this post was submitted on
91 points (98% upvoted)
shortlink:

Amd

95,022 readers

3,332 users here now

/r/AMD Community

AMD Official Community

Filters: AMD CPU APU GPU NEWS REVIEW RUMOR PHOTO

Latest Drivers & Tech Support

General Information

Welcome to /r/AMD! In this subreddit, we discuss and share news, rumors, ideas, and knowledge relating to AMD, their hardware and software products, and the silicon industry.

Please note that this subreddit is community run and does not represent AMD unless otherwise specified.

Rules

Rule 1: Tech support questions are only allowed in tech support megathreads and must instead be posted at /r/AMDHelp or /r/techsupport . Any other tech support posts will be removed at moderator discretion.

Rule 2: No referral links, including Amazon! Product links are fine, affiliate or referral links that benefit you are not.

Rule 3: Be civil and obey reddiquette. Please remember that behind every poster is a human. This means no brigade incitements, personal attacks, etc.

Rule 4: Use of slurs of any kind, racial, homophobic, or whatever, in any context will result in a ban. This includes derogatory comments such as "retard". There's no need for petty insults on this sub.

Rule 5: All posts must be related to AMD or AMD products. Example of okay: RX480 vs 1060. Not okay: GTX 1060 vs 1080.

Rule 6: No religion/politics! There are plenty of other places for that.

Rule 7: Use original sources. Copypasta articles sourced from other websites are not allowed. Quotes are fine, but pasting the entire article in a textpost is not. Original articles are always better than a reddit textpost.

Rule 8: Shitposts, memes, and plain box pictures are not allowed as linkposts (you can still include them within normal posts or comments). Visit /r/AyyMD for dank shitposts and memes. Strawpolls are not allowed.

Rule 9: The moderators of /r/AMD reserve the right to allow posts or comments that could technically break rules #1 (tech support) or #8 (no memes), when a situation has arisen where the post is especially necessary, funny, educational, or useful to the users of the subreddit. Reports are always welcome, but remember that content sometimes remains up due to this rule, rather than because of lack of moderator work.

Rule 10: No bamboozling

Links

Related Subreddits

/r/hardware
/r/Intel
/r/NVIDIA

/r/PCGaming
/r/PCMasterRace
/r/ultrawidemasterrace

/r/AyyMD

/r/AMDHelp
/r/techsupport

/r/AMD_Stock

created by jecroisModeratora community for
message the moderators

MODERATORS

×

90
91

DiscussionTechnical Analysis of Spectre & Meltdown (self.Amd)

submitted by KromaatikseRyzen 1300X + RX480 Red Devil

This has been a very interesting New Year - and I have something technical to wax lyrical about again. There's a lot of flak and misinformation flying around, and it's hard for most people to see what, precisely, is going on. That's understandable, since what is going on is pretty weird.

So here's a brief summary of what, exactly, the three security vulnerabilities are:

Spectre v1: "Bounds-Check Bypass".

The CPU is tricked into speculatively loading data from outside the bounds of an array which is bounds-checked, ie. at a virtual address chosen by the attacker. The bounds-check means that the data is never actually loaded into registers visible to the program. However, the data can be passed through several subsequent speculative instructions, including loads from dependent addresses, so cache-timing effects can be used as a side-channel to exfiltrate the data. The data, however, must legitimately be readable by the same process.

This vulnerability is difficult to exploit usefully. In most cases where it's possible to inject code to perform the attack, you can simply inject code to read the data directly, instead. Proofs of concept use JIT compilers (eBPF and Javascript) to implement the attack.

Vulnerable CPUs: Potentially anything with branch-prediction and a sufficiently deep pipeline. This is not an x86-specific exploit. The newer the CPU, the more likely it is vulnerable. In particular on the AMD side, Piledriver, Excavator and Ryzen are confirmed to be vulnerable - but this is nothing special. Potentially even K6 and Pentium Pro are vulnerable, but early Atoms and the Pentium-MMX are not.

Software Mitigation: Bounds-checked array accesses in untrusted JIT-compiled code should be associated with a memory barrier, so that the array access itself is not speculatively executed with respect to the bounds check. This has a small performance impact on JIT-compiled code.

Spectre v2: "Branch Target Injection".

The CPU is tricked into mispredicting an indirect branch (commonly used to implement 'virtual' functions in C++, or jump tables in the kernel) to speculatively execute program code chosen by the attacker. This code can directly read data visible to the process executing the branch, then perform a dependent read to permit exfiltration over the same cache-timing side-channel as Spectre v1. The exfiltrated data may reside in a privileged address space, if the targeted branch happens to be in privileged code.

