work on patches about November 4th 2017) figure it out. You ask the Librarian 'I would like book ‘Aardvark Adventures’ please and the Librarian says ‘Ok, stay here, that’s on the shelves, I need to go get it’. You then say, ah, ok, 'I’d like the book ‘Best Books’ please, but this time the Librarian says ‘Ah, ok, yes, it’s right here - here you go. I didn’t need to go to the shelves, it was on my desk all along’. You have now figured out which book I had borrowed. Oops.
How Does The Fix Work? As the bad analogy above reveals, it’s about timing, in that the execution of instruction paths are cached (or kept in faster memory) so if I just work my way through the combinations (0-255 of numbers in a memory location) and then take a note of how fast I get back an answer then I can infer too much info. The fix is to make the timing regular, and in some ways reduce the optimization. For things like Google Chrome it means that internal timers available to web pages will have less accuracy/resolution, just so it can prevent things like this.
Ok, that TL;DR turned out too long, but hopefully you get the idea. Fun stuff.
As for your original question: yes, and best guess about 10% for stuff we play here. Time will tell. (heh).
Big thanks for the explanation. That helped a lot.
I still a bit lost, and one question…
Where can i get a copy of Aardvark adventures?
Excellent, Sir Frog of the Wiki. I think Ifollowed that, at least to the point that we were waiting at the counter for your book to be returned.
One more question please. How likely is it that the chip architect would have known about this before it was exposed, or to a greater degree, willingly have ignored the threat in order to achieve greater performance? Not trying to play devil’s advocate, but I have seen some pretty reckless behavior this year from entities, like software publishers and financial institutions, whom by the way are supposed to be the stewards of safe computing, which ignore basic tenants of security. As an IT professional, whom will in all likelihood, get thrown under the bus by both client and regulatory agency at the first opportunity should there be a data breach, this kind of thing gets in my craw.
In that the original chip design team would have known? In my opinion, unlikely, as optimization paths like this have been around since CISC became mainstream and academically since around the 90’s. For ‘Meltdown’ it is more on Intel (and will be fascinating to how they respond to the inevitable class actions), but for Spectre, and the general use of the exploit, (which is inherent in pretty much every device we have today) it’s just more a case that the specialists that design these things were never the sort of people to look at security attack vectors methodically.
It then becomes a question of if Intel or anyone else thought of this but then decided not to say. Given Skylake/KabyLake and recent processors could have done something but didn’t, again unlikely. They could have fuzzed it a bit, but didn’t. The way the Intel board acted when Google informed them sort of indicates that they reacted like they really didn’t know anything (other than selling stock asap).
The Google team that discovered these literally just do this sort of thing for a living. Timing side-channel as an attack vector for CPU execution paths is something they figured out probably because they already have a body of work in Web security timing attacks, so it’s the case where the security people thought about the microprocessor side rather than the microprocessor side thought about security. As Chrome as browser becomes more of an OS in itself, they realized that direct memory access and really accurate performance timers made this possible. Ironic, as the next chrome patch will take out the shared buffer memory access and reduce the accuracy of the performance timers exactly to try to stop people attempting this.
As for a nation state knowing about it, I’d bet one of @BeachAV8R’s dollars that there are enough smart people at the NSA that weaponized this if they could and might have. Very hard to tell.
So to expand on this a bit, as I tried to be succinct but sort of shortcutted too much.
The exploit is that we don’t know which book I had, but by asking the Librarian for a systematic list of books from A to Z, and then using the info of how long it takes for them to get them is the key. The fact that ‘Best Books’ was on the Librarian’s desk was because I had previously (in secret) returned it to the Library and that the ‘optimization’ that the Librarian uses is to keep recently returned books on her desk as it’s then quicker to then go loan them out to other people immediately rather than having to go all the way over to the shelves where the books are kept in neat order. We are using the ‘timing’ of systematic question/answers to reveal secret info.
The Spectre exploit is a bit like this, but good enough for an analogy. The protected memory is never revealed but the optimization of keeping recently run info in a faster area then allows unprotected users to go ask for secrets and always get a ‘no’ but a ‘no’ that varies in timing. By trying all the combinations per memory address (computers are very quick at repetition) then by the case of elimination you find your secret. Hence, a side channel exploit.
Incidentally, if you enjoyed that sort of ‘Huh, that’s neat’ aspect of how this happened then a very enjoyable (and readable) intro into cryptography book is ‘Code’.
Fascinating stuff fearless. Steve Gibson must be feeling as giddy as a school girl at a feature length Frozen sequel about now. One doesn’t have to think very hard to imagine where this could all be bad. I was going to ask at which end would the vulnerability be most effective, but I guess that it could be either. If I lock down the front end with hardware based 2FA and the rest of the industry standard cybersecurity measures, there’s the back end to worry about.
If the browsers are secure and it’s a phone or PC then it’s then a case of malware, as in downloading something naughty that does bad things. That’s more in the domain of ‘who do you trust’ rather than actual mechanical security measures in the world of Windows, but in the area of the Linux/*nix’s it’s more serious. Although I didn’t go into it, the fundamental memory model of kernel/user space memory protection is potentially broken with Spectre. If you run something under your account in Unix then it can only really impact/see within that space, but with this it’s more up for grabs.
Intel are taking the stance that ‘it is what it is, what can you do?’ as in, it’s up to compiler writers to look out for this or something. They aren’t going to update older processor firmware microcode. They might even see it as a market opportunity to sell something newer and perhaps faster (especially if your current hardware is about to get slower with an OS patch etc).
Windows update rolls out today/tonight:
Virtual machine and network heavy apps tend to be impacted the most:
If you’re curious as to your patched or unpatched state (Windows 10 kinda sneaks these in) then you can use this Intel tool for the Meltdown part:
I wouldn’t take any of the performance hits for granted, though, given the short reaction time. Surely these will become smaller as they spend more time refining the security measures.
Performance is money, so there is a strong incentive to get as close to performance pre patch as possible.
I hope so, plus in terms of desktop graphics games maybe little impact. As for refinement, the fix is to turn off the optimization as that’s the thing that leaks information. Not sure how that could be made better, but you’re right that there is a huge amount of money/liability riding on this so people will be concentrating on it.
For Chrome/Firefox, they removed features for SharedBuffer and reduced the performance.now timer resolution. I’m not even that sure that a web browser should even have that sort of OS like abilities anyway, as in, what happened to just showing web pages?
I’m certainly no expert when it comes to the low level OS memory handling stuff (not even close), but maybe there is some leeway to cache some stuff intelligently without making the system vulnerable.
Yes, let’s make the cache the size of your SSD/HDD.
This was the first thing I expected Intel to do honestly, they don’t have a very good trackrecord imho.
All of this is competing with DCS patches and my new build to create the perfect storm. I went to fly last night SP to unwind from the stress and strain of everyday life. OMG stutters like hello wtf… troubleshooting followed and it stopped when I disabled ccleaner running in the background. This was fine to have running prior to the previously mentioned coinciding. Now I don’t know who to blame but at least it is an easy fix
Sue them all, I say…