You can't ignore Spectre. Look, it's pressing its nose against your screen

The Spectre processor design vulnerability is here to stay. Even if you choose to ignore it, the problem still exists. This is potentially a very bad thing for public cloud vendors. It may end up being great for chip manufacturers. It's fantastic for VMware. Existing patches can fix Meltdown, but only seem to be able to …

        1. big_D Silver badge

          Re: Dedicated instances

          Probably not better, but hopefully good enough.

          CEH v9, VMWare CP, MSCSE, LPI. But, everything in the server room is behind our firewall and security systems. We control who has access, we control what software comes on the servers and PCs, we control what extra security is put in place.

          If somebody gains access to the servers, we only have ourselves to blame.

          If somebody gains access to the cloud, the providers shrug their shoulders, try and clean up their act and we are still the ones who get hauled in front of a court for splurging our customers' details.

          1. Ken Hagan Gold badge

            Re: Dedicated instances

            "Probably not better, but hopefully good enough."

            Since you are not trying to secure against an attacker who is legitimately already running on the same hardware, you don't *need* to be better. You don't even need to be as good. I think that's the point that your critic was missing.

        2. Mark 65

          Re: Dedicated instances

          "And they have you to secure it - and you are better at cybersecurity than all the people at Google and Amazon."

          What makes you think they're so damned good? FFS Google were running non-encrypted comms between data centres and got absolutely fucking owned by the TLAs. Have Google never released security fixes for Chrome? Seriously, your argument is just so weak. They'd need to be orders of magnitude better because

          1. The potential attacker is already on the hardware (shared resources)

          2. As an aggregator of compute users they are such a big fat juicy target whereas Johnny SME just isn't as attractive.

          You are also guilty of making assumptions as to how capable the OP may be. Plenty of talented people would rather not work for companies like Google and by all accounts they seem to have their fair share of chaff.

    1. Uffish

      Re: " guaranteed not to share"

      My tinfoil hat turns blue whenever that phrase occurs.

  1. Doctor Syntax Silver badge

    "What it means is that enterprises are relying on the public cloud to handle the really large workloads."

    Maybe they'll need to look at the relative financial merits of stopping doing that until the new generation of H/W is available vs doing it in-house.

    1. Sir Runcible Spoon Silver badge

      Does this mean the bean-counters now have a magic £/$ figure to put into their risk column?

      All of a sudden cloud computing doesn't look quite so cheap, yet what really, in essence, has changed with regards to the risk? The likelihood has risen, that's all - the impact is the same as it always was.

      1. Doctor Syntax Silver badge

        "The likelihood has risen, that's all - the impact is the same as it always was."

        Risk is a function of both.

        1. Sir Runcible Spoon Silver badge

          I realise that :P

          My point was that cost analysis is related to impact, not whether it will happen or not.

          In my experience bean counters don't listen to techies and tend to vastly underestimate the cost of the impact of some of these issues. I've seen valid observations dismissed because someone who doesn't understand the inter-connectedness of underlying IT thinks the techies are exaggerating the potential impact of a problem arising.

          I've experienced the very same thing on a recent project. Not from the bean-counters, but from the project managers who just want to hit their milestones - regardless of the risk when you cut corners.

  2. Thoguht Silver badge

    Isn't the Xeon Phi in-order? Up to 72 cores with 4 threads per core. Sorted.

    1. Anonymous Coward

      Xeon Phi processors are not only rather expensive, but pretty slow in ordinary single-thread integer work, since even the highest model tops out at a paltry 1700MHz. The lack of out-of-order execution widens the performance gap even more.

      CPU speed isn't critical in file/print serving and such, but when the higher powers want to crunch data in their BI software set, then the CPU is a bottleneck for the next hour or so. (which may be due to bad software since it doesn't do parallel things)

      1. Anonymous Coward

        "but when the higher powers want to crunch data in their BI software set, then the CPU is a bottleneck for the next hour or so"

        Reducing the use of BI software and forcing people to use their brains might even prevent the next Carillion.

        1. Doctor Syntax Silver badge

          "forcing people to use their brains might even prevent the next Carillion."

          It depends on the quality of the brains as to whether it prevents the next Carillion.

          1. Anonymous Coward

            "It depends on the quality of the brains as to whether it prevents the next Carillion."

            Not entirely. The downside of computers is that they allow stupid people to be stupid even faster, hence the 2008 crisis. In the days when mortgages were handwritten on vellum by clerks, the throughput just didn't allow the same rate of making bad decisions. It was said that the advent of spreadsheets greatly increased fraud as bank managers were taken in by what looked like the product of vast intellectual resources, rather than one conman who had managed to blag time on a PC.

            1. Charles 9 Silver badge

              Trouble is, speed sells. If you can't get them through quickly, customers leave you for someone who can.

  3. 0laf Silver badge

    Sounds like they're left with insurance as a mitigation.

    Who has started selling spectre insurance then?

    1. Sir Runcible Spoon Silver badge

      "Who has started selling spectre insurance then?"

      Since it's just a re-branding exercise I reckon the market will be flooded quite soon.

  4. Missing Semicolon

    Smells like the financial crash...

    ... only it's silicon, not CDOs.

    The banks basically got the state to bail them out, and then carried on as before.

    Intel essentially expect us to just queue up to buy new chips and motherboards at full price to fix the problem caused by their poor CPU design.

    If they play their cards right, they will be richer as a result!

    The way I see it, you should be able to get a mail-in rebate on your old processor and motherboard!

    1. Yet Another Anonymous coward Silver badge

      Re: Smells like the financial crash...

      More like farming.

      We fed ground up cow brains to cows to grow faster and were shocked when that turned out to be a bad idea.

      We decided that all that protected mode and ring security could be bypassed to run faster and were surprised when that turned out to be a bad idea.

      1. Charles 9 Silver badge

        Re: Smells like the financial crash...

        But they didn't seem like bad ideas at the time, particularly with other, more immediate pressures to address like DEADLINES.

  5. Pascal Monett Silver badge

    "It's not quite that simple"

    And just what exactly can I do about it? Nada.

    While I applaud any article that draws attention to the security deficiencies of The Cloud (TM), I cannot help but remain unimpressed at this latest expositional piece. Telling me that state actors have the means to create malware to spy on VMs I would have spinning on AWS instances is hardly that important when the NSA can just write a National Security Letter to Amazon and have Bezos send them the data.

    Having another country capable of it does not really make a difference.

    1. Even Jelical

      Re: "It's not quite that simple"

      point = missed completely

    2. iron Silver badge

      Re: "It's not quite that simple"

      @Pascal Monett Yup, another lengthy diatribe by Potts with little or no useful content to take away from it.

    3. Ken Hagan Gold badge

      Re: "It's not quite that simple"

      "Having another country capable of it does not really make a difference."

      On the contrary, if you are a US company (or a close enough friend), it is unlikely that the NSA will write such a letter with the intention of causing your business to suffer a cataclysmic accident that wipes you off the map. (OK. In practice it might be more sensible to cause you a thousand minor headaches that, over time, make you less competitive than your rivals. But you get the idea.)

      Some other countries' intelligence agencies might have different priorities.

  6. Gordon 10 Silver badge

    A bit less FUD please El Reg

    How is this any worse than a zero day in any of the VM hypervisors? Let's have a sense of perspective please.

    They basically say that organisations have to do everything within their power to protect against any flaws that they reasonably should have known existed.

    The above is mostly bollocks - every regulation that I have come across has a "reasonableness test", i.e. it wasn't reasonable to expect us to replace all our servers.

    Let's look at what's needed to actually weaponise Spectre.

    1. Develop exploit code.

    2. Deploy exploit code.

    3. Actually find something worth stealing in several Gigs worth of randomly addressed memory per server whilst all the while trying not to get caught.

    Points 2 & 3 essentially mean that the biggest risk is either a bulk attack that will quickly be spotted and closed out AND which also requires another exploit to plant a lurker on a significant set of kit, OR a targeted attack on a known juicy target à la NSA and GCHQ.

    Either of which is only med risk IMO.

    There are bigger risks to worry about.

    1. Anonymous Coward

      Re: A bit less FUD please El Reg

      "zero day in any of the VM hypervisors"

      I'll see your patch-able zero day and raise you an undetectable exploit that could potentially be used to re-write your OS.

    2. 2Nick3

      Re: A bit less FUD please El Reg

      Regarding #3, they're running the exploit on cloud. Where, per the article:

      "What it means is that enterprises are relying on the public cloud to handle the really large workloads."

      So it's pretty much exactly where they want to be. It would be easy enough to pull the data using the exploit, then process it to see if there's anything useful, or if not directly useful if there's a good target - say a banking operation. If you know you're running on a good host, then you keep pulling data until you get what will be useful to exploit.

      And from what it sounds like no one will have any idea that you're doing it.

  7. SPiT

    Can anyone explain why we should consider SPECTRE a hardware fault?

    I continue to be confused about why everyone keeps talking about SPECTRE as if it is a hardware fault. As far as I can make out the issue is that SPECTRE can be used to read the entire readable address space of your own process. The hardware security promise is that you CAN do this. The problem lies with the whole idea of running a sandboxed program within this environment that cannot see the rest of the address space without having a security rules commitment from the CPU manufacturer. The only sensible way to have safe sandboxing is to have a hardware promise behind it. The obvious solution is for all scripting / sandboxing solutions to use essentially the same solution as for Meltdown: make sure that the only mapped memory in the process environment is that which is allowed, with the benefit that if you don't have a Meltdown problem you can use privilege flagging to protect it.

    I appreciate that there are issues around how virtualisation works but the idea that Javascript, for example, wasn't massively exposed to sandbox breaches anyway is madness.

    1. TechnicalBen Silver badge

      Re: It kind of is and is not.

      No one realised this side channel was actually usable. They may have known it was there, and "possible", but some things are possible but not practical (brute forcing some encryption hits the heat death of the universe etc).

      So while the software was partially vulnerable to SPECTRE, the hardware continued with branch prediction because it was thought to be a near impossibility to exploit. Turns out it can be done (though slowly, at KB/MB per hour kind of speed). It's a bit like the row hammer exploits etc. It's a part of the "failings" of computing, not of a specific design (halting problem, P versus NP problem etc).

      Google have already hinted at a way to mitigate it entirely. But setting up any (and only to avoid performance hits elsewhere) sensitive data to be branch prediction proof (though in their case I think they do it via blocking branch prediction for that bit of code, not proofing the actual code itself entirely).

      So that kind of mitigation will take changes from the ground up, and a lot of time. It will still leave the occasional programmer/compiler writing out the password to an unprotected bit of memory and being at risk of being read... unless the entire computer blocks branch prediction, this will be the extra work needed to mitigate it. :(
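As an added example (not code from the comment thread, nor Google's or Intel's mitigation), here is what "making a bit of code branch prediction proof" looks like for one bounds-checked lookup: the Spectre variant 1 shape beside a branchless, index-masked form. The function names and the sample table are assumptions; the mask formula follows the shape of the Linux kernel's array_index_mask_nospec() helper.

```c
/* Added example, not code from the comment thread: the "before" and
 * "after" of making one bounds-checked lookup branch-prediction proof,
 * in the spirit of the kernel's array_index_nospec() helper.
 * The table contents are constructed sample data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 16
/* Constructed sample table; stands in for any data the code is allowed
 * to read. Whatever sits in memory after it is what speculation must
 * never be allowed to touch. */
static const uint8_t table[TABLE_LEN] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};

/* Before: the classic Spectre variant 1 shape. The branch predictor can
 * guess "in range" and the CPU then executes table[idx] speculatively
 * for an out-of-range idx before the compare resolves; the architectural
 * result is discarded, the cache footprint is not. */
uint8_t read_branchy(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* After, step 1: derive an all-ones/all-zeros mask from idx and len with
 * arithmetic only, so there is no branch for the predictor to mispredict.
 * idx | (len - 1 - idx) has its top bit clear exactly when idx < len
 * (assumes len < SIZE_MAX / 2, the same restriction the kernel accepts).
 * Relies on arithmetic right shift of a negative value, as gcc/clang do. */
static inline size_t index_mask_nospec(size_t idx, size_t len)
{
    return (size_t)(~(intptr_t)(idx | (len - 1 - idx)) >> (sizeof(size_t) * 8 - 1));
}

/* After, step 2: clamp the index with the mask before the load. An
 * out-of-range idx becomes 0, so even a speculative load stays inside
 * the table; masking the result keeps the "return 0" semantics. */
uint8_t read_masked(size_t idx)
{
    size_t mask = index_mask_nospec(idx, TABLE_LEN);
    return table[idx & mask] & (uint8_t)mask;
}

/* Self-check: both versions must agree architecturally for every index in
 * [from, to); the difference is only in what may happen speculatively. */
int implementations_agree(size_t from, size_t to)
{
    for (size_t i = from; i < to; i++)
        if (read_branchy(i) != read_masked(i))
            return 0;
    return 1;
}

int main(void)
{
    printf("mask(3)=%zx mask(16)=%zx\n",
           index_mask_nospec(3, TABLE_LEN), index_mask_nospec(16, TABLE_LEN));
    printf("agree over 0..64: %d\n", implementations_agree(0, 64));
    return 0;
}
```

This covers the variant 1 pattern only; the cross-process branch-target poisoning described further down the thread needs different mitigations (retpoline-style call sequences or the CPU's branch-control features).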

    2. mevets

      Re: Can anyone explain why we should consider SPECTRE a hardware fault

      Spectre lets you read other processes' address space; Meltdown lets you read a privileged address space. Where it gets confusing is that the privileged address space is in your map, you just aren't supposed to be able to peek at it. Sadly you are.

      Modern CPUs have branch prediction mechanisms which inform the speculative execution mechanism whether it is likely a given (conditional) path will be followed. The predictor works from virtual addresses, which I think is part of the mistake; they should work from virtual address + Address Space IDentifier. Since my process has virtual addresses, as does my victim's, and we likely share code in a shared library (libc.so, {mumble}.dll, ...) I can choose an address in my mapping of this library, and poison the branch predictor to favour a particular path. Then, when my victim runs in the area of this path, the branch predictor will follow it, and dirty the cache based upon the data. I then measure the cache dirt, and voila, I know what that data was.

      Seems like a lot, but with the use of decent analysis tools to find candidate paths and a little reverse engineering of some programs, and a pile of money or bitcoins as the payoff, you are away.

      It strikes me that there is a readily available mitigation for OSes: don’t permit the same virtual address to appear in two address spaces. This means that libc.so would be mapped to unique locations in each process. Most binaries are relocatable [ needed for ASLR ] so it shouldn’t be a big deal for them; that leaves only ‘forked’ processes as potential victims, and only forked copies of them can be used to induce the predictor.

      This would have been tragic in 32bit machines, but 64bit machines, even with lowly 47 bit VA space, can still offer 1024 unique address spaces of 140 GBytes...

  8. thondwe

    Containers worse than VMs?

    Suggestion is that once the Microcode fixes are available and don't do further damage, attacks from VMs to Kernels are sorted for the moment? However, App <-> App attack is still an issue - so Container style hosting is in real trouble?

  9. Anonymous Coward

    Hit to clouds?

    So does this mean that cloud services are going to be shunned for the foreseeable future? Will there be a rush to go back to self hosting of data as a more secure storage method?


    1. SquidEmperor

      Anyone got some cheap C90 cassettes?

      What? Are we not cloud now? I just offloaded my last C90 cassette tapes (Hot Hits of the 80's Vol.3) because I thought we were all cloud, Spotify and Netflix. I should have listened to my mother.

  10. Ugotta B. Kiddingme Silver badge

    but hang on a bit

    I thought we already had a proper solution for SPECTRE

  11. Tim Brown 1

    Unnecessarily alarmist

    The biggest weakness in any organisation is always going to be the human element. The "password on a post-it note" syndrome.

    Why bother going to the immense time and trouble of developing speculative Spectre exploits to harvest random data when you could just honey-trap a senior executive who has all the access you need?

    1. Steve the Cynic

      Re: Unnecessarily alarmist

      Obligatory reference: https://xkcd.com/538/

    2. croky

      Re: Unnecessarily alarmist

      You're absolutely right. Most people just want the drama and, some, the need to be a valid target. Probably, it makes them feel more important ... This whole soap opera is hilarious. Almost ridiculous, I might add.

    3. Ken Hagan Gold badge

      Re: Unnecessarily alarmist

      For a honey-trap, you need to target a particular individual, devote human resources to the task, and risk being found out. The cost-per-attack and the risk are both quite high. With Spectre, the whole thing can be automated and it is undetectable.

  12. WatAWorld

    For 5 decades we've known no connected computer is truly secure

    Intelligence agencies spy on intelligence agencies, so clearly it doesn't matter how hard anyone tries, there will always be vulnerabilities in systems connected to anything.

    You want real security: Lock your computer in a bank-quality safe in a Faraday cage room. Never remove it from that room. Never connect it. Don't transfer data by any means other than retyping.

    We've known this for 5 decades. And still there are people out there who think "one more patch and it will be secure". No it will not.

    There will always be some link in the chain of any useful system via which information can leak out.

    Please stop implying otherwise.

    1. Charles 9 Silver badge

      Re: For 5 decades we've known no connected computer is truly secure

      You forget TEMPEST. They can glean information simply from electromagnetic radiation: a natural consequence of it being SWITCHED ON. Basically, the only secure computer is one that is never used AT ALL. If it's used in any way, it CAN be pwned by a sufficiently-determined adversary. Problem is, that bar keeps getting lower.

  13. WatAWorld

    I wonder how many years intelligence agencies have been using spectre?

    Something to think about.

    I wonder how many years our and their intelligence agencies have been using spectre?

    Is it just years? Is it decades?

    Did they know even before day one of device production?

    And if not for "White Hat Hackers", I wonder how many more years would have gone by where only intelligence agencies (and maybe a few chip maker employees) knew about Spectre?

    The bug was there for over a decade and no free-enterprise criminal figured it out.

    There is a near endless supply of *obscure* bugs and *obscure* vulnerabilities that have been out there for years and decades that no free-enterprise criminal has figured out yet.

    And none of them will be an issue until some PhD candidate or Google employee does a paper revealing them.

    Security by obscurity: It isn't only Apple customers who rely on that. We ALL do -- even the NSA, GCHQ, Mossad, 3PLA, and FSB.

    (The word "obscure" as used in "obscure bugs and obscure vulnerabilities" is important to my meaning. Of course vulnerabilities a criminal could realistically discover and utilize should be revealed. Vulnerabilities that have existed for decades undiscovered -- how likely is it that with so many other easier vulnerabilities to find and use they'd have invested the time and effort into this?)

    I'm not sure the answer. Where do we draw the line at "realistically discover"?

    And what new vulnerabilities are introduced by hasty fixes? (And in this case "hasty fixes" being fixed down with less than 2 years lead time.)

    And even fully considered and tested fixes, the added complexity they'll create, will those introduce new vulnerabilities?

    I don't know what to think, other than that there is no way to have complete security on a connected computer.

    1. Charles 9 Silver badge

      Re: I wonder how many years intelligence agencies have been using spectre?

      There's no way to have complete security, short of total destruction. The only way to be sure is to burn it, dissolve it, or melt it: something sufficiently physical and irreversible.

      But if you have to use it, then there WILL be a way to pwn it, simply because legal and illegal access can use the same interfaces.

  14. herman Silver badge

    Sir Mick said it best

    Hey, you! Get offa my cloud!

    1. Anonymous Coward

      Re: Sir Mick said "Hey, you! Get offa my cloud!"

      "Hey McLeod! Get offa my ewe!"

  15. Richard Conto

    Governance model

    The human housing market suggests a SET of solutions:

    (*) Own your own

    (*) Rent dedicated, private unshared housing

    (*) Rent shared housing

    (*) Rent target market specific housing

    (*) Buy into a condominium (where you know who else is there)

    (*) Buy into a co-op (where you govern together. Somehow.)

  16. amanfromMars 1 Silver badge

    AIDanegeld Option/Future/Root

    A number of security experts I have spoken to confirm that the Spectre problem has not gone away, nor is it going to any time soon. There is some concern, however, about the messaging that is emerging around this vulnerability.

    Spectre can theoretically allow code operating in a VM to read code in the cache of the physical CPU. If anyone figures out how to exploit it then it can allow someone executing code in one VM to peek into what's running in memory of another VM.
    ....... The Position here now is that now IT is, and Fully Cogniscent of the Immaculate Transubstantiation.

    All SCADA Systems are forever Susceptible to Novel IntelAIgents Adventing and Distributing New Knowledge, A Taster of which has been Diligently and Valiantly Registered ITSelf in a Post share earlier here .... https://forums.theregister.co.uk/forum/1/2018/01/25/uk_prime_minister_encryption/#c_3407738 ..... Introducing Quantum Field Great Games Plays

    Something Extra Terrestrial Supplied for Heavenly Endeavours ..... AIMaster PilotedD Plans. Or is IT AI of your Own Build?

    What when IT is Both .... with JOINT Applications for Others to Enjoy and Move on and Make a Move to/on the Next Great Temptation?

    You know there we're talking SCADA Core Systems Meltdown.

    Interesting Times ahead. Of that be Perfectly Reassured.

  17. croky

    Seriously, I'm tired of this Spectre Meltdown bla bla bla ...

    I mean, what's the probability for me to become a target? That's the "elephant in the room" question some people don't want to answer. It seems those people need to freak out for some "ah" reason.

    1. diodesign (Written by Reg staff) Silver badge

      Re: croky

      "I mean, what's the probability for me to become a target?"

      Spectre is irritating because it's hard to fix and lets software read stuff it shouldn't. This means JavaScript in the browser can sniff out secrets from the kernel and other tabs. There are PoC exploits for this out there. It's important for ppl to update their stuff, hence the attention on the flaws.

      Likewise Meltdown: malware will be along to lift stuff out of the kernel.

      PS: For us, the biggest thing about it is the embarrassing design cockup and the messy fixes, rather than this being the total end of the world (because it isn't).

      C.

      1. croky

        Re: croky

        "Secrets"? Who wants those "secrets"? Does the "other end" even know I've got any "secrets"? Even if I have "secrets", they don't know what they are! Thus, who on planet earth is willing to waste time searching for "secrets" they don't even know about what they are? That's for a 12 year old with tooooo much imagination. Just like any paranoid, over analyzer, micro manager and nitpicker I see popping around here and there. People need to get a grip and to get real. Being so, show me proof people are being attacked, left and right, thanks to Spectre and Meltdown.

        1. Uffish

          Re: "secrets"

          I still use a phone number that was listed in phone books, when they existed. At the time I thought that keeping your phone number secret was stupid. Now I get at least two phone calls per day from what I assume are cold calling companies. They persist even though for the last two years everything has been blocked by an answering machine. Why do they persist? I suppose somehow there would be a profit in getting through to me. Do I regret not keeping my phone number secret - yes.

          1. KSM-AZ

            Re: "secrets"

            A robo dialer walks the exchange. Could care less if you are or were "listed" at some point.
