Hardware purchase implications of Spectre and Meltdown

This discussion was created from comments split from: Intel SGX stopped working [It's working but the option is not in yet].

Comments

  • pbryanw
    pbryanw
    Community Member
    edited August 2018

    @bundtkate - I was also concerned about reports I read in March this year, suggesting Intel SGX could be susceptible to Spectre style attacks: https://www.theregister.co.uk/2018/03/01/us_researchers_apply_spectrestyle_tricks_to_break_intels_sgx/

    I don't know how easy it would be to execute these attacks in real life but as a normal user, they'd just add to my worry if SGX was added to a future 1Password release. That, and the possibility you could be using an outdated version (as noted above), suggests you did the right thing.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I think it's more a usability issue than anything, since an attack (none of which have been seen in the wild) would not be any more effective as a result of SGX. But I've followed the developments all year surrounding this with interest as well. Pretty much any hardware available today will have the same attack vector, though the mitigation in place and difficulty of putting such an attack into practice make them less concerning. If nothing else, it's good that there's so much activity surrounding this since it brings awareness, both for users and for vendors, who are highly motivated to make further changes to their products to combat this.

  • pbryanw
    pbryanw
    Community Member
    edited August 2018

    @brenty - I hope it's alright to go briefly off-topic, but I'd like to pick your brain regarding Spectre as my knowledge of this vulnerability is sketchy at best, and I'm sure you've got a better grasp of this than me.

    I'm interested in this, as it's coming up to the time I usually refresh my PC, and I was wondering if it's worth holding off 'till later next year before I build a new one - so that better mitigations can be built into Intel CPUs? Alternatively, would an AMD CPU be a better choice, as I believe they're less susceptible to this kind of vulnerability?

    Or, would it not be worth worrying about Spectre & Meltdown (regarding hardware purchases), as it's so difficult to put such an attack into practice (as you say)? Thank you (and apologies again for going off-topic) :+1:

  • AGAlumB
    AGAlumB
    1Password Alumni

    I hope it's alright to go briefly off-topic, but I'd like to pick your brain regarding Spectre as my knowledge of this vulnerability is sketchy at best, and I'm sure you've got a better grasp of this than me.

    @pbryanw: This isn't so far off topic since, as you mentioned, that also has implications for SGX. But I'll just split it off now since that discussion was rather old anyway, and this is quite a topic on its own. :)

    The point I was trying to make, which may have been worded poorly, is that a system (or app) using SGX is no more or less vulnerable to potential speculative execution attacks than one without SGX (or with it disabled or unused). So our concern with 1Password is more about not giving our users headaches due to the limitations of the current SGX update situation, and also potentially giving them a false sense of security if they get stuck on an outdated version which proves to have flaws. Since, as Kate mentioned above, 1Password's security doesn't depend on any of that, we're eschewing it for now until such time as there's a better system in place to maintain it.

    I'm interested in this, as it's coming up to the time I usually refresh my PC, and I was wondering if it's worth holding off 'till later next year before I build a new one - so that better mitigations can be built into Intel CPUs? Alternatively, would an AMD CPU be a better choice, as I believe they're less susceptible to this kind of vulnerability?

    I would say no. Certainly some folks will hold off on hardware purchases because they want to wait to get newer chips with protections in place in silicon to help with this, and that's up to you. But new chips are likely years away*. For most of us, practicality will win out. I bought a new Windows machine earlier this year and hope to get some new Mac hardware in the near future because I can't do my job without this equipment. Those responsible for the hardware and software we're using have been very quick to respond to these revelations with concrete improvements though, and are also highly motivated to continue to do so, so it wasn't something I agonized over. The money, on the other hand, is another matter. :lol:

    *For context, we're still waiting for Intel to ship some stuff they announced would be _available_ years ago. It's a long pipeline to bring a CPU to market, and delays and setbacks are inevitable. Best case scenario, I'd expect to see work started this year come to fruition in 2020. It could be less if only some tweaks are necessary (and we'll likely see chips with mitigations built in shipping first), but speculative execution is fundamental to how current CPUs operate. It could be a very long time before we see chips that are not susceptible to anything like this.

    While the Spectre and Meltdown research has centered around Intel CPUs ("Currently, we have only verified Meltdown on Intel processors") and specifically
    targets them, the nature of speculative execution (which all modern processors use, from the late 90s) is such that it is unlikely that any hardware using this optimization technique is not vulnerable in some way ("the root cause, speculative execution"). It's likely just a matter of time. Though it was not part of the initial research* (the focus was Intel, which is already a lot of ground to cover), AMD chips have already been shown susceptible to Spectre later this summer. It may turn out that something similar to Meltdown is possible with AMD hardware, even if the exact same vulnerability does not exist due to architectural differences. The problem is that security just wasn't on anyone's radar back when we all went down this path for performance. It seemed like a clear win with no downside, so nobody is even going to say that the chip manufacturers we wrong to do this. We all wanted it. :sweat:

    *At the beginning of the year: "At the moment, it is unclear whether AMD processors are also affected by Meltdown. According to ARM, some of their processors are also affected."

