Meltdown and Spectre troubleshooting guide

BRAD CHACOS and MICHAEL SIMON explain how the critical CPU flaws affect PCs and Macs

Tech Advisor

Massive security vulnerabilities in modern CPUs are forcing a redesign of the kernel software at the heart of all major operating systems. Since the issues – dubbed Meltdown and Spectre – exist in the CPU hardware itself, Windows, Linux, Android, macOS, iOS, Chromebooks, and other operating systems all need to protect against them. And worse, plugging the hole can negatively affect your PC’s performance. Everyday home users shouldn’t panic too much though. Just apply all available updates and keep your antivirus software vigilant, as ever.

Here’s a high-level look at what you need to know about Meltdown and Spectre, in plain language. If you like diving deep into technical details, read Google’s post on the CPU vulnerabilities – fave.co/2DoKeKV.

What’s the issue?

Again, the CPU exploits in play here are extremely technical, but in a nutshell, the exploit allows access to your OS’s sacrosanct kernel memory because of how the processors handle ‘speculative execution’, which modern chips perform to increase performance. An attacker can exploit these CPU vulnerabilities to expose extremely sensitive data in the protected kernel memory, including passwords, cryptographic keys, personal photos, emails, or any other data on your PC.

Meltdown is the more serious exploit, and the one that operating systems are rushing to fix. It “breaks the most fundamental isolation between user applications and the operating system,” according to Google. This flaw most strongly affects Intel processors because of the aggressive way they handle speculative execution, though a few ARM cores are also susceptible.

Spectre affects AMD and ARM processors as well as Intel CPUs, which means mobile devices are also at risk. There may be no permanent hardware solution to Spectre, which ‘tricks other applications into accessing arbitrary locations in their memory’. Processor firmware updates can mitigate the issue to some degree. Software also needs to be hardened to guard against it.

What’s a kernel?

The kernel inside your operating system is basically an invisible process that facilitates the way apps and functions work on your computer, talking directly to the hardware. It has complete access to your operating system, with the highest possible level of permissions. Standard software has much more limited access.

How do I know if my PC is at risk?

Short answer: It is. Yes, even if it’s a Mac. Google says “effectively every” Intel processor released since 1995 is vulnerable to Meltdown, regardless of the OS you’re running or whether you have a desktop or laptop.

AMD processors aren’t affected by the Meltdown bug. But chips from Intel, AMD, and ARM are susceptible to Spectre attacks. AMD says its hardware has “near zero” risk to one Spectre variant because of the way its chip architecture is designed, but AMD CPUs can still fall prey to another Spectre flaw.

How do I stay safe?

Update all the things. The entire computer industry is moving as quickly as possible to patch in Meltdown and Spectre protections. Right now, you should update your operating system, CPU firmware (if available), and web browser as soon as possible.

Make sure you are running security software as well – advice that Intel also stresses. No known Meltdown and Spectre attacks have been seen in the wild, but that’s sure to change now the details are public. Triggering the attacks requires hackers to have access to your PC. An antivirus suite keeps bad guys off your PC. And as always, only download software and apps from reputable sources to reduce the risk of infection.

What patches are already available?

Microsoft pushed out a Windows update protecting against Meltdown on 3 January, the day that the CPU exploits hit headlines. Updates issued outside of Microsoft’s monthly ‘Patch Tuesdays’ are rare, underlining the severity of this issue. Unfortunately, the emergency patch renders some AMD computers unbootable – mostly ones with older Sempron and Athlon processors, judging by initial reports. Microsoft halted the roll-out of the patch on affected systems until the fix is fixed.

Intel is also publishing firmware updates for its processors. You’ll need to snag them from your PC, laptop, or motherboard maker (like HP or Gigabyte) rather than Intel itself. At the time of writing, Intel expected to have released firmware updates for 90 percent of processors released in the past five years to its partners, though it will take longer for PC makers to actually push those fixes out for their devices. Firmware updates for all CPUs released in the past five years will roll out by the end of January, at which point Intel “will then focus on issuing updates for older products as prioritized by our customers,” CEO Brian Krzanich said.

Intel revealed on 11 January it had received reports some users who owned Haswell or Broadwell systems were seeing “higher system reboots” after applying firmware updates. Intel’s working to fix the issue.

AMD plans to release firmware updates to protect against Spectre, with patches for Ryzen, Threadripper, and Epyc CPUs coming first, and older architectures later. They’re classified as optional because AMD says its CPU architecture has ‘near-zero’ risk against the Spectre variant that requires a firmware update.

Apple quietly protected against Meltdown in macOS High Sierra 10.13.2, which released on 6 December, as well as in iOS and tvOS 11.2. Kernel patches are also available for Linux.

Chromebooks received protection in Chrome OS 63, which released on December 15. You can find a detailed list of how individual Chromebooks are affected at fave.co/2Drr8Uo. Furthermore, the Chrome web browser itself was updated to include an opt-in experimental feature called “site isolation” that can help guard against Spectre attacks. Site isolation is trickier on mobile devices; Google warns that it can create “functionality and performance issues” in Android, and since Chrome on iOS is forced to use Apple’s WKWebView, Spectre protections on that platform need to come from Apple itself. Chrome 64 will include more mitigations.

Other browsers are battening down the hatches against Spectre as well. Firefox 57 released in November with some initial safeguards, and Edge and Internet Explorer received an update alongside Windows 10. On 8 January, Apple pushed out updates to iOS 11 and macOS with ‘security improvements to Safari and WebKit to mitigate the effects of Spectre’.

Nvidia swiftly released graphics card drivers containing initial protection against Spectre as well – a crucial fix since GPU display drivers sink deep hooks into your kernel. Grab the latest Nvidia drivers here.

Will these fixes slow down my PC or Mac?

It’s complicated, and highly dependent on your hardware, operating system, and workloads.

More recent Intel processors from the Skylake (6th-gen Core 6xxx series) era onward have a technology called PCID (Process-Context Identifiers) enabled and suffer less of a performance impact, according to Microsoft. Your version of Windows makes a difference as well. Plus, some applications – most notably virtualization and data centre/cloud workloads – are affected more than others. Intel confirmed that the performance loss will be dependent on workload, and ‘should not be significant’ for average PC users.
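An added example, not part of the original article: on Linux, patched kernels report per-issue status under /sys/devices/system/cpu/vulnerabilities/ and list CPU features in /proc/cpuinfo. The Python below classifies that status and checks for the pcid flag discussed above; the sample values and the report field names are constructed for illustration.

```python
from pathlib import Path

VULN_DIR = "sys/devices/system/cpu/vulnerabilities"  # Linux sysfs, relative to root
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

def classify(status):
    """Reduce a kernel status line to one of four states."""
    s = status.strip().lower()
    for prefix, state in (("not affected", "not affected"),
                          ("mitigation", "mitigated"),
                          ("vulnerable", "vulnerable")):
        if s.startswith(prefix):
            return state
    return "unknown"

def cpu_flags(cpuinfo_text):
    """Return the feature flags of the first CPU listed in /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return set(value.split())
    return set()

def assess(statuses, cpuinfo_text):
    """A status missing from `statuses` counts as unknown, never as safe."""
    report = {name: classify(statuses.get(name, "")) for name in ISSUES}
    has_pcid = "pcid" in cpu_flags(cpuinfo_text)
    report["pcid"] = has_pcid
    # Per the article, CPUs with PCID lose less performance to the Meltdown fix.
    report["expect_larger_slowdown"] = report["meltdown"] == "mitigated" and not has_pcid
    report["action_needed"] = sorted(n for n in ISSUES
                                     if report[n] in ("vulnerable", "unknown"))
    return report

def read_live(root="/"):
    """Collect the same inputs from a running Linux system."""
    base = Path(root) / VULN_DIR
    statuses = {n: (base / n).read_text() for n in ISSUES if (base / n).is_file()}
    cpuinfo = Path(root, "proc/cpuinfo")
    return statuses, cpuinfo.read_text() if cpuinfo.is_file() else ""

# Constructed sample: patched kernel, CPU without the pcid flag, Spectre v1 open.
SAMPLE_STATUS = {"meltdown": "Mitigation: PTI\n",
                 "spectre_v1": "Vulnerable\n",
                 "spectre_v2": "Mitigation: Full generic retpoline\n"}
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme sse2 ht\n"

if __name__ == "__main__":
    print(assess(*read_live()))
```

A kernel that predates this reporting has no such directory, so every issue comes back as unknown and is listed under action_needed.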

Microsoft offers a slightly different and more nuanced opinion. Windows chief Terry Myerson says they “don’t expect most users to notice a change” on Windows 10 systems running 6th-, 7th-, or 8th-generation Intel processors.

Intel published some post-patch benchmark results on best-case PCs like this on its blog (fave.co/2Dte3tJ). The tests showed an average performance loss of between 2 and 7 percent in the SYSMark 2014 SE benchmark, which simulates productivity tasks and media creation. Its responsiveness score – which Intel says measures “‘pain points’ in the user experience when performing common activities” – plummeted by a whopping 14 percent, though. In web applications that use heavy amounts of JavaScript, Intel saw a 7 to 10 percent performance loss post-patch. These tests were performed on SSD-equipped systems; Intel reports the performance loss is less noticeable if you’re using a traditional hard drive.

Those are the best-case scenarios, though. If you’re running older processors, including 5th-gen Haswell chips, “some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance,” Microsoft reports. Finally, Microsoft says for PCs running one of those older Intel CPUs and the older Windows 7 or 8 operating systems, “we expect most users to notice a decrease in system performance.” As for business use cases, Windows Server “shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance.”

Early consumer benchmarks conducted using the Windows patch alone showed the most performance impact in storage speeds, but Microsoft’s Myerson stresses, “many of the benchmarks published so far do not include both OS and silicon updates,” which he deems a crucial part of the performance puzzle. Intel’s benchmarks include both OS and firmware updates.

“Obviously it depends on just exactly what you do,” Linux creator Linus Torvalds wrote in the Linux Kernel Mailing List. “Some loads will hardly be affected at all, if they just spend all their time in user space. And if you do a lot of small system calls, you might see double-digit slowdown.”

Will my games get slower?

Not according to the limited testing performed so far, though these sources didn’t test the Meltdown and Spectre patches with updated CPU firmware.

Phoronix tested Dota 2, Counter-Strike: Global Offensive, Deus Ex: Mankind Divided, Dawn of War III, F1 2017, and The Talos Principle on a Linux 4.15-rc6 machine with a Core i7-8700K and Radeon Vega 64. None saw a frame rate change outside the margin of error range.

Hardware Unboxed tested a handful of DirectX-based Windows games in the video linked above. With DirectX hooking so deeply into Windows, gamers were worried about a potential performance degradation there. Fortunately, Hardware Unboxed observed virtually no frame rate loss in Ashes of the Singularity, Assassin’s Creed: Origins, or Battlefield 1.

Are AMD processors affected?

Much, much less than Intel chips. All modern CPUs are vulnerable to Spectre attacks, but AMD says that its CPUs have “near zero” risk to the variant causing performance slowdowns in Windows PCs due to the way they’re constructed. Nevertheless, AMD is releasing CPU firmware updates to protect against it, though they’re classified as optional. Operating system and software updates will protect against the other Spectre variant. There is “zero AMD vulnerability” to Meltdown thanks to chip design, AMD says. If operating system patches exclude AMD CPUs from the new Meltdown-related performance restrictions – and Linux definitely is – the performance war between Intel’s chips and AMD’s new Ryzen CPUs may get even tighter.

Unfortunately, the emergency Windows patch renders some AMD PCs unbootable, which prompted Microsoft to halt its installation on potentially impacted systems. It appears mostly older Sempron and Athlon CPUs are affected. The security patches will resume once AMD and Microsoft correct the issue.

Intel’s post-patch performance results on ‘best-case’ PCs

Intel processors have a severe kernel security flaw

Macs are affected by Meltdown and Spectre, too

Even new Intel chips like the Core i7-8700K are affected by Meltdown and Spectre
