CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more

Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.

  1. Vasudev

    Vasudev Notebook Nobel Laureate

    After the VMware patch, performance is slowed by 2-10 sec. I'm going to axe all my laptops in the coming months once Ryzen 3rd gen mobile comes up.
  2. tilleroftheearth

    tilleroftheearth Wisdom listens quietly...

    What performance slows down specifically for you in your VMs?

    I'm fully prepared to take a ~10 sec hit on performance for security, but I don't think I'll gamble with driver/optimization/program and O/S updates with Ryzen 3, which could easily take minutes or hours/weeks/months to be ironed out. ;)

    Trading 'slowdowns' is not how I optimize my workloads. Especially trading for unknowns. :)

     
  3. senso

    senso Notebook Deity

    I think he is referring to using a VM to update the microcode, but Windows already loads the microcode at boot time.

    Don't forget about the random bug in current Ryzen CPUs that can be corrected via AGESA updates that not all mobo manufacturers are updating in time.
    Add to that that laptop BIOSes see even fewer updates, and laptops ship with the smallest needed flash chip, and you might miss out on NEEDED security updates provided via BIOS/AGESA updates that won't be released or won't even fit in the original laptop flash chip.

    Intel might be bad, but laptops with AMD are always super cut down (I smell that it's due in part to Intel collusion/paying the OEMs to make them crappy); there are current Ryzen laptops using the same chassis used with Intel chips that have such crap cooling that they can't even sustain a 15 W TDP.

    Or the Asus GL702ZC that won't see a BIOS update to support newer Ryzen CPUs because Asus said so, so much for hurr durr socketed is much better.
     
    Vasudev likes this.
  4. Vasudev

    Vasudev Notebook Nobel Laureate

    I used the VMware CPU fling tool to update Skylake to D4. Sustained workloads, be it CPU or IO, are taking a severe hit. The VM in VBox felt slower than with the usual CC uCode.
  5. jclausius

    jclausius Notebook Virtuoso

    Do you recall what the name is of that VMware fling?
     
    hmscott, Vasudev and joluke like this.
  6. Vasudev

    Vasudev Notebook Nobel Laureate

  7. jclausius

    jclausius Notebook Virtuoso

    Thanks. But perhaps I'm missing something. How is this affiliated with a VMware fling?

    Never mind. I got it from reading the post with a link to another post with the VMware fling. That VMware fling can also work with updating the microcode found in regular Windows. I thought the fling would update the microcode in the BIOS of the virtual machine's CPU itself.
  8. Vasudev

    Vasudev Notebook Nobel Laureate

    We use the VMware CPU uCode patcher to patch any Intel/AMD CPUs. It's easier to uninstall too!
  9. hmscott

    hmscott Notebook Nobel Laureate

    Here are some details on how to disable TSX:

    Latest Intel CPUs patched against new speculative execution side-channel attacks
    https://www.bleepingcomputer.com/ne...nerabilities-in-november-2019-platform-update

    "A new speculative vulnerability called ZombieLoad 2 found in the TSX Asynchronous Abort (TAA) and targeting the Transactional Synchronization Extensions (TSX) feature in Intel processors was also fixed.

    According to Intel, the CVE-2019-11135 is caused by a TSX Asynchronous Abort condition on some CPUs that use speculative execution which may allow a locally authenticated attacker to potentially enable information disclosure via a side-channel.

    The list of affected Intel CPUs is quite extensive and it includes their Cascade Lake line of processors (the full list is available in the advisory), which are not affected by previously disclosed speculative execution attacks like RIDL and Fallout.

    Intel urges users of affected processors to immediately update to the latest firmware versions provided by the system manufacturer known to address this issue. Microsoft released security updates designed to mitigate the ZombieLoad 2 vulnerability in the Windows Server and Windows Client OS editions.

    Redmond also provides advice on how to disable the Intel TSX capability on systems with vulnerable Intel processors to block potential Zombieload 2 speculative execution side-channel attacks.

    The following command allows you to set a registry key to disable Intel TSX on your Windows machine via the Command Prompt:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v DisableTsx /t REG_DWORD /d 1 /f

    If you want to re-enable the Intel TSX capability, you can do it with this command:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v DisableTsx /t REG_DWORD /d 0 /f

    Finally, the security world has reached the inevitable conclusion: they can't trust Intel CPUs, and due to the overwhelming task at hand of replacing every compromised Intel CPU in the world, until that happens they are discussing going to a "Zero Trust" philosophy.

    Security is Only as Strong as the Weakest Link
    Clif Triplett, 21 NOV 2019
    https://www.infosecurity-magazine.com/opinions/strong-weakest-link/

    "...Today another major foundational element, computer processors, are in the media and facing a similar challenge to that of Microsoft. Recently discovered defects in Intel’s computer processor chips - which make up about 90 percent of the world’s computer processors and nearly 99 percent of the server chips in the data centers serving the internet - have a vulnerability that could leave sensitive data exposed.
    ...
    Since the initial disclosure of Intel’s design flaw in January of 2018, seven total exploits have been uncovered: Meltdown, Spectre, Foreshadow, Zombieload, RIDL, Fallout, and SWAPGS Attack.

    The exploits continue to evolve and the latest variant of Zombieload was found just last week. While patches exist to address these known exploits, they have a significant negative effect on computer performance and have not been universally adopted.
    ...
    It is unlikely that consumers will ever be able to fully assume complete trust in the foundation of their systems, and thus companies and organizations must implement a “zero trust” strategy moving forward. With more and more technology participants in our systems, each bringing their own vulnerabilities, we will continue to experience security risk and not be able to fully trust our hardware or software system building blocks.
    ...
    The zero trust philosophy or approach to design incorporates the belief that each component, connection, or even system user could be potentially compromised and represents a risk. This has been a long-practiced concept for our most critical systems, but today it must become a more common practice since so many of our systems have become key to business operations, safety and our personal data security.

    Designing around potential risk unfortunately means investigating companies and their products to identify the risk they may represent, and avoiding companies with products we cannot trust, and reversely, gravitating towards those that prize both performance and security in equal measure.

    We unfortunately have seen that when these priorities are ignored, the consequences can be devastating. A zero trust philosophy can help mitigate the risks that are endemic to the technology landscape today. Today more than ever before, we must ask vendors who represent the foundation to our systems who will be targets of attack to once again significantly step up their commitment and resourcing to their cybersecurity capabilities in protecting their platforms and our businesses."

    Flood of New Advisories Expose Massive Gaps in Firmware Security
    by Eclypsium on November 19, 2019
    https://securityboulevard.com/2019/...ies-expose-massive-gaps-in-firmware-security/

    "Last week Intel and Cisco published security advisories revealing dozens of vulnerabilities in firmware and hardware that impact laptops, servers and routers. Intel disclosed an incredible 77 new vulnerabilities across a broad spectrum of components, including Intel CPUs, BMC, CSME, TXT, SGX, AMT, TPM and more.

    There were two critical and 34 high severity bugs, some of which would allow an unauthenticated user to potentially enable escalation of privileges, information disclosure or denial of service.

    Two notable vulnerabilities included a timing leakage on Intel firmware-based TPM (fTPM) and an ST Microelectronics’ TPM chip that allows an attacker to recover 256-bit private keys from digital signature schemes, and an updated Zombieload Attack disclosure from Graz University of Technology and KU Leuven that impacts more recent processors, including Intel’s line of Cascade Lake CPUs.

    Eclypsium also released an update to our research on widespread vulnerabilities in Windows drivers involving more than 40 drivers from at least 20 different vendors, adding a new disclosure about a PMX driver rated as a high severity vulnerability. Cisco added to the week’s tally with multiple vulnerabilities impacting the firmware of their small business routers.

    As a result, the listing of firmware vulnerabilities reported to the National Vulnerability Database in 2019 is up more than 30% from last year, and is six times larger than three years ago. For IT teams tasked with protecting infrastructure from attack, the challenge of keeping up with firmware updates has grown significantly, and the severity of the issues demonstrates how big the gaps are in firmware security.

    Don’t expect the rate of growth in firmware vulnerabilities to wane..."

    ...more in the article...
     
    Last edited: Nov 21, 2019
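Added example, not code from the thread or from either quoted article: the registry commands above flip a switch, but they do not tell you whether the CPU in front of you exposes TSX at all, or whether the mitigation actually took effect after the reboot. The small C program below answers both. It reads CPUID leaf 7 for the HLE/RTM bits (bit positions as documented by Intel) and, when RTM is advertised, tries to start and commit an empty transaction; a CPU whose microcode has RTM disabled aborts every XBEGIN, while one that merely hides TSX shows no RTM bit in CPUID. Assumptions: GCC or clang on x86 (on other architectures only the pure decoders are built), and that the Windows DisableTsx key, like Linux `tsx=off`, ends up configuring the TSX_CTRL MSR; the program only reports what it observes and does not depend on that.

```c
/* tsx_check.c -- added example, not code from the thread or the quoted
 * articles.  Answers two questions a practitioner has before and after
 * applying the DisableTsx registry key (or tsx=off on Linux):
 *   1. does this CPU advertise TSX (HLE/RTM) at all?
 *   2. if it does, can a transaction actually start, or does the microcode
 *      mitigation abort every attempt?
 * Build: gcc -O2 -o tsx_check tsx_check.c   (x86 GCC or clang; no -mrtm needed)
 */
#include <stdio.h>
#include <stdint.h>

/* CPUID.(EAX=7,ECX=0):EBX feature bits, as documented by Intel. */
#define CPUID7_EBX_HLE (1u << 4)
#define CPUID7_EBX_RTM (1u << 11)

/* Pure decoders, so the bit logic can be checked without x86 hardware. */
int cpuid7_has_hle(uint32_t ebx) { return (ebx & CPUID7_EBX_HLE) != 0; }
int cpuid7_has_rtm(uint32_t ebx) { return (ebx & CPUID7_EBX_RTM) != 0; }

/* 1 if either TSX flavour is advertised.  A mitigation that sets
 * TSX_CTRL.TSX_CPUID_CLEAR makes both bits read 0, so a fully hidden TSX
 * returns 0 here. */
int cpuid7_tsx_advertised(uint32_t ebx) {
    return cpuid7_has_hle(ebx) || cpuid7_has_rtm(ebx);
}

/* Outcomes of the live probe. */
enum rtm_probe { RTM_NOT_ADVERTISED = 0, RTM_COMMITS = 1, RTM_ALWAYS_ABORTS = 2 };

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <immintrin.h>

static uint32_t read_cpuid7_ebx(void) {
    unsigned a, b, c, d;
    if (__get_cpuid_max(0, NULL) < 7) return 0;   /* no leaf 7: no TSX */
    __cpuid_count(7, 0, a, b, c, d);
    return b;
}

/* Try to start and commit an empty RTM transaction a few times.  Only
 * called when CPUID advertises RTM: XBEGIN raises #UD on CPUs without it.
 * With TSX_CTRL.RTM_DISABLE set (the half of the TAA mitigation that does
 * not hide the CPUID bit) every XBEGIN aborts immediately. */
__attribute__((target("rtm")))
static enum rtm_probe probe_rtm(void) {
    for (int attempt = 0; attempt < 16; attempt++) {
        unsigned status = _xbegin();
        if (status == _XBEGIN_STARTED) {
            _xend();                 /* committed: TSX is really live */
            return RTM_COMMITS;
        }
        /* Aborted; retry a few times to separate a spurious abort
         * (interrupt, cache conflict) from a permanent one. */
    }
    return RTM_ALWAYS_ABORTS;
}

enum rtm_probe check_tsx_live(void) {
    uint32_t ebx = read_cpuid7_ebx();
    if (!cpuid7_has_rtm(ebx)) return RTM_NOT_ADVERTISED;
    return probe_rtm();
}
#else
/* Non-x86 build: nothing to probe. */
enum rtm_probe check_tsx_live(void) { return RTM_NOT_ADVERTISED; }
#endif

const char *rtm_probe_name(enum rtm_probe p) {
    switch (p) {
    case RTM_COMMITS:
        return "RTM advertised and transactions commit: TSX is ON";
    case RTM_ALWAYS_ABORTS:
        return "RTM advertised but every XBEGIN aborts: RTM disabled by microcode";
    default:
        return "RTM not advertised by CPUID: TSX hidden by mitigation or unsupported";
    }
}

int main(void) {
    printf("%s\n", rtm_probe_name(check_tsx_live()));
    return 0;
}
```

Run it once before applying the registry key and once after the reboot; the expected change is from "TSX is ON" to one of the two disabled states. If the first run already reports "not advertised", the CPU either never had TSX or firmware already hides it, and the registry key changes nothing for that machine.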
  10. joluke

    joluke Notebook Deity

    So it's advisable to disable TSX?