    Or, would it not be worth worrying about Spectre & Meltdown (regarding hardware purchases), as it's so difficult to put such an attack into practice (as you say)? Thank you (and apologies again for going off-topic) :+1:

    No exploits have been seen in the wild, and since "there are software patches against Meltdown" and "it is possible to prevent specific known exploits based on Spectre through software patches" it's not something I lose sleep over. It's encouraging to see the whole industry on top of this: software vendors are offering mitigating patches, hardware vendors are updating microcode and working to harden future designs, and security researchers continue to look for — and find — new vulnerabilities in this area. Certainly it can be scary to read headlines about new vulnerabilities, but the reality is that they exist either way and it's better that we know about them so they can be addressed. The folks who really need to stress out about this are those responsible for fixing things, since there's a lot of pressure from their customers — you and I certainly, but even more so the large companies with expensive contracts. As individual end users, we've got it pretty easy: stay up to date with OS, software, and firmware patches. :sunglasses:

  • AGAlumB
    AGAlumB
    1Password Alumni

    Put another way, if we hold off on getting new hardware we need because of the specter (ha!) of Spectre and Meltdown, we'll be waiting a long time — probably longer than anyone who spends time on internet forums wants to — for hardware that is hardened against these sorts of speculative execution attacks. So personally I'm not gonna wait. :pirate:

  • pbryanw
    pbryanw
    Community Member

    @brenty - Firstly, thanks for splitting this discussion off, and also thanks for explaining the rational behind removing SGX support from 1Password 7.

    I'd also like to say a big thank you for your detailed explanation of the Spectre & Meltdown vulnerabilities, especially with regards to new PC purchases. I have yet to find an article or post that summarises it so well, and that's easily understandable to a layman like me (thanks for the links too, which I will store away for reference) :+1:

    ...we'll be waiting a long time — probably longer than anyone who spends time on internet forums wants to — for hardware that is hardened against these sorts of speculative execution attacks. So personally I'm not gonna wait. :pirate:

    This is key for me, as someone who likes to upgrade their hardware every couple of years. I'm getting the upgrade bug/itch again, so a new build is forthcoming. My Mum, on the other hand, has just recently replaced her 2011 Mac mini with an Intel NUC, and that will probably last her another decade :chuffed:

    Certainly it can be scary to read headlines about new vulnerabilities, but the reality is that they exist either way and it's better that we know about them so they can be addressed. The folks who really need to stress out about this are those responsible for fixing things, since there's a lot of pressure from their customers — you and I certainly, but even more so the large companies with expensive contracts. As individual end users, we've got it pretty easy: stay up to date with OS, software, and firmware patches. :sunglasses:

    Thank you - it can be scary, especially as an end-user - when you don't know how these attacks will affect you in real life. It's reassuring to hear that it still comes down to following good practice when it comes to security - keeping OS, software & firmware up-to-date. Thankfully, I should be able to manage this for the foreseeable future :chuffed:

    (And good luck with your new Mac purchase - hopefully new Macs are incoming, with new mini rumours and the prospect of a new Mac Pro next year).

  • AGAlumB
    AGAlumB
    1Password Alumni

    Firstly, thanks for splitting this discussion off, and also thanks for explaining the rational behind removing SGX support from 1Password 7.

    @pbryanw: You're very welcome! :)

    I'd also like to say a big thank you for your detailed explanation of the Spectre & Meltdown vulnerabilities, especially with regards to new PC purchases. I have yet to find an article or post that summarises it so well, and that's easily understandable to a layman like me (thanks for the links too, which I will store away for reference) :+1:

    Wow! Thank you! I guess all of my reading and writing has paid off then. :lol: It's sometimes hard to tie it all together, so I'm glad that helped. :chuffed:

    This is key for me, as someone who likes to upgrade their hardware every couple of years. I'm getting the upgrade bug/itch again, so a new build is forthcoming. My Mum, on the other hand, has just recently replaced her 2011 Mac mini with an Intel NUC, and that will probably last her another decade :chuffed:

    Sounds good! I will admit to being fairly ignorant of the NUCs except to know that they exist, but I've been looking at them more recently. There are some really powerful machines packed into those small packages now!

    Thank you - it can be scary, especially as an end-user - when you don't know how these attacks will affect you in real life. It's reassuring to hear that it still comes down to following good practice when it comes to security - keeping OS, software & firmware up-to-date. Thankfully, I should be able to manage this for the foreseeable future :chuffed:

    It occurs to me that one thing I failed to mention earlier is that all of the known potential attacks in this area depend on direct control of the machine to run malicious code to try to capture data. And, honestly, that's a bad situation even if Spectre and Meltdown didn't exist. So as long as you're practicing skeptical computing and not installing software from untrusted sources (or giving someone else access to do so), there really isn't much to fear at all, either from these vulnerabilities or the rest of the wild world of malware out there. :sunglasses:

    (And good luck with your new Mac purchase - hopefully new Macs are incoming, with new mini rumours and the prospect of a new Mac Pro next year).

    Fingers crossed! ;)

This discussion has been closed.