Massive security hole in CPU's incoming? Official Meltdown/Spectre Discussion Thread

May 11, 2008
20,055
1,290
126
I noticed something I never had before, when connecting to Steam, I got twice the message today that the Steam program could not connect to the Steam server.
The next moment I tried the program could connect.
Maybe it is unrelated, I do not know, but since Steam is a massive network-connected service, who knows... Could be one of the side effects of the patches.
 
Feb 4, 2009
34,703
15,951
136
I noticed something I never had before, when connecting to Steam, I got twice the message today that the Steam program could not connect to the Steam server.
The next moment I tried the program could connect.
Maybe it is unrelated, I do not know, but since Steam is a massive network-connected service, who knows... Could be one of the side effects of the patches.

I’m having similar thoughts/observations. I question if I’m being too sensitive. Post windows update a game I play has a rotating piece that seems to lag a little bit and outlook seems to take a little longer to open. I’ve had one failed connection to steam too.
Maybe it’s happened before and I didn’t care, maybe I’m hyper sensitive to problems post patch.
I shouldn’t be bothered because it isn’t an inconvenience in a substantial way.
 

formulav8

Diamond Member
Sep 18, 2000
7,004
522
126
KEEPING SPECTRE SECRET - How an industry-breaking bug stayed secret for seven months — and then leaked out

Project Zero’s official policy is to offer only 90 days before going public with the news, but as more companies joined, Zero seems to have backed down, more than doubling the patch window. As months ticked by, companies began deploying their own patches, doing their best to disguise what they were fixing. Google’s Incident Response Team was notified in July, a month after the initial warning from Project Zero. The Microsoft Insiders program sent out a quiet, early patch in November. (Intel CEO Brian Krzanich was making more controversial moves during the same period, arranging an automated stock sell-off in October to be executed on November 29th.) On December 14th, Amazon Web Server customers got a warning that a wave of reboots on January 5th might affect performance. Another Microsoft patch was compiled and deployed on New Year’s Eve, suggesting the security team was working through the night. In each case, the reasons for the change were vague, leaving users with little clue as to what was being fixed.
 
May 11, 2008
20,055
1,290
126
I’m having similar thoughts/observations. I question if I’m being too sensitive. Post windows update a game I play has a rotating piece that seems to lag a little bit and outlook seems to take a little longer to open. I’ve had one failed connection to steam too.
Maybe it’s happened before and I didn’t care, maybe I’m hyper sensitive to problems post patch.
I shouldn’t be bothered because it isn’t an inconvenience in a substantial way.

I do not think it is the patch on my pc or your pc that is causing the issue.
It is highly likely that the steam servers are patched as well.
Perhaps the steam servers are having trouble keeping connections with all steam users.
The patches seem to show the performance degradation when there is a lot of disk i/o and network i/o.
Servers in general do a lot of disk i/o and network i/o.
It could also be that some steam servers are offline to be patched and that other servers are now more occupied with servicing all the steam clients.
 
Feb 4, 2009
34,703
15,951
136
I do not think it is the patch on my pc or your pc that is causing the issue.
It is highly likely that the steam servers are patched as well.
Perhaps the steam servers are having trouble keeping connections with all steam users.
The patches seem to show the performance degradation when there is a lot of disk i/o and network i/o.
Servers in general do a lot of disk i/o and network i/o.
It could also be that some steam servers are offline to be patched and that other servers are now more occupied with servicing all the steam clients.

Stop talking sensibly dammit
 
May 11, 2008
20,055
1,290
126
Stop talking sensibly dammit

Does it help that for the last few hours I also get a lot of "T1 H500" messages while watching Netflix?
Either my internet connection is getting hammered somewhere out there because of the patches or the Netflix servers are also being patched or are patched.

I wonder how the multiplayer games are going.
Battlefield with 64 players.
PUBG.
 

wahdangun

Golden Member
Feb 3, 2011
1,007
148
106
I do not think it is the patch on my pc or your pc that is causing the issue.
It is highly likely that the steam servers are patched as well.
Perhaps the steam servers are having trouble keeping connections with all steam users.
The patches seem to show the performance degradation when there is a lot of disk i/o and network i/o.
Servers in general do a lot of disk i/o and network i/o.
It could also be that some steam servers are offline to be patched and that other servers are now more occupied with servicing all the steam clients.

Because several hosting sites get hammered quite hard, several hosting sites and even my company feel the slowdown, even with just the Windows patch.
 

goldstone77

Senior member
Dec 12, 2017
217
93
61
Linux 4.15-rc8 Bringing BPF Security Improvements For Fending Speculative Attacks
Written by Michael Larabel in Linux Kernel on 14 January 2018 at 07:56 AM EST.

https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.15-rc8-BPF-Security
With the Linux 4.15-rc8 kernel that is expected for release today as the final step before Linux 4.15, it's still seeing continued security improvements in the wake of the Spectre CPU vulnerabilities.
Landing in the mainline Git tree at this stage of the Linux 4.15 kernel cycle were some security features around BPF, the Berkeley Packet Filter and the related and popular Extended BPF (eBPF) virtual machine for the Linux kernel.
Landing this week was preventing out-of-bounds speculation with the BPF code. This is the BPF-side fix for dealing with the "Variant One" vulnerability for all architectures.
The other addition is adding BPF_JIT_ALWAYS_ON for preventing BPF from being used in a Variant Two style attack. The BPF_JIT_ALWAYS_ON enables the BPF Just-In-Time (JIT) code and removes the BPF interpreter that could be used for launching a Spectre 2 attack.
The BPF JIT is supported on x86/x86_64, ARM/ARM64, SPARC64, and other architectures. BPF starts JIT'ed programs at a randomized location and the code page is marked read-only. There are also other hardening techniques for the BPF JIT to make it better than its interpreter. More details on that with the aforelinked Git commit message.
Linux 4.15 and ahead with Linux 4.16 is quite a busy kernel season. Linus Torvalds should be releasing the final Linux 4.15 release candidate later today.
index : kernel/git/torvalds/linux.git
https://git.kernel.org/pub/scm/linu.../?id=290af86629b25ffd1ed6232c4e9107da031705cb
bpf: introduce BPF_JIT_ALWAYS_ON config
The BPF interpreter has been used as part of the spectre 2 attack CVE-2017-5715.
A quote from Google Project Zero blog:
"At this point, it would normally be necessary to locate gadgets in
the host kernel code that can be used to actually leak data by reading
from an attacker-controlled location, shifting and masking the result
appropriately and then using the result of that as offset to an
attacker-controlled address for a load. But piecing gadgets together
and figuring out which ones work in a speculation context seems annoying.
So instead, we decided to use the eBPF interpreter, which is built into
the host kernel - while there is no legitimate way to invoke it from inside
a VM, the presence of the code in the host kernel's text section is sufficient
to make it usable for the attack, just like with ordinary ROP gadgets."
To make attacker job harder introduce BPF_JIT_ALWAYS_ON config
option that removes interpreter from the kernel in favor of JIT-only mode.
So far eBPF JIT is supported by:
x64, arm64, arm32, sparc64, s390, powerpc64, mips64
The start of JITed program is randomized and code page is marked as read-only.
In addition "constant blinding" can be turned on with net.core.bpf_jit_harden
These security updates will be a continuous update process by the looks of it, since they do not fix the problem, but attempt to make it more difficult to exploit.
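
A defender's check for the two settings the commit message names, added here as an example (not code from this thread, Phoronix or the kernel tree). The sysctl value meanings (bpf_jit_enable 1 or 2 = JIT on; bpf_jit_harden 1 = unprivileged users, 2 = all users) come from the kernel's sysctl documentation rather than this page; the function names and the sample config fragments are constructed.

```shell
#!/bin/sh
# Added example: audit the BPF hardening state described in the commit
# message above. Function names and sample configs are constructed.

# Value of a CONFIG_ option in kernel-config text read from stdin.
# An absent option and "# CONFIG_X is not set" both yield "n".
config_value() {
    v=$(sed -n "s/^$1=//p" | tail -n 1)
    echo "${v:-n}"
}

# assess_bpf CONFIG_TEXT JIT_ENABLE JIT_HARDEN
# Prints one finding per line. Returns 0 only when the interpreter is
# compiled out and constant blinding is confirmed on.
assess_bpf() {
    cfg=$1 jit_enable=$2 jit_harden=$3 rc=0
    always_on=$(printf '%s\n' "$cfg" | config_value CONFIG_BPF_JIT_ALWAYS_ON)
    jit=$(printf '%s\n' "$cfg" | config_value CONFIG_BPF_JIT)

    if [ "$always_on" = y ]; then
        echo "OK   interpreter compiled out (CONFIG_BPF_JIT_ALWAYS_ON=y)"
    elif [ "$jit" = y ] && { [ "$jit_enable" = 1 ] || [ "$jit_enable" = 2 ]; }; then
        # The JIT runs the programs, but the interpreter's code is still in
        # kernel text, which is all the quoted Project Zero passage needs.
        echo "WARN JIT enabled, interpreter still present in kernel text"
        rc=1
    else
        echo "WARN interpreter present; JIT not enabled (bpf_jit_enable=${jit_enable:-unreadable})"
        rc=1
    fi

    case $jit_harden in
        2) echo "OK   constant blinding on for all users" ;;
        1) echo "OK   constant blinding on for unprivileged users" ;;
        "") echo "WARN bpf_jit_harden unreadable (root needed); blinding state unknown"
            rc=1 ;;
        *) echo "WARN constant blinding off (net.core.bpf_jit_harden=$jit_harden)"
           rc=1 ;;
    esac
    return $rc
}

# Audit the running Linux system. The config location varies by distro.
audit_live() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        live_cfg=$(cat "/boot/config-$(uname -r)")
    elif [ -r /proc/config.gz ]; then
        live_cfg=$(zcat /proc/config.gz)
    else
        echo "kernel config not found" >&2
        return 2
    fi
    assess_bpf "$live_cfg" \
        "$(cat /proc/sys/net/core/bpf_jit_enable 2>/dev/null)" \
        "$(cat /proc/sys/net/core/bpf_jit_harden 2>/dev/null)"
}

# Constructed config fragments (not taken from any real system).
HARDENED_CFG='CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y'
LEGACY_CFG='CONFIG_BPF=y
CONFIG_BPF_JIT=y
# CONFIG_BPF_JIT_ALWAYS_ON is not set'

echo "== hardened sample =="; assess_bpf "$HARDENED_CFG" 1 2 || true
echo "== legacy sample ==";   assess_bpf "$LEGACY_CFG" 1 0 || true
```

Call `audit_live` as root on the machine being checked; the legacy sample shows why turning the JIT on with the sysctl alone does not give what BPF_JIT_ALWAYS_ON gives.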
 

dark zero

Platinum Member
Jun 2, 2015
2,655
138
106
But that won't affect the performance of the processor? If that's so... this will get longer than expected...
 

psolord

Platinum Member
Sep 16, 2009
2,015
1,225
136
Hello everybody.


So I did some benchmarks, before and after the kb4056892 patch, primarily on my core i7-860, but also some quick tests on the i5-8600k. My 2500k will have to wait for a while, because I am running some other projects at the same time and I need to finish up with the i5-860.


This effort is completely hobbyist and must not be compared with professional reviews. It’s just that I believe no reviewer will actually take old systems under consideration, so that’s where I stepped in. There are some shortcomings on this test anyway, some of which are deliberate.

The test is not perfect because I have used mixed drivers. Meaning that in some tests I have used the same driver, in another a couple months different drivers, but in Crysis I have used a year old driver for the pre patch run (it made no difference anyway). From my personal experience, newer drivers rarely bring any performance improvement. After the first couple drivers have come out, nothing of significance changes. Usually Nvidia’s game ready drivers, are ready right at the game launch and very few improvements come after that. Actually it’s primarily the game patches that affect the game’s performance, which granted, may need some reconsideration on the driver side. Still the games I have used did not have that problem (except one specific improvement that occurred in Dirt 4).


In this test, there are three kinds of measurements. First I did the classic SSD benchmark, before and after the patch. Then I have gaming/graphics benchmarks, which consist of either the built-in benchmark of the game or my custom gameplay benchmarks. Then I have World of Tanks Encore, which is a special category, because it’s an automated benchmark, but I used fraps to gather framerate data while the benchmark was running, because it only produces a ranking number and I wanted fps data.


In my custom gameplay benchmarks, I rerun some of my previous benchmarks of my database, with the same settings, same location etc. Keep in mind that these runs are not 30-60 second runs, but several minutes long ones. I collected data with fraps or Ocat depending on the game.


Please note that ALL post patch benchmarks, were with the 390.65 driver for both the 1070+860 and 970+8600k configurations. This driver is not only the latest available, but also brings security updates regarding the recent vulnerabilities.


So let’s begin with the core i7-860 SSD benchmarks. Please note that the SSD benchmarks on both systems were done at stock clocks. The 860’s SSD is an old but decent Corsair Force GT 120GB.




As you can see, there are subtle differences, not worthy of any serious worries imo. However, don’t forget, that we are talking about an older SSD, which also is connected via SATA2 since this is an old motherboard as well.

Now let’s proceed to the automated graphics benchmarks, which were all done with the core i7-860@4Ghz and the GTX 1070@2Ghz.



Assassins Creed Origins 1920x1080 Ultra





Ashes of the Singularity 1920x1080 High












Crysis classic benchmark 1920X1080 Very High






F1 2017 1920X1080 Ultra




 

psolord

Platinum Member
Sep 16, 2009
2,015
1,225
136
Unigine Heaven 1920x1080 Extreme






Forza Motorsport 7 1920X1080 Ultra






Gears of War 4 1920X1080 Ultra




Rainbow Six Siege 1920X1080 Ultra






Shadow of War 1920X1080 Ultra






Unigine Valley Extreme HD






Gears of War Ultimate Edition 1920X1080 maxed






Total War Warhammer 2 1920x1080 Ultra










And the special category of World of Tanks Encore I told you about, since it essentially belongs in the automated category.



World of Tanks Encore 1920X1080 Ultra





Now as you can see, the differences are not big. They are quite insignificant I would dare say actually. They seem to be well within the margin of error. I actually decided to benchmark the i7-860 with the 1070 first, since it’s the weakest of my processors and any impact on the cpu performance would be directly highlighted. Many of these runs are cpu limited already.


The two games that showed a measurable and repeatable performance drop were both UWP games, Gears of War and Forza Motorsport 7. Even so, the drop was not such to make you jump off your chair! Actually in Gears 4, in spite of the general performance drop, we did get a 5% lows performance increase. Note that I used the same driver for both the pre and post patch runs.
 

psolord

Platinum Member
Sep 16, 2009
2,015
1,225
136
My custom gameplay benchmarks follow suit. You can see the game titles and the settings in the screenshots. All at 1920X1080.




















Here we can see that there are no big differences on the average framerate, which is the first primary and most important result. There are some fluctuations on the 0.1% lows mostly, but not in all games. Prey seems to have had a harder time than the rest of them. I did notice two momentary hiccups during the run and I was certain they would appear in the 0.1% lows.

The better 0.1% and 1% lows you see on Dirt 4, I have to admit, have been affected by the newer driver. This is the exception to the rule however and not the other way around. There is a specific part at the beginning of the run, which makes the framerate dip. It dips on the newer driver also, but a little less. The overall average framerate was not affected as you can see however and I felt the game running exactly the same.
 

psolord

Platinum Member
Sep 16, 2009
2,015
1,225
136
Now let’s move on the quick Core i5-8600k with the 970, which is essentially a preview, since I will do more testing later on, with the 1070 installed, in order to better highlight any differences in performance.

Again the SSD tests come first with the system also at stock. Please note that all post kb4056892 patch benchmarks on the 8600k were done with the 1.40 Asrock Z370 Extreme 4 BIOS, which included microcode fixes for the cpu, regarding the Spectre and Meltdown vulnerabilities. It is therefore more solidly patched, compared to the i7-860.



Ashampoo cpu check report verifies the system to be ok.





I have two SSDs. A Samsung 850 EVO 500GB and a Sandisk Extreme Pro 240GB. Needless to say that the screenshots with the lower performance are the ones of the patched system. I have the windows version captured on those.










Unfortunately, there is a substantial and directly measurable performance drop on both SSDs, that reaches 1/3 of performance loss on the smaller file sizes. On the bigger file sizes things are much better of course. I made a mistake and used different ATTO versions for the Samsung and Sandisk drives, but the performance drop has been recorded correctly for both anyway.

As for pure cpu tests, I didn’t do much. Just cpuz and cinebench.






Cinebench didn’t show significant difference, but cpuz showed a drop on the multicore result. I then realized that I had used version 1.81 on the pre patch test and version 1.82 on the post patch test. I am not sure if this would affect things. Still I trust cinebench more, since it’s a much heavier test.

Ok then, gaming benchmarks time. i5-8600k@5Ghz, GTX 970@1.5Ghz.

The pattern is the same as above.

Assassins Creed Origins 1920X1080 Ultra






Gears of War 4 1920X1080 Ultra






World of Tanks Encore 1920X1080 Ultra




Grand Theft Auto V 1920X1080 Very High




And I left Ashes of the Singularity for the end, because I only have post patch measurements, but there’s a reason I am including those too.











Again as you can see, we have a measurable drop on Gears of War 4. It’s probable that with the 1070 the difference will be higher. The point is not just that however.


Let’s do a comparison on the above numbers. Take GTA V for example on the i7-860+1070. You will see that it has the same benchmarking result of 75fps average, as the 8600k with the much slower 970. However its 0.1% and 1% lows are quite better. You can feel it while playing. This is a direct result of how cpu limited this game is. For reference, the 1070 with the 8600k gave me 115fps average, but this is a discussion for another time.


After that, you can take a look at Gears of War 4 post patch results for both cpu scores. 364fps for the 8600k, 199 fps for the 860.


And of course we cannot defy the king of cpu limits, Ashes of the Singularity, which for the Vulkan test being the best for both systems, gave us post patch, an average cpu framerate of 152fps for the 8600k and 74fps for the i7-860.


Why am I saying all that and why am I comparing first and eighth generation cpus? Because as you can see even from these few tests, the i5-8600k continues to perform as an 8th gen cpu. It did not suddenly turn into a Lynnfield or something. Also the Lynnfield stayed a Lynnfield and did not become a Yorkfield or whatever.


I generally observe a severe doom and gloom attitude and the consensus that our systems are only fit for the trash, seems to have taken hold on some users minds. This is not what I am seeing however. Always talking from a home user perspective.


I am not trying to diminish the importance of the issue. It’s very serious and it is sad that it has broken out the way it did. However I do see some seriousness from all affected parties. I mean Asrock brought out the BIOS with what, less than a week or something.


Now regarding the professional markets, I can understand that things will be much worse, especially with the very real IO performance degradation. Even some home users with fast SSDs will be rightfully annoyed. In these situations I believe some form of compensation should take place or maybe some hefty discounts for future products. Heck I know that I would be furious if I had seen a severe degradation on the gaming graphics department, which is my main focus.

Of course testing will continue. I have a good 1070+8600k pre patch gaming benchmarks database already, which I will compare with some select post patch benchmarks. If I find anything weird I will repost.


For reference, here are my pre patch benchmarking videos, from which the above pre patch results came. I did no recordings for the post patch runs.

Take care.

Assassin's Creed Origins 1920X1080 ultra GTX 1070 @2Ghz CORE i7-860 @4GHz

Tom Clancy's Rainbow Six Siege 1920X1080 Ultra GTX 1070 @2Ghz CORE i7-860 @4GHz

Forza Motorsport 7 1920X1080 Ultra 4xAA GTX 1070 @2Ghz CORE i7-860 @4GHz

Ashes of the Singularity 1920X1080 High DX11+DX12+Vulkan GTX 1070 @2Ghz CORE i7-860 @4GHz

Gears of War 4 1920X1080 Ultra GTX 1070 @2Ghz CORE i7-860 @4GHz

Gears of War Ultimate 1920X1080 maxed GTX 1070 @2Ghz CORE i7-860 @4GHz

Prey 1920X1080 very high GTX 1070 @2Ghz CORE i7-860 @4GHz

Total War Warhammer 2 1920X1080 Ultra GTX 1070 @2Ghz CORE i7-860 @4GHz

Unigine Valley 1920X1080 Extreme HD GTX 1070 @2Ghz CORE i7-860 @4GHz

Shadow of War 1920X1080 Ultra+V.High GTX 1070 @2Ghz CORE i7-860 @4GHz

World of Tanks Encore 1920X1080 Ultra GTX 1070 @2Ghz CORE i7-860 @4GHz

The Evil Within 2 1920X1080 Ultra GTX 1070 @2Ghz CORE i7-860 @4GHz

Road Redemption 1920X1080 fantastic GTX 1070 @2Ghz CORE i7-860 @4GHz

Dirt 4 1920X1080 4xAA Ultra GTX 1070 @2Ghz CORE i7-860 @4GHz

F1 2017 1920X1080 ultra + high GTX 1070 @2Ghz CORE i7-860 @4GHz

Dead Rising 4 1920X1080 V.High GTX 1070 @2Ghz CORE i7-860 @4GHz

ELEX 1920X1080 maxed GTX 1070 @2Ghz CORE i7-860 @4GHz

Project Cars 2 1920X1080 ultra GTX 1070 @2Ghz CORE i7-860 @4GHz

Grand Theft Auto V 1920X1080 V.High GTX 1070 @2Ghz CORE i7-860 @4GHz

i5-8600k + 1070

World of Tanks Encore 1920x1080 Ultra GTX 970 @1.5Ghz Core i5-8600k @5GHz

Grand Theft Auto V 1920x1080 V.High outdoors GTX 970 @1.5Ghz Core i5-8600k @5GHz

Gears of War 4 1920x1080 Ultra GTX 970 @1.5Ghz Core i5-8600k @5GHz

Assassin's Creed Origins 1920x1080 Ultra GTX 970 @1.5Ghz Core i5-8600k @5GHz
 

psolord

Platinum Member
Sep 16, 2009
2,015
1,225
136
If an admin could lift the 20 images per post limit it would be great.

Also if possible merge all the above posts in one post.

Thanks.
 

TempAcc99

Member
Aug 30, 2017
60
13
51
With this huge effort and performance loss I fail to see why client devices even need a patch besides getting people to upgrade.

These issues are a huge problem in cloud services or say any kind of virtualized environment. You can buy space and then install any software you want and then spy on the other guests running on the same host. Yeah, obviously a huge problem.

But on my gaming PC or my mobile phone? I fail to see the problem. If someone can install their software on my device, all bets are off anyway because I will then catch ransomware, keyloggers and what not anyway. I fail to see the need of a patch for desktops, laptops and mobile phones.
 

snstr

Member
Aug 16, 2017
29
7
36
With this huge effort and performance loss I fail to see why client devices even need a patch besides getting people to upgrade.

"Meltdown" seems only exploitable by using a native program.
Spectre can exploit your browser (that includes Steam which has a built-in web-browser).
 

thecapsaicinkid

Senior member
Nov 30, 2012
382
0
71
I'm trying to weigh up if it's worth trying to manually merge the updated Intel microcode into a current BIOS for my Haswell/Z97 system as an official update seems unlikely. Is there much in the way of gaming benchmarks for Haswell systems on the new microcode? I've only read some brief anecdotes that performance isn't affected much at all. The system in question is a purely gaming Windows 10 PC with some use of Google web apps in Chrome (YouTube etc.). How could this system be exploited remotely if no untrusted executables are executed? Site Isolation has been enabled in Chrome. Would others risk applying updated microcode to this machine?
 

snstr

Member
Aug 16, 2017
29
7
36
I'm trying to weigh up if it's worth trying to manually merge the updated Intel microcode into a current BIOS for my Haswell/Z97 system as an official update seems unlikely. Is there much in the way of gaming benchmarks for Haswell systems on the new microcode? I've only read some brief anecdotes that performance isn't affected much at all. The system in question is a purely gaming Windows 10 PC with some use of Google web apps in Chrome (YouTube etc.). How could this system be exploited remotely if no untrusted executables are executed? Site Isolation has been enabled in Chrome. Would others risk applying updated microcode to this machine?

The problem is that many programs bring their own built-in web browser (Steam, Stellaris Help, ...) for UI purposes. If they don't use proper site isolation or process isolation you might lose your account data or get hacked while using them. My personal opinion is that you should update.
 

thecapsaicinkid

Senior member
Nov 30, 2012
382
0
71
The problem is that many programs bring their own built-in web browser (Steam, Stellaris Help, ...) for UI purposes. If they don't use proper site isolation or process isolation you might lose your account data or get hacked while using them. My personal opinion is that you should update.
That's a good point. Wouldn't that only really be an issue though if you were redirected to an external site in the embedded browser with malicious code? I would probably do it if an official BIOS became available but hacking the microcode into an existing BIOS seems incredibly risky to me.
 

snstr

Member
Aug 16, 2017
29
7
36
Wouldn't that only really be an issue though if you were redirected to an external site in the embedded browser with malicious code?

I assume that, especially on sites/apps with user generated or external content (Online Help Wikis, ads in Skype or other apps), malicious JavaScript code snippets could be embedded or slip through the checks.
 

snstr

Member
Aug 16, 2017
29
7
36
That's a good point. Wouldn't that only really be an issue though if you were redirected to an external site in the embedded browser with malicious code? I would probably do it if an official BIOS became available but hacking the microcode into an existing BIOS seems incredibly risky to me.

Maybe you will get an update?
I'm not sure what is meant by "9-series motherboards" (link leads to a German site):
http://www.pcgameshardware.de/Mainboard-Hardware-154107/News/Spectre-BIOS-Updates-1247555/
 