 |
 |
Intel Gets Put On Notice (Page 2)
|
|
|
|
|
Moderator  Join Date: May 2001
Location: Hilbert space
Status:
Offline
|
|
But if I understand your argument, it'd be more accurate to say that TSX does not protect against it, correct? (Probably that's why I don't remember TSX being a part of the discussions I have read online.)
|
|
I don't suffer from insanity, I enjoy every minute of it.
|
| |
|
|
|
|
|
|
|
Moderator  Join Date: Apr 2000
Location: Gothenburg, Sweden
Status:
Offline
|
|
No, TSX is a mechanism. Say that you patch Meltdown (which is strictly a bug, and only affects Intel anyway). Also say that you patch Spectre 2 (Branch Target Injection), which is arguably a bug as well. (Equivalently, let's say AMD adds TSX, as specified, to Ryzen). Having done that, you can still use TSX to do a Meltdown-like attack to read any and all data from virtual memory. Spectre 1 cannot do that alone.
This was not publicized at all, most likely because TSX is still disabled in a lot of Intel chips.
|
|
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
|
| |
|
|
|
|
|
|
|
Moderator Join Date: May 2001
Location: Hilbert space
Status:
Offline
|
|
Just to get the nomenclature right: the way I understand it, nowadays Spectre and Meltdown refer to classes of attacks, and you can do Meltdown-type attacks either with or without TSX. Correct? That‘d make TSX a security feature which protects against other vulnerabilities, but not Meltdown-type attacks.
Getting back to the original discussion: I think it is quite interesting to see how these CPU-based attacks will change the road maps of the big chip companies.
|
|
I don't suffer from insanity, I enjoy every minute of it.
|
| |
|
|
|
|
|
|
|
Moderator Join Date: Apr 2000
Location: Gothenburg, Sweden
Status:
Offline
|
|
Not really. Meltdown is a very specific bug, where Intel CPUs will make a speculative read to a protected memory area and only catch it when it goes to retire. This is a bug, there are no advantages to Intel to doing it this way. The fix will be to make the check for the permission bit earlier, so you don't waste precious load/store unit resources on a read that will be prevented anyway. Intel will just patch this. The consequences are catastrophic, you can easily read all of current memory using this.
Spectre 1, Bounds Check Bypass, is a speculative read happening because you trained the branch predictor to assume that a certain read would happen when it wouldn't, according to program flow. This is hard to patch out, because it is inherent in how speculative execution works, but the consequences aren't so bad. You can't read all of system memory, and you can prevent it to some extent in software. Intel won't ever patch this.
Spectre 2, Branch Target Injection, lies somewhere in-between. The branch predictor will use information that it gained from executing user mode code when executing kernel mode code. This lets you affect what the BTB contains, therefore how it will guess when triggering an indirect branch in kernel mode. This is arguably a bug, and I think Intel will patch it too, but it is much harder to exploit.
The TSX thing is neither of these. You can say that it is a variant of Meltdown if you want, but it isn't really a bug. It works according to specification. Intel can change the specification - to say that you will trigger a segmentation fault if trying to read something you shouldn't, even if you're inside a TSX speculation - but right now, when implemented correctly, TSX will enable a bug that is not there otherwise.
|
|
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
 
|
|
|
Forum Rules
|
|
|
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
|
HTML code is Off
|
|
|
|
|
|
|
|
|
|
|
|
Top