Unexpected Page Fault In Virtualized Environment Advisory

zelon88 6 years ago |

Someone should make a graph quantifying the number of "mitigations" and performance impacting patch work for popular Intel SKU's since release.

It would be interesting to see how many times they've patched the same processor and how much slower they are now than when they were made due to all the mitigations.

kardos 6 years ago | |

It's workload dependent, so you're asking for a series of graphs. Not a small ask...

Phoronix has a bunch of articles where they do this but they are on a per-mitigation basis as I recall

freeopinion 6 years ago | |

Do you spell "someone" A-M-D?

olyjohn 6 years ago | | |

I was under the impression that AMD has their own fair share of these vulnerabilities, too. They just aren't as common in the datacenter.

sp332 6 years ago | | |

AMD never had one as boneheaded as Meltdown. Intel keeps having more and more uncovered, and according to researchers who went on the record in the NYT, they are not handling reported vulnerabilities quickly or thoroughly. https://www.nytimes.com/2019/11/12/technology/intel-chip-fix...

dmead 6 years ago | | |

IIRC intel stopped doing as much validation like 10ish years ago (so, 2009/2010). it would be nice to see then publish a paper about how those decisions lead into these problems...

ShroudedNight 6 years ago | | |

My understanding is that chip QA at Intel took somewhat of a nosedive post Haswell. From my ignorant but interested outsider perspective, everything from Broadwell on seemed to be a mess execution-wise compared to Haswell (modulo TSX), and _especially_ compared to Ivy Bridge.

Some of the recorded comments on https://danluu.com/cpu-bugs/ (First update section) mesh with my observations, but I wouldn't know enough to tell if I was on to something, or just confirming my own biases.

xvector 6 years ago | | |

Intel willingly admitting mistakes is just about as likely as hell freezing over

m00x 6 years ago | | |

Intel is also the most used processor in the market at the moment, once that balance shifts, more attention will be paid to AMD processor so we'll potentially have more vulns uncovered.

farisjarrah 6 years ago | | |

I'm inclined to believe that this is actually the case and not that AMD wrote more secure software. All software has security vulnerabilities, the more eyes on the software the more of them are found.

dreamcompiler 6 years ago | |

The inverse question is relevant as well: How many performance enhancements over the last 10 years were only possible because Intel ignored security?

bonzini 6 years ago |

This seems like the usual processor erratum causing potentially very bad things, but only in very rare conditions that no one really understands. It's not another L1TF or similar.

monocasa 6 years ago | |

Hence why we need open source CPUs pretty badly.

vajrabum 6 years ago | | |

I'm pretty sure that high performance open source CPUs will have their own obscure problems. Too much complexity, too many dependencies, too many possible feature interactions.

monocasa 6 years ago | | |

They will, but you'll be able to understand the problem, the fix, and how it combines with other fixes.

I can def see a world soon where all of Intel's woes have combined to the point that they've run out of patch space for their microcode updates, and you have to pick and choose what you want mitigations for.

hinkley 6 years ago | | |

"Good news, our brand new processor has twice as much space for microcode as the old versions!"

MayeulC 6 years ago | | |

That is undoubtedly true, but at least you will have more engineers that are able to dig into them to identify the root cause of these behaviours and fix it.

If you are badly impacted by a bug and no one else is, you are the only one with an incentive to find and fix it. You might pay the CPU manufacturer to share the incentive with them, but you'd need quite deep pockets for this.

I wouldn't be surprised if widespread open source CPUs also had better debugging tools at their disposal.

ddtaylor 6 years ago | | |

At least with an open source one more than a handful of engineers at a single company could work on the problem.

thu2111 6 years ago | | |

Is that actually better in this case? Intel found the issue internally. Nobody knows what it is. The advisory isn't sufficient information to figure it out. People can patch at their leisure, fairly sure that nobody is about to pop up with a 1-day exploit for it.

With an open source CPU, by now someone would have looked at the commits that fixed the Verilog/microcode, figured out what the bug is, and there'd be a convenient command line tool to get root on the hypervisor uploaded to GitHub within an hour.

This is one of those times when from a practical perspective proprietary seems to win.

bonzini 6 years ago | | |

> This is one of those times when from a practical perspective proprietary seems to win.

