Announcement

Collapse
No announcement yet.

KPTI + Retpoline Linux Benchmarking On Old Laptops

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #21
    Originally posted by nanonyme View Post

    Who uses their PC for only gaming these days? This means you literally never use eg online banks, buy games online etc etc.
    I would never bank online both because of the security arms race (no guarantees for anyone) and because banks would probably have to block my machines due to my refusal to ever unblock fingerprinting code and sites. As for buying games online etc, I do not pay for content at all and do not handle paid files at all. Thus, a banking and financial exploit that always worked and could never be blocked would not be a factor. It is attempts to log browsing history, verify authorship of controversial anonymous postings, and steal encryption keys that I worry about-and guess what, the basic exploits are probably the same no matter what the payload. A banking trojan and an FBI CIPAV can probably both be installed using the exact same vulnerabilities.

    This was enough that I had to replace all browsers as soon as they have been rebuilt to mitigate SPECTRE, and thankfully do not use any Intel boxes with branch prediction (vulnerable to Meltdown) online at all. Since Spectre is about using timing to export data, FF devs have modified FF to greatly reduce the resolution of any timing information exported by the browser. This both blocks the obvious ways to use JS on it with Spectre and probably (not sure if this is always through the new code) also weakens clock skew as a fingerprinting tool.

    Another defense is always blocking a website from using JS (code run on your machine!) at intial lode and never letting unknown or untrusted sites use it at all. A random porn site carrying keyloggers and trojans (haha...) can't get you if you don't allow it to run scripts and just treat it as broken when it doesn't load images or video as a result. A malicious ad with a ransomware payload probably won't be seen at all.

    One advantage most Linux user will get is this: even the best of cross-platform exploits are usually used by cops and criminals alike to install Window malware unless a known Linux user is individually targettted. For instance, the whole Freedom Hosting mess was the use by the FBI of a vulnerablity in certain versions of Firefox to install FBI spyware in Tor user's computers if they visited certain .onion (Tor-only) sites on Freedom Hosting. I do not know if the server-side malware was only on the targetted kiddie porn sites or all sites on Freedom Hosting. Here's the kicker: the server side code leveraged a cross-platform exploit, but the code it installed (the CIPAV) only ran on Windows! On top of all else, the installer also required javascript. Thus, the only vulnerable users were those who ran an obsolete version of Torbrowser on Windows and enabled JS on the offending site.

    The FF vulnerability was a memory issue, so I suspect that use of SPECTRE or Meltdown by the FBI or even the NSA would also follow this model. Not a guarantee though, as if you are known to use Linux and are individually targetted they won't waste their time on Windows payloads. Fortunately for most readers here, the FBI is reluctant to deploy CIPAVs or other spyware against anyone considered a hacker, for fear it will be detected and captured rather than do its job. Once it gets decompiled and the resulting source published, they both both the ability to hide it (virus scan authors etc will target it) and to keep it from being re-used the way the NSA's Eternal Blue exploit was re-used by ransomware creeps.

    Comment


    • #22
      Cherry trail, Apollo lake and probably some other atom, either have pcid support. it would be possible to include some of them?

      Comment


      • #23
        Michael
        Junior Member
        Michael I was under the impression that full spectre mitigation requires a recompiled userspace using a patched compiler, at least for software which provides the ability to execute arbitrary code as Luke mentioned with browsers above. Presumably all benchmarks thus far are have only the kernel protected.

        Comment


        • #24
          Originally posted by wsxy162 View Post

          This seems silly, even with your gaming PC, sometimes you still need to sign in gaming accounts. You are no way to avoid from the risk.
          As some one else pointed out: it's just a very small number of gaming accounts. If my gaming/toy PC gets hacked then the attacker potentially gets 1 account that doesn't matter much to me. I could easily secure my Steam account using 2 factor if I wanted anyway. If I did that they wouldn't even get 1 account.

          My approach massively reduces the risks of getting my important data copied or my banking accounts compromised. At the same time it means I can be far more relaxed about security on my gaming pc. I can treat it like an advance games console, freely experimenting with games and mods with barely a thought for malware. I do actually think about malware a bit when making decisions, but not nearly as much as on my main system.

          Originally posted by starshipeleven View Post
          Same here.

          Is your gaming rig on linux? Because if you have a separate gaming rig there are so much good reasons to just use Windows on it, and the point of smartalgorithm becomes quite weak.
          Currently it's actually Windows 7, but I intend to switch over to a GNU/Linux distro for gaming within 2 years.

          Microsoft will have or already have mitigation patches for these vulnerabilities. I expect they too will incur a performance penalty. So some people may wish to not apply the Microsoft update containing these mitigations for the same reasons as I listed previously.

          Comment


          • #25
            I know a Linux forum is perhaps not the best place to ask this, but people here tend to be much more technically-knowledgeable than on any Windows-centered website.

            Does anyone know if there is a way to disable the exploit mitigations on Windows? Does Windows have an equivalent to "nopti noretpoline" in the Linux cmdline?

            I have a Windows machine where I don't care about security. I want my performance back.

            Comment


            • #26
              Originally posted by hvis View Post
              There's no point