New x86 micro-op vulnerability breaks all known Spectre defenses

417 点作者 DoomHotel大约 4 年前

24 条评论

akersten大约 4 年前

I've been saying this from the start: the well of issues is infinitely deep as soon as you decide that multiple tenants running on the same physical hardware inferring something about another is a vulnerability. I assert, but cannot rigorously prove, that it is not possible to design a CPU such that execution of arbitrary instructions has no observable side-effects, especially if the CPU is speculating.I don't know what that spells for cloud hosting providers - maybe they have to buy a lot more CPUs so every client can have their own, or commission a special "shared" SKU of CPU that doesn't have any speculative execution - but I know for me, if I have untrusted code running on my CPU, I've already lost. I could then care less about information leakage between threads.We're going to wind up undoing the last 20 years of performance gains in the name of 'security', and it scares me.

评论 #27001760 未加载

评论 #27004246 未加载

评论 #27001803 未加载

评论 #27003510 未加载

评论 #27013483 未加载

评论 #27002271 未加载

评论 #27004301 未加载

评论 #27003594 未加载

评论 #27006707 未加载

评论 #27005532 未加载

评论 #27012326 未加载

评论 #27006430 未加载

评论 #27005882 未加载

评论 #27006027 未加载

评论 #27004524 未加载

评论 #27008988 未加载

评论 #27009429 未加载

评论 #27002643 未加载

评论 #27003721 未加载

tester756大约 4 年前

>"Intel's suggested defense against Spectre, which is called LFENCE, places sensitive code in a waiting area until the security checks are executed, and only then is the sensitive code allowed to execute," Venkat said. "But it turns out the walls of this waiting area have ears, which our attack exploits. We show how an attacker can smuggle secrets through the micro-op cache by using it as a covert channel.">"In the case of the previous Spectre attacks, developers have come up with a relatively easy way to prevent any sort of attack without a major performance penalty" for computing, Moody said. "The difference with this attack is you take a much greater performance penalty than those previous attacks.">"Patches that disable the micro-op cache or halt speculative execution on legacy hardware would effectively roll back critical performance innovations in most modern Intel and AMD processors, and this just isn't feasible," Ren, the lead student author, said.

评论 #27004473 未加载

londons_explore大约 4 年前

The solution will be "do not share the micro-op cache between different address spaces".Which for old hardware will translate to "flush the micro op cache every time the address space changes".I would guess that can be done with a microcode update and that the performance hit wont be too massive.

评论 #27002587 未加载

评论 #27002028 未加载

CalChris大约 4 年前

The paper:I See Dead µops: Leaking Secrets via Intel/AMD Micro-Op Caches<a href="http://www.cs.virginia.edu/venkat/papers/isca2021a.pdf" rel="nofollow">http://www.cs.virginia.edu/venkat/papers/isca2021a.pdf</a>

amluto大约 4 年前

My response: <a href="https://lore.kernel.org/lkml/CALCETrXRvhqw0fibE6qom3sDJ+nOa_aEJQeuAjPofh=8h1Cujg@mail.gmail.com/" rel="nofollow">https://lore.kernel.org/lkml/CALCETrXRvhqw0fibE6qom3sDJ+nOa_...</a>I don’t think any new mitigations are needed.

floatingatoll大约 4 年前

I’d like to highlight this excellent post about x86 micro-ops “fusion” from three years ago, as it’s the reason I have any idea at all what micro-ops are:<a href="https://news.ycombinator.com/item?id=16304415" rel="nofollow">https://news.ycombinator.com/item?id=16304415</a>

baybal2大约 4 年前

You cannot realistically make a CPU invulnerable to performance analysisAnd you don't need to.There is really very few uses for real multi-system vs multi-process shared systems.Take a look on that whole "cloud" thing.All people I knew who worked in cloud hosting tell that most system are ridiculously overprovisioned, effectively nullifying any economic justification for a shared system

评论 #27001789 未加载

totallyabstract大约 4 年前

There are separate micro op caches per core however they are typically shared among hyperthreads. I wonder if this could be another good reason for cloud vendors to move away from 1vCPU = 1 hyperthread to 1vCPU = 1 core for x86 when sharing machines (not that there weren't enough good reasons already).

评论 #27001973 未加载

评论 #27006024 未加载

评论 #27001310 未加载

评论 #27001257 未加载

评论 #27001517 未加载

iam-TJ大约 4 年前

The U of V Engineering Faculty release is at<a href="https://engineering.virginia.edu/news/2021/04/defenseless" rel="nofollow">https://engineering.virginia.edu/news/2021/04/defenseless</a>

dataflow大约 4 年前

Question: How relevant are these for the average person? I know these matter for things like shared hosting, but I've yet to hear of an actual exploit in the wild that ordinary people have been attacked by, even with Spectre defenses turned off. Should normal people be worried about this?

