Spectre Next Generation has arrived - and its worse than last time

Skybird · 05-03-18, 05:11 PM

https://borncity.com/win/2018/05/03/...in-intel-cpus/

I read in German about it yesterday, here now is the first English translation.

At least 8 new vulnerabilities of Intel CPUs have been found by German magazine "C'T". They are kept secret in explanations about their design, so that they win some time to catch up with them, but it is said these new vulnerabilities are more dangeorus than the last ones, since they do no longer need special, hard-to-obtain and hard-to-carry-out special knowledge to make use of them. The risk to private users may be a bit smaller than for server service operators, cloud providers and others.

The CPUs by Intel are not described as having some holes, but to be "holey like Swiss cheese".

I'm so lucky that I use my Intel gaming machine on W10 only for games, and nothing else. Bought in in Nove,mbre, but wiht the revelatiosn of the past 4 months I would never buy Intel again anymore, not for the next couple of years. Too expensive for the risk-package stuff you get. If I would have waited just 6 weeks longer back then...

The German article that dropped the bomb yesterday: https://www.heise.de/ct/artikel/Supe...g-4039134.html

Skybird · 05-03-18, 05:21 PM

I see that the original German article meanwhile also has been officially translated:

https://www.heise.de/ct/artikel/Excl...s-4040648.html

Skybird · 05-03-18, 05:25 PM

Quote:

One of the Spectre-NG flaws simplifies attacks across system boundaries to such an extent that we estimate the threat potential to be significantly higher than with Spectre.
(...)
Overall, the Spectre-NG gaps show that Spectre and Meltdown were not a one-off slip-up. It is not just a simple gap that could be plugged with a few patches. Rather, it seems that for each fixed issue, two others crop up. This is the result of the fact that during the past twenty years, safety considerations have only played second fiddle to performance in processor development.

An end to patches for hardware problems of the Spectre category is not in sight. But a never-ending flood of patches is not an acceptable solution. You can't shrug off the fact that the core component of our entire IT infrastructure has a fundamental security problem that will keep leading to more problems.

Nice.

Sean C · 05-03-18, 10:47 PM

It's the end of the world!!! Aaaahhhh!!!

Seriously, though: I always take as many precautions as I can against this kind of thing, and I will certainly continue to do so. But, you'll have to forgive me if I don't run around like my hair is on fire upon hearing this. It's a serious problem - no doubt about it. I just think people tend to get a little hyperbolic when assessing these kinds of threats.

There are many dangers when it comes to your personal information online - and as far as I can tell, there always will be. But, some common sense and a few precautions can go a long way to keeping your data and your finances safer. (I doubt that they will ever be completely safe ... anywhere.)

Skybird · 05-04-18, 06:31 AM

If you think this is only about personal data theft, than you have not understood the dimension of the problem. Although personal data theft already is serious enough, when you consider login data for online shops and online banking/brokering, but also your profile: risk evaluation when you ask an insurance company for a policy, getting sniffed out when you ask an employer for a job, targetted advertisement by businesses as well as political parties, social bonus points and bad notes for you when analysis shows that you like or dislike like you should (or should not), and your typed in views being in line or not with the wanted public opinions and views... Look at China, they are doing right this now, it gets reported these days.

Think in terms of enforced remote control of IT infrastructure in cities, traffic infrastructures and institutions, hospitals, energy production - blackmailing, cyber warfare - oh wait - that hospitals get blackmailed by cyber attackers, already is a common practice now it seems.

Think in terms of taking over IT hardware - and everything that it controls. Think in terms of bot nets.

Like it is said somewhere in the articles: our complete IT infrastruture's security is rotten at the very core level already. And the easier it is to abuse these weaknesses, the more dangerous the situation becomes, and the more likely it becomes that attacks take place. Spectre NG represents such a dramatic simplification, in parts at least. I have read this morning that it got leaked that one of those eight vulnerabilities consists of only four brief lines of code injected in an environment that bases on the use of a VM. What the...? Just four lines of code to spell desaster?

It takes years to become a competent fencer and hit your opponent at 1 meter. But every every idiot can shoot and hit with a pistol at 10 meters. Thats why simplifying the execution of Meltdown- and Spectre-based attacks is so dangerous.

BarracudaUAK · 05-05-18, 09:51 PM

Read the article...

I've seen several "before and after" benchmarks for Linux and Windows.
Several processors from Intel, and AMD were tested.
Meltdown usually resulted in performance losses, which varied by task.
Spectre had performance losses, but not to the degree of Meltdown.
(both were mostly I/O task, but some other task as well.)

Except for the FX8350, which after a Spectre patch ( I forget which atm), was actually faster on several task...

Maybe this is the next performance boost for my PC.

This is the list of a search with the word "spectre".
https://www.phoronix.com/scan.php?page=search&q=spectre

I'll see if I can dig up the benchmarks.

