Critical Flaws in Computers Leave Millions of PCs Vulnerable

Discussion in 'Hardware Components and Aftermarket Upgrades' started by Dr. AMK, Nov 21, 2017.

  1. Papusan

    Papusan JOKEBOOK's Sucks! Dont waste your $$$ on FILTHY

    Yet Another Speculative Malfunction: Intel Reveals New Side-Channel Attack, Advises Disabling Hyper-Threading Below 8th, 9th Gen CPUs Techpowerup.com | May 14, 2019

    Ouch doesn't even begin to describe how much that headline hurt. As far as speculative execution goes, it's been well covered by now, but here's a refresher. Speculative execution essentially means that your CPU tries to think ahead of time on what data may or may not be needed, and processes it before it knows it's needed. The objective is to take advantage of concurrency in the CPU design, keeping processing units that would otherwise be left idle to process and deliver results on the off-chance that they are indeed required by the system: and when they are called for, the CPU saves time by not having to process them on the fly and already having them available.

    The flaws have been announced by Intel in coordination with Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany and security firms Cyberus, BitDefender, Qihoo360 and Oracle. While some of the parts involved have named the four identified flaws with names such as "ZombieLoad", "Fallout", and RIDL, or "Rogue In-Flight Data Load", Intel is taking the PEGI-13 Microarchitectural Data Sampling (MDS) name.
     
  2. Robbo99999

    Robbo99999 Notebook Prophet

    I have a feeling this is more applicable to cloud server PC's, because Microsoft have released some patches for this but the protections are only activated on Windows 10 Server (IIRC from reading the patch release notes yesterday). There are still easier ways for attackers to steal data, so I think these exploits are mostly gonna be used in very specific targeted high value attacks (e.g. cloud servers). That's my impression, so I'm not about to disable hyperthreading.
     
  3. TANWare

    TANWare Just This Side of Senile, I think. Super Moderator

    I have to wonder. Since the 8th and 9th gen CPU's are supposedly ok it means now there is a great reason to upgrade. This creates a huge pool of systems to be replaced at a time where there is little CPU enhancement to demand an upgrade reason.
     
  4. hmscott

    hmscott Notebook Nobel Laureate

    New Zombieload + Fallout + RIDLx2 Updates posted here:

    http://forum.notebookreview.com/thr...atches-and-more.812424/page-124#post-10910951

    http://forum.notebookreview.com/thr...atches-and-more.812424/page-123#post-10910928

    http://forum.notebookreview.com/thr...atches-and-more.812424/page-123#post-10910828
     
  5. hmscott

    hmscott Notebook Nobel Laureate

    I don't think there is a safe Intel CPU yet, some of the mitigations are included in the new generation, but not all of the vulnerabilities are patched.

    Intel has previously said to disable HT for other vulnerabilities, so disabling HT is still a standing recommendation from Intel.

    Intel's HT comments specifically for Zombieload + Fallout + RIDLx2 is that disabling HT *won't* completely solve it.

    This statement from Intel that disabling HT doesn't solve Zombieload + Fallout + RIDLx2 shouldn't be taken to suggest we leave HT on in general.

    Intel isn't being forward informing about what is still not mitigated in the 8th / 9th gen in each piece of advertising that mentions those new CPU's solve some issues, but Intel doesn't list what they haven't fixed.

    We shouldn't lull ourselves into thinking that Intel has solved the Intel CPU architecture vulnerabilities issues in the 8th and 9th gen, Intel haven't done this yet. Intel have only moved some microcode fixes over into the CPU hardware, but the matching OS patches are still needed.

    Intel needs to come out with a complete re-architecture for their CPU's - computationally different - not "chipletting" or "FOVOSing" the same design. That's simply re-architecting the physical implementation, not re-architecting the currently flawed computational methodology.

    So far I haven't seen Intel mention anything in those new breakups of function to "improve" implementation to indicate that these changes are being done as security vulnerability solutions.
     
    Last edited: May 16, 2019
  6. Talon

    Talon Notebook Virtuoso

    https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html

    Is Intel recommending that I disable HT?
    No. Intel is not recommending that users disable Intel® Hyper threading. It’s important to understand that doing so does not alone provide protection against MDS, and may impact workload performance or resource utilization that can vary depending on the workload.

    Well according to their public statement from today, they are in fact not recommending you disable HT. Alone doing that does not provide protection. Instead you need to update windows and likely wait for further patching. I've already done the update from Windows myself and according to the MDS website I have patched against certain vulnerabilities or am "not affected". This is of course with a 9900K. "Certain" 8th and 9th gen are not susceptible to these vulnerabilities. More importantly these exploits are not easy to pull off like previous exploits. According to Intel's documentation "Exploiting MDS outside the controlled conditions of a research environment is a complex undertaking and Intel is not aware of any reported real-world usage of these security issues".

    https://www.pcworld.com/article/3395439/intel-hyper-threading-zombieload-cpu-exploit.html

    Intel: You don't need to disable Hyper-Threading to protect against the ZombieLoad CPU exploit

    Have we heard of a single case of Spectre or Meltdown in the wild? I haven't seen a single documented case. This is a similar exploitation/situation and we will likely never see or hear of a single case in the wild after patching occurs. It's definitely not an ideal situation, but knowing that 8th and 9th gen already have hardware fixes, we can be somewhat assured going forward that most hardware will no longer offer the same level of exploitation. Fix it, learn from it, and move on. Nothing and no company is perfect. The silver lining for Intel is that out of this they have refined and reformed their hardware security department. Hardware exploitation is a relatively new field and Intel will absolutely tighten the screws going forward.
     
  7. hmscott

    hmscott Notebook Nobel Laureate

    Apple's Zombieload + Fallout + RIDLx2 mitigation recommendations include disabling HT (hyperthreading):

    How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities

    This option is available for macOS Mojave, High Sierra, and Sierra after installing security updates.
    https://support.apple.com/en-us/HT210108
    "Intel has disclosed vulnerabilities called Microarchitectural Data Sampling (MDS) that apply to desktop and notebook computers with Intel CPUs, including all modern Mac computers.

    Although there are no known exploits affecting customers at the time of this writing, customers who believe their computer is at heightened risk of attack can use the Terminal app to enable an additional CPU instruction and disable hyper-threading processing technology, which provides full protection from these security issues.

    This option is available for macOS Mojave, High Sierra and Sierra and may have a significant impact on the performance of your computer.

    Performance impact of disabling hyper-threading
    The full mitigation, which includes disabling hyper-threading, prevents information leakage across threads and when transitioning between kernel and user space, which is associated with the MDS vulnerabilities for both local and remote (web) attacks.

    Testing conducted by Apple in May 2019 showed as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks.

    Performance tests are conducted using specific Mac computers. Actual results will vary based on model, configuration, usage, and other factors.

    How to enable full mitigation for MDS in macOS
    To enable full mitigation of MDS after installing security updates, start your Mac in macOS Recovery and then enter commands in the Terminal app.
    1. Turn on or restart your Mac and immediately press and hold Command (⌘)-R or one of the other macOS Recovery key combinations on your keyboard.
    2. From the Utilities menu in the menu bar, choose Terminal.
    3. Type the following two commands, one at a time, at the Terminal prompt. Press Return after each one.
      nvram boot-args="cwae=2"

      nvram SMTDisable=%01

    4. From the Apple menu, choose Restart.
    How to revert the mitigation and reenable hyper-threading
    To revert the mitigation and reenable hyper-threading processor technology, reset NVRAM and restart your Mac.

    If you previously set custom boot-args, you will need to add those boot-args to the nvram command.

    Note: The full mitigation is not enabled while using Boot Camp to run Windows on a Mac.

    How to check the status of hyper-threading in macOS
    You can check if hyper-threading is enabled or disabled in the System Information app.

    Choose Apple menu > About This Mac, then click the System Report button. Then select Hardware in the sidebar. If the processor in your Mac supports hyper-threading, Hyper-Threading Technology is shown as either Enabled or Disabled.

    Published Date: May 14, 2019

    Intel ZombieLoad flaw forces OS patches with up to 40% performance hits
    JEREMY HORWITZ@HORWITZ MAY 14, 2019 11:58 AM
    https://venturebeat.com/2019/05/14/...es-os-patches-with-up-to-40-performance-hits/

    "When security researchers disclosed a series of major vulnerabilities impacting Intel processors back in January 2018, it was clear that “Meltdown” and “Spectre” were indeed serious — and wouldn’t be the only exploits of multi-threading chips.

    Now a new Intel chip vulnerability nicknamed “ZombieLoad” has been revealed to the public, and though it’s already being patched by three major operating system makers, there’s some bad news: full protection could reduce your CPU’s performance by up to 40%.
    Referred to by the more technical name “Microarchitectural Data Sampling,” the ZombieLoad exploit enables an attacker to access privileged data across trust boundaries. In a cloud hosting environment, it could enable one virtual machine to improperly access information from another; researchers also showed that it could be used for app surveillance and password acquisition. The vulnerability broadly impacts operating systems that run on Intel chips, including Android, Chrome, Linux, macOS, and Windows.

    In a just-published support document, Apple suggests that full ZombieLoad mitigation will require Intel chip users to disable Intel’s hyper-threading processing feature — a major selling point of the chipmaker’s CPUs. During testing this month, Apple says that it found “as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks,” though actual performance impacts will vary between machines.

    Because of that steep performance drop, Apple has implemented a partial mitigation in macOS Mojave 10.14.5, leaving users to decide whether they want to disable hyper-threading for full protection. If so, the support document provides Terminal commands to turn the feature off and on, notably including a requirement that the machine boot in recovery mode to disable the chip feature.

    Google and Microsoft (via TechCrunch) have also started the process of patching their Intel-based operating systems. In Google’s case, Chrome OS devices have already received some protections and will receive more in the next OS release; Intel-only Android devices are rare, but will receive OS patches once device makers deploy them. Microsoft is releasing patches for Windows today, and has already protected Azure users. Some microcode processor updates will come from Microsoft directly, and others from device makers.

    The ZombieLoad issue was apparently disclosed to Intel one month ago, and impacts all Intel processors produced since 2011. Chips from AMD and ARM are not believed to be susceptible to this flaw. According to vendors, there are no known real-world exploits of the vulnerability at this point, though the researchers simply say that they don’t know if it’s been abused in the wild.
    Update at 12:45 p.m. Pacific: An Intel page discussing the vulnerabilities downplays the performance impacts, suggesting that the performance impact is small: up to 3% without disabling hyper-threading, and up to 8-9% with hyper-threading disabled, though included charts show tinier changes using the latest, high-end Intel Core i9-9900K processors.

    Intel underscores that disabling hyper-threading isn’t really necessary for some users: consequently, unless it’s necessary for a given customer’s workloads and security environment, it says that it’s “not recommending that Intel HT be disabled, and it’s important to understand that doing so does not alone provide protection against MDS.
     
    Last edited: May 16, 2019
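    An added example, not from Apple's support document or the post above: a small POSIX sh script that checks whether the "full mitigation" Apple describes is actually in place on a Mac, by looking for the two NVRAM settings the procedure writes (a `cwae=2` token in `boot-args` and `SMTDisable=%01`) and by confirming that hyper-threading is really off (logical CPU count equal to physical core count). It assumes, as the post does not state, that `nvram -p` prints one `name<TAB>value` line per variable and renders the 0x01 byte as `%01`, and that `sysctl -n hw.logicalcpu` / `hw.physicalcpu` give thread and core counts. The parsing functions take their input as arguments, so they run on any POSIX shell; only `report_mac` touches the live system.

```shell
#!/bin/sh
# Added example (not Apple's code, not from the forum post): audit the macOS
# "full mitigation" for MDS. Assumptions: `nvram -p` prints "name<TAB>value"
# lines and shows byte 0x01 as %01; `sysctl -n hw.logicalcpu`/`hw.physicalcpu`
# report thread/core counts. Parsing is done on argument strings so the logic
# can be exercised without a Mac.

# mds_nvram_state "<output of nvram -p>"
# Prints: full | boot-args-only | smtdisable-only | none
mds_nvram_state() {
    dump="$1"
    bootargs=$(printf '%s\n' "$dump" | awk -F '\t' '$1 == "boot-args" { print $2 }')
    smtdisable=$(printf '%s\n' "$dump" | awk -F '\t' '$1 == "SMTDisable" { print $2 }')

    has_cwae=0
    # boot-args may carry other tokens (-v, debug=...), so match the token exactly
    for tok in $bootargs; do
        [ "$tok" = "cwae=2" ] && has_cwae=1
    done
    has_smt=0
    [ "$smtdisable" = "%01" ] && has_smt=1

    if [ "$has_cwae" -eq 1 ] && [ "$has_smt" -eq 1 ]; then
        echo full
    elif [ "$has_cwae" -eq 1 ]; then
        echo boot-args-only
    elif [ "$has_smt" -eq 1 ]; then
        echo smtdisable-only
    else
        echo none
    fi
}

# ht_state <logical_cpus> <physical_cpus>
# Prints "disabled" when each physical core exposes a single thread.
ht_state() {
    if [ "$1" -eq "$2" ]; then echo disabled; else echo enabled; fi
}

# Live check; only meaningful on macOS.
report_mac() {
    nv=$(nvram -p 2>/dev/null) || { echo "nvram not available (not macOS?)" >&2; return 1; }
    echo "NVRAM MDS settings: $(mds_nvram_state "$nv")"
    echo "Hyper-threading:    $(ht_state "$(sysctl -n hw.logicalcpu)" "$(sysctl -n hw.physicalcpu)")"
}

# Constructed sample of an `nvram -p` dump after Apple's two commands.
sample_nvram=$(printf 'SystemAudioVolume\t%%40\nboot-args\tcwae=2\nSMTDisable\t%%01\n')

if [ "$(uname -s)" = "Darwin" ]; then
    report_mac
else
    echo "sample dump -> $(mds_nvram_state "$sample_nvram")"
fi
```

    Both halves matter: `boot-args-only` means the extra instruction is armed but sibling threads still share the core, and a `SMTDisable` value alone does nothing until the next boot, which is why the script also compares the core and thread counts the running kernel reports.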
  8. hmscott

    hmscott Notebook Nobel Laureate

    Chrome OS 74 disables CPU hyperthreading to mitigate Intel vulnerabilities
    May 14, 2019 Kevin C. Tofel
    https://www.aboutchromebooks.com/ne...threading-intel-mds-vulnerabilities-security/

    "If you’ve noticed your Chromebook performance to be a little slower with Chrome OS 74, it could be due to a change in how your Chromebook handles CPU hyperthreading. More precisely, Chrome OS 74 disables CPU hyperthreading to mitigate security risks due to Microarchitectural Data Sampling (MDS) vulnerabilities.

    Google has a Chrome OS support page with full details, but here’s the key aspect:

    "Microarchitectural Data Sampling (MDS) is a group of vulnerabilities that allow an attacker to potentially read sensitive data. If Chrome processes are attacked, these sensitive data could include website contents as well as passwords, credit card numbers, or cookies. The vulnerabilities can also be exploited to read host memory from inside a virtual machine, or for an Android App to read privileged process memory (e.g. keymaster).

    To protect users, Chrome OS 74 disables Hyper-Threading by default. For the majority of our users, whose workflows are primarily interactive, this mitigates the security risk of MDS without a noticeable loss of responsiveness. Chrome OS 75 will contain additional mitigations.
    "

    If you want the details on MDS, you can read more about the vulnerabilities at their respective pages here: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091. Keep in mind if you have an ARM processor in your Chromebook, you’re not affected.

    This kind of response, while unfortunate, is probably the best way to handle open vulnerabilities. And to be clear: They don’t apply simply to Chromebooks: They apply to any computer or device running on an Intel processor.

    And frankly, while it may not be obvious to Chromebook device users if their machine is using hyperthreading for a particular use, typical usage likely doesn’t take advantage of hyperthreading anyway. In which case, there’s either a minimal or no impact.

    While I don’t recommend it, you can re-enable hyperthreading on your Chrome OS device by browsing to chrome://flags#scheduler-configuration and enabling the “performance” setting."
     
  9. hmscott

    hmscott Notebook Nobel Laureate

    So far it looks like all of the OS vendors recommend disabling SMT / HT as part of the Intel MDS mitigations...here's Ubuntu's wiki instructions for Intel MDS:

    Microarchitectural Data Sampling (MDS)
    CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091

    It was discovered that memory contents previously stored in microarchitectural buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core via a speculative execution side-channel.

    A local attacker could access the stale contents of store buffers, load ports, and fill buffers which may contain data belonging to another process or data that originated from a different security context.

    As a result, unintended memory exposure can occur between userspace processes, between the kernel and userspace, between virtual machines, or between a virtual machine and the host environment.

    MDS differs from other recent speculative execution side-channel attacks in that the attacker cannot target specific data.

    The attacker can periodically sample the contents in the buffers but does not have control over the data that is present in the buffers when the sample is taken.

    Therefore, additional work is required to fully collect and reconstruct the data into a meaningful data set.

    Processors from other vendors are not known to be affected by MDS. [Intel only vulnerability]
    Four CVEs have been assigned to cover different variations of the data sampling flaw:
    • CVE-2018-12126 for Microarchitectural Store Buffer Data Sampling (MSBDS)

    • CVE-2018-12127 for Microarchitectural Load Port Data Sampling (MLPDS)

    • CVE-2018-12130 for Microarchitectural Fill Buffer Data Sampling (MFBDS)

    • CVE-2019-11091 for Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
    This document will refer to the general set of data sampling flaws as MDS. The specific acronym will be used when referring to one of the individual data sampling flaws, such as MFBDS.

    Mitigations
    Intel has provided microcode updates which, in conjunction with updated kernels, mitigate the vulnerabilities in some situations. The underlying technique used to remediate all four issues is the same. The kernel executes a specific instruction which causes all affected microarchitectural buffers to be cleared. The kernel must execute the instruction at different times for each data sampling vulnerability. In some situations, clearing the buffers will prevent adversaries from accessing the data that was present.

    The kernel and corresponding intel-microcode package updates fully address the MDS flaws if your processor does not support Hyper-Threads, also known as Symmetric Multi-Threading (SMT).

    MDS is not fully mitigated if your processor supports Hyper-Threads and Hyper-Threads are enabled.

    Ubuntu recommends disabling Hyper-Threads on affected systems if the system is used to execute untrusted or potentially malicious code. Some example workloads that warrant the need to disable Hyper-Threads are:
    • A multi-user system with a potentially malicious user. A malicious user could leverage MDS to extract secrets from other users on the system.
    • A system that runs programs which come from questionable sources. This could occur if a user on the system regularly makes use of new versions of programs that are published by an individual or group that they don't fully trust. A malicious software publisher could leverage MDS to extract secrets from the system.
    • A system that hosts virtual machines from varying security domains and/or that the system owner does not fully trust. A malicious program in one virtual machine could extract secrets from other virtual machines or from the virtualization host itself.
    Please see the Configuration section below for configuration details, including how to disable Hyper-Threads.

    The upstream Linux kernel community is working on process scheduling improvements that may allow existing systems with Hyper-Thread support to be fully mitigated against MDS attacks. The changes are referred to as Group, or Core, scheduling. The Ubuntu kernel may support such scheduling changes in a future release.

    IMPORTANT: There is no software fallback mechanism available for processors that have not received microcode updates from Intel. Mitigation is only possible if Intel has provided a microcode update for your processor.

    Updates
    Ubuntu users are recommended to update to the latest kernel, intel-microcode, and qemu packages. The majority of users should ensure that the following kernel packages are installed:

    Ubuntu Release   Base Kernel                                      Enablement Kernel
    19.04            linux-image-5.0.0-15-generic 5.0.0-15.16         N/A
    18.10            linux-image-4.18.0-20-generic 4.18.0-20.21       N/A
    18.04 LTS        linux-image-4.15.0-50-generic 4.15.0-50.54       linux-image-4.18.0-20-generic 4.18.0-20.21
    16.04 LTS        linux-image-4.4.0-148-generic 4.4.0-148.174      linux-image-4.15.0-50-generic 4.15.0-50.54
    14.04 ESM        linux-image-3.13.0-170-generic 3.13.0-170.220    linux-image-4.4.0-148-generic 4.4.0-148.174
    12.04 ESM        linux-image-3.2.0-140-generic 3.2.0-140.186      linux-image-3.13.0-140-generic 3.13.0-140.186

    Users of other Ubuntu kernels should consult the Ubuntu Security Notices for specific version information.

    Due to the complexity of the changes involved in mitigating this hardware vulnerability, a livepatch will not be available via the Canonical Livepatch Service.

    Ubuntu users with Intel processors should ensure that the following intel-microcode packages are installed:

    Release      intel-microcode Version
    19.04        intel-microcode 3.20190514.0ubuntu0.19.04.1
    18.10        intel-microcode 3.20190514.0ubuntu0.18.10.1
    18.04 LTS    intel-microcode 3.20190514.0ubuntu0.18.04.2
    16.04 LTS    intel-microcode 3.20190514.0ubuntu0.16.04.1
    14.04 ESM    intel-microcode 3.20190514.0ubuntu0.14.04.1
    12.04 ESM    Not available; please consult your hardware vendor's website for a BIOS update containing new microcode


    Ubuntu users with Intel processors that use KVM virtualization should also ensure that the following qemu packages are installed:

    Release      qemu Version
    19.04        qemu 1:3.1+dfsg-2ubuntu3.1
    18.10        qemu 1:2.12+dfsg-3ubuntu8.7
    18.04 LTS    qemu 1:2.11+dfsg-1ubuntu7.13
    16.04 LTS    qemu 1:2.5+dfsg-5ubuntu10.38
    14.04 ESM    qemu 2.0.0+dfsg-2ubuntu1.46

    Ubuntu users with Intel processors that use libvirt to manage KVM virtualization should also ensure that the following libvirt packages are installed:

    Release      libvirt Version
    19.04        libvirt 5.0.0-1ubuntu2.1
    18.10        libvirt 4.6.0-2ubuntu3.5
    18.04 LTS    libvirt 4.0.0-1ubuntu8.10
    16.04 LTS    libvirt 1.3.1-1ubuntu10.26

    Configuration

    MDS Configuration

    MDS mitigation is enabled by default after booting the system with updated kernel and intel-microcode packages. In this configuration, MDS attacks are fully prevented if the processor does not support Hyper-Threads.

    The following kernel boot option can be used to disable Hyper-Threads of affected processors. This configuration provides full mitigation on updated systems:

    mds=full,nosmt

    IMPORTANT: Whilst the above is provided as a generic solution to disable Hyper-Threads, instead it is recommended to disable Hyper-Threads in your BIOS settings rather than disabling them with the kernel boot option. The processor will not need to dedicate certain resources to multiple threads within a single processor core when Hyper-Threads are disabled in the BIOS. This could result in a small performance improvement when compared to disabling Hyper-Threads in the kernel.

    MDS mitigation does incur some performance overhead. You may use the following kernel boot option to disable MDS mitigations entirely:

    mds=off

    IMPORTANT:
    Vulnerability mitigations should only be disabled in carefully controlled environments where all of the code being executed is known and trusted. Disabling any of these mitigations in situations where untrusted code can be executed is not recommended.

    Please see the Linux kernel MDS Admin Guide for more information on configuration options.

    General CPU Mitigation Configuration
    A new boot option is included in the updated kernels that mitigate MDS. The new option allows the system administrator to configure all CPU vulnerability mitigations with a single option.

    The following kernel boot option can be used to enable all mitigations and disable Hyper-Threads for processors affected by L1TF and/or MDS:

    mitigations=auto,nosmt

    CPU side-channel mitigations do incur some performance overhead. You may use the following kernel boot option to disable all mitigations:

    mitigations=off

    IMPORTANT: Vulnerability mitigations should only be disabled in carefully controlled environments where all of the code being executed is known and trusted. Disabling any of these mitigations in situations where untrusted code can be executed is not recommended.

    Please see the Linux Kernel Parameters Admin Guide for more information on the mitigations= kernel boot option.

    Checking System Status
    Updated Ubuntu kernels have the ability to report how the system is currently affected by MDS. To check your system, read the contents of the:

    /sys/devices/system/cpu/vulnerabilities/mds file.

    You must apply kernel updates and reboot if the file does not exist as that indicates that your kernel does not have mitigations in place for MDS.

    Processors that aren't vulnerable to MDS will report the following:

    $ cat /sys/devices/system/cpu/vulnerabilities/mds
    Not affected

    You may encounter a situation where you have an updated Ubuntu kernel but you don't have updated microcode. This could occur if you've not updated to the latest intel-microcode package or if Intel has not released new microcode for your processor. You'll see the following in this situation:

    $ cat /sys/devices/system/cpu/vulnerabilities/mds
    Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable

    Processors that have Hyper-Threading support enabled will indicate that SMT is vulnerable:

    $ cat /sys/devices/system/cpu/vulnerabilities/mds
    Mitigation: Clear CPU buffers; SMT vulnerable

    The file will contain the following contents for processors that do not support Intel Hyper-Threading or where Hyper-Threading has been disabled:

    $ cat /sys/devices/system/cpu/vulnerabilities/mds
    Mitigation: Clear CPU buffers; SMT disabled

    The kernel is unable to reliably determine whether Hyper-Threading is enabled when running in a virtual environment. Updated host kernel packages, updated host qemu packages with proper configuration to pass through the host CPU type to the guest, and updated guest kernel packages will show the following status inside of the virtual environment:

    $ cat /sys/devices/system/cpu/vulnerabilities/mds
    Mitigation: Clear CPU buffers; SMT Host state unknown

    The examples above cover the most common situations. Please see the Linux Kernel MDS Admin Guide for additional, less common situations.

    Timeline
    • 2019 May 14 at 17:00 UTC: the issue is made public

    Here's an article announcing when OpenBSD gave up on Intel SMT / HT, defaulting to disabled, about a year ago...

    OpenBSD Disabling SMT / Hyper Threading Due To Security Concerns
    Written by Michael Larabel in Linux Security on 19 June 2018 at 05:41 PM EDT.
    https://www.phoronix.com/scan.php?page=news_item&px=OpenBSD-Disabling-SMT

    "Security oriented BSD operating system OpenBSD is making the move to disable Hyper Threading (HT) on Intel CPUs and more broadly moving to disable SMT (Simultaneous Multi Threading) on other CPUs too.

    Disabling of Intel HT and to follow with disabling SMT for other architectures is being done in the name of security. "SMT (Simultaneous Multi Threading) implementations typically share TLBs and L1 caches between threads. This can make cache timing attacks a lot easier and we strongly suspect that this will make several spectre-class bugs exploitable. Especially on Intel's SMT implementation which is better known as Hyper-threading. We really should not run different security domains on different processor threads of the same core."

    OpenBSD could improve their kernel's scheduler to workaround this, but given that is a large feat, at least for now they have decided to disable Hyper Threading by default.

    Those wishing to toggle the OpenBSD SMT support can use the new hw.smt sysctl setting on OpenBSD/AMD64 and is being extended to cover CPUs from other vendors and architectures.

    This may have a large impact on multi-threaded workloads, but OpenBSD developers are trying to play this down by saying, "Note that SMT doesn't necessarily have a positive effect on performance; it highly depends on the workload. In all likelihood it will actually slow down most workloads if you have a CPU with more than two cores."

    The change was merged today ahead of the eventual OpenBSD 6.4 release."
     
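    An added example, not part of the Ubuntu wiki text quoted above: a POSIX sh audit of the MDS status the kernel reports in /sys/devices/system/cpu/vulnerabilities/mds, mapping each of the status strings the Ubuntu page lists to a one-word verdict, together with an idempotent way of adding the recommended `mitigations=auto,nosmt` (or `mds=full,nosmt`) option to GRUB. Two things here are assumptions rather than anything the post states: that /sys/devices/system/cpu/smt/control is the kernel's runtime SMT switch, and that GRUB takes its options from `GRUB_CMDLINE_LINUX_DEFAULT` in /etc/default/grub (run `update-grub` and reboot after changing it). The GRUB edit is demonstrated on a constructed temporary file, never on the real one.

```shell
#!/bin/sh
# Added example (not Ubuntu's code, not from the forum post): audit the MDS
# mitigation state a Linux kernel exposes and add the recommended boot option
# to GRUB exactly once. Assumed, not stated in the post: the smt/control sysfs
# switch, and GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds
SMT_SYSFS=/sys/devices/system/cpu/smt/control

# mds_verdict "<the one line in the mds sysfs file, or empty if it is absent>"
# Prints: missing | not-affected | no-microcode | vulnerable | full |
#         smt-exposed | host-unknown | unknown
mds_verdict() {
    case "$1" in
        "")                         echo missing ;;       # file absent: kernel has no MDS support
        "Not affected")             echo not-affected ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
                                    echo no-microcode ;;  # kernel updated, microcode not
        "Vulnerable"*)              echo vulnerable ;;    # e.g. booted with mds=off
        "Mitigation: Clear CPU buffers; SMT disabled")
                                    echo full ;;
        "Mitigation: Clear CPU buffers; SMT vulnerable")
                                    echo smt-exposed ;;   # buffers cleared, HT still on
        "Mitigation: Clear CPU buffers; SMT Host state unknown")
                                    echo host-unknown ;;  # running inside a VM
        *)                          echo unknown ;;
    esac
}

# live_report: verdict for this machine, the SMT switch, and the boot options in use.
live_report() {
    status=""
    [ -r "$MDS_SYSFS" ] && status=$(cat "$MDS_SYSFS")
    echo "mds status : ${status:-<file absent>}"
    echo "verdict    : $(mds_verdict "$status")"
    if [ -r "$SMT_SYSFS" ]; then echo "smt control: $(cat "$SMT_SYSFS")"; fi
    if [ -r /proc/cmdline ]; then
        tr ' ' '\n' < /proc/cmdline | grep -E '^(mitigations|mds)=' | sed 's/^/boot option: /'
    fi
}

# smt_off: switch SMT off at runtime (root). Lasts until reboot only, so pair it
# with the BIOS setting or the nosmt boot option for something permanent.
smt_off() { echo off > "$SMT_SYSFS"; }

# add_grub_mitigation <grub-default-file> <option>
# Adds <option> (e.g. mitigations=auto,nosmt) to GRUB_CMDLINE_LINUX_DEFAULT once.
# Returns 0 if the file changed, 1 if the option was already present.
add_grub_mitigation() {
    file="$1"; opt="$2"
    if grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=.*[\" ]$opt[\" ]" "$file"; then
        return 1
    fi
    if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        echo "GRUB_CMDLINE_LINUX_DEFAULT=\"$opt\"" >> "$file"
        return 0
    fi
    cur=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$file")
    new="${cur:+$cur }$opt"     # keep existing options; add a space only if there were any
    sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=\".*\"$|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Constructed sample of an /etc/default/grub file (not taken from a real system).
make_sample_grub() {
    f=$(mktemp)
    printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\nGRUB_CMDLINE_LINUX=""\n' > "$f"
    echo "$f"
}

if [ -d /sys/devices/system/cpu ]; then live_report; fi
f=$(make_sample_grub)
add_grub_mitigation "$f" mitigations=auto,nosmt
grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$f"
rm -f "$f"
```

    The verdict names follow the Ubuntu text: only `full` means the buffer-clearing mitigation is active and no sibling thread can sample the core, `smt-exposed` is the state the page warns about on HT-enabled parts, and `host-unknown` is the in-VM case where the guest cannot tell whether the host has SMT on, so the host's own status has to be checked separately.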
  10. hmscott

    hmscott Notebook Nobel Laureate

    RIP Hyper-Threading? ChromeOS axes key Intel CPU feature over data-leak flaws – Microsoft, Apple suggest snub
    Plug pulled on SMT tech as software makers put security ahead of performance
    By Thomas Claburn in San Francisco 14 May 2019 at 21:14
    https://www.theregister.co.uk/2019/05/14/intel_hyper_threading_mitigations/

    "Analysis - In conjunction with Intel's coordinated disclosure today about a family of security vulnerabilities discovered in millions of its processors, Google has turned off Hyper-Threading in Chrome OS to fully protect its users.

    Meanwhile, Apple, Microsoft, IBM's Red Hat, QubesOS, and Xen advised customers that they may wish to take similar steps.

    The family of flaws are dubbed microarchitecture data sampling (MDS), and Chipzilla's official advisory is here, along with the necessary microcode updates to mitigate the data-leaking vulnerabilities and list of affected products. Installing these fixes and disabling Intel's Hyper-Threading feature is a sure fire way to kill off the bugs, though there may be a performance hit as a result.
    Background
    Hyper-Threading is Intel's implementation of simultaneous multithreading (SMT), a technique for splitting a single physical processor core into two virtual cores known as hardware threads. It's supposed to improve performance by allowing two software threads to run simultaneously through each physical core, sharing available resources on the silicon as needed. This means one physical core can juggle two threads, either in the same application or two separate applications, at the same time, improving throughput. Some workloads benefit from this, some are hindered or see no gain. Your mileage may vary.

    However, one thing it does bring into the mix is the risk that side-channel surveillance techniques, such as MDS, may be able to break hardware thread isolation, and access sensitive data it shouldn't be able to see. In other words, one thread can snoop on the memory accesses of another thread sharing the same physical CPU core, and lift passwords, keys, and other secrets, potentially.

    Really, today's chip flaw disclosures cover a group of design blunders: ZombieLoad (CVE-2018-12130) can be exploited by malware or rogue users on a vulnerable system to potentially steal browser histories, website content, user keys, passwords, and system-level secrets, such as disk encryption keys from other parts of memory.

    We're told it can work across CPU protection rings and process boundaries, and against cloud and on-premises virtual machines and trusted execution environments. Proof-of-concept exploit code is available to try it out for yourself.

    There's also RIDL and Fallout (CVE-2018-12126, CVE-2018-12127, CVE-2019-11091) that can be exploited to steal confidential info from memory.

    Mitigating these security oversights in Intel's chips will require microcode updates to be installed, and operating system and hypervisor patches to utilize them, so check your OS vendor, and system manufacturer if needed, for new software and install it as soon as you're able. These fixes may introduce a performance hit depending on what kind of programs you're running.

    You can opt to turn off Hyper-Threading to fully neutralize the threat, though you may want to weigh up if it's worth the performance cost by testing your applications with the feature on and off.

    Google
    Google said it is disabling Hyper-Threading by default in Chrome OS 74, citing security concerns, and noting that Chrome OS 75 will have additional mitigations.

    "The decision to disable or enable Hyper-Threading is a security versus performance tradeoff," said the web giant's people in a vulnerability notice. "With Hyper-Threading disabled, Intel CPUs may experience reduced performance, which varies depending on the workload. But, with Hyper-Threading enabled, users could execute code, such as by visiting a website or running an Android app, that exploits MDS to read sensitive memory contents."

    Google has further details on how it's handling the bugs, from its client applications to cloud services, right here.

    BSD land
    The OpenBSD community, for one, came to that conclusion last year when it disabled Hyper-Threading in OpenBSD 6.4. In response to past Intel processor vulnerabilities (TLBleed and L1TF) that showed Hyper-Threading to be a risk, OpenBSD leader Theo de Raadt observed that Hyper-Threading is fundamentally broken because it shares resources between two CPU instances without assuring secure isolation.

    "DISABLE HYPERTHREADING ON ALL YOUR INTEL MACHINES IN THE BIOS," he said in a mailing list post at the time.

    Apple
    Apple has released macOS Mojave 10.14.5 to address MDS attacks via JavaScript and Safari. [Apple] says a comprehensive fix requires turning off Hyper-Threading, which comes with a potentially substantial performance cost.

    "Full mitigation requires using the Terminal app to enable an additional CPU instruction and disable hyper-threading processing technology," Apple warned in its advisory. "This capability is available for macOS Mojave, High Sierra, and Sierra in the latest security updates and may reduce performance by up to 40 per cent, with the most impact on intensive computing tasks that are highly multithreaded."

    Unfortunately for Apple customers with older Macs, Intel has not made microcode fixes available for Mac models from 2010 or earlier.

    Microsoft
    Microsoft in its MDS threat guidance does not take a firm stand but notes, "To be fully protected, customers may also need to disable Hyper-Threading." The Windows giant has released operating system updates to mitigate Intel's design flaw in conjunction with necessary microcode updates – see the aforementioned link.

    Red Hat
    Red Hat includes a link to disabling Hyper-Threading in its advisory without making a recommendation one way or another. Its Hyper-Threading (SMT) security page notes, "Various microprocessor flaws have been discovered recently. Certain issues require SMT be disabled in order to more fully mitigate the issue."

    The enterprise Linux slinger has more technical notes here and here on the cause and effects – or you can check out the vid below. Other Linux distros should be rolling out their fixes, too. Here's the state of play with Ubuntu and Debian, for instance.

    Google Cloud only recommends disabling Hyper-Threading for Compute Engine users "if you are using Container Optimized OS (COS) as your Guest OS and you are running untrusted, multi-tenant workloads in your virtual machine." It makes a similar recommendation for those running untrusted code on multi-tenant services within Kubernetes Engine.

    Xen, which makes a hypervisor used by AWS (advisory) and other cloud providers, has issued an advisory that details the risks of Hyper-Threading while refusing to disable the technology by default because doing so would be too disruptive. Mitigations and fixes are available from the aforementioned link.

    "Leakage of data from Xen or other guests can only be prevented entirely by disabling hyper-threading (if available and active in the BIOS), and by applying the patches to Xen," its advisory stated.

    Qubes, which relies on Xen for virtualization, says much the same.

    Intel is fine with its technology, and leaves the decision to disable Hyper-Threading to its industry partners.

    "Intel is not recommending disabling HT," a company spokesperson told The Register in an email.

    "It’s important to understand that disabling SMT/HT does not alone provide protection against MDS, and doing so may impact workload performance or resource utilization that can vary depending on the workload.

    "After systems are updated, there are some cases where additional considerations may apply. Our software partners will provide guidance that can help customers make the right decisions for their systems and the workloads critical to their needs.""
    Comments

    What about AMD CPUs?
    The researchers did test with AMD and ARM: "they were unable to replicate any of their attack primitives"

    Buffer the Intel flayer: Chipzilla, Microsoft, Linux world, etc emit fixes for yet more data-leaking processor flaws
    Intel CPUs dating back a decade are vulnerable to latest cousin of Spectre
    By Thomas Claburn in San Francisco 14 May 2019 at 17:00
    https://www.theregister.co.uk/2019/05/14/intel_sidechannel_vulnerability/

    "The vulnerabilities appear to be limited to Intel hardware; the researchers say they were unable to replicate any of their attack primitives on Arm or AMD-designed processors."

    "The attack, the researchers say, steals secret and sensitive data from across user-space processes, CPU protection rings, virtual machines, and SGX enclaves. "We demonstrated the immense attack potential by monitoring browser behaviour, extracting AES keys, establishing cross-VM covert channels or recovering SGX sealing keys," the ZombieLoad paper explains. "Finally, we conclude that disabling hyperthreading is the only possible workaround to mitigate ZombieLoad on current processors."

    According to Gruss, the boffins also discovered that the line-fill buffer can be used to bypass Foreshadow mitigations, though that's not detailed in either paper.

    Intel disagrees about the need to disable hyperthreading, and says it plans to add additional hardware defenses to address these vulnerabilities into future processors."
     
    Last edited: May 16, 2019
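The article's advice (install microcode plus OS updates, then decide about Hyper-Threading) leaves an admin wanting a quick way to see what state a patched Linux box is actually in. The following POSIX shell check is an added example, not code from The Register, Red Hat or any vendor: the two sysfs files are real ones exposed by kernels carrying the MDS patches (documented in the kernel's hw-vuln/mds.rst), while the verdict names and the built-in sample strings are assumptions of this script.

```shell
#!/bin/sh
# Added example: classify the MDS mitigation state a Linux kernel reports.
# Sysfs paths are the real ones; status strings assumed per hw-vuln/mds.rst.

# mds_verdict "<mds status line>" "<smt/control value>"
# Prints one of: not-affected | fully-mitigated | mitigated-smt-on |
#                host-smt-unknown | needs-microcode | unmitigated | unknown
mds_verdict() {
    status=$1
    smt=$2
    case "$status" in
        "Not affected") echo not-affected ;;
        # Kernel has the fix but the CPU lacks the VERW microcode update.
        "Vulnerable: Clear CPU buffers attempted"*) echo needs-microcode ;;
        Vulnerable*) echo unmitigated ;;
        "Mitigation: Clear CPU buffers"*)
            # Buffers are flushed on context switch, but a sibling hardware
            # thread can still sample them while HT stays on.
            case "$status" in
                *"SMT disabled"*|*"SMT mitigated"*) echo fully-mitigated ;;
                *"SMT vulnerable"*) echo mitigated-smt-on ;;
                *"SMT Host state unknown"*) echo host-smt-unknown ;;
                *)  # No SMT suffix: fall back to the SMT control knob.
                    case "$smt" in
                        off|forceoff|notsupported) echo fully-mitigated ;;
                        *) echo mitigated-smt-on ;;
                    esac ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Read the live values when available; otherwise use a constructed sample
# so the script still runs (and shows the "HT still on" case) anywhere.
live_mds_verdict() {
    f=/sys/devices/system/cpu/vulnerabilities/mds
    c=/sys/devices/system/cpu/smt/control
    if [ -r "$f" ]; then s=$(cat "$f"); else s="Mitigation: Clear CPU buffers; SMT vulnerable"; fi
    if [ -r "$c" ]; then m=$(cat "$c"); else m=on; fi
    mds_verdict "$s" "$m"
}

live_mds_verdict
```

A result of mitigated-smt-on is exactly the situation the article describes: microcode and kernel fix applied, but the cross-thread leakage path remains until SMT is turned off (`/sys/devices/system/cpu/smt/control`, the `nosmt` boot option, or the BIOS).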