The architectural results of this speculative execution are cancelled when the true branch target becomes known to the CPU, and true execution resumes from the correct address; it is therefore difficult to detect that the attack has taken place. The branch-target injection can be performed by another process or thread executing on the same CPU core as the target process, since the Branch Target Buffer (BTB) is shared between them.

This vulnerability is potentially useful to a local attacker. It can obtain secret data from a privileged address space, such as cryptographic tokens or the location of a viable Rowhammer target.

Vulnerable CPUs: This attack requires poisoning the CPU's BTB. This is easy on at least Intel Haswell CPUs (and probably some other Intel CPUs), because BTB entries are aliased in a very predictable way. Some recent ARM Cortex-A series CPU cores are reportedly vulnerable too, for the same reason. It is much more difficult on all AMD CPUs, because BTB entries are not aliased - the attacker must know (and be able to execute arbitrary code at) the exact address of the targeted branch instruction.

Software Mitigation: Indirect branches that can be mispredicted should be removed from privileged code. This is apparently being done in the Linux kernel on vulnerable CPUs. It's not yet clear what the performance impact is, but it should be small.

Meltdown: "Rogue Data Cache Load".

The CPU is tricked into speculatively loading data which is in the L1 D-cache, but which is marked as unreadable in the page tables. Such data is typically accessible to privileged code running in the same process (eg. upon executing a syscall), and is left mapped but unreadable as a performance optimisation. As with the Spectre attacks, the attack relies on passing the data through further speculatively-executed instructions to perform side-channel exfiltration, and normal execution resumes with no obvious side-effects once the speculation window closes.

This vulnerability is potentially useful to a local attacker. It can obtain secret data from a privileged address space, such as cryptographic tokens or the location of a viable Rowhammer target.

Vulnerable CPUs: This attack requires that the CPU fails to promptly check security flags while performing L1 D-cache loads for a speculatively-executed instruction. Various Intel CPUs (the full extent is not yet clear) are vulnerable. AMD CPUs are not vulnerable.

Software Mitigation: Operating Systems can fully unmap privileged address spaces, instead of merely marking them as inaccessible, when kernel-mode code is not being executed. This means that the rogue load in the attack code will not find the target data. This carries a significant overhead for each syscall, because switching to the alternative page tables and back requires flushing the TLBs twice. Some syscall-heavy workloads could see 30% or worse slowdown. Workloads which make few syscalls, or which are bottlenecked by other components, will see little or no degradation.

Happy New Year, everyone!

all 13 comments
sorted by:
best
topnewcontroversialoldq&a

[–]iBstoneyDaveR7 1700 @3.8 | 16GB3200 | RX580 8G 9 points10 points  (0 children)

Thanks dude, very helpful. Was starting to get a headache from all the "bits and pieces" articles out there contradicting each other.

[–]tomun 6 points7 points  (1 child)

Here's AMD's own page on Spectre and Meltdown. https://www.amd.com/en/corporate/speculative-execution

[–]Pie-in-Sky 3 points4 points  (0 children)

Yes I saw that, however it is sparse on details and as the saying goes "the devil is in the details".

[–]BadReIigionRyzen 7 2 points3 points  (0 children)

thanks!

[–]RaptaGzusXeon X5670 @ 4.4Ghz | PowerColor PCS+ R9 290 2 points3 points  (1 child)

Cheers!

For anyone with questions, there might be some answered here: https://meltdownattack.com/

An ELI5 on Meltdown:

In Intel CPUs certain instructions are executed before they are checked (aka speculatively [automatically]) which can increase CPU performance depending on the task. Attackers can exploit this blind eye on checking and trick the CPU into execute instructions which make the CPU reveal bits of data stored in memory. By repeating this process over and over, an attacker could retrieve all of the data stored in memory, which can include things such as passwords.

The software fix stops this speculative (unchecked) execution of instructions, however impacts performance in two ways while doing so; (1) because instructions aren't executed without checking so can't be completed as fast, and (2) because it's a software fix which is not as efficient as a hardware one. This is why general performance impact on systems which do a lot of context switching (e.g. running lots of virtual machines) can see an up to 30% impact on performance or more, depending on the task run.

Fortunately, things which do little context switching like user applications (e.g. video editing, encoding, playing games, and browsing) generally have no performance impacted.

Also, since AMD processors (Zen at least) don't speculatively execute instructions, they don't need the software fix applied so don't lose out on any performance.

