vulcannz

  #1931132 6-Jan-2018 08:38

Batman:

djtOtago:

Why is this being blamed on the hardware (Intel/AMD/ARM) when it appears to be a problem with the way the OS is managing memory access?

Presumably (no I didn't take computer science at uni lol) it's a matter of time before people discover a similar "bug" with other things eg routers, ATMs, bank computers, power companies, traffic management, etc (that may use other CPUs)?

Hardware appliances such as routers/firewalls/switches don't usually run 3rd party apps - so even if their CPUs would be vulnerable you could not take advantage of it. ATMs/bank computers usually run a locked down OS like Windows, and traffic management systems usually do the same controlling SCADA devices.

 

For desktop operations antivirus solutions will be the usual line of defense against this vulnerability. And there are already AV signatures out for such code.

 

The real concern is for cloud and virtualized systems. Say you had some services deployed in cloud, and you had a malicious "neighbour" running on the same infrastructure - they may run this code to snoop on your system.




clinty

  #1931596 7-Jan-2018 07:59

A good summary of the companies' technical responses from Peter Bright at Ars, including white papers etc.

https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

Clint

alexx

  #1931749 7-Jan-2018 15:08

There is quite a good explanation here (although most of this appears to be limited to Meltdown):

 

https://arstechnica.com/gadgets/2018/01/whats-behind-the-intel-design-flaw-forcing-numerous-patches/

 

The solution that both the Windows and Linux developers have picked is substantially the same, and derived from that KAISER work: the kernel page table entries are no longer shared with each process. In Linux, this is called Kernel Page Table Isolation (KPTI).

 

The impact of this will vary depending on the workload. Every time a program makes a call into the kernel—to read from disk, to send data to the network, to open a file, and so on—that call will be a little more expensive, since it will force the TLB to be flushed and the real kernel page table to be loaded. Programs that don't use the kernel much might see a hit of perhaps 2-3 percent—there's still some overhead because the kernel always has to run occasionally, to handle things like multitasking.

 

But workloads that call into the kernel a ton will see much greater performance drop off.

 

While Intel systems are the ones known to have the defect, they may not be the only ones affected. Some platforms, such as SPARC and IBM's S390, are immune to the problem, as their processor memory management doesn't need the split address space and shared kernel page tables; operating systems on those platforms have always isolated their kernel page tables from user mode ones.

 

For people running VMs:

 

https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

 

Result of exploitation may allow for information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host. The remediation listed in the table below is for the known variants of the Bounds Check Bypass and Branch Target Injection issues.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-5753 (Bounds Check bypass) and CVE-2017-5715 (Branch Target Injection) to these issues.

 

Running a cloud/vm infrastructure without patching would be irresponsible, but if a significant percentage of cloud/vm workloads are databases (perhaps the most likely to be affected), then the total performance degradation on a huge cloud/vm environment might be significant.





#include <standard.disclaimer>




allio

  #1931953 8-Jan-2018 09:23

djtOtago:

 

Just updated my older laptop.

 

Similar result.

 

 

Edit: Just re-encoded one of my test videos.
Took exactly the same time to encode as before the update.  

 

 

As far as I can tell you will not get a 100% positive result on this test without both the Windows patch and a BIOS update. You will also need a post-Haswell CPU for PCID optimisation (not required for security, but mitigates the performance loss somewhat).

 

My Haswell laptop is fully protected after a BIOS update.
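
Two things come up in the posts above: whether kernel page table isolation is active (KPTI on Linux, per the Ars excerpt) and whether the CPU offers PCID to soften its cost. On a Linux host both can be read from `/proc/cpuinfo` and the kernel's sysfs vulnerability file. This is an added example, not part of any post in the thread; the sample inputs are constructed and the function names are illustrative.

```python
from pathlib import Path

SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/meltdown")

# Constructed sample inputs, not captured from a real machine.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "model name\t: Example CPU (constructed)\n"
    "flags\t\t: fpu vme pae pcid sse4_2 invpcid pti\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n"
)
SAMPLE_SYSFS = "Mitigation: PTI\n"


def _field(cpuinfo, name):
    """Tokens of the first 'name : a b c' line in /proc/cpuinfo text."""
    for line in cpuinfo.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == name:
            return set(value.split())
    return set()


def kpti_status(cpuinfo, sysfs_text=None):
    """Summarise Meltdown exposure, KPTI state and PCID availability."""
    flags, bugs = _field(cpuinfo, "flags"), _field(cpuinfo, "bugs")
    sysfs = (sysfs_text or "").strip()
    if sysfs:  # patched kernels report the verdict here
        affected = not sysfs.startswith("Not affected")
        mitigated = sysfs.startswith("Mitigation")
    else:  # no sysfs file: kernel may predate the patches, so stay cautious
        affected = True if "cpu_meltdown" in bugs else None  # None = unknown
        mitigated = "pti" in flags
    return {
        "affected": affected,
        "kpti_active": mitigated,
        "pcid": "pcid" in flags,        # lets KPTI avoid full TLB flushes
        "invpcid": "invpcid" in flags,
        "needs_action": affected is not False and not mitigated,
    }


if __name__ == "__main__":
    cpuinfo = Path("/proc/cpuinfo")
    live = cpuinfo.exists()
    text = cpuinfo.read_text() if live else SAMPLE_CPUINFO
    sysfs = SYSFS.read_text() if SYSFS.exists() else (None if live else SAMPLE_SYSFS)
    for key, value in kpti_status(text, sysfs).items():
        print(f"{key:13} {value}")
```

This covers only the Meltdown/KPTI side; the Spectre variants that need a microcode or firmware update are not checked here.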

 


freitasm

  #1932005 8-Jan-2018 09:59

BIOS or microcode/firmware update?





Please support Geekzone by subscribing, or using one of our referral links: Samsung | AliExpress | Wise | Sharesies | Hatch | GoodSyncBackblaze backup


allio

  #1932017 8-Jan-2018 10:08

freitasm:

 

BIOS or microcode/firmware update?

 

 

Either, I suppose. I should have said you will need updates from both Microsoft and your motherboard/system manufacturer. As I understand it the latter could be either a microcode update (via Windows Update) or a BIOS update.


freitasm

  #1932018 8-Jan-2018 10:13

Yes, this was expanded in the previous page. AFAIK it is a microcode update. In the case of Surface it will be delivered as a firmware update. Other manufacturers may call it BIOS but really BIOS and firmware are different things.




FineWine

  #1932990 9-Jan-2018 17:15

Apple has today released their security supplemental updates to High Sierra 10.13.2 & El Capitan and iOS to address this issue. Though on my iMac High Sierra the size was only 148Mb but it took approx ½ hour, after download, to install with 3 restarts.





Whilst the difficult we can do immediately, the impossible takes a bit longer. However, miracles you will have to wait for.


freitasm

  #1935371 10-Jan-2018 10:18

Microsoft has posted "Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems".

 

From the blog:

 

 

  • With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
  • With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
  • With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
  • Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.

For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel. We will publish data on benchmark performance in the weeks ahead.

 

 

 





TLD

  #1935671 10-Jan-2018 15:28

Toms put this up ten minutes ago.  It's sounding like a double hit for older systems.  They will inherently have less performance than newer systems to start with, and will suffer the greater slow down.

 

http://www.tomshardware.com/news/microsoft-intel-slowdown-old-chips,36293.html

 

So for my wife who has an elderly two core AMD system, and just uses it for Internet and Office, can she ignore the updates/patches?  It only has to hold together till my 7900X system arrives, after which she will use my old 3930K system.

 

[EDIT]  In fact it's even worse than a slow down, because Toms also put this up at lunch time which says the patches are making some old AMD systems unbootable!  Methinks I'll turn off auto updates on her old system.

 

http://www.tomshardware.com/news/meltdown-spectre-update-amd-unbootable,36291.html

 

 

 

 

 

 





Trevor Dennis
Rapaura (near Blenheim)

TwoSeven

  #1935687 10-Jan-2018 15:41


allio:

freitasm:


BIOS or microcode/firmware update?



Either, I suppose. I should have said you will need updates from both Microsoft and your motherboard/system manufacturer. As I understand it the latter could be either a microcode update (via Windows Update) or a BIOS update.



From memory, an errata (the name for a change to the CPU spec) is loaded into the CPU during startup (during the init phase I think) and is stored in non-volatile memory (NVM) - I think your bios.

For an update to the OS kernel itself, this would I think be a normal Windows update.

As I understand it, although not really following the issue, I think two of the three Meltdown fixes are OS updates and the third requires both an OS and Microcode update. I suspect there will be more updates at some stage as part of the usual update process.





Software Engineer
   (the practice of real science, engineering and management)

 

Gender Neutral
   (a person who believes in equality and who does not believe in/use stereotypes. Examples such as gender, binary, nonbinary, male/female etc.)

 

 ...they/their/them...


kiwifidget

  #1935698 10-Jan-2018 16:00

Is there a simple way for your average pc user to test for the vulnerability?

 

I had a go at the PowerShell thing mentioned earlier but it was a bit beyond my capability.





Delete cookies?! Are you insane?!


freitasm

  #1935699 10-Jan-2018 16:03

Updated my Windows 7 dev VM today with latest security patches... And this happened:

 

 

Remember, as per above "Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel."

 

Damn.





UHD

  #1936097 11-Jan-2018 11:33

So what are the chances of microcode updates for hardware from Intel that is 6+ years old? I think the last BIOS updates they offer are from 2014; am I right in betting engineers won't be bothering?


Coil

  #1936141 11-Jan-2018 11:58

Should I do it or should I not?
Anyone got any idea on the performance hit?

Cheers

 

 

 

