[RndTbl] Horrific CPU flaws (Meltdown / Spectre)

Trevor Cordes trevor at tecnopolis.ca
Thu Jan 4 02:36:27 CST 2018


As most of you probably know, new CPU bugs have just been found (1 
affecting mostly Intel, 1 affecting Intel + AMD; both potentially 
affecting phones).

I wouldn't mind a MUUG discussion about this.  News on the net seems to be 
pretty low-caliber.  Some are better than others.

https://spectreattack.com/  seems to be good... but I wouldn't hit that 
site without a JS blocker.  Apparently (could be a myth) these bugs can be 
triggered by JS in a web page!!!

CVE/NVD doesn't seem to have ratings for this yet (still "reserved").  

The good news:
From what I read, it's a read-only attack, apparently they can dump your 
entire RAM without root access.  Not great, but better than a RW attack!

KPTI/Kaiser/Meltdown appears to all reference the same thing.  Intel only 
(so far... maybe add ARM), definitely not AMD (so far).  Fix can't be done 
in microcode or firmware.  So it'll be patched in kernels (all OSes).  OK, 
great, who cares.  But... the patch causes 5-30% performance hit across 
the board; the more syscalls the program makes, the worse your hit.  Fun.  
The fix is basically move kernel page tables out of RAM when executing 
user code.  Then swap it back in.  Joy.  Hmmm, by coincidence, Intel's 
very latest CPUs (unsure on definition of "latest") are rumoured to have 
an instruction to make this less painful... hmmmmmmm.

Spectre seems to be more of a mystery.  Apparently it allows progs to read 
other progs' memory, but not kernel RAM.  And no OS fix planned yet?  
Affects all CPUs with out-of-order exec, which is basically everything in 
the last, what, 15 years?  This one worries me more.  However, they say 
it's harder to implement the hack, so maybe it'll turn out to be a red 
herring in reality.  If it's as scary as some make it sound, we could be 
seriously fskc'd because there isn't a syscall boundary to easily insert a 
nice page table swap into.

Going back to my university days and my hardware architecture classes, I 
find the technical side of this to be fascinating.  It looks like they are 
preying upon weaknesses in CPU handling of speculative loads, indirect 
addressing, and long pipelines.  The fact that the CPUs weren't properly 
designed to not allow such insane access is quite shocking to me.  
Pipelines are supposed to be thrown away after an incorrect guess.  
Nothing should be leaking.  Saying "we did it for performance reasons" is 
quite lame.  If anyone finds some good mid- / mid-high-level technical 
explanations of the on-chip flaws, please post links.

It'll be interesting to see what the next gen(s) of CPUs do to 
specifically address this.  Given design/fab lifecycles it could be years 
before new CPUs have this fixed.  Surely pipelines / OOE aren't going 
away.  Heck, even RISC wouldn't have saved us, as they are monga pipeline 
dependent.  My hunch is PPC is Spectre vulnerable, but it'll be 
interesting to find out more.

The above is all just my take on things after binge-reading about 8 
different articles on it.  If I'm wrong on something, please correct me.  
Supposedly Linus has ranted on it already, but I can't find it anywhere, 
so if you have a link to a Linus rant, please share.

In the meantime, get ready for all your newer/supported devices to get 5%+ 
slower, and all your older devices to get p0wned.  Me, I'm going to jump 
on that new ECC workstation I've been eyeing... I won't be able to handle 
any slowdown on my current, ancient box.

Final thought... why didn't anyone figure this flaw out earlier in the 
last 10 years it existed?  Wonder who was exploiting it this whole time... 
wonder how long Intel knew (not the "official" version).  Anyone laying 
bets on class-actions and/or CPU recalls?  Not sure Intel could make 
enough CPUs (or afford it) to replace every CPU it sold in the last 10 
years.
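Added example (not part of the post above): the post asks whether a given box is patched for Meltdown (KPTI) and the two Spectre variants, and Linux kernels from early 2018 onward answer that through one file per issue under /sys/devices/system/cpu/vulnerabilities/, each holding a single line such as "Not affected", "Vulnerable" or "Mitigation: PTI".  The script below parses those lines, reports the state of each entry, and lists what still needs attention.  The sample data embedded in it is constructed for offline use and assumes a machine that is not affected by Meltdown but has an only partially mitigated Spectre v2; the directory path and line formats are the real kernel ones.

```python
"""Report Meltdown/Spectre mitigation status from the Linux sysfs interface.

Added example, not part of the original mailing-list post.  It reads
/sys/devices/system/cpu/vulnerabilities/ when present and otherwise falls
back to a constructed sample so it can be run anywhere.
"""
import os
from typing import Dict, List, Tuple

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample (not captured from a real host): a box that is not
# affected by Meltdown, has the Spectre v1 kernel fix, and only a partial
# Spectre v2 mitigation.
SAMPLE_STATUS = {
    "meltdown": "Not affected",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def classify(line: str) -> Tuple[str, str]:
    """Map one sysfs line to (state, detail).

    state is "not_affected", "mitigated", "vulnerable" or "unknown";
    detail is whatever the kernel wrote after the colon, if anything.
    """
    text = line.strip()
    if text == "Not affected":
        return "not_affected", ""
    if text.startswith("Mitigation:"):
        return "mitigated", text[len("Mitigation:"):].strip()
    if text.startswith("Vulnerable"):
        detail = text[len("Vulnerable"):].lstrip(": ").strip()
        return "vulnerable", detail
    return "unknown", text


def read_sysfs(directory: str = SYSFS_DIR) -> Dict[str, str]:
    """Read every file in the vulnerabilities directory; empty dict if absent."""
    status: Dict[str, str] = {}
    if not os.path.isdir(directory):
        return status
    for name in sorted(os.listdir(directory)):
        try:
            with open(os.path.join(directory, name)) as fh:
                status[name] = fh.read().strip()
        except OSError:
            # Unreadable entry (permissions, odd kernel); skip rather than fail.
            continue
    return status


def summarize(status: Dict[str, str]) -> Dict[str, str]:
    """Return {entry: state} so a caller can act on anything still open."""
    return {name: classify(line)[0] for name, line in status.items()}


def unmitigated(status: Dict[str, str]) -> List[str]:
    """Entries an admin still has to look at: vulnerable or unrecognised."""
    return sorted(n for n, s in summarize(status).items()
                  if s in ("vulnerable", "unknown"))


if __name__ == "__main__":
    live = read_sysfs()
    data = live if live else SAMPLE_STATUS
    print("Source:", "live sysfs" if live else "constructed sample")
    for name, line in sorted(data.items()):
        state, detail = classify(line)
        print(f"{name:12s} {state:13s} {detail}")
    print("Needs attention:", ", ".join(unmitigated(data)) or "none")
```

On a real host the live directory wins over the sample; a kernel too old to export the directory yields an empty result, which the script treats as "use the sample" but which an admin should treat as "no mitigation information at all, assume unpatched".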