More in-depth information on Meltdown here: https://meltdownattack.com/meltdown.pdf

[–]spacemanspiff888i7 7700k | GTX 1080Ti | 16GB 3000MHz [score hidden]  (0 children)

Also, since AMD processors (Zen at least) don't speculatively execute instructions, they don't need the software fix applied so don't lose out on any performance.

I've read this from multiple sources, but I've yet to see confirmation that Windows won't simply implement a blanket fix that affects performance for everyone regardless of hardware. Does anyone yet know, or are there any benchmarks on AMD systems running Windows that show a before and after confirming this one way or the other?

[–]Pie-in-Sky 1 point2 points  (4 children)

Thanks for supplying this.

How likely is it that variant 1 will be exploited in the real world for AMD processors like FX or Phenom? Or is it mostly academic?

[–]Amdestroyer94AMD 2 points3 points  (2 children)

Amd has already stated that they have fixed variant 1 with patch with negligible performance impact

[–]KromaatikseRyzen 1300X + RX480 Red Devil[S] 4 points5 points  (0 children)

Given the nature of the attack, I'd be very interested to see how they did that.

EDIT: I've found some hints on how to mitigate both variants of Spectre, and added them to the main post.

[–]okinsahn 0 points1 point  (0 children)

was this confirmation through the press release yesterday? ie they were saying none of their processors are impacted?

[–]KromaatikseRyzen 1300X + RX480 Red Devil[S] 1 point2 points  (0 children)

I can see it being used as part of another attack, but it's not something I'd worry about too much. For most end-users, the fact that browsers now widely use process separation closes the biggest attack surface, which exists because browsers have JIT compilers (for Javascript).

[–]RedPetrichor [score hidden]  (1 child)

Thanks a lot!

Could you explain what Alex Ionescu is talking about in these two tweets about the patches ?

https://twitter.com/aionescu/status/948818841747955713

https://twitter.com/aionescu/status/948817335980142592

[–]KromaatikseRyzen 1300X + RX480 Red Devil[S] [score hidden]  (0 children)

I have no idea what the first one's about. The second one appears to refer to "retpolines".

Use of this site constitutes acceptance of our User Agreement and Privacy Policy. © 2018 reddit inc. All rights reserved.

REDDIT and the ALIEN Logo are registered trademarks of reddit inc.

Advertise - technology

π Rendered by PID 126066 on app-192 at 2018-01-04 15:18:13.647011+00:00 running d7891c4 country code: JP.

this post was submitted on
87 points (97% upvoted)
shortlink:

Amd

95,022 readers

3,332 users here now

/r/AMD Community

AMD Official Community

Filters: AMD CPU APU GPU NEWS REVIEW RUMOR PHOTO

Latest Drivers & Tech Support

General Information

Welcome to /r/AMD! In this subreddit, we discuss and share news, rumors, ideas, and knowledge relating to AMD, their hardware and software products, and the silicon industry.

Please note that this subreddit is community run and does not represent AMD unless otherwise specified.

Rules

Rule 1: Tech support questions are only allowed in tech support megathreads and must instead be posted at /r/AMDHelp or /r/techsupport . Any other tech support posts will be removed at moderator discretion.

Rule 2: No referral links, including Amazon! Product links are fine, affiliate or referral links that benefit you are not.

Rule 3: Be civil and obey reddiquette. Please remember that behind every poster is a human. This means no brigade incitements, personal attacks, etc.

Rule 4: Use of slurs of any kind, racial, homophobic, or whatever, in any context will result in a ban. This includes derogatory comments such as "retard". There's no need for petty insults on this sub.

Rule 5: All posts must be related to AMD or AMD products. Example of okay: RX480 vs 1060. Not okay: GTX 1060 vs 1080.

Rule 6: No religion/politics! There are plenty of other places for that.

Rule 7: Use original sources. Copypasta articles sourced from other websites are not allowed. Quotes are fine, but pasting the entire article in a textpost is not. Original articles are always better than a reddit textpost.

Rule 8: Shitposts, memes, and plain box pictures are not allowed as linkposts (you can still include them within normal posts or comments). Visit /r/AyyMD for dank shitposts and memes. Strawpolls are not allowed.

Rule 9: The moderators of /r/AMD reserve the right to allow posts or comments that could technically break rules #1 (tech support) or #8 (no memes), when a situation has arisen where the post is especially necessary, funny, educational, or useful to the users of the subreddit. Reports are always welcome, but remember that content sometimes remains up due to this rule, rather than because of lack of moderator work.

