add arrow-down arrow-left arrow-right arrow-up authorcheckmark clipboard combo comment delete discord dots drag-handle dropdown-arrow errorfacebook history inbox instagram issuelink lock markup-bbcode markup-html markup-pcpp markup-cyclingbuilder markup-plain-text markup-reddit menu pin radio-button save search settings share star-empty star-full star-half switch successtag twitch twitter user warningwattage weight youtube

Spoiler and Intel

raffytaffy213

8 months ago

I just bought Intel components for my first time build and want to know what the issue is with Spoiler? I know it's not a Spectre attack, but should I be concerned? I went to Micro Center yesterday and picked up an X470 mobo and R7 2700x but still have my Z390 mobo with no CPU. I RMAed the mobo to B&H but haven't packed it yet for return. Is it worth switching to AMD considering AMD seems to not be affected. I also understand that anything is susceptible to a threat or attack, but Spoiler kinda SPOILED my mood and made me want to switch to AMD.

Comments

  • 8 months ago
  • 7 points

raffy,

Until you spend a few hundred hours locking down all the security vulnerabilities in the software you're running (default configurations are very weak in terms of security for almost all the software you use), and modify the way you use a computer to be fundamentally secure, I wouldn't bother worrying about these sort of CPU related vulnerabilities.

It's like... your kitchen is on fire so you're going to sweep the garage....


I am an ISSM for a small company. My job is basically to find the largest vulnerabilities for information security we have, highlight them, and solve them, then move on to the next. Constant rotating door of risk assessment, improving configurations, locking things down, etc. Finding an acceptable balance of risk vs functionality in everything.

These "CPU" related vulnerabilities that have cropped up in the last couple years, aren't even on my radar because in any information system, there are going to be dozens if not hundreds of far more likely attack vectors than these, even in system that are under significant configuration management.

I am considering AMD CPU's for some of our server systems, not because I think it's going to make a meaningful difference for security, but because AMD is more competitive in the single socket server market right now (way more IO and cores for way less money). Some of our server systems (application layer firewalls), will probably be better off on Intel platforms for performance reasons (Access to much higher clock speeds on server platforms).

  • 8 months ago
  • 5 points

Just like spectre, meltdown, and PortSmash they are all possible vectors of attack.

While Meltdown is an exclusively Intel issue, PortSmash should also impact AMD since it uses very similar tech for SMT (hyperthreading). Intel just holds a massive market share of X86 CPUs and so they are much more likely to get people testing possible exploits (servers are the biggest risk) and I think Intel has a bounty program for exploits.

It relies on speculative execution, both of which AMD and Intel use. It just relies on a flaw in the Intel memory subsystem to speed up rowhammer and cache attacks. Both of which already exist today, Rowhammer isn’t really a risk for most consumers since it takes time and generally people aren’t storing important information in DRAM. It also has never been used as an attack vector, it’s just a possible vector with a few different ways noted on it. Oh and the risk can pretty much be removed by buying DRAM with protections in place (they exist).

Cache attacks are a lot more scary since you could be pulling passwords, etc but it’s again one of those time consuming attacks that are a major risk to servers and less of general consumers who should be worrying about other security risks on their computers (Java, weak password, etc).

Spoiler can be solved somewhat by software changes on the developer side, and might be fixed in SunnyCove on a physical level. But it’s not really a risk, since it only increases the speed of existing vectors that haven’t been used.

For example using Spoiler to speed up a rowhammer attack on a major server could get it to allow unprivileged access to the entire memory (aka the software gets to read everything). But rowhammer is entirely luck based (gotta wait for the error to happen) and can be migrated sometimes by ECC and fully by a physical level change on DRAM manufacturers (its really just a new timing).

AMD is also impacted by Rowhammer, as with any system using DDR3 and DDR4. I haven’t read the entire paper to see what cache exploits are sped up (and what level of cache), but those aren’t Intel exclusive.

If you have Java installed, that is a much bigger risk than any hardware exploitation. Or if you haven’t updated your routers firmware. Or click on emails. Worrying about something that almost certainly won’t impact you while most people practice unsafe security is just a little confusing.

  • 8 months ago
  • 2 points

TL;DR It's nothing to be really concerned about, just keep the important data somewhere safe

  • 8 months ago
  • 1 point

I think willow cove the sunny cove revamp is suposed to address all security concerns.

Also just like you said for your average consumer the security scares are almost a non factor.

  • 8 months ago
  • 1 point

Reminds me of CTS Labs report on an AMD version of meltdown and specter. https://www.youtube.com/watch?v=ZZ7H1WTqaeo

Talk about overblown hype and malicious publications of said bugs.

  • 8 months ago
  • 1 point

With all the major companies offering big bounties if you can come up with something legitimate it's only likely to continue.

[comment deleted]
[comment deleted]

Sort

add arrow-down arrow-left arrow-right arrow-up authorcheckmark clipboard combo comment delete discord dots drag-handle dropdown-arrow errorfacebook history inbox instagram issuelink lock markup-bbcode markup-html markup-pcpp markup-cyclingbuilder markup-plain-text markup-reddit menu pin radio-button save search settings share star-empty star-full star-half switch successtag twitch twitter user warningwattage weight youtube