Meltdown and Spectre Security Vulnerability Impacts Intel most, but AMD, Arm as well

Subject: Processors | January 3, 2018 - 08:17 PM |
Tagged: Intel, amd, arm, meltdown, spectre, security

The following story was originally posted on ShroutResearch.com.

UPDATE 1 - 8:25pm

Just before the closing bell on Wednesday, Intel released a statement responding to the security issues brought up in this story. While acknowledging that these new security concerns do exist, the company went out of its way to insinuate that AMD, Arm Holdings, and others were at risk. Intel also states that performance impact on patched machines “should not be significant and will be mitigated over time.”

Intel’s statement is at least mostly accurate though the released report from the Google Project Zero group responsible for finding the security vulnerability goes into much more detail. The security issue concerns a feature called “speculative execution” in which a computer tries to predict work that will be needed beforehand to speed up processing tasks. The paper details three variants of this particular vulnerability, the first of which applies to Intel, AMD, Arm, any nearly every other modern processor architecture. This variant is easily patched and should have near-zero effect on performance.

The second variant is deeply architecture specific, meaning attackers would need a unique code for each different Intel or AMD processor. This example should be exceedingly rare in the wild, and AMD goes as far as to call it a “near-zero” risk for systems.

The third is where things are more complex and where the claim that AMD processors are not susceptible is confirmed. This one is the source of the leaks and information that filtered out and was the target of the information for the story below. In its statement, AMD makes clear that due to architectural design differences on its products, past and modern processors from its family are not at risk.

The final outlook from this story looks very similar to how it did early on Wednesday though with a couple of added wrinkles. The security report released by Project Zero indicates that most modern hardware is at risk though to different degrees based on the design of the chips themselves. Intel is not alone in this instance, but it does have additional vulnerabilities that other processor designs do not incur. To insinuate otherwise in its public statement is incorrect.

As for performance impact, most of the initial testing and speculation is likely exaggerating how it will change the landscape, if at all. Neither Intel nor AMD see a “doomsday” scenario of regressing computing performance because of this security patch.

At the end of 2017, Intel CEO Brian Krzanich said his company would be going through changes in the New Year, becoming more aggressive, and taking the fight to its competitors in new and existing markets. It seems that BK will have his first opportunity to prove out this new corporate strategy with a looming security issue that affects nearly 10 years of processors.

recently revealed hardware bug in Intel processors is coming to light as operating system vendors like Microsoft and the Linux community scramble to update platforms to avoid potential security concerns. This bug has been rumored for some time, with updates to core Linux software packages indicating that a severe vulnerability was being fixed, but with comments redacted when published. Security flaws are often kept secret to avoid being exploited by attackers until software patches are available to correct them.

This hardware-level vulnerability allows user-mode applications, those run by general consumers or businesses, to potentially gain access to kernel-level memory space, an area that is handled by the operating system exclusively and can contain sensitive information like passwords, biometrics, and more. An attacker could use this flaw to potentially access other user-mode application data, compromising entire systems with bypass around integrated operating system firewalls.

At a time when Intel is being pressured from many different angles and markets, this vulnerability and hardware bug comes at an incredibly inopportune time. AMD spent its 2017 releasing competitive products in the consumer space with Ryzen and the enterprise space with EPYC. The enterprise markets in particular are at risk for Intel. The EPYC processors already offered performance and pricing advantages and now AMD can showcase security as none of its processor are affected by the same vulnerability that Intel is saddled with. Though the enterprise space works in cycles, and AMD won’t see an immediate uptick in sales, I would be surprised if this did not push more cloud providers and large scale server deployments to look at the AMD offerings.

View Full Size

At this point, only the Linux community has publicly discussed the fixes taking place, with initial patches going out earlier this week. Much of the enterprise and cloud ecosystem runs on Linux-based platforms and securing these systems against attack is a crucial step. Microsoft has yet to comment publicly on what its software updates will look like, when they will be delivered, and what impact they have might on consumer systems.

While hardware and software vulnerabilities are common in today’s connected world, there are two key points that make this situation more significant. First, this is a hardware bug, meaning that it cannot be fixed or addressed completely without Intel making changes to its hardware design, a process that can take months or years to complete. As far as we can tell, this bug will affect ALL Intel processors released in the last decade or more, including enterprise Xeon processors and consumer Core and Pentium offerings. And as Intel has been the dominate market leader in both the enterprise and consumer spaces, there are potentially hundreds of millions of affected systems in the field.

The second differentiating point for this issue is that the software fix could impact the performance of systems. Initial numbers have been claiming as much as a 30% reduction in performance, but those results are likely worst case scenarios. Some early testing of the updated Linux platforms indicate performance could decrease from 6-20% depending on the application. Other testing of consumer workloads including gaming show almost no performance impact. Linux founder and active developer Linus Torvalds claims performance impact would range from nothing to “double-digit slowdowns.”

Even though the true nature of this vulnerability is still tied behind non-disclosure agreements, it is unlikely that there will be a double-digit performance reduction on servers at a mass scale when these updates are pushed out. Intel is aware of this vulnerability and has been for some time, and financially it would need to plan for any kind of product replacement or reimbursement campaign it might undertake with partners and customers.


January 3, 2018 | 09:09 PM - Posted by AndThisNewYearHasOnlyJustStartedInEarnest (not verified)

And 2018 Becomes the year of the great FUCKWIT Trampoline incident where user-space and kernel-space collide like a couple of drunken Trampoline Bouncing Hippos in mid air. Oh what a big pile of hippo-dung laced with Wild Turkey that will produce going forward as the large corporate damage control apparatus kicks into high gear!

