Pink Iguana

Home » Uncategorized » Spectre and Meltdown

Spectre and Meltdown

Advertisements

Rich Brueckner, inside HPC, Radio Free HPC Looks at Diverging Chip Architectures in the Wake of Spectre and Meltdown, here. the SIFive talk video  Tech Talk by Paul Kocher on 31 Jan is not bad.

The direction that we need to go as an industry though is …We need to stop trying to build one processor architecture that is great for playing video games and doing wire transfers. We need to build architectures where there are cores and software stacks designed for security that can be slower, that can be simpler, and we need separate ones that are optimized for performance.

Lucian Armasu, tom’s Hardware, Intel Expands Bug Bounty Program To Include Side-Channel Attacks, 14 Feb, here.

  • Shifting from an invitation-only program to a program that is open to all security researchers, significantly expanding the pool of eligible researchers.

  • Offering a new program focused specifically on side channel vulnerabilities through Dec. 31, 2018. The award for disclosures under this program is up to $250,000.
  • Raising bounty awards across the board, with awards of up to $100,000 for other areas.

 

Ryan Whitwham, ExtremeTech, Emergency Windows Update Removes Intel’s Buggy Spectre Patch, 3-Jan, here.

The fallout from the Spectre and Meltdown CPU vulnerabilities continue to send ripples through the technology industry, and Intel is suffering more than most. Its chips were vulnerable to all three variants of these attacks, and its fixes have been heavily criticized for introducing new bugs and doing a poor job of protecting users. Now, Microsoft has issued a rare out-of-cycle patch for Windows systems that removes Intel’s Spectre patch. That has to be embarrassing for Intel.

When we talk about the attack “variants” we’re referring to specific vulnerabilities. Variant 3 is Meltdown, and Variant 1 and Variant 2 are Spectre. Of these three, Variant 2 (CVE-2017-5715) is proving to be quite difficult to pin down for Intel. This Spectre variant is what’s known as a branch target injection, which could allow an attacker to execute arbitrary code on a system. Needless to say, that’s a very bad thing.

When Spectre was originally discovered, researchers feared the only way to mitigate it would be to disable CPU’s “speculative execution” features, which allow CPUs to work ahead and do calculations that may be needed in the future. This would come with a big performance hit. Google managed to work out an alternative called “Retpoline,” but Intel went its own way.

According to Microsoft, the Intel patch for Spectre Variant 2 has been causing unexpected system glitches, corrupted data, and unexpected reboots. It’s shocking Intel’s patch could be this bad considering it was given advance notice of the defects months ago and had plenty of time to develop the fix. Intel also ran into problems with the Linux patches, which Linus Torvalds called “complete and utter garbage” last week. It even made the patches optional on Linux systems in apparent acknowledgment of how shabby they were.

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: