Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsDesktop computingIntel Kernel Memory Vulnerability
View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
436 posts

Ultimate Geek
Inactive user


  #1931132 6-Jan-2018 08:38
Send private message

Batman:

 

djtOtago:

 

Why is this being blamed on the hardware (Intel/AMD/ARM) when it appears to be a problem with the way the OS is managing memory access?

 

 

Presumably (no I didn't take computer science at uni lol) it's a matter of time before people discover a similar "bug" with other things eg routers, ATMs, bank computers, power companies, traffic management, etc (that may use other CPUs)?

 

 

 

 

Hardware appliances such as routers/firewalls/switches don't usually run 3rd party apps - so even if their CPUs would be vulnerable you could not take advantage of it. ATMs/bank computers usually run a locked down OS like Windows, and traffic management systems usually do the same controlling SCADA devices.

 

For desktop operations antivirus solutions will be the usual line of defense against this vulnerability. And there are already AV signatures out for such code.

 

The real concern is for cloud and virtualized systems. Say you had some services deployed in cloud, and you had a malicious "neighbour" running on the same infrastructure - they may run this code to snoop on your system.

710 posts

Ultimate Geek


  #1931596 7-Jan-2018 07:59
Send private message

A good summary of the companies technical responses from Peter Bright at Ars, including white papers etc

https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

Clint

 
 
 
 


683 posts

Ultimate Geek


  #1931749 7-Jan-2018 15:08
Send private message

There is quite a good explanation here (although most of this appears to be limited to Meltdown):

 

https://arstechnica.com/gadgets/2018/01/whats-behind-the-intel-design-flaw-forcing-numerous-patches/

 

The solution that both the Windows and Linux developers have picked is substantially the same, and derived from that KAISER work: the kernel page table entries are no longer shared with each process. In Linux, this is called Kernel Page Table Isolation (KPTI).

 

The impact of this will vary depending on the workload. Every time a program makes a call into the kernel—to read from disk, to send data to the network, to open a file, and so on—that call will be a little more expensive, since it will force the TLB to be flushed and the real kernel page table to be loaded. Programs that don't use the kernel much might see a hit of perhaps 2-3 percent—there's still some overhead because the kernel always has to run occasionally, to handle things like multitasking.

 

But workloads that call into the kernel a ton will see much greater performance drop off.

 

While Intel systems are the ones known to have the defect, they may not be the only ones affected. Some platforms, such as SPARC and IBM's S390, are immune to the problem, as their processor memory management doesn't need the split address space and shared kernel page tables; operating systems on those platforms have always isolated their kernel page tables from user mode ones.

 

For people running VMs:

 

https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

 

Result of exploitation may allow for information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host. The remediation listed in the table below is for the known variants of the Bounds Check Bypass and Branch Target Injection issues.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-5753 (Bounds Check bypass) and CVE-2017-5715 (Branch Target Injection) to these issues.

 

Running a cloud/vm infrastructure without patching would be irresponsible, but if a significant percentage of cloud/vm workloads are databases (perhaps the most likely to be affected), then the total performance degradation on a huge cloud/vm environment might be significant.




#include <standard.disclaimer>

636 posts

Ultimate Geek


  #1931953 8-Jan-2018 09:23
Send private message

djtOtago:

 

Just updated my older laptop.

 

Similar result.

 

 

Edit: Just re-encoded one of my test videos.
Took exactly the same time to encode as before the update.  

 

 

As far as I can tell you will not get a 100% positive result on this test without both the windows patch and a BIOS update. You will also need a post-Haswell CPU for PCID optimisation (not required for security, but mitigates the performance loss somewhat).

 

My Haswell laptop is fully protected after a BIOS update.

 

BDFL - Memuneh
66334 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #1932005 8-Jan-2018 09:59
Send private message

BIOS or microcode/firmware update?




 

Geekzone broadband switch | Backblaze backup (Geekzone aff) | Amazon (Geekzone aff) | MightyApe (Geekzone aff) | Sharesies (ref code) | My technology disclosure 

636 posts

Ultimate Geek


  #1932017 8-Jan-2018 10:08
Send private message

freitasm:

 

BIOS or microcode/firmware update?

 

 

Either, I suppose. I should have said you will need updates from both Microsoft and your motherboard/system manufacturer. As I understand it the latter could be either a microcode update (via Windows Update) or a BIOS update.

BDFL - Memuneh
66334 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #1932018 8-Jan-2018 10:13
Send private message

Yes, this was expanded in the previous page. AFAIK it is a microcode update. In the case of Surface it will he delivered as a firmware update. Other manufacturers may call it BIOS but really BIOS and firmware are different things.




 

Geekzone broadband switch | Backblaze backup (Geekzone aff) | Amazon (Geekzone aff) | MightyApe (Geekzone aff) | Sharesies (ref code) | My technology disclosure 

 
 
 
 


1307 posts

Uber Geek

Trusted
Nurse (R)
Lifetime subscriber

  #1932990 9-Jan-2018 17:15
Send private message

Apple has today released their security supplemental updates to High Sierra 10.13.2 & El Capitan and iOS to address this issue. Though on my iMac High Sierra the size was  only 148Mb but it took approx ½ hour, after download , to install with 3 restarts.




iMac 27" (late 2013), Airport Time Capsule + Airport Express, iPhone7, iPad6, iPad Mini2

 

Panasonic Blu-ray PVR DMR-BWT835 + Panasonic Viera TH-L50E6Z, Chromecast Ultra, Yamaha AVR RX-V1085

BDFL - Memuneh
66334 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #1935371 10-Jan-2018 10:18
Send private message

Microsoft has posted "Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems".