评论 #27003086 未加载

评论 #27001632 未加载

ForOldHack大约 4 年前

This had to come. The only fix will be to add a BIOS setting for Speculative Access or no speculative access. Gamers all turn it on, with a machine patched, that runs nothing but their game. Everyone else, like browsing the web, off. Look for a encoded binary java script exploit that will own any speculative access system. Its coming too, just like this paper would eventually come.

评论 #27015250 未加载

Causality1大约 4 年前

I expect this to be just like Spectre. The media sizes it as a tool to use fear to drive engagement, vendors partially cripple their hardware to guard against it, and literally nobody ever bothers trying to actually use it against innocent people.

评论 #27006360 未加载

PopePompus大约 4 年前

I don't understand this at all; I didn't think the mico-op cache was visible to code written for the x86 ISA at all. Can anyone explain to an idiot (me) how something in micro-op cache can become visible to the outside world?

评论 #27001007 未加载

评论 #27001047 未加载

anthk大约 4 年前

<a href="https://www.mail-archive.com/source-changes@openbsd.org/msg99141.html" rel="nofollow">https://www.mail-archive.com/source-changes@openbsd.org/msg9...</a>OpenBSD disabled HT by default.

评论 #27006982 未加载

spacemanmatt大约 4 年前

Is ARM so much better? I can migrate my AWS hosts.

评论 #27001045 未加载

评论 #27001072 未加载

1cvmask大约 4 年前

This quote from the article explains the danger quite well:"Intel's suggested defense against Spectre, which is called LFENCE, places sensitive code in a waiting area until the security checks are executed, and only then is the sensitive code allowed to execute," Venkat said. "But it turns out the walls of this waiting area have ears, which our attack exploits. We show how an attacker can smuggle secrets through the micro-op cache by using it as a covert channel."

SG2000大约 4 年前

A close reading of the paper “I see dead uOps” would seem to indicate that Intel’s static thread partitioning of their micro-op cache would confer some inherent protection against uOp cache information leakage between threads - as compared to AMD’s dynamic thread partitioning scheme which could theoretically allow threads to spy on each other using the described techniques.If true, wouldn’t this also imply that an Intel Skylake CPU mitigates against such attempted attacks by one user against another in a shared CPU/ISP/cloud environment, whereas an AMD CPU theoretically would not? If true, this would be a key point that the authors failed to mention in their concluding remarks.Anyone else read it this way? Or am I missing something?

failwhaleshark大约 4 年前

The act of loading code into memory, be it a hypervisor or a guest OS, should've been gated by sanitation and validation callbacks. Building all of these macro- and micro-op runtime defenses and mitigations in the processor and slowing down the OSes for every possible runtime edge-case are a waste of speed that can be avoided by establishing trust of code pages.The morphing of data into code pages with JITs like JS should also be subject to similar restrictions.

ineedasername大约 4 年前

undocumented features in Intel and AMD processorsWhy is this at all a thing? Why would you ever leave something out there like that without documenting its existence?

评论 #27007148 未加载

smasher164大约 4 年前

Maybe EPIC [1] architectures need a revival. Rely on compilers to take advantage of explicit instruction-level parallelism, and keep the CPU dumb.[1] <a href="https://en.wikipedia.org/wiki/Explicitly_parallel_instruction_computing" rel="nofollow">https://en.wikipedia.org/wiki/Explicitly_parallel_instructio...</a>

评论 #27003941 未加载

评论 #27004707 未加载

评论 #27005951 未加载

juancn大约 4 年前

This may sound stupid, but the commonality in all these side channel attacks is that high precision time keeping is a non privileged operation.Maybe it’s time to make clocks a privileged op as a mitigation. Even making execution time non predictable on untrusted code, such as JavaScript?If precise time keeping is unavailable these become harder to do.

评论 #27013829 未加载

vmception大约 4 年前

Out of curiosity, is Apple's M1 processor seemingly faster because it is actually more similar to a normal CPU progression but all the other common CPU's - x86 - had retroactive performance hits due to patching Spectre.And therefore M1 seems so much more faster than it otherwise would?

评论 #27023657 未加载

评论 #27023671 未加载

Woodi大约 4 年前

Simplest way around all of this is back to one-core MULTI-SOCKET systems for "civilian" computers like x86 is.

评论 #27004653 未加载

druud62大约 4 年前

The CPU needs to make the overheard signals look just like random noise. A cheap XOR-stream (compare 2FA like Google Authenticator, or the remote in your car keys) should cover that.

评论 #27005068 未加载