January 3, 2018 | 09:13 PM - Posted by pdjblum

not zen, threadripper, or epyc at all you intel shill

i guess a large part of their plan to deflect is by using gullible dicks to spread false news in an opportunistic way

January 3, 2018 | 09:20 PM - Posted by Robert Marston (not verified)

Here is the latest from AMD on the matter. More will follow in the days and weeks ahead. https://www.amd.com/en/corporate/speculative-execution

January 3, 2018 | 09:43 PM - Posted by Kareha

I wish I was the Intel CEO and get away with insider trading.

January 5, 2018 | 12:29 AM - Posted by WithMyGoodEyeClosed (not verified)

What?... He just followed the advice of the recently aquired Guru Raja Koduri!

January 3, 2018 | 09:57 PM - Posted by 2901bitslice

After all the racket raised by Intel saying that 'everybody does it' Linux has agreed to disable the KPTI patch for AMD. https://www.phoronix.com/scan.php?page=news_item&px=Linux-Tip-Git-Disabl...

January 3, 2018 | 09:57 PM - Posted by Kareha

Windows gaming benchmarks in here :

https://www.hardwareluxx.de/index.php/news/hardware/prozessoren/45319-in...

January 4, 2018 | 02:31 AM - Posted by razor512

Seems to be a 4+% drop in gaming performance, and 7+% drop in storage performance.

January 3, 2018 | 10:09 PM - Posted by kenjo

the only one that is solvable 100% in software is the variant 3 and that one do qualify as significant slow down. Good news for gamers the slowdown is in the userspace/kernel transition and that is not happening so much for games.

the variant 1 has some type of band aid but is not possible to do a software solution that fixes it at least not on intel. I do not currently understand why AMD thinks it easy on amd cpus as the only solution I can see is the same one. Namely you have to identify the potential problematic code and change it. that is not a one time solution but a never ending game of whack-a-mole that is going to fail at some point.

January 3, 2018 | 10:30 PM - Posted by kenjo

I read the statement from Intel it ends with some rather delusional thinking :)

"Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers."

January 3, 2018 | 11:10 PM - Posted by OneSeesFandOneSeesUandOneSeesDwithIntelsResponce (not verified)

It's Intel's damage control trying to deflect attention onto a larger group of issues to make it appear like Intel's problems are shared but they are not. Intel's solution to that Intel Only issue will result in a noticeable performance degradation on some workloads while AMD's and ARM’s/Other’s unrelated issue/issues can be fixed with little or no performance degradation!

Intel and others are digressing/diverting the main issue focus away from Intel by bringing up other security issues that while they do need attention are only mentioned by Intel as a way to draw attention away from the 10,000Lb Chipzilla ONLY problem in the room. Intel’s methods are intentionally and nefariously formulated to cause the maximum of uncertainty among the public in order for there to be some doubt regarding the main Intel Only issue and Intel is taking advantage of the public’s fear over any security related issues. So now Intel’s issue does not appear so bad with all the other noise in the room drowning out that Intel Only performance degradation issue that’s Intel’s only way to deal with its poorly designed CPU micro-architecture with that Intel Only problem.

January 3, 2018 | 11:46 PM - Posted by TheYarnsUnSpun (not verified)

Some interesting Register Reading to take away the Spin!

"We translated Intel's crap attempt to spin its way out of CPU security bug PR nightmare

As Linus Torvalds lets rip on Chipzilla"

https://www.theregister.co.uk/2018/01/04/intels_spin_the_registers_annot...

January 4, 2018 | 03:33 AM - Posted by JohnGR

Intel gets completely dishonest when in panic. It proved that. It also proved the importance of this bug when it tried to make it look like every architecture out there is having the same problems as Intel processors. And unfortunately it will probably manage to make most people at IT to consider using this patch even with AMD processors. "Just to be safe, lets put some parachutes in the trunk of the car, because, you know, parachutes enhance security for people on airplanes".

January 4, 2018 | 12:58 PM - Posted by AnonymousNT (not verified)

Wow! Just Wow! The class action lawsuits are going to fly. There is no way to fix a sloppy, ill conceived, blatantly security disregarded, poorly architecturally designed chip - designed solely to "beat" the competition while cheating at everything else - hoping
no one would notice - chip. Circumventing the speculative flaw is not a fix - it's a workaround. Now, if you want the new shiny i9-7980XE (with HUGE security holes), just wait. It'll be on sale soon. ;)

January 4, 2018 | 01:29 PM - Posted by Bill (not verified)

Bad timing for me on this. I'm in the process of buying parts for my next pc build for my daughter. I've been dragging my feet hoping that ram goes down in price. My next purchase was to be a Ryzen and a mobo. I really hope there's not a run on Ryzen's now inflating their prices.

January 4, 2018 | 07:21 PM - Posted by SkOrPn

I sure hope not. But that is highly unlikely in the consumer space. We need Intel and AMD to be playing on fair and equal grounds as soon as possible. I wouldn't mind seeing them both at 50/50 market share though. If there is a run on AMD, it will more than likely be in the datacenter and cloud service space, and on only EPYC sku's. But who knows?

January 7, 2018 | 11:15 PM - Posted by jerry-li (not verified)

EXT-CU440

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <blockquote><p><br>
  • Web page addresses and e-mail addresses turn into links automatically.

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.