Intel CPUs Massive Security Flaw issue
-
A "Quantum of Solace" for me in that statement - (To coin a phrase)
-
Our preliminary assessment of Meltdown and Spectre vulnerabilities suggests that most pfSense use cases without untrusted local users or a multi-tenant context should not be concerned.
Once the FreeBSD project issues a patched release, we will incorporate those patches, test, and release new versions of pfSense.
This makes sense for PFSense itself, but what about packages like Snort and Suricata that actively evaluate untrusted and malicious code all the time?
-
This post is deleted! -
@lra:
Our preliminary assessment of Meltdown and Spectre vulnerabilities suggests that most pfSense use cases without untrusted local users or a multi-tenant context should not be concerned.
Once the FreeBSD project issues a patched release, we will incorporate those patches, test, and release new versions of pfSense.
Engineering question, if the Meltdown and Spectre kernel fixes reduces pfSense performance by 5% or more, is that prudent ?
If Meltdown and Spectre require malicious code running locally, all bets are off, and there are far easier methods to extract credentials.
Bottom line, are the Meltdown and Spectre fixes appropriate for an appliance like pfSense ?
We will know more information once there's a fix in place so I would rather not speculate now. Once the fix is ready, it will be available in snapshots.
For Reference …
DragonFlyBSD Lands Fixes For Meltdown Vulnerability
https://www.phoronix.com/scan.php?page=news_item&px=DragonFly-Meltdown-Fixed"... system call performance is reduced, similar to Linux, when the isolation is enabled. DragonFly reports that system calls go from about 100ns to ~350ns. In typcial workloads they say you should "not lose more than 5% performance or so. System-call heavy and interrupt-heavy workloads (network, database, high-speed storage, etc) can lose a lot more performance."
-
Our preliminary assessment of Meltdown and Spectre vulnerabilities suggests that most pfSense use cases without untrusted local users or a multi-tenant context should not be concerned.
Once the FreeBSD project issues a patched release, we will incorporate those patches, test, and release new versions of pfSense.
This makes sense for PFSense itself, but what about packages like Snort and Suricata that actively evaluate untrusted and malicious code all the time?
No they don't, what they do is they analyze patterns in the incoming and outgoing connections on both the IP headers and the data payload level and then make decisions based on rules if there is an active threat going on. None of their operations involve an actual execution of untrusted program code, it would be just plain crazy if such thing was allowed.
-
@KOM:
AMD's performance is so far behind that even 30% slower the Intel is still faster and I suspect they have their own issues.
From what I have read, AMD's latest Threadripper CPUs are giving Intel a run for their money, and they're cheaper. As for issues, unless you have something concrete then you can't really make that claim. I've seen others saying the same thing on other tech forums, that this Intel bug is bad but AMD might maybe perhaps possibly have something as bad or worse. It's pure FUD.
Sorry to disagree
Threadripper does nearly half the work clock per cycle of an Intel plus they run much hotter and are less power efficient
Work per clock cycle is an irrelevant measurement unless you are comparing similar architectures and even then, while it may be interesting, it still doesn't really matter. The relative performance of AMD vs. Intel depends on the workload. (This applies to Ryzen vs. Core as well as Epyc vs. Xeon.)
Anandtech rated the ThreadRipper as the best overall workstation processor, taking both price and performance into account. Here is a reference: https://www.anandtech.com/show/11891/best-cpus-for-workstations-2017
-
I don't see much of an attack vector on a firewall
What about installs on hypervisors, be it local on, say vmware, or in the cloud at azure or aws?
That's where the fun begins and that's where more valuable data can be sourced from than from your home with a dedicated pfSense machine, right? -
Is is possible for pfSense to load updated CPU microcode at kernel boot as in Linux / windows ?
-
Based on what I've read, pfsense users have nothing to worry about if pfsense is installed on a physical machine or if it is installed as a VM along with other virtual appliances on hardware that you own and only you use.
You start having risks when you are one of many subscribers to a cloud service and you have no idea if the other subscribers are running malware that exploits these vulnerabilities.
