
‘It Can’t Be True’ – Inside the Semiconductor Industry’s Meltdown - o_nate
https://www.bloomberg.com/news/articles/2018-01-08/-it-can-t-be-true-inside-the-semiconductor-industry-s-meltdown
======
o_nate
This article made it easier for me to understand how various independent
researchers could have arrived at the same discovery around the same time. It
seems like Fogh was informally pushing the idea in private discussions, and
then after Horn found the first PoC and notified Intel, other researchers got
suspicious by the patches being submitted and put 2 and 2 together.

------
jedmeyers
"Last week, his worst fears were proved right when Intel, one of the world’s
largest chipmakers, said all modern processors can be attacked by techniques
dubbed Meltdown and Spectre".

Seems like a sneaky reporting by Bloomberg - has Intel actually said that "all
modern processors can be attacked by ... Meltdown"?

~~~
makomk
They're basically just regurgitating the sneakiness of Intel's official press
release, which just said that all modern processors were affected and it
wasn't an Intel-specific problem without clarifying in any way that the most
serious problem was Intel-specific.

------
golergka
> Spectre fools the processor into running speculative operations -- ones it
> wouldn’t normally perform -- and then uses information about how long the
> hardware takes to retrieve the data to infer the details of that
> information.

After reading several in-depth analysis of this vulnerability and then trying
to explain my non-tech friends what this is all is about (disclaimer: I'm just
a developer and don't work with assembly, processors or security), I have to
admit that it's a pretty awesome executive summary of the issue for a non-
technical reader.

~~~
ptaipale
It's slightly wrong, proposal for improvement:

Spectre fools the processor into running speculative operations -- ones that
it usually executes "just in case" and then throws the result away if it is
not needed -- and then uses information about how long the hardware takes to
retrieve the data to infer the details of that information.

------
shock
> _Last week, his worst fears were proved right when Intel, one of the world’s
> largest chipmakers, said all modern processors can be attacked by techniques
> dubbed Meltdown and Spectre, exposing crucial data, such as passwords and
> encryption keys._

Intel was extremely lucky that Spectre was discovered at the same time as
Meltdown, otherwise Intel would've been standing alone facing the industry.

------
3chelon
Having read the tech reports myself, the interviewee on the Bloomberg report
seemed to be most sensible talking head I've yet seen in the media. While most
of the press are shouting that we're all pwned and it's Intel's fault or
Apple's fault, or whoever, I'm of the opinion that this is one _seriously_
difficult bug to exploit.

The speculative branch predication vulnerability seems to basically depend on
finding a specific instruction sequence in the target code and then going to
some extraordinary lengths to exploit it via a highly convoluted side-channel.

My first thought when I started to appreciate the technical details were that
this was a Bletchley Park level of exploit, or "nation state" as the man in
the interview said. And whilst it's completely possible that the exploit could
be packaged up for script kiddies, it seems to me unlikely that someone with
the necessary skills would do that, because the return would be too low. But
states spying on each other: that seems a much more likely scenario for this.

~~~
collyw
I am not an expert in these matters in any way, but most vulnerabilities
appear fairly difficult to exploit to me (as an application developer).

Isn't it usually the case that someone scripts (difficult parts of) the
process and then it is a lot easier to exploit?

~~~
3chelon
Yes, but my point is I think the exploit would be extremely difficult, and any
agent capable of doing it would not be too interested in making it available
to anyone else. Perhaps I'm naive, but it feels like the kind of thing
government agencies would keep in their own armouries.

~~~
pixl97
This

>I think the exploit would be extremely difficult,

and this

>The idea nagged at Prescher, so when he got home he fired up his desktop
computer and set about putting the theory into practice. At 2 a.m., a
breakthrough: he’d strung together code that reinforced Fogh’s idea and
suggested there was something seriously wrong.

Don't seem to match up. It may be hard, but even a security researcher doesn't
bust a hard to exploit hole open in a few hours overnight. I believe that this
was an area where no one was looking and now that its out in the open it will
be much easier for others to exploit.

~~~
3chelon
Yes, but again, proving there's an exploit is different to implementing it and
actually stealing someone's banking details (which is the media definition of
a scary hack). And you say "even a security researcher"... surely they are the
guys most likely to be able to perform the exploit, in real life?

~~~
solarkraft
To prove the vulnerability is exploitable I'd ideally do ahead and do it. Has
this not been done?

------
dandare
Is this Brian White for real?

Host: Who could exploit this vulnerability...? White: Those that have
significant resources, for instance, Google... (mentions nation-states much
later)

Nice FUD there.

White: what is important here, there are no known attacks ongoing right now...

Nice argument from ignorance there.

White: there is a lot of things we don't know but it reinforces two things to
me, one is that increasingly the software we are operating is quite secure,
coz now we are looking at kernel level problems...

Nice false cause fallacy.

~~~
wickawic
You should argue the points, not label the fallacies. Would you rather White
say “well there’s probably attacks, but no one knows!”? This is just as
incorrect as his statement, the problem being that /no one knows./

The FUD is real though.

~~~
rando444
Arguing logical fallacies is a waste of time and effort.

They are things that never should have been said in the first place because
they're only made to deflect, detract, or support a nonsensical argument.

If you get caught up in trying to defend against these things you've already
fallen into their trap.

