CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more

Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.

  1. Robbo99999

    Robbo99999 Notebook Prophet

    Reputations:
    3,492
    Messages:
    5,949
    Likes Received:
    4,747
    Trophy Points:
    431
    I wrote a post about this over on Guru3d saying:

    "From what I know about the Spectre exploits - for everyday users at home on their PC it's not really a big thing: if you don't click on silly links in e-mails and maintain 'safe' computer practices then you'll be protected from Spectre - they have to compromise your PC first before they can launch the Spectre style attack. In other words, I think that if you know from past experience that your computer never gets infected with anything, then I think it's extremely unlikely to fall victim to a Spectre style attack, and therefore I believe the Spectre microcode protection to be not particularly important for savvy everyday PC users. That's my take on it. (And it follows that if your PC gets infected with stuff on a regular basis, then I think it's wise to ensure Spectre protection too)."

    This is where the discussion was taking place: https://forums.guru3d.com/threads/e...ntel-discovered-four-of-them-critical.420826/

    I've also enabled "Strict Site Isolation" in Google Chrome browser when I first heard about Spectre/Meltdown, so that's another layer of protection:
    https://support.google.com/chrome/answer/7623121?hl=en-GB
    https://www.chromium.org/Home/chromium-security/site-isolation
     
    hmscott likes this.
  2. Jarip

    Jarip Notebook Enthusiast

    Reputations:
    10
    Messages:
    10
    Likes Received:
    16
    Trophy Points:
    6
    Did we already forget that the WannaCry attack spread so fast just because of unpatched computers?
     
    alexhawker and hmscott like this.
  3. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    5,081
    Messages:
    17,829
    Likes Received:
    21,879
    Trophy Points:
    931
    Exactly. We can't know when a known vulnerability will be available and used on us through simply browsing a site we think is safe - many "safe" sites have been compromised over time and delivered malware - even ads deliver malware.

    It's better to be patched, and put up with a little performance loss, until the next generation CPUs arrive and the problem is mitigated in design - with no performance loss.

    It's also good to consider carefully how to spend new $ on new hardware between now and then, maybe put it off or go with AMD instead of Intel for the lower incidence of fixes required - and less performance loss.

    And, if you do get Intel, be sure to disable always-on HPET timers, or face serious performance hits, as found by Anandtech's review comparing Intel vs AMD CPUs recently. If you must have HPET for your application or VM work, then AMD / Epyc would be a good alternative.

    IDK why people would want to buy known broken CPUs now given the performance hit, wait till Intel releases a fixed architecture (not just onboard microcode updates) next year or after if you must have Intel over AMD.

    Spectre NT is now coming too, and we don't know what that entails as far as performance hits, and how far back Intel will patch CPUs, they've already shown they don't care about CPUs 10 years back, maybe Spectre NT will make the cut-off 5 years back, or even 3 years.

    Patch and be safe, while you can. :)
     
    alexhawker likes this.
  4. Robbo99999

    Robbo99999 Notebook Prophet

    Reputations:
    3,492
    Messages:
    5,949
    Likes Received:
    4,747
    Trophy Points:
    431
    Spectre isn't something that spreads per se, Spectre is just a way of exploiting branch prediction of Intel CPUs to read supposedly protected data: so things like passwords, account information could be stolen. A Spectre attack would have to be the payload, and some other type of attack would have to 'get into your system' first. So the risk of spread and infection of Spectre style attacks isn't any higher than any other form of 'classic' attack, because the Spectre part is not the means of spread & infection, just the means of gleaning protected information once the machine has been compromised. This is my understanding of it, so to me the risk of being infected with Spectre isn't any higher than being infected with anything else - in fact it's probably a lot lower chance of being infected with Spectre because it's supposedly very hard to use effectively, there are probably easier ways for hackers/people to glean information from your system. Hence protecting your PC from the initial infiltration is the most important part of system protection, the Spectre mitigations/microcodes only help once your PC is actually infected (and only against Spectre style attacks of course).
     
    Last edited: May 5, 2018
    hmscott likes this.
  5. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    5,081
    Messages:
    17,829
    Likes Received:
    21,879
    Trophy Points:
    931
    IDK, maybe I am missing your POV here, but what makes any exploit once done and shared amongst hackers any harder than another exploit from their library of exploits?

    Getting there may be more difficult, but once the hack is done, and made into a package for "use", it's going to be just as easy to use as any other "tool" in their repertoire.

    And, the payload is only part of the "spread", it's the package that is built into that spreading virus / malware that delivers the payload, so we don't talk about the exploit as the delivery mechanism, though it can be part of it, usually the payload is independent of the spreading tool.

    These vulnerabilities are just as exploitable as any other, and should be patched just the same.
     
  6. Robbo99999

    Robbo99999 Notebook Prophet

    Reputations:
    3,492
    Messages:
    5,949
    Likes Received:
    4,747
    Trophy Points:
    431
    My POV is that the Spectre Protection is a second line of defense against one very specific type of attack, whereas making your PC secure to initial infiltration is the first line of defense against all exploits (not just Spectre). Spectre Protection has a performance cost and only protects against one exploit as a second line of defense, by ramping up your first line of defense you can likely reduce your chances of being infected with anything (including Spectre) to very small probabilities - at which point the performance cost of Spectre protection (second line of defense) is not worth it given the now already very small possibility of being infected with anything (let alone a very specific Spectre style attack which is an even lower probability again). I've basically just re-worded my previous post, effectively.

    If you find that your PC often gets infected with stuff, then you should absolutely apply the Spectre patch, because you have a poor first line of defense, and would therefore need to rely on that second line of defense, but at this point you already have other problems if your PC is getting infected all the time. Also, if you've found that the performance cost of Spectre protection is not a big deal - it's not a massive performance hit (not on a general usage level), then feel happy to install the Spectre patch to feel more secure.
     
    KY_BULLET and hmscott like this.
  7. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    5,081
    Messages:
    17,829
    Likes Received:
    21,879
    Trophy Points:
    931
    Again, not seeing your POV :)

    There are plenty of PC's that are protected from known exploits that get infiltrated by unknown exploits.

    It is absurd to recommend people not patch a vulnerability because all their other patches *have been* protecting them.

    Patch a vulnerability *before* it's exploited, it can't get much simpler than that. :)
     
  8. Robbo99999

    Robbo99999 Notebook Prophet

    Reputations:
    3,492
    Messages:
    5,949
    Likes Received:
    4,747
    Trophy Points:
    431
    That's fine, I personally can't explain my POV any clearer, so we'll have to leave it at that.
     
    hmscott likes this.
  9. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    5,081
    Messages:
    17,829
    Likes Received:
    21,879
    Trophy Points:
    931
    I think what you are missing in your POV is that you can't perfectly time the exploit incursion.

    Even a PC that is protected against exploits known, getting updates frequently to block them, is going to be infiltrated by an unknown exploit if the vulnerability it uses hasn't been patched.

    It's really indefensible to tell people to not patch a known vulnerability just because they don't know of an exploit "right now".

    You can't do "just in time" patching to avoid the performance hit of the patch, you can only be protected by patching, or not be protected by not patching, there is no middle ground.

    It's better to be patched and get used to the performance hit, than to one day "wish" you had patched. :)
     
    tilleroftheearth likes this.
  10. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    5,081
    Messages:
    17,829
    Likes Received:
    21,879
    Trophy Points:
    931
    Meltdown patch made the headlines again, it can be bypassed in Windows 10
    May 4, 2018 By Pierluigi Paganini
    https://securityaffairs.co/wordpress/72122/security/meltdown-patch-flaw.html

    "The problems with the mitigations for the Meltdown flaw continue: a security researcher has demonstrated that the Meltdown patch in Windows 10 can be bypassed.

    The Windows Internals expert Alex Ionescu discovered that a Meltdown patch issued for Windows 10 is affected by a severe vulnerability that could be exploited to bypass it.

    “Calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation,” reads a tweet he posted on Twitter.

    "Welp, it turns out the #Meltdown patches for Windows 10 had a fatal flaw: calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation. This is now patched on RS4 but not earlier builds — no backport?? pic.twitter.com/VIit6hmYK0 "
    — Alex Ionescu (@aionescu) May 2, 2018

    Ionescu explained that Microsoft addressed the flaw with the release of the Windows 10 version 1803, also known as April 2018 Update.

    Microsoft acknowledged the issue reported by the expert and is currently working to provide a fix to include in the Windows 10 version 1790 (Fall Creators Update) that is the only version affected.

    The Meltdown and Spectre attacks could be exploited by attackers to bypass memory isolation mechanisms and access target sensitive data.

    The Meltdown attack (CVE-2017-5754 vulnerability) could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

    The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

    The good news is that Meltdown attacks are not easy to conduct and the risk of exploitation is considered low.

    Unfortunately, the timeline for the Meltdown patch is full of problems; the first release was promptly suspended by Microsoft in January due to instability issues observed for AMD processors.

    A week ago, the security researcher Ulf Frisk reported that some of the Meltdown and Spectre security updates for Windows introduce severe flaws.

    He noticed that the Meltdown and Spectre security updates released by Microsoft in January and February for Windows 7 and Windows Server 2008 R2 to patch Meltdown are affected by a vulnerability that could be exploited by attackers to easily read from and write to memory.

    According to the expert, an attacker can exfiltrate gigabytes of data per second by exploiting the vulnerability."
     
    Riley Martin likes this.
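The thread keeps coming back to one question: is this machine actually mitigated right now, or only assumed to be? On Linux the kernel answers that itself, one file per issue under /sys/devices/system/cpu/vulnerabilities/ (present since Linux 4.15), each reading "Not affected", "Mitigation: ..." or "Vulnerable". The script below is an added example, not code from the thread or from any of its participants: it summarises those files and exits non-zero if anything still reads "Vulnerable". The sample directory it builds, with its made-up status values, is constructed for the demo so the script runs offline; the path and status formats are the kernel's real ones.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the Linux kernel's own report
# of Meltdown/Spectre mitigation state. Real interface (Linux >= 4.15):
#   /sys/devices/system/cpu/vulnerabilities/<name>
# VULN_DIR can be overridden so the check runs against a sample directory.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# report_mitigations DIR
#   Prints one "name verdict raw-status" line per file in DIR.
#   Returns 0 when no entry reads "Vulnerable", 1 when at least one does.
report_mitigations() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)    verdict="UNPATCHED"; rc=1 ;;
            Mitigation:*)   verdict="mitigated" ;;
            "Not affected") verdict="not-affected" ;;
            *)              verdict="unknown" ;;
        esac
        printf '%-14s %-13s %s\n' "$name" "$verdict" "$status"
    done
    return "$rc"
}

# make_sample_dir
#   Creates a temporary directory holding constructed sample files (values made
#   up for this demo, not read from a real machine; the strings follow the
#   kernel's format) and prints its path. It models a box that has the KPTI
#   kernel patch (meltdown mitigated) but no retpoline or microcode update yet
#   (spectre_v2 still vulnerable), the half-patched state the thread warns about.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# Usage: sh check_mitigations.sh --run
#   Reports on the real sysfs directory when it exists, otherwise on the
#   constructed sample; the exit status is 1 if anything is still vulnerable.
case "${1:-}" in
    --run)
        if [ -d "$VULN_DIR" ]; then target="$VULN_DIR"; else target=$(make_sample_dir); fi
        report_mitigations "$target"
        ;;
esac
```

The verdict column is deliberately coarse: "mitigated" only means the kernel applied some mitigation, and the raw status column (for example, "Mitigation: PTI" versus a retpoline or microcode-based string) is what to read when deciding whether the installed patch is the complete one. On Windows the equivalent self-report comes from Microsoft's SpeculationControl PowerShell module (the Get-SpeculationControlSettings cmdlet), which likewise shows whether the OS and microcode halves of the mitigation are both present.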