The Spectre of control system Meltdown

Subject: General Tech | January 16, 2018 - 02:33 PM |
Tagged: security, spectre, meltdown

The various patches released to ameliorate the damage which can be inflicted to computer systems is slowing down or crashing some systems, up to and including industrial control systems according to The Register.  These issues are not specific to Windows machines, many control systems run on Linux, the vulnerabilities stem from an architectural issue and so any operating system could suffer slowdowns.  Seeing your VMs slow down on Azure or AWS is rather frustrating, slow response from critical systems in a power plant could be much more than just an inconvenience.  The story also has a link to a compiled list of Meltdown patches if you would like to see what is currently in development.

View Full Size

"Rockwell Automation revealed that the same patch had caused issues with Studio 5000, FactoryTalk View SE, and RSLinx Classic (a widely used product in the manufacturing sector). "In fairness [this] may be RPC [Remote Procedure Call] change related," said cybersecurity vulnerability manager Kevin Beaumont."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

January 16, 2018 | 04:04 PM - Posted by GamingTheBenchmarksForSpinNOT (not verified)

So far no AMD vulnerabilities to Meltdown so AMD has only some Sepctre issues. But that's not stopping some from bundling both vulnerabilities together in an attempt to false equate AMD as having issues with both.

Lots of PR/Damage control folks over at Intel apparently do not like to make mention of Meltdown by itself at all and try and focus on both Meltdown and Spectre in a non-specific manner so Intel will not be singled out. And plenty of folks on the internet forums posting in a similar manner even when the subject is about the Meltdown remediation efforts that are causing some very substantial performance loss on some server workloads.

Sure there are both Meltdown and Spectre issues to be fixed but the specific remediation steps and costs to system performance need to be listed per vulnerability under separate Meltdown and Spectre breakdowns. This is so the relative cost of these performance reducing remediation steps can be measured for each individual CPU maker's ARM/X86/Other designs with each maker's specific products so each maker’s products can be rated after each remediation/patch is applied.

I want to Know exactly which makers products are affected by each category of vulnerability and which maker's CPU products are affected more to one than the others so a breakdown in tabular format with Meltdown under one heading and Spectre under another and an accounting as to which maker has the most issues with Meltdown and which as the most Spectre issues. This is so others can see if the Meltdown remediation steps are more costly than the Spectre remediation steps once the individual remediation steps have been taken.

Here is another interesting article(1) from the Register that should be noted with regards to benchmarking and not cherry picking results and it looks like Meltdown and Spectre will be the subject of some extensive academic study over the next few years including some CPU architectural analysis with stress on the spectulative execution unit/branch prediction unit and cache subsystems focus in order to redesign for with security in mind without causing too much performance loss.

"In their analysis of 50 papers published between 2010 and 2015 (in Usenix Security, as well as IEEE's Security & Privacy, the ACM's CCS, and papers accepted by the NDSS symposium), the researchers say they identified 22 discrete “benchmarking crimes”, ranging from ignoring performance impacts altogether, “creative overhead accounting”, using misleading benchmarks, all the way through to presenting only relative numbers in a benchmark.

Most often, Heiser said, the crime is that “evaluation data is not complete enough … you look at the 'cost' of the mechanism in a scenario, without doing a thorough evaluation of the performance effects in a representative set of scenarios”.

Take, for example, a researcher running runs the SPEC suite on systems with and without their security solution. “The suite is designed to represent a broad class of use-cases” he said, but “SPEC only makes sense if you make all the individual programs to come up with the score”.

Cherry-picking SPEC results means they're less effective: “you might pick predominantly CPU-intensive processes and ignore memory-intensive processes,” he said. " (1)


"Bad benchmarks bedevil boffins' infosec efforts

'Benchmark crimes' understate true performance impact of security controls"

January 16, 2018 | 07:19 PM - Posted by MoreConfusionWithTheMeltdownAndSpectreMadness (not verified)

An interesting Read for Windows 7 and 8.1 users from Woody Leonhard(1) and It's getting more confusing because of the lack of proper patch documentation/instructions from Microsoft. I do all of My windows 7 patching directly from the Microsoft Windows update catalog and only the security only patches(To Keep The Spyware Out) but all of my laptope are Intel Based and the original patches installed without problems. But AMD users are needing different patches so Microsoft needs better patch notes in one place so AMD users can do the proper fixes. Microsoft's notes need to include information on just what windows patches require microcode updates included in the PC's/laptop's/MB's UEFI/BIOS via firmware updates from the MB's/Laptop's/PC's OEMs. Who Knows what's going on for AMD processors and windows 10.

I really hope that the Linux Laptop OEMs will begin offering Laptops with AMD's APUs inside because I want to get out from under any Microsoft OSs come 2020 and windows 7's EOL and AMD's CPUs have no Meltdown issues currently it's only the Spectre variants that may give AMD some lesser problems.


"Woody on Windows

By Woody Leonhard, Columnist, Computerworld |
Jan 16, 2018 7:33 AM PT

News Analysis

Microsoft's mystifying Meltdown/Spectre patches for AMD processors

Take a look inside the new January Security-only patches specifically for Win7 and 8.1 AMD machines that were blue-screend by the original January Security-only patches. Win10 brickees still in limbo."

January 16, 2018 | 07:56 PM - Posted by Richard Atkinson (not verified)

Steve Gibson has made a great tool for these issues.

January 17, 2018 | 12:26 AM - Posted by James

If you have an isolated machine, that has little chance of running any third part code, then just don’t install these updates yet. It would require code execution, so a well protected machine that is used for specific software, not general use, is not at much risk. For cloud providers, they don’t have much choice since they don’t control the code on the machines and the machines may host multiple VMs from different customers. For general users, the main threat would be java script in web browsers. They should definitely update, but it probably is a good idea to look up the hardware and see if people are having any issues with the update first. You should be running something like noscript anyway, although the recent update seems to have really messed it up. I actually down graded Firefox on my laptop to use the old noscript for now. I will have to take a closer look and learn how to use the new one or switch to something else.

January 17, 2018 | 03:47 AM - Posted by WhyMe (not verified)

If the critical system is so critical I'd be questioning why it's connected to a public network in the first place or even allows unknown people physical access to it.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <blockquote><p><br>
  • Web page addresses and e-mail addresses turn into links automatically.

More information about formatting options

This question is for testing whether you are a human visitor and to prevent automated spam submissions.