I'm not sure about that, but I must say that Intel is being surprisingly candid. Similar errata have been swept under a rug and published a dozen at a time with no workarounds for years.

ddtaylor 6 years ago | | |

Many open source systems exist that fix vulnerabilities in a timely manner without falling apart. Linux, BSD, etc.

tenebrisalietum 6 years ago | | |

You don't know that such a command doesn't exist for the Intel vulnerabilities, but hasn't been released to the wild or public.

sillysaurusx 6 years ago | | |

Is that actually better in this case? Intel found the issue internally. Nobody knows what it is. The advisory isn't sufficient information to figure it out. People can patch at their leisure, fairly sure that nobody is about to pop up with a 1-day exploit for it.

That's pretty bad, actually. It means a determined adversary can simply look at the patch to figure out how to exploit vulnerable systems. (Presumably there exists a way to look at the actual unencrypted bytes being modified; if so, you can work out what it's doing.)

And since people can patch at their leisure, a determined adversary will have lots of targets to choose from after they analyze the patch.

To be fair, I don't know much about CPU microcode. But while it's true that lonewolf hackers are less likely to be a threat here, a threat does exist: governments are increasingly turning to industrial espionage-type practices (apparently even the NSA https://en.wikipedia.org/wiki/ECHELON#Examples_of_industrial...) and this type of exploit seems, at a glance, pretty lucrative: unauthenticated users can achieve privilege escalation.

It's easy to imagine some facility somewhere of industrious Chinese reverse engineers who are pretty darn good at this, and that it's their full-time job to find and weaponize such exploits. In fact, swap out "Chinese" with "American" and you get the NSA.

EDIT: It turns out that I am mistaken: Intel microcode updates are encrypted. https://en.wikipedia.org/wiki/Intel_Microcode#Microcode_upda...

> With the Pentium there are two layers of encryption and the precise details explicitly not documented Intel, instead being only known to less than ten employees.

I guess I'll leave the comment up, since... well, I was formerly a pentester, and it seemed like a logical sequence of arguments. That's where I learned about the technique of looking at binary diffs to work out what security patches were doing.

It's very strange to me that this is possible to encrypt, though. Isn't it "just" a matter of getting your hands on a processor + the update? Why is it impossible to dump the microcode as it's being decrypted? Sure, you won't be able to analyze the patch before it's decrypted, but are we just relying on the idea that it's too much work for someone to figure out how to listen in on the decrypting process?

Following that Wikipedia citation, the quote about it being in the heads of less than 10 employees is from 1997, so it's ancient information. I'm curious what the current state of the art is.

strstr 6 years ago |

Anyone know what conditions are required? The advisory is sparse on details.

The errata lists the same vague info: https://www.intel.com/content/dam/www/public/us/en/documents...

erk__ 6 years ago | |

>November 2910

They seem to have gotten information about the bug from the future :P

This could also show that trhey released it in a hurry since they did not fix that typing mistake.

ars 6 years ago | | |

It's not a typo, it's in Middle-endian format. :)

hinkley 6 years ago | | |

It looks more like a concurrency bug to me.

_Codemonkeyism 6 years ago |

It feels like the only mails I get from DigitalOcean are about Intel processors.

rossmohax 6 years ago |

Intel now runs bug bounty program with up to $100k payouts (https://www.intel.com/content/www/us/en/security-center/bug-...), where one of the requirements is not to leak vulnerability details.

cortesoft 6 years ago | |

Isn't that a pretty standard bug bounty requirement? The idea is that you submit the bug to the company and they fix it before it is disclosed.

throwawaymath 6 years ago | | |

It is standard in the sense that it's not uncommon. But about as frequently it's not a requirement. Many companies allow complete or partial vulnerability disclosure once resolution is complete. It's often on a case by case basis and requires approval.

cortesoft 6 years ago | | |

Oh, I thought that was what you meant (until resolution).. didn't realize they block disclosure forever

ysleepy 6 years ago |

Skylake and newer.

Is Broadwell and before not affected or are those not mentioned since their support cycle has ended? I'd be surprised with Intel spinning up Haswell production for lower grade CPUs on 22nm, but I can't be sure.

bdibs 6 years ago |

There seem to be quite a few security updates today from Intel: https://www.us-cert.gov/ncas/current-activity/2019/12/10/int...

_Codemonkeyism 6 years ago |

Intel feels so much like Boeing now.