Older AMD, Intel chips vulnerable to data-leaking 'Retbleed' Spectre variant

Older AMD and Intel chips are vulnerable to yet another Spectre-based speculative-execution attack that exposes secrets within kernel memory despite defenses already in place. Mitigating this side channel is expected to take a toll on performance. ETH Zurich computer scientists Johannes Wikner and Kaveh Razavi have dubbed the …

  1. Nate Amsden

    worry more about the fixes than the problems

    The risk involved with any of these side channel attacks is so tiny for 98% of the systems out there. I suppose the one place where one might need to be more concerned is if you are a service provider with multiple customers on the same systems. Otherwise if you have control of your workloads there really isn't much to worry about, there's far bigger threats out there than side channel and will be forever, and there will always be some new side channel attack about to be discovered because security folks want to be famous regardless of how limited in scope the issue is. Meanwhile the fixes for these problems cause their own problems whether it's performance or stability issues.

    I would like it if there was a simple BIOS setting to disable these side channel fixes so you could install new microcode for OTHER fixes but keep the side channel stuff disabled. I run all my Linux systems with "spectre_v2=off nopti" kernel settings (which may or may not be enough), and most of my systems are quite old at this point (Xeon E5-2699 v4 are my newest) and I have intentionally not updated firmware in many cases to avoid these fixes. Have read too many horror stories about them. I also have gone the extra mile (so far anyway) to exclude microcode updates from vSphere 6.5 (yes still running that) updates.

    It's nice to have the fixes for people who are super paranoid and really want them, but also nice to have easy to use options for folks to opt out of them if they desire.
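
Added example, not part of the comment above or of the article: a way to check what the running Linux kernel actually reports for each issue, since the boot command line only records what was requested. The function names, the sample status strings and the sample command line are constructed for illustration; the sysfs and procfs paths in the comments are the standard Linux locations.

```sh
#!/bin/sh
# Added example: audit the effective speculative-execution mitigation state.
# sysfs shows what the kernel applied; the command line only what was requested.

# classify STATUS -> not_affected | vulnerable | mitigated | unknown
classify() {
    case "$1" in
        "Not affected"*)                echo not_affected ;;
        Vulnerable*|"KVM: Vulnerable"*) echo vulnerable ;;
        *Mitigation:*)                  echo mitigated ;;
        *)                              echo unknown ;;
    esac
}

# audit_vulns DIR -> one "issue<TAB>class<TAB>kernel status" line per file
audit_vulns() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$(classify "$status")" "$status"
    done
}

# disabled_by_cmdline FILE -> boot parameters that switch a mitigation off
# (a subset of the kernel's documented parameters, not an exhaustive list)
disabled_by_cmdline() {
    tr ' ' '\n' < "$1" | grep -E -x \
        'mitigations=off|nopti|pti=off|nospectre_v1|nospectre_v2|spectre_v2=off|retbleed=off' \
        || true
}

# Constructed sample data in the kernel's output format (values are invented).
make_sample() {
    d=$(mktemp -d) && mkdir "$d/vulnerabilities"
    echo 'Vulnerable' > "$d/vulnerabilities/meltdown"
    echo 'Not affected' > "$d/vulnerabilities/retbleed"
    echo 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization' \
        > "$d/vulnerabilities/spectre_v1"
    echo 'Vulnerable, IBPB: disabled, STIBP: disabled' > "$d/vulnerabilities/spectre_v2"
    echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro spectre_v2=off nopti' > "$d/cmdline"
    echo "$d"
}

# On a live host: audit_vulns /sys/devices/system/cpu/vulnerabilities
#                 disabled_by_cmdline /proc/cmdline
sample=$(make_sample)
audit_vulns "$sample/vulnerabilities"
echo "mitigations disabled at boot: $(disabled_by_cmdline "$sample/cmdline" | tr '\n' ' ')"
rm -rf "$sample"
```

In the constructed sample, `spectre_v1` still reports a mitigation while `spectre_v2=off nopti` is set, which is why the per-issue status, not the command line, is the thing to audit.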

    1. Mike 125

      Re: worry more about the fixes than the problems

      >there will always be some new side channel attack about to be discovered because security folks want to be famous regardless of how limited in scope the issue is.

      Hey: everyone wants to be famous for something. Don't be snidey!

      It's comforting to assume this stuff doesn't matter. But it does, because it's input for Intel, et al: speed isn't everything.

      It probably won't learn, because, well, it's Intel. But at least they can be told 'we warned you'.

      TFA: "Exploitation in general of these flaws seems non-trivial."

      True - but remotely spinning up centrifuges to destruction in Iran once seemed non-trivial.

      As for problematic mitigations and low current risk, I agree.

    2. Roland6 Silver badge

      Re: worry more about the fixes than the problems

      The fixes assume that what is needed is some design change that will remove the vulnerability. However, what seems to have been forgotten is the purpose of anti-malware software or, by way of analogy, a computer's immune system.

      This thus raises the question of whether these side attacks have a recognisable fingerprint and so become detectable by anti-malware software.

      Once we have confidence in the detection and its mitigation, does it really matter if the chip has a vulnerability?

      1. djnapkin

        Re: worry more about the fixes than the problems

        Very good point, and not one I've noticed others suggest, up to now. Makes a lot of sense. And, if we are going to take the usual hit from anti-malware, do we really want a 70% speed drop as well?

  2. amanfromMars 1 Silver badge

    AI NEUKlearer Present Danger and/or Remote Virtual HyperRadioProACTive IT Delight?*

    It also allows the attacker[s] secret secure coded access to direct root processor and speculative branch instruction sets for their own secret live remote execution operations in mainstream channels delivering command and control outputs/outcomes/future augmented virtual reality input/future virtually augmented reality instruction for SCADASystems to Present .... or Defy and Deny as the psychotic case may reveal and vaingloriously pursue.

    And that is worlds apart and light years ahead of just rogue software on a machine which can exploit Retbleed to obtain from memory it shouldn't have access to – such as operating system kernel data – passwords, keys, and other secrets

    That said, if nothing's done about Spectre et al, maybe one day someone will exploit it in the wild in a meaningful way.

    Hmmm? Maybe? In the wild? Someone one day? Oh, methinks all of that is the least one can fully expect to be a guaranteed certainty to be employed and enjoyed, deployed and directed. But it's not good for your health to worry teams too much about all of that over which one has zero command and control. Que Sera, Sera.

    * Choose your weapon to wield wisely .... for one is well known to autonomously self-destruct at both the most opportune and inopportune and disruptive of times, being as how it is, a right doozy of a booby trapped prize device.

  3. Steve Jackson

    Is it me or is it just those chips that perhaps should have made the cut for W11 hardware requirements?

    Skylake (refresh of a refresh) made it actually and Zen/Zen+ doesn't perform badly.

    As usual, I guess we should infer that plenty of unsupported W10 hardware Intel Core to Core 5 and AMD (whatever it was, Dozer?) are also vulnerable?

  4. Ceiling Cat

    Just wondering: For those of us whose gear is old, sad, tired, and not used for anything that would be worth exploiting the system to steal (IE: a machine that only runs my DAW, Modular synth emulator, etc), what is the best way to disable all the "fixes" that would wind up hamstringing my hardware to the point that I would have to scrap my rig and start from scratch?

    I only ask because it has been 11 years since I last purchased a system, and about 8 years since I last purchased a GPU. When I went to check modern component prices, especially GPUs, I was violently and explosively ill. No video card save for the top of the line gaming GPU should cost more than I would pay for the rest of the system. I do not feel like buying new hardware at those prices, but fixing these speculative execution exploits on a machine that isn't handling anything sensitive (or even useful to miscreants) seems... well... like shooting myself in the battered sausage.

    1. Jon 37 Silver badge

      Cryptocurrency miners using GPUs pushed the prices up and led to a shortage.

      I had heard it got a little bit better when cryptocurrency prices dropped recently. However, I stay away from that particular planet-destroying crazy. So I have no idea what cryptocurrency prices are doing now.
