Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

catweazel
Level 19
Posts: 9763
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by catweazel »

Zombieload
Zombieload, another Intel processor side-channel attack, just like Meltdown and Spectre before it, poses a security threat for Linux systems.
https://www.zdnet.com/article/linux-vs-zombieload/

If, like me, you view the mitigations for Spectre, Meltdown, and now this new MDS side-channel attack as low risk, and provided that you trust your sources of software, you can turn them off by adding mitigations=off to the GRUB command line. The 4.15.0-50 kernel contains a mitigation for this new exploit, and new microcode is being pushed out with it. Be ready for unbootable systems...
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
xenopeek
Level 25
Posts: 29504
Joined: Wed Jul 06, 2011 3:58 am

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by xenopeek »

There's a bunch of related exploits for Intel processors made public: RIDL, Zombieload (which builds on RIDL) and Fallout.

I find it worrying that RIDL can be exploited through JavaScript in web browsers (existing side-channel attack mitigations don't work) but Intel refused to inform Mozilla and Google in advance of publication. Intel also tried to keep the vulnerability under wraps for another 6 months and only went public now after pressure from the researchers who would otherwise have gone public. That's serving shareholders, not customers.

Funnily enough (not really), the hardware mitigations for Meltdown in the latest generation of Intel processors actually make them more vulnerable to Fallout than earlier generations that didn't have mitigation for Meltdown in hardware.

But like you say, it's not clear what actual risks this exposes users to.

AMD's response is a good poke at Intel:
At AMD we develop products and services with safety in mind. Based on our own analysis and discussions with the researchers, we believe that our products are not subject to 'Fallout', 'RIDL' and 'ZombieLoad', thanks to the hardware protection in our architecture. We have not been able to demonstrate these leaks in AMD's products, and we are not aware of others who have succeeded.
gm10

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by gm10 »

I'm starting to feel I'm missing out with my older generation Intel CPU:

Code:

$ cat /sys/devices/system/cpu/vulnerabilities/mds
Not affected
:P

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by xenopeek »

Hm. Mine says:
Mitigation: Clear CPU buffers; SMT disabled

SMT is always disabled, this chip doesn't have hyperthreading.

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by catweazel »

xenopeek wrote: Wed May 15, 2019 8:45 am There's a bunch of related exploits for Intel processors made public: RIDL, Zombieload (which builds on RIDL) and Fallout.

...

Funnily enough (not really), the hardware mitigations for Meltdown in the latest generation of Intel processors actually make them more vulnerable to Fallout than earlier generations that didn't have mitigation for Meltdown in hardware.
Yes. I found that out shortly after posting.
smurphos
Level 18
Posts: 8501
Joined: Fri Sep 05, 2014 12:18 am
Location: Irish Brit in Portugal

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by smurphos »

On an i5-2430M with intel microcode 3.20190514 and kernel 4.15.0.50.

Code:

steve@steve-HP-Pavilion-g6-Notebook-PC:~$ cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT vulnerable
There is no BIOS option to disable SMT/Hyper-threading on this machine so with kernel boot option nosmt set in grub

Code:

steve@steve-HP-Pavilion-g6-Notebook-PC:~$ cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT disabled
There's definitely a noticeable negative impact on boot time disabling SMT. Specifically the userspace component of systemd-analyze consistently reports about 20-25% longer time (circa 10 seconds instead of circa 8 seconds) with SMT disabled. No impact on Cinnamon desktop load times (not surprising as I think Cinnamon runs a single thread). Will have to see what other activities are impacted.

It's interesting what different companies are doing - Google is disabling Hyperthreading across the board in ChromeOS running on Intel hardware for example - https://www.theregister.co.uk/2019/05/1 ... tigations/

Edit to add - again about a 20% performance reduction seen building the adapta themes from source (involves lots of png rendering with inkscape which maximises CPU on all available real and virtual cores). 4m:22s with SMT enabled, 5m:11s with SMT disabled.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
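The status strings quoted in the post above, turned into a check, as an added example that is not part of the original thread. The function names and result keywords are hypothetical; it goes slightly beyond the post by treating a missing status file as a kernel that predates the MDS patches, and by flagging the `mitigations=off` and `nosmt` boot options mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): interpret the kernel's MDS status line.
# Function names and result keywords are hypothetical.

# classify_mds STATUS_LINE -> prints one keyword describing the state.
classify_mds() {
    case "$1" in
        "Not affected"*)                         echo not-affected ;;
        "Mitigation:"*"SMT disabled"*)           echo mitigated ;;
        "Mitigation:"*"SMT mitigated"*)          echo mitigated ;;
        "Mitigation:"*"SMT vulnerable"*)         echo partial ;;   # buffers cleared, sibling thread still exposed
        "Mitigation:"*"SMT Host state unknown"*) echo partial ;;   # guest cannot see the host's SMT setting
        "Vulnerable"*)                           echo vulnerable ;;
        *)                                       echo unknown ;;
    esac
}

# mds_state [FILE] -> classify the status file. A missing file means the
# running kernel does not report MDS status at all (it predates the patches).
mds_state() {
    f=${1:-/sys/devices/system/cpu/vulnerabilities/mds}
    if [ -r "$f" ]; then
        classify_mds "$(cat "$f")"
    else
        echo no-report
    fi
}

# cmdline_overrides CMDLINE -> prints the boot options named in the thread
# that change the result: mitigations=off (weakens) and nosmt (hardens).
cmdline_overrides() {
    out=""
    for word in $1; do
        case "$word" in
            mitigations=off|nosmt) out="$out $word" ;;
        esac
    done
    echo "${out# }"
}

# Report for the machine this runs on.
echo "mds status: $(mds_state)"
if [ -r /proc/cmdline ]; then
    echo "boot overrides: $(cmdline_overrides "$(cat /proc/cmdline)")"
fi
```

A result of `partial` on a machine with hyper-threading corresponds to the "SMT vulnerable" output shown above; `no-report` means the kernel needs updating before the file can say anything.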
thx-1138
Level 8
Posts: 2092
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by thx-1138 »

...there were some benchmarks published on Phoronix a few months ago,
specifically for Bionic & SMT if you're interested (under newer CoffeeLake)...

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by xenopeek »

Phoronix have a new article on the performance impact of MDS / Zombieload mitigation:
https://www.phoronix.com/scan.php?page= ... ial-Impact
The default Linux mitigations for the new Microarchitectural Data Sampling (MDS) vulnerabilities (also known as "Zombieload") do incur measurable performance cost out-of-the-box in various workloads. That's even with the default behavior where SMT / Hyper Threading remains on while it becomes increasingly apparent if wanting to fully protect your system HT must be off.
littlehuman
Level 1
Posts: 48
Joined: Sun Jan 07, 2018 7:41 pm

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by littlehuman »

Thank you all for this useful information and details.

Do you think HT needs to be off ad eternam, or will some future software upgrades (either BIOS firmware, kernel or Intel microcode) allow us to re-enable it safely?
Vs lbh nfxrq Oehpr Fpuarvre gb qrpelcg guvf, ur'q pehfu lbhe fxhyy jvgu uvf ynhtu.

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by xenopeek »

If you think the risks are tangible HT needs to be off on Intel CPUs. It's hard to pin what real world risks are of leaving HT on.

Maybe it is fixable in microcode but I'm not holding my breath for that. Maybe a future new generation CPU from Intel will redesign how HT works in silicon, to not have these holes.

I always thought price/performance made i5 CPU's the better buy so myself and family members all have i5's. Certainly now i5 comes in 6 cores.

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by littlehuman »

Thank you
Portreve
Level 13
Posts: 4882
Joined: Mon Apr 18, 2011 12:03 am
Location: Within 20,004 km of YOU!

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by Portreve »

xenopeek wrote: Wed May 15, 2019 8:45 am I find it worrying that RIDL can be exploited through JavaScript in web browsers (existing side-channel attack mitigations don't work) but Intel refused to inform Mozilla and Google in advance of publication. Intel also tried to keep the vulnerability under wraps for another 6 months and only went public now after pressure from the researchers who would otherwise have gone public. That's serving shareholders, not customers.
Businesses are, on the whole, far more interested in profit and image than they are in anything else. They will cut corners and shaft customers and employees alike to save a buck (and claim this is them being "more efficient and cost-effective" than government) yet this is exactly why there's been the need, over the course of the last ~12 to 14 decades, to enact regulations restricting what they do and how they do it. It's my feeling that both Intel and AMD, even though AMD is claiming innocence this time, are going to cause brand new sorts of regulation¹ to be brought down on their own heads if this sort of thing continues to happen.

AMD's response is a good poke at Intel:
For now, perhaps, but I wouldn't trust them any more than Intel or anyone else.

At AMD we develop products and services with safety in mind. Based on our own analysis and discussions with the researchers, we believe that our products are not subject to 'Fallout', 'RIDL' and 'ZombieLoad', thanks to the hardware protection in our architecture. We have not been able to demonstrate these leaks in AMD's products, and we are not aware of others who have succeeded. [Emphasis added.]
Those are examples of parsing language and possibly even deflection. It's the language of a company out to save its own hide.

¹ Of course, both of these companies are American, and in America there's a massive movement out there to cast regulation as being tantamount to government overreach, so it's unlikely at this time we will see anything other than token fines levied to make it appear as though something's being done.
Flying this flag in support of freedom 🇺🇦

Recommended keyboard layout: English (intl., with AltGR dead keys)

Podcasts: Linux Unplugged, Destination Linux

Also check out Thor Hartmannsson's Linux Tips YouTube Channel
AZgl1800
Level 20
Posts: 11145
Joined: Thu Dec 31, 2015 3:20 am
Location: Oklahoma where the wind comes Sweeping down the Plains

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by AZgl1800 »

xenopeek wrote: Thu May 16, 2019 1:19 am Hm. Mine says:
Mitigation: Clear CPU buffers; SMT disabled

SMT is always disabled, this chip doesn't have hyperthreading.
Mine says:

$ cat /sys/devices/system/cpu/vulnerabilities/mds
$: command not found
LM21.3 Cinnamon ASUS FX705GM | Donate to Mint https://www.patreon.com/linux_mint

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by smurphos »

AZgl1500 wrote: Sun May 26, 2019 3:02 am Mine says:

$ cat /sys/devices/system/cpu/vulnerabilities/mds
$: command not found
That would suggest you've not applied the kernel update that helps to mitigate against the vulnerability and reports that status

18.x - These kernels or later
4.4.0-148-generic 4.4.0-148.174
or
4.15.0-50-generic 4.15.0-50.54

19.x - These kernels or later
4.15.0-50-generic 4.15.0-50.54
or
4.18.0-20-generic 4.18.0-20.21

LMDE3
4.9.168-1+deb9u2 or later
gm10

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by gm10 »

nvm, see xenopeek below:
Last edited by gm10 on Sun May 26, 2019 4:20 am, edited 1 time in total.

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by xenopeek »

No it means they copied the $ in front of the command; that's what the error says.
AZgl1500 wrote: Sun May 26, 2019 3:02 am Mine says:

$ cat /sys/devices/system/cpu/vulnerabilities/mds
$: command not found
Make sure you run the command as such:
cat /sys/devices/system/cpu/vulnerabilities/mds
gm10

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by gm10 »

xenopeek wrote: Sun May 26, 2019 3:40 am No it means they copied the $ in front of the command; that's what the error says.
AZgl1500 wrote: Sun May 26, 2019 3:02 am Mine says:

$ cat /sys/devices/system/cpu/vulnerabilities/mds
$: command not found
Make sure you run the command as such:
cat /sys/devices/system/cpu/vulnerabilities/mds
Aha, lol, I had been mildly wondering what shell he was using to get that output but you saw through it all. Nice. :)

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by smurphos »

xenopeek wrote: Sun May 26, 2019 3:40 am No it means they copied the $ in front of the command; that's what the error says.
Doh.. :roll:

Still the kernel info may be useful for some.

Re: Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by AZgl1800 »

xenopeek wrote: Sun May 26, 2019 3:40 am No it means they copied the $ in front of the command; that's what the error says.
AZgl1500 wrote: Sun May 26, 2019 3:02 am Mine says:

$ cat /sys/devices/system/cpu/vulnerabilities/mds
$: command not found
Make sure you run the command as such:
cat /sys/devices/system/cpu/vulnerabilities/mds
ah......... I had just updated and all was updated..... didn't see the new kernel.

Code:

john@john-TP500LA ~ $  cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT vulnerable

john@john-TP500LA ~ $ inxi -S
System:    Host: john-TP500LA Kernel: 4.15.0-50-generic x86_64 (64 bit) Desktop: Cinnamon 3.6.7
           Distro: Linux Mint 18.3 Sylvia
john@john-TP500LA ~ $ 

SMT vulnerable

see, I was all fat, dumb and happy until I read this thread :shock:


So, should I add this to my Grub Command Line?

There is no BIOS option to disable SMT/Hyper-threading on this machine so with kernel boot option nosmt set in grub