Rule 10: No bamboozling

Links

Related Subreddits

/r/hardware
/r/Intel
/r/NVIDIA

/r/PCGaming
/r/PCMasterRace
/r/ultrawidemasterrace

/r/AyyMD

/r/AMDHelp
/r/techsupport

/r/AMD_Stock

created by jecroisModeratora community for
message the moderators

MODERATORS

×

86
87

DiscussionTechnical Analysis of Spectre & Meltdown (self.Amd)

submitted by KromaatikseRyzen 1300X + RX480 Red Devil

This has been a very interesting New Year - and I have something technical to wax lyrical about again. There's a lot of flak and misinformation flying around, and it's hard for most people to see what, precisely, is going on. That's understandable, since what is going on is pretty weird.

So here's a brief summary of what, exactly, the three security vulnerabilities are:

Spectre v1: "Bounds-Check Bypass".

The CPU is tricked into speculatively loading data from outside the bounds of an array which is bounds-checked, ie. at a virtual address chosen by the attacker. The bounds-check means that the data is never actually loaded into registers visible to the program. However, the data can be passed through several subsequent speculative instructions, including loads from dependent addresses, so cache-timing effects can be used as a side-channel to exfiltrate the data. The data, however, must legitimately be readable by the same process.

This vulnerability is difficult to exploit usefully. In most cases where it's possible to inject code to perform the attack, you can simply inject code to read the data directly, instead. Proofs of concept use JIT compilers (eBPF and Javascript) to implement the attack.

Vulnerable CPUs: Potentially anything with branch-prediction and a sufficiently deep pipeline. This is not an x86-specific exploit. The newer the CPU, the more likely it is vulnerable. In particular on the AMD side, Piledriver, Excavator and Ryzen are confirmed to be vulnerable - but this is nothing special. Potentially even K6 and Pentium Pro are vulnerable, but early Atoms and the Pentium-MMX are not.

Software Mitigation: Bounds-checked array accesses in untrusted JIT-compiled code should be associated with a memory barrier, so that the array access itself is not speculatively executed with respect to the bounds check. This has a small performance impact on JIT-compiled code.

Spectre v2: "Branch Target Injection".

The CPU is tricked into mispredicting an indirect branch (commonly used to implement 'virtual' functions in C++, or jump tables in the kernel) to speculatively execute program code chosen by the attacker. This code can directly read data visible to the process executing the branch, then perform a dependent read to permit exfiltration over the same cache-timing side-channel as Spectre v1. The exfiltrated data may reside in a privileged address space, if the targeted branch happens to be in privileged code.

The architectural results of this speculative execution are cancelled when the true branch target becomes known to the CPU, and true execution resumes from the correct address; it is therefore difficult to detect that the attack has taken place. The branch-target injection can be performed by another process or thread executing on the same CPU core as the target process, since the Branch Target Buffer (BTB) is shared between them.

This vulnerability is potentially useful to a local attacker. It can obtain secret data from a privileged address space, such as cryptographic tokens or the location of a viable Rowhammer target.

Vulnerable CPUs: This attack requires poisoning the CPU's BTB. This is easy on at least Intel Haswell CPUs (and probably some other Intel CPUs), because BTB entries are aliased in a very predictable way. Some recent ARM Cortex-A series CPU cores are reportedly vulnerable too, for the same reason. It is much more difficult on all AMD CPUs, because BTB entries are not aliased - the attacker must know (and be able to execute arbitrary code at) the exact address of the targeted branch instruction.

Software Mitigation: Indirect branches that can be mispredicted should be removed from privileged code. This is apparently being done in the Linux kernel on vulnerable CPUs. It's not yet clear what the performance impact is, but it should be small.

Meltdown: "Rogue Data Cache Load".

The CPU is tricked into speculatively loading data which is in the L1 D-cache, but which is marked as unreadable in the page tables. Such data is typically accessible to privileged code running in the same process (eg. upon executing a syscall), and is left mapped but unreadable as a performance optimisation. As with the Spectre attacks, the attack relies on passing the data through further speculatively-executed instructions to perform side-channel exfiltration, and normal execution resumes with no obvious side-effects once the speculation window closes.

This vulnerability is potentially useful to a local attacker. It can obtain secret data from a privileged address space, such as cryptographic tokens or the location of a viable Rowhammer target.

Vulnerable CPUs: This attack requires that the CPU fails to promptly check security flags while performing L1 D-cache loads for a speculatively-executed instruction. Various Intel CPUs (the full extent is not yet clear) are vulnerable. AMD CPUs are not vulnerable.

Software Mitigation: Operating Systems can fully unmap privileged address spaces, instead of merely marking them as inaccessible, when kernel-mode code is not being executed. This means that the rogue load in the attack code will not find the target data. This carries a significant overhead for each syscall, because switching to the alternative page tables and back requires flushing the TLBs twice. Some syscall-heavy workloads could see 30% or worse slowdown. Workloads which make few syscalls, or which are bottlenecked by other components, will see little or no degradation.

Happy New Year, everyone!

all 13 comments
sorted by:
best
topnewcontroversialoldq&a

[–]iBstoneyDaveR7 1700 @3.8 | 16GB3200 | RX580 8G 9 points10 points  (0 children)

Thanks dude, very helpful. Was starting to get a headache from all the "bits and pieces" articles out there contradicting each other.

[–]tomun 6 points7 points  (1 child)

Here's AMD's own page on Spectre and Meltdown. https://www.amd.com/en/corporate/speculative-execution

[–]Pie-in-Sky 3 points4 points  (0 children)

Yes I saw that, however it is sparse on details and as the saying goes "the devil is in the details".

[–]BadReIigionRyzen 7 2 points3 points  (0 children)

thanks!

[–]RaptaGzusXeon X5670 @ 4.4Ghz | PowerColor PCS+ R9 290 2 points3 points  (1 child)

Cheers!

For anyone with questions, there might be some answered here: https://meltdownattack.com/

An ELI5 on Meltdown:

In Intel CPUs certain instructions are executed before they are checked (aka speculatively [automatically]) which can increase CPU performance depending on the task. Attackers can exploit this blind eye on checking and trick the CPU into execute instructions which make the CPU reveal bits of data stored in memory. By repeating this process over and over, an attacker could retrieve all of the data stored in memory, which can include things such as passwords.

The software fix stops this speculative (unchecked) execution of instructions, however impacts performance in two ways while doing so; (1) because instructions aren't executed without checking so can't be completed as fast, and (2) because it's a software fix which is not as efficient as a hardware one. This is why general performance impact on systems which do a lot of context switching (e.g. running lots of virtual machines) can see an up to 30% impact on performance or more, depending on the task run.

Fortunately, things which do little context switching like user applications (e.g. video editing, encoding, playing games, and browsing) generally have no performance impacted.

Also, since AMD processors (Zen at least) don't speculatively execute instructions, they don't need the software fix applied so don't lose out on any performance.

More in-depth information on Meltdown here: https://meltdownattack.com/meltdown.pdf

[–]spacemanspiff888i7 7700k | GTX 1080Ti | 16GB 3000MHz [score hidden]  (0 children)

Also, since AMD processors (Zen at least) don't speculatively execute instructions, they don't need the software fix applied so don't lose out on any performance.

I've read this from multiple sources, but I've yet to see confirmation that Windows won't simply implement a blanket fix that affects performance for everyone regardless of hardware. Does anyone yet know, or are there any benchmarks on AMD systems running Windows that show a before and after confirming this one way or the other?

[–]Pie-in-Sky 1 point2 points  (4 children)

Thanks for supplying this.

How likely is it that variant 1 will be exploited in the real world for AMD processors like FX or Phenom? Or is it mostly academic?

[–]Amdestroyer94AMD 2 points3 points  (2 children)

Amd has already stated that they have fixed variant 1 with patch with negligible performance impact

[–]KromaatikseRyzen 1300X + RX480 Red Devil[S] 4 points5 points  (0 children)

Given the nature of the attack, I'd be very interested to see how they did that.

EDIT: I've found some hints on how to mitigate both variants of Spectre, and added them to the main post.

[–]okinsahn 0 points1 point  (0 children)

was this confirmation through the press release yesterday? ie they were saying none of their processors are impacted?

[–]KromaatikseRyzen 1300X + RX480 Red Devil[S] 1 point2 points  (0 children)

I can see it being used as part of another attack, but it's not something I'd worry about too much. For most end-users, the fact that browsers now widely use process separation closes the biggest attack surface, which exists because browsers have JIT compilers (for Javascript).

[–]RedPetrichor [score hidden]  (1 child)

Thanks a lot!

Could you explain what Alex Ionescu is talking about in these two tweets about the patches ?

https://twitter.com/aionescu/status/948818841747955713

https://twitter.com/aionescu/status/948817335980142592

[–]KromaatikseRyzen 1300X + RX480 Red Devil[S] [score hidden]  (0 children)

I have no idea what the first one's about. The second one appears to refer to "retpolines".

Use of this site constitutes acceptance of our User Agreement and Privacy Policy. © 2018 reddit inc. All rights reserved.

REDDIT and the ALIEN Logo are registered trademarks of reddit inc.

Advertise - technology

π Rendered by PID 49190 on app-152 at 2018-01-04 15:18:07.051820+00:00 running d7891c4 country code: JP.