I'm far more worried that for most of us, the cure will be worse than the disease.
-
If I have to trade speed for security, I choose security every time. With Intel, it used to be a win-win but, with recent news… I just don't believe it so blindly anymore. Of course AMD is not the cure to all your problems but it sure starts to seem a little better.
A system with a speed of zero is perfectly secure, and perfectly useless.
-
PPP will still be somewhat slow after this gets patched. :)
-
http://www.newsweek.com/apple-iphone-chip-vulnerability-most-disturbing-security-issue-decades-771638
-
What's more is the Intel CEO sold $24M in stock months AFTER Google advised Intel of the problem, but before it was made public.
-
https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html
-
Info for those running on ARM devices:
https://developer.arm.com/support/security-update
-
"Once these backports are available, snapshots including the fixes will only be available for pfSense 2.4.x and amd64 architecture."
Thank god my D2700 doesn't do branch prediction!
"Our Amazon Web Services and Microsoft Azure customers are safe as both providers already patched their infrastructure against these vulnerabilities."
I'm dubious that cloud servers are"Safe". Mitigated and cured are not the same thing.
-
@https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html:
The FreeBSD developers will likely wait a bit before starting the backport of these patches to both FreeBSD 11 and 10. Once these backports are available, snapshots including the fixes will only be available for pfSense 2.4.x and amd64 architecture.
Did I get that right: you will neither patch the ARM-Branch nor the 2.3.x (32bit) versions of pfSense because you think use cases prevent exploration of current security vulnerabilities?
-
Here is 1 example the AMD has 8 cores 16 threads Intel 4 core 8 threads
https://www.tomsguide.com/us/amd-ryzen-benchmarks,review-4232.html
I did not reed the post in detail but at a quick look the Intel did better with less cores , I am not trying to make Intel look better just trying to justify if switching to AMD will be worth it as you still have to buy expensive CPUs like ryzen to get good performance
Keep in mind that games are highly fast core dependant now. DirectX 12 and Vulkan games will not be nearly so fast core dependant in the future. I expect the 1800X will pull ahead in future games. In the long run, AMD CPUs will be better since they specilize at multi-tasking.
-
All benchmarks performed before the BIOS upgrades needed to patch the CPUs and the OS patches are meaningless as far as I'm concerned.
To compare apples to apples, we need to compare CPU benchmarks AFTER all the patches are installed.
-
Did I get that right: you will neither patch the ARM-Branch nor the 2.3.x (32bit) versions of pfSense because you think use cases prevent exploration of current security vulnerabilities?
ARM doesn't need variant 3 (meltdown) fix. Once fixes for variants 2 and 1 are developed we will incorporate them, if possible. There are no fixes for i386 yet, so we can't comment yet.
-
I'm dubious that cloud servers are"Safe". Mitigated and cured are not the same thing.
Safe from the vulnerabilities written about in the blog post.
-
From my understanding of the problem all x86 processors are effected but the AMD processors have the ability to turn off the branch prediction feature. It would seem to me that if some bioses can be updated to turn this feature off on Intel Processors than the problem can be minimized without the 5% performance hit. We all want speed and putting the Kernel page file and user page file in the same space was a way for them to achieve this. I don't really think it's fair to blame Intel. Security is really hard and I would say the problem is really at the OS level. OS makers are working on the fix now so I would say everyone is doing their job. I would imagine in the future Intel processors will have the ability to turn the branch prediction off which will fix this issue.
Turning off branch prediction would be a much more significant performance hit. The impact of KPTI is felt on code with a lot of system calls, and has close to zero impact on code that stays in user land. Killing branch prediction would impact everything.
It's also worth pointing out that this isn't a kernel-specific issue, and that side channel attacks can impact any program that tries to isolate untrusted code. (For example, a browser running javascript.) The kernel mitigations don't fix all of those other programs–and AMD CPUs are impacted by this just as much as Intel CPUs.
Both Intel and AMD are affect by Spectre but only Intel ( and the Arms) are effected by Meltdown.
-
There are no fixes for i386 yet, so we can't comment yet.