 

From the blog:

 

 

  • With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
  • With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
  • With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
  • Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.

For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel. We will publish data on benchmark performance in the weeks ahead.

 

 

 




 

Geekzone broadband switch | Backblaze backup (Geekzone aff) | Amazon (Geekzone aff) | MightyApe (Geekzone aff) | Sharesies (ref code) | My technology disclosure 

TLD

708 posts

Ultimate Geek


  #1935671 10-Jan-2018 15:28
Send private message

Toms put this up ten minutes ago.  It's sounding like a double hit for older systems.  They will inherently have less performance than newer systems to start with, and will suffer the greater slow down.

 

http://www.tomshardware.com/news/microsoft-intel-slowdown-old-chips,36293.html

 

So for my wife who has a elderly two core AMD system, and just uses it for Internet and Office, can she ignore the updates/patches?  It only has to hold together till my 7900X system arrives, after which she will use my old 3930K system.

 

[EDIT]  In fact it's even worse than a slow down, because Toms also put this up at lunch time which says the patch are making some old AMD systems unbootable!  Methinks I'll turn off auto updates on her old system.

 

http://www.tomshardware.com/news/meltdown-spectre-update-amd-unbootable,36291.html

 

 

 

 

 

 




Trevor Dennis
Rapaura (near Blenheim)

1426 posts

Uber Geek


  #1935687 10-Jan-2018 15:41
Send private message


allio:

freitasm:


BIOS or microcode/firmware update?



Either, I suppose. I should have said you will need updates from both Microsoft and your motherboard/system manufacturer. As I understand it the latter could be either a microcode update (via Windows Update) or a BIOS update.



From memory, an errata (the name for a change to the CPU spec) is loaded into the CPU during startup (during the init phase I think) and is stored in non-volatile memory (NVM) - I think your bios.

For an update to the OS kernel itself, this would I think be a normal windows update.

As I understand it, although not really following the issue, I think two of the three Meltdown fixes are OS updates and the third requires both an OS and Microcode update. I suspect there will be more updates at some stage as part of the usual update process.




Software Engineer
   (the practice of real science, engineering and management)

1814 posts

Uber Geek

Lifetime subscriber

  #1935698 10-Jan-2018 16:00
Send private message

Is there a simple way for your average pc user to test for the vulnerability?

 

I had a go at the powershell thing mentioned earlier but it was bit beyond my capability.




Life is too short to remove USB safely.

BDFL - Memuneh
66334 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #1935699 10-Jan-2018 16:03
Send private message

Updated my Windows 7 dev VM today with latest security patches... And this happened:

 

 

Remember, as per above "Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel."

 

Damn.




 

Geekzone broadband switch | Backblaze backup (Geekzone aff) | Amazon (Geekzone aff) | MightyApe (Geekzone aff) | Sharesies (ref code) | My technology disclosure 

UHD

656 posts

Ultimate Geek
Inactive user


  #1936097 11-Jan-2018 11:33
Send private message

So what are the chances of microcode updates for hardware from Intel that is 6+ years old? I think the last BIOS updates they offer are from 2014 am I right in betting engineers won't be bothering?

6615 posts

Uber Geek
Inactive user


  #1936141 11-Jan-2018 11:58
Send private message

Should I do it or should I not?
Anyone got any idea on the performance hit?

Cheers

 

 

 

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
View this topic in a long page with up to 500 replies per page Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Intel introduces 10th Gen Intel Core H-series for mobile devices
Posted 2-Apr-2020 21:09

COVID-19: new charitable initiative to fund remote monitoring for at-risk patients
Posted 2-Apr-2020 11:07

Huawei introduces the P40 Series of Android-based smartphones
Posted 31-Mar-2020 17:03

Samsung Galaxy Z Flip now available for pre-order in New Zealand
Posted 31-Mar-2020 16:39

New online learning platform for kids stuck at home during COVID-19 lockdown
Posted 26-Mar-2020 21:35

New 5G Nokia smartphone unveiled as portfolio expands
Posted 26-Mar-2020 17:11

D-Link ANZ launches wireless AC1200 4G LTE router
Posted 26-Mar-2020 16:32

Ring introduces two new video doorbells and new pre-roll technology
Posted 17-Mar-2020 16:59

OPPO uncovers flagship Find X2 Pro smartphone
Posted 17-Mar-2020 16:54

D-Link COVR-2202 mesh Wi-Fi system now protected by McAfee
Posted 17-Mar-2020 16:00

Spark Sport opens its platform up to all New Zealanders at no charge
Posted 17-Mar-2020 10:04

Spark launches 5G Starter Fund
Posted 8-Mar-2020 19:19

TRENDnet launches high-performance WiFi Mesh Router System
Posted 5-Mar-2020 08:48

Sony boosts full-frame lens line-up with introduction of FE 20mm F1.8 G large-aperture ultra-wide-angle prime Lens
Posted 5-Mar-2020 08:44

Vector and Spark teamed up on smart metering initiative
Posted 5-Mar-2020 08:42


Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.