So, is anyone actually worried about recent developments in CPU security?


#1

First, there was Google Project Zero, which discovered three security flaws that are inherent in the design of modern CPUs. Then there were chaotic attempts to fix those flaws, but some older hardware will simply be left unfixed… Nice idea to make CPU sales go up again!

Those were three (3) flaws: Meltdown, Spectre V1 and Spectre V2. Modern BIOSes, um, UEFI firmware does fix Spectre partly by microcode updates. But again, only newer CPUs get those updates and CPU performance will in general be lower afterwards, since it was by design in order to make CPUs faster, but the design was flawed and now the workaround fixed it while making the CPU slower, obviously. Developers of operating systems have also implemented different strategies to mitigate the flaws.

And now the story continues… now there is Spectre NG: eight—yes, EIGHT (8)—additional security flaws, presumably also by design. One is said to be very dangerous (a “high risk” fault), 3 are high risk and 4 are medium risk.

So, my question to you all: are you even interested? Is it relevant in your lives?

For game developers: Does it affect you at all? Are there any mitigations that you have to account for during game development (software in general)?

For us users: are you worried at all?

I know I am worried. At least a bit. I’m not panicking or anything like it, but I don’t like the thought that suddenly browser applications, JavaScript code, are able to read my passwords which happen to be stored in secured areas of the memory (RAM), but suddenly become accessible… But maybe that’s just me, a bit paranoid…

Anyway, I haven’t read anything about it here on the forums yet, but I’m interested in your thoughts on Meltdown, Spectre and Spectre NG (final names to be determined, CVE numbers already reserved)…

Interesting reads:

- Meltdown and Spectre: ‘worst ever’ CPU bugs affect virtually all computers
- Spectre and Meltdown flaws being exploited by more than 100 strains of malware
- Spectre-NG: Security bods uncover eight new ‘Spectre-class’ flaws in Intel CPUs

Thanks in advance!


#2

Yes. Concerned enough that I asked the makers of Brave, my preferred browser (whose team is led by the inventor of JavaScript), whether it does anything about Meltdown/Spectre.

They were already working to add the Strict Site Isolation feature, which helps against the early Spectre by giving each site its own process. That feature has now been in Brave for a while. They’ve got a pretty good security team, so I assume that whatever a browser can do against these menaces, Brave will at some point do.

Even so, it seems the CPU microcode that tried to gain speed by precomputing code paths is going to have to be changed to take away this particular vector. I have to hope the speed penalty isn’t too severe, but it’s not like there’s a reasonable option.

Also, if I’m understanding what I’ve read, bear in mind that your desktop PC is not the only problem: the firmware in routers, and webcams, and the whole Internet of Things, is also endangered, and all these devices are a lot less likely to get updated. The possibility of a global botnet doesn’t seem like crazy-talk at this point.

Pleasant dreams. :frowning: