AMD will tell you it’s not that big a deal: The chip giant believes this vulnerability is only potentially exploitable locally, such as via downloaded malware. Nevertheless, AMD “recommends customers employ security best practices, including running up-to-date software and malware detection tools.”
However, the ETH Zurich security researchers who found the flaw aren’t so optimistic. They believe Inception could be used by an attacker in cloud computing, where customers commonly share the same processing hardware resources.
The researchers say that Inception is a new class of transient execution attacks that uses Training in Transient Execution (TTE). Instead of attempting to leak data in a transient window, TTE attacks abuse the transient window to insert new predictions into the branch predictor. Combined with the Phantom, which is a way of triggering transient windows from arbitrary instructions, Inception can be a nasty way to vacuum down private data.
Also: If you’re looking to up your desktop computer security, Linux might be your best bet
Amusingly, veteran Linux kernel developer Peter Zijlstra, who is affiliated with Intel, refined the AMD patches. It’s somewhat ironic to witness an Intel engineer spearheading the kernel’s refinement of AMD mitigation code. Welcome to the open-source community spirit!
The Linux kernel developers also addressed the Intel Gather Data Sampling (GDS) vulnerability, known as Downfall. This particular vulnerability affects Intel Core processors from the 6th-generation Skylake to the 11th-generation Tiger Lake. In short, chances are your PC, your servers, and your cloud processors are all vulnerable.
According to Daniel Moghimi, the Google senior research scientist who discovered Downfall, “The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not normally be accessible.”
So, how bad is it? Moghimi has shown that an exploit can be used to steal another user’s security keys and passwords. Worst still, such attacks are “Highly practical,” Moghimi notes. “It took me two weeks to develop an end-to-end attack stealing encryption keys from OpenSSL. It only requires the attacker and victim to share the same physical processor core, which frequently happens on modern-day computers, implementing preemptive multitasking and simultaneous multithreading.”
Also: AMD vs Intel: Which desktop processor is right for you?
Intel Software Guard Extensions (SGX), an Intel hardware security feature available on Intel CPUs to protect users’ data against malicious software, is also helpless against this vulnerability.
For some users, the fix may seem more trouble than the problem. According to Intel, some workloads may experience up to 50% overhead. That’s some slowdown! Moghimi warns, however, “This is a bad idea. Even if your workload does not use vector instructions, modern CPUs rely on vector registers to optimize common operations, such as copying memory and switching register content.”
For Linux, however, the slowdown may not be that bad. Michael Larabel, a Linux software engineer and editor-in-chief of the hardcore Linux site Phoronix, has benchmarked the Downfall patches. Larabel found that instead of impacting I/O or user-space and kernel interactions — as the fixes for Meltdown, Spectre, and their relatives did — Downfall’s fix impairs user-space bound software only. He also found that while the performance hit tended to be not as bad as Intel predicted, there were still some significant slowdowns.
The Linux security patches have been incorporated into the Linux Git for the upcoming Linux 6.5 kernel. The latest stable point releases incorporating these patches include Linux versions 6.4.9, 6.1.44, 5.15.125, 5.10.189, 4.19.290, and 4.14.321. These releases encompass the current Linux 6.4 stable series and the supported Long-Term Support (LTS) series kernels.
Also: The best all-in-one computers: Mac, Lenovo, and more compared
The patches facilitate the reporting of the CPU speculative execution vulnerabilities state and introduce new controls to modify their behavior in conjunction with the latest CPU microcode. Of course, for these patches to work, you must also install the AMD and Intel microcode updates.
So, what should you do? Get ready to install the new microcode as soon as it’s available. Then, follow up, by patching your Linux systems as the patches become available. This won’t be a big deal for Linux desktop users, but it will be for those of you running Linux on your servers and clouds.
See also
How to install Ubuntu Linux (It’s easy!)
How to run a Windows app on Linux with Wine
How to get started with Git on Linux
How to kill a process in Linux
How to install Ubuntu Linux (It’s easy!)
How to run a Windows app on Linux with Wine
How to get started with Git on Linux
How to kill a process in Linux
Article source: https://www.zdnet.com/article/amd-and-intel-cpu-security-bugs-bring-linux-patches/#ftag=RSSbaffb68