Well, that's in contrast to "fixes will only be available for pfSense 2.4.x and amd64 architecture".
I'm not a native in this language but "only" usually means exclusively. Correct me if I'm wrong…And who has the final decision at netgate, you or jwt (who wrote the "only" blog post)?
So much for security fixes in the 2.3.x branch ... I know, you said you cannot comment yet.
The "official" announcement of "only 2.4.x branch and amd64" still stands, doesn't it?From a security standpoint this killed the 2.3.x branch - and doing so significantly before reaching the promised lifespan.
-
Well, that's in contrast to "fixes will only be available for pfSense 2.4.x and amd64 architecture".
I'm not a native in this language but "only" usually means exclusively. Correct me if I'm wrong…You should really pay more attention to what others say. We can’t implement fixes we don’t have. We will have 64-bit fixes for pfSense 2.4.x but we don’t have anything yet for i386 and it's unclear when or if fixes will be available. You don't seem to understand the magnitude of these vulnerabilities.
And who has the final decision at netgate, you or jwt (who wrote the "only" blog post)?
How is that relevant for this discussion? What's "only" blog post?
So much for security fixes in the 2.3.x branch … I know, you said you cannot comment yet.
That's rude and unwelcome attitude. We promised to support 2.3.x branch for at least a year after 2.4 release but we cannot implement fixes we do not have.
The "official" announcement of "only 2.4.x branch and amd64" still stands, doesn't it?
I'm not sure what you're asking me.
From a security standpoint this killed the 2.3.x branch - and doing so significantly before reaching the promised lifespan.
Vulnerabilities like these and fixing of the same is the main reason why we dropped i386 support, and spent a long time announcing it. Once and if fixes for i386 are available, we will incorporate them. However, predictions like "this killed 2.3.x branch" are not welcome. You are welcome to help in finding solutions but what you're doing is not helpful.
-
@https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html:
fixes will only be available for pfSense 2.4.x and amd64 architecture.
Only means exclusively what in return means that neither ARM nor 2.3.x will ever get available fixes, otherwise it wouldn't be "only". jwt would not have written it that way if he didn't mean it.
This has nothing to do with my understanding of the magnitude of these vulnerabilities. This is about a business decision and the language to describe it.
-
The FreeBSD Devs have said that initially they are targeting patches for AMD64 (x86-64) in the next couple of weeks for FreeBSD 11.1. They have not said when 32 bit patches will be available, nor have they said when they will patch FreeBSD 10.x releases although they do mention 10.3 and 10.4 in their mailing list. The pfSense team most likely doesn't have much more information at this stage and is probably why the blog post was worded as it is. Hope that helps.
Ref: https://lists.freebsd.org/pipermail/freebsd-security/2018-January/009719.html
-
gsiemon is correct.
-
As far as I understood, Meltdown and Spectre only affects 64-bit CPUs. 32-bit CPUs are not affected, correct me if I'm wrong.
-
As far as I understood, Meltdown and Spectre only affects 64-bit CPUs. 32-bit CPUs are not affected, correct me if I'm wrong.
Respectfully you would be wrong. If your processor does any kind of speculative branch prediction you are in the target zone.
-
Mikeisrespectful… Yeah. 32 bit got hit too.
The thing I find interesting is that researchers with nothing to gain or lose say this can't be truly fixed.
Meanwhile people who stand to lose billions upon billions are saying "We can fix it with patches".
-
Mikeisrespectful… Yeah. 32 bit got hit too.
The thing I find interesting is that researchers with nothing to gain or lose say this can't be truly fixed.
Meanwhile people who stand to lose billions upon billions are saying "We can fix it with patches".
From how I understand it, it can be fixed by turning a feature off in a specific way such that you don't cause to much of a performance hit but there will be a performance hit. In the future, they will have to develop new hardware that doesn't have this problem. That could be what they mean by "truely fixed". No matter how you patch this, there will be a performance hit. It is impossible to patch this in a way that will not cause a performance hit.
-
Also they will have to try to find performance gains another way. Out of order Instruction execution and branch prediction were big deals when they were implemented. Limiting access to a page frame to the process that created it is a way that may be able to fix the issue. Reducing the access to the high resolution clock (if possible) may also be a way to mitigate these timing leak attacks. I'm not a expert though, I just stayed at a Holiday Inn Express last night.
-
Mikeisrespectful… Yeah. 32 bit got hit too.
The thing I find interesting is that researchers with nothing to gain or lose say this can't be truly fixed.
Meanwhile people who stand to lose billions upon billions are saying "We can fix it with patches".
researchers with nothing to lose have no reason to distinguish between "perfect" and "good enough". for most people "good enough" is sufficient, or else we'd all be twiddling our thumbs waiting for a "perfect" system to appear.
-
Limiting access to high resolution timers is what google chrome and firefox have done. Also strictly segmenting memory between pages. The patch sucks to high heaven performance wise and still is vunerable.
Good enough security? Hmmmm. I don't think we will have that before a processor redesign. I mean I'm not selling my laptop or anything but I'm well aware that I need to change how I use my machines. I'm going to have to cut way back on the number of sketchy porn sites I visit.
I think they should be presenting the patches for what they are. An attempt to reduce the risk. However they consistently use language that leads people to believe the patches fix things. Last time I saw writing that misleading was when cigarette companies tried to convince everyone that smoking was perfectly harmless.
However, because of the way pfsense is used and the fact that it isn't a web browsing machine, I worry about pfsense way less than my computers that have desktops and keyboards.
-
Mikeisrespectful… Yeah. 32 bit got hit too.
The thing I find interesting is that researchers with nothing to gain or lose say this can't be truly fixed.
Meanwhile people who stand to lose billions upon billions are saying "We can fix it with patches".
researchers with nothing to lose have no reason to distinguish between "perfect" and "good enough". for most people "good enough" is sufficient, or else we'd all be twiddling our thumbs waiting for a "perfect" system to appear.
Also, you can't fix a problem that you don't know about. Apparently, Google discovered this problem last June, so Intel wouldn't have considered fixing it years ago.
-
Thats true, and totally understandable. However, downplaying the severity and lack of full fix isn't understandable.
In the end, the first company to come up with a high performance chip that isn't susceptible is going to make trillions of dollars. Hopefully it will be a new contender and an entirely new architecture. We are due for a refresh.
-
In the future, they will have to develop new hardware that doesn't have this problem.
I'd love to see the following:
- replace all the CPUs sold last "x" years free of charge (under warranty - the product is faulty, right?)
- offer massive discounts to upgrade CPUs from affected models to fixed models outside the warranty time
- offer discounts through OEM partners for CPUs embedded in motherboards, to replace CPUs and motherboards too (for cases when CPU is soldered to the board, like atoms and such)
-
- replace all the CPUs sold last "x" years free of charge (under warranty - the product is faulty, right?)
That's why Intel chose the "working as designed" lingo. They never said "yes, we have a fault here" which makes it incredibly hard to get a dime from them. Maybe if you take it to court, maybe not.
- offer massive discounts to upgrade CPUs …
- offer discounts through OEM partners for CPUs embedded in motherboards ...
First they would have to admit a problem caused by them. If they did so it would be a "hara-kiri" mission which even Intel wouldn't survive.
-
Likely there will be massive class action suits now that you mention it. Wonder when that hammer will drop?
It wouldn't take much work to prove that the people who designed and manufactured the chips are responsible for their flawed design. One would think?
Looking around the web I can see that several states are already filing suit against intel saying that by keeping the flaw secret for six months they allowed people to buy their products who likely would not have given the flaw. You can put me on that list. I'd have to be desperate for a new machine to buy one right now.
-
I don't think a 5% performance drop would be declared as defective and not work in a court though. If they can't declare it defective then Intel is off the hook. Intel would lose way to much money to be a viable company if they had to pay to replace every CPU. If the CPUs didn't work, that would be one thing but crashing a company over a 5% performance loss is something else. Their reputation is on the hook though. It is also standard to not mention bugs for a period of time to give patchers time to patch. Many businesses involved in doing the patch knew about this months ago.