~~~
pessimizer
People frequently use logical fallacies in good faith, usually because they're
falling for one of the many permutations of the law of averages, using
associative logic/magical thinking, or just have some axiomatic beliefs that
they believe are somehow sinful/wrong to scrutinize due to their
religion/loyalty.

~~~
rando444
Very true, I think the point still stands though that the best thing to do is
to point them out rather than to try and argue them.. otherwise you end up
legitimizing the discussion and going off on some irrelevant tangent rather
than debating something worthwhile.

------
thriftwy
Is it just me who now thinks there should be some gigantic holes in processor
security, which were just never stumbled upon before, but now will?

Similarly how there was a long and happy life of flash plugin before it was
recognized as a massive vulnerability surface?

~~~
leoc
I'm finding it hard to escape the suspicion that Spectre and (to a lesser
extent) Meltdown is another failure of expertise on the same rough scale as
the run-up to the financial crisis, the decades of bad or poorly-justified
dietary advice, and the statistical problems in experimental psychology. On
the face of it, it seems obvious that speculation + cache + protected mode was
a combination likely ripe for exploitation, but the response seems to have
been "nah, it'll be fine, probably"? And even if it for some reason wasn't
obvious, it's now clear that it actually was the case. So the academic _and_
industrial _and_ bad-boy "security community" collectively more or less let
the CPU manufacturers take a flyer on this for, what, a decade?

~~~
graycat
Speculative execution, out of order execution, branch prediction have been in
processor designs at least back to the 1980s.

~~~
leoc
Sure. I had Meltdown specifically on the brain when I wrote that, sorry. It
hardly needs saying that the preconditions for Spectre-like attacks being
around for _several_ decades doesn't make the situation any less embarrassing.
(That said, I don't know whether things like eg. increasing pipeline depths
only made actual attacks feasible relatively recently.)

------
CaliforniaKarl
I didn't see any mention of weather Linus et al were on the inside of this.
The impression I get from the article is that they weren't. But that must be
wrong, right?

~~~
nsnick
He does live less than 20 miles from Intel. They could have just driven to his
house to let him know.

~~~
prewett
I can imagine Linus Torvalds happily working one bright California afternoon
and gets a knock at the door. Two men say they are from Intel and need to
discuss a serious bug with him. Wondering what could be so bad that Intel pays
him a personal visit, he invites them into the sitting room, gets them some
tea/coffee. Then they describe the problem.

What I want to know is what happens next? Is Linus (or "Mr. Torvolds" to me)
silently shocked? Does he go on a LKML-style rant? Immediately whip out his
laptop and code up an exploit just to see if it's actually true? All of them?

(Mostly I just want to hear him rant, I love his well-informed, opinionated
take-downs of lousy ideas. Although it's probably a toxic environment to work
it.)

~~~
nsnick
One problem. Linus Torvalds lives in Oregon.

~~~
deelowe
Which is where Intel is located...

------
gumby
Headline hyperbole. Applications of high end CPU suffer. That AVR-equipped
light bulb doesn’t, nor do voltage regulators or DRAMs (though they could
suffer if fewer devices are built...which won’t happen)

~~~
katastic
That's actually an interesting accidental point.

How many embedded CPU's with speculation might be affected? You may say "none"
but there are Cortex CPUs embedded into FPGAs (either directly or form of IP
cores). What if enterprise routers have them? What if TVs have them?

I know many Cortex's aren't affected. The point is, anything that needs a
"fast enough" CPU to benefit from OoO scheduling is possibly at risk, right?
So while most embedded devices use cheaper, less complex CPUs, there are
plenty that don't--as more powerful CPUs (which offer speculation) are
becoming cheaper and cheaper.

A Raspberry Pi 3 has a Cortex-A53 (because they're cheap). They're luckily not
affected, but those CPUs and faster are cheap enough to throw onto a $35
retail price computer. What's running in your $800 internet-connected 4K TV?

Per the Pi 3 explaination page:

>Examples of out-of-order processors include the Intel Pentium 2 (and most
subsequent Intel and AMD x86 processors with the exception of some Atom and
Quark devices), and many recent ARM cores, including Cortex-A9, -A15, -A17,
and -A57.

[https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-
vulne...](https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-
to-spectre-or-meltdown/)

The A9, 15, 17, and A57 are all affected and used across TONS of devices in
the world. They're very popular not just in chip form (as the primary CPU),
but also in IP cores (inside an FPGA), as well as "secondary CPU" systems
attached to FPGAs or other CPU's.

And that's just one brand of one type of CPU. Who knows what else is out
there. PowerPCs are in everything. Even your dust-covered Gamecube has out-of-
order speculation!

Here's a link mentioning that PowerPC CPUs are affected:

[http://tenfourfox.blogspot.com/2018/01/is-powerpc-
susceptibl...](http://tenfourfox.blogspot.com/2018/01/is-powerpc-susceptible-
to-spectre-yep.html)

So there goes all your PowerMacs. (And likely the Gamecube and Wii too!)

~~~
cm2187
Unless these embedded CPU run third party code, they aren't really vulnerable.
This is more of a general computing problem.

~~~
pixl97
Many of these devices can run 3rd party code in user context (java script in
browser). The big issue is they rarely have updates and many if not most are
impossible to do a good security audit on.

~~~
AnimalMuppet
Not many embedded devices run browsers. That leaves you no place to run the
javascript.

------
slededit
Not really a semiconductor issue. I doubt the guys working on analogue ICs are
working overtime on this.

~~~
adrianmonk
It's Bloomberg. They view things in terms of economic sectors. To them,
integrated circuit design and manufacturing is all part of one sector.

~~~
godelmachine
Well said. I think that applies to any journalist by extension. Little do they
know about the difference between analog and digital.

------
abricot
The narrative sounds a bit like the story of Chernobyl. Except with less (for
now) human suffering.