Barracuda

05-03-18, 05:11 PM	#1
Skybird Soaring Join Date: Sep 2001 Location: the mental asylum named Germany Posts: 40,496 Downloads: 9 Uploads: 0	Spectre Next Generation has arrived - and its worse than last time https://borncity.com/win/2018/05/03/...in-intel-cpus/ I read in German about it yesterday, here now is the first English translation. At least 8 new vulnerabilities of Intel CPUs have been found by German magazine "C'T". They are kept secret in explanations about their design, so that they win some time to catch up with them, but it is said these new vulnerabilities are more dangeorus than the last ones, since they do no longer need special, hard-to-obtain and hard-to-carry-out special knowledge to make use of them. The risk to private users may be a bit smaller than for server service operators, cloud providers and others. The CPUs by Intel are not described as having some holes, but to be "holey like Swiss cheese". I'm so lucky that I use my Intel gaming machine on W10 only for games, and nothing else. Bought in in Nove,mbre, but wiht the revelatiosn of the past 4 months I would never buy Intel again anymore, not for the next couple of years. Too expensive for the risk-package stuff you get. If I would have waited just 6 weeks longer back then... The German article that dropped the bomb yesterday: https://www.heise.de/ct/artikel/Supe...g-4039134.html __________________ If you feel nuts, consult an expert. Last edited by Skybird; 05-03-18 at 05:20 PM.

05-03-18, 05:21 PM	#2
Skybird Soaring Join Date: Sep 2001 Location: the mental asylum named Germany Posts: 40,496 Downloads: 9 Uploads: 0	I see that the original German article meanwhile also has been officially translated: https://www.heise.de/ct/artikel/Excl...s-4040648.html __________________ If you feel nuts, consult an expert.

05-03-18, 10:47 PM	#4
Sean C Grey Wolf Join Date: Jun 2017 Location: Norfolk, VA Posts: 906 Downloads: 12 Uploads: 2	It's the end of the world!!! Aaaahhhh!!! Seriously, though: I always take as many precautions as I can against this kind of thing, and I will certainly continue to do so. But, you'll have to forgive me if I don't run around like my hair is on fire upon hearing this. It's a serious problem - no doubt about it. I just think people tend to get a little hyperbolic when assessing these kinds of threats. There are many dangers when it comes to your personal information online - and as far as I can tell, there always will be. But, some common sense and a few precautions can go a long way to keeping your data and your finances safer. (I doubt that they will ever be completely safe ... anywhere.) __________________ If you have a question about celestial navigation ... ask me! Celestial Navigation Spreadsheet

05-04-18, 06:31 AM	#5
Skybird Soaring Join Date: Sep 2001 Location: the mental asylum named Germany Posts: 40,496 Downloads: 9 Uploads: 0	If you think this is only about personal data theft, than you have not understood the dimension of the problem. Although personal data theft already is serious enough, when you consider login data for online shops and online banking/brokering, but also your profile: risk evaluation when you ask an insurance company for a policy, getting sniffed out when you ask an employer for a job, targetted advertisement by businesses as well as political parties, social bonus points and bad notes for you when analysis shows that you like or dislike like you should (or should not), and your typed in views being in line or not with the wanted public opinions and views... Look at China, they are doing right this now, it gets reported these days. Think in terms of enforced remote control of IT infrastructure in cities, traffic infrastructures and institutions, hospitals, energy production - blackmailing, cyber warfare - oh wait - that hospitals get blackmailed by cyber attackers, already is a common practice now it seems. Think in terms of taking over IT hardware - and everything that it controls. Think in terms of bot nets. Like it is said somewhere in the articles: our complete IT infrastruture's security is rotten at the very core level already. And the easier it is to abuse these weaknesses, the more dangerous the situation becomes, and the more likely it becomes that attacks take place. Spectre NG represents such a dramatic simplification, in parts at least. I have read this morning that it got leaked that one of those eight vulnerabilities consists of only four brief lines of code injected in an environment that bases on the use of a VM. What the...? Just four lines of code to spell desaster? It takes years to become a competent fencer and hit your opponent at 1 meter. But every every idiot can shoot and hit with a pistol at 10 meters. Thats why simplifying the execution of Meltdown- and Spectre-based attacks is so dangerous. __________________ If you feel nuts, consult an expert. Last edited by Skybird; 05-04-18 at 10:06 AM.

05-05-18, 09:51 PM	#6
BarracudaUAK Captain Join Date: Apr 2016 Posts: 520 Downloads: 31 Uploads: 0	Read the article... I've seen several "before and after" benchmarks for Linux and Windows. Several processors from Intel, and AMD were tested. Meltdown usually resulted in performance losses, which varied by task. Spectre had performance losses, but not to the degree of Meltdown. (both were mostly I/O task, but some other task as well.) Except for the FX8350, which after a Spectre patch ( I forget which atm), was actually faster on several task... Maybe this is the next performance boost for my PC. This is the list of a search with the word "spectre". https://www.phoronix.com/scan.php?page=search&q=spectre I'll see if I can dig up the benchmarks. Barracuda