Reptar

601 points by abhi9u, over 1 year ago

33 comments

dang, over 1 year ago
Related: https://cloud.google.com/blog/products/identity-security/google-researchers-discover-reptar-a-new-cpu-vulnerability

(via https://news.ycombinator.com/item?id=38268043, but we merged the comments hither)
xyst, over 1 year ago
Reading this makes me realize how little I know of the hardware that runs my software.

> Prefixes allow you to change how instructions behave by enabling or disabling features

Why do we need “prefixes” to disable or enable features? Is this for dynamically toggling features so you don’t have to go into BIOS?
tedunangst, over 1 year ago
Their diagnosis reminds me of what happened when qemu ran into repz ret. https://repzret.org/p/repzret/
ChrisRR, over 1 year ago
I really think HN rules should disallow titles like this. It tells me nothing about what the link is, the URL is even more confusing.

I think for such meaningless titles that the poster should add a small description.
krylon, over 1 year ago
This is very well written. I know little about assembly programming and Intel's ISA, let alone their microarchitectures, but I could follow the explanation and feel like I have a rough understanding of what is going on here.

Does anyone know if AMD CPUs are affected?
quotemstr, over 1 year ago
If the problem really is that the processor is confused about instruction length, I'm impressed that this problem can be fixed in microcode without a huge performance hit: my intuition (which could be totally wrong) is that computing the length of an instruction would be something synthesized directly to logic gates.

Actually, come to think of it, my hunch is that the uOP decoder (presumably in hardware) is actually fine and that the microcoded optimized copy routine is trying to infer things about the uOP stream that just aren't true --- "Oh, this is a rep mov, so of course I need to go backward two uOPs to loop" or something.

I expect Intel's CPU team isn't going to divulge the details though. :-)
atesti, over 1 year ago
I don't understand "ERMS" and "FSRM" and there seems to be nothing good on google about it.

Are these just CPUID flags that tell you that you can use a rep movsb for maximum performance instead of optimized SSE memcpy implementations? Or is it a special encoding/prefix for rep movsb to make it faster? In case of the latter, why would that be necessary? How does one make use of fsrm?
writeslowly, over 1 year ago
I noticed the Intel advisory [1] says the following:

Intel would like to thank Intel employees: [...] for finding this issue internally.

Intel would like to thank Google Employees: [...] for also reporting this issue.

[1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html
saagarjha, over 1 year ago
See also Intel’s advisory, which has a description of impact: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html

> Sequence of processor instructions leads to unexpected behavior for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege and/or information disclosure and/or denial of service via local access.
malkia, over 1 year ago
Konrad Magnusson from Paradox Interactive (Victoria 3) team found something related to that and mimalloc -> https://github.com/microsoft/mimalloc/issues/807

Not sure if fully related, but possibly.
doublerabbit, over 1 year ago
Any reason why it's named after the dinosaur from the cartoon Rugrats? Or was that what was on TV at the time?

Maybe I should start hacking while watching Teenage Mutant Ninja Turtles.
jefc1111, over 1 year ago
This was a lot more fun than the Google puff piece.
Borg3, over 1 year ago
Uhm.. Why not padding using NOP? Looks much safer than slapping around random prefixes.
bobim, over 1 year ago
Is it even possible to design a cpu with out-of-order and speculative execution that would have no security issue? Does the future lead to a swarm of disconnected A55 cores each running a single application?
varispeed, over 1 year ago
It's going to be a pain for cloud and shared hosting.

Most likely dedicated resources on demand will be the future. Some companies already offer it.
rep_lodsb, over 1 year ago
The REX prefix is redundant for 'movsb', but not 'movsd'/'movsq' (moving either 32- or 64-bit words, depending on the prefix). That may have something to do with the bug, if there is any shared microcode between those instructions?
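
rep_lodsb's point about REX and the MOVS family, as an added example that is not part of the thread or the linked article: a small C decoder for 64-bit mode that reports the element size moved and whether a REX prefix changes anything. It handles only the F3, 66, 67 and REX prefixes; the struct and function names and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Decoded view of one MOVS instruction in 64-bit mode. */
struct movs_info {
    int valid;         /* 1 if the bytes are prefixes followed by A4 or A5 */
    int rep;           /* F3 (REP) prefix present */
    int rex_seen;      /* a REX byte (0x40..0x4F) was present */
    int operand_bytes; /* element size moved per iteration */
    int rex_redundant; /* REX present but it does not change the operation */
};

static struct movs_info decode_movs(const uint8_t *p, size_t n)
{
    struct movs_info r = {0};
    uint8_t rex = 0;   /* only a REX directly before the opcode takes effect */
    int opsize16 = 0;  /* 66 operand-size override seen */
    for (size_t i = 0; i < n; i++) {
        uint8_t b = p[i];
        if (b == 0xF3)               { r.rep = 1; rex = 0; }
        else if (b == 0x66)          { opsize16 = 1; rex = 0; }
        else if (b == 0x67)          { rex = 0; }  /* address-size override */
        else if ((b & 0xF0) == 0x40) { r.rex_seen = 1; rex = b; }
        else if (b == 0xA4 || b == 0xA5) {
            int rex_w = (rex & 0x08) != 0;
            r.valid = 1;
            if (b == 0xA4)  r.operand_bytes = 1;   /* movsb is always 8-bit */
            else if (rex_w) r.operand_bytes = 8;   /* movsq */
            else            r.operand_bytes = opsize16 ? 2 : 4; /* movsw/movsd */
            /* No ModRM or SIB byte, so REX.R/X/B never matter; only W on A5 does. */
            r.rex_redundant = r.rex_seen && !(b == 0xA5 && rex_w);
            return r;
        } else break;  /* byte this sketch does not handle */
    }
    return r;
}

int main(void)
{
    /* Constructed sample encodings, not taken from the article or the thread. */
    static const uint8_t s[4][3] = {
        {0xF3, 0xA4, 0x90}, {0xF3, 0x40, 0xA4},   /* rep movsb, without and with REX */
        {0xF3, 0x48, 0xA5}, {0xF3, 0x40, 0xA5},   /* rep movsq (REX.W), rep movsd + empty REX */
    };
    for (int i = 0; i < 4; i++) {
        struct movs_info m = decode_movs(s[i], 3);
        printf("sample %d: size=%d rex_redundant=%d\n", i, m.operand_bytes, m.rex_redundant);
    }
}
```
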
tasty_freeze, over 1 year ago
Benchmarking is always problematic -- what is a good representative workload? All the same, I'd be curious if the ucode update that plugs this bug has affected CPU performance, e.g., it diverts the "fast short rep move" path to just use the "bad for short moves but great for long moves" version.
Flow, over 1 year ago
Would it be possible to describe a modern CPU in something like TLA+ to find all non-electrical problems like these?
quietpain, over 1 year ago
    ...our validation pipeline produced an interesting assertion...

What is a validation pipeline?
farhanhubble, over 1 year ago
This is such an interesting read, right in the league of "Smashing the stack" and "row hammer". As someone with very little knowledge of security I wonder if CPU designers do any kind of formal verification of the microcode architecture?
tommiegannert, over 1 year ago
Nice find. That indeed sounds terrible for anyone executing external code in what they believe to be sandboxes. Good thing it can be patched (and AFAICT, it seems to be a good fix, rather than a performance-affecting workaround.)
eigenform, over 1 year ago
I wonder which MCEs are being taken when this is triggered?
blauditore, over 1 year ago
Can someone give a TL;DR for non-CPU experts? All technical articles seem pretty long and/or complex.
asylteltine, over 1 year ago
Interesting write up. The submission needs a better and more accurate title though.
ZoomerCretin, over 1 year ago
Intel is a known partner of the NSA. If Intel was intentionally creating backdoors at the behest of the NSA, how would they look different from this vulnerability and the many other discovered vulnerabilities before it?
frontalier, over 1 year ago
The date on the article is for tomorrow?
ShadowBanThis01, over 1 year ago
Is what? Another useless title.
Lammy, over 1 year ago
> the processor would begin to report machine check exceptions and halt.

I get it https://www.youtube.com/watch?v=dXekDCcw2FE
mike_d, over 1 year ago
The most awesome part:

> This bug was independently discovered by multiple research teams within Google, including the silifuzz team and Google Information Security Engineering.
tazjin, over 1 year ago
Can we get a better title for this? "Reptar - new CPU vulnerability" or something. I thought it was some random startup ad until I picked up the name somewhere else.
yodon, over 1 year ago
Dupe: https://news.ycombinator.com/item?id=38268043

(As of this writing, this post has more votes, the other has more comments)
purpleidea, over 1 year ago
In this new Intel microcode bug, Tavis writes:

"We know something strange is happening, but how microcode works in modern systems is a closely guarded secret."

My question: How likely is it that this is an intentional bug door that was added into the microcode by Intel and its government partners?

I don't know enough about microcode and CPUs to be able to answer this myself, so backed-up opinions welcome!
rvba, over 1 year ago
It looks like Intel was cutting corners to be faster than AMD and now all those things come out. How much slower will all those processors be after multiple errata? 10%? 30%? 50%?

In a duopoly market there seems to be no real competition. And yes I know that some (not all) bugs also happen for AMD.