undefined | Better HN

0 pointsmakomk6y ago0 comments

Not necessarily. This is more like Meltdown in that it involves one context just outright accessing data in a completely different context, and AMD chips seem to be totally immune from that attack. Any chip with a microarchitecture that actually enforces the architecturally-guaranteed checks, rather than ignoring them and fixing the results up later, can avoid such attacks.

Spectre, on the other hand, is harder both to fix in hardware and to attack because the victim context is itself tricked into speculatively executing code using attacker-supplied data that leaks information - it uses inherent properties of speculative execution rather than any kind of hardware bug, but it's only exploitable if there's some victim code that does exactly the right kind of processing on attacker-supplied data.

0 comments

kentonv6y ago

> This is more like Meltdown in that it involves one context just outright accessing data in a completely different context, and AMD chips seem to be totally immune from that attack.

No, AMD has been largely immune to bugs involving speculating past a page fault. Both Meltdown and L1TF involved speculating past page faults, and the ZombieLoad paper also mentions exploiting bad behavior during page faults (but, disclaimer, I haven't read in enough detail yet).

AMD was not immune to, for example, spectre variant 2, which very much did allow reading from other address spaces (even other VMs): https://www.amd.com/en/corporate/security-updates

In general it doesn't make sense to expect that any brand of processors might be vulnerable or invulnerable to all illegal memory access. There are many different components involved in handling memory access and many different ways they could go wrong.

makomkOP6y ago

Spectre variant 2 was a little more interesting in that it can trick the processor into speculative execution of something that's not a valid execution path for the victim context (by confusing it about the target of an indirect branch), but it still relies on the speculative execution happening in a context that is meant to have access to the targetted data. It's sort of halfway between this and the other Spectre variants; it can be fixed in hardware or software.

All three of these latest vulnerabilities are like Meltdown and L1TF in that they just allow speculative execution to completely ignore hardware-level access protections and read data from a completely different process, and there's nothing that can be done about it at the software level. (Originally, the comment you're replying to was posted on a discussion about all three, if I remember rightly.) All of these affect Intel but not AMD. It's not like modern AMD chips are exactly poor performers either.

kentonv6y ago

> All three of these latest vulnerabilities are like Meltdown and L1TF in that they just allow speculative execution to completely ignore hardware-level access protections and read data from a completely different process

Not really. These attacks are completely different from Meltdown and L1TF in that they don't involve reading from memory at all. They involve hidden processor state that contains values that were recently used in another context. The attacker never explicitly specifies an address they are interested in -- they just get whatever's floating around.

A comparable (but much more obvious) bug would be if the OS failed to clear registers when switching contexts. Although the values in those registers may have at one point been read from memory, the attacker recovering those values isn't directly accessing the victim's memory.

Your comments seem to be arguing that AMD isn't affected by these bugs for the same reason they weren't affected by Meltdown. But these bugs operate in a totally different way and exploit totally different components. There doesn't appear to be any reason to believe they are related.

I think the reason AMD isn't affected likely has to do with the fact that these attacks are targeting specific implementation details of Intel processors, which AMD processors probably just happen to implement differently. (Indeed, Fallout appears to be attacking outright unintentional behavior -- it would be surprising if multiple CPUs had the same bug.) It seems likely to me that AMD has different bugs which haven't been found yet, perhaps mostly because researchers haven't focused on them.

(Disclosure: I own some AMD stock. I don't own Intel stock. I have no other affiliation with either company.)

1 more reply

dfrage6y ago

And ARM had one design that had a Meltdown variant, and both of IBMs', POWER and mainframe as well. Every vendor with speculative out-of-order designs is vulnerable to Spectre.

j / k navigate · click thread line to collapse

0 comments

kentonv6y ago

> This is more like Meltdown in that it involves one context just outright accessing data in a completely different context, and AMD chips seem to be totally immune from that attack.

AMD was not immune to, for example, spectre variant 2, which very much did allow reading from other address spaces (even other VMs): https://www.amd.com/en/corporate/security-updates

makomkOP6y ago

kentonv6y ago

(Disclosure: I own some AMD stock. I don't own Intel stock. I have no other affiliation with either company.)

1 more reply

dfrage6y ago

And ARM had one design that had a Meltdown variant, and both of IBMs', POWER and mainframe as well. Every vendor with speculative out-of-order designs is vulnerable to Spectre.

j / k navigate · click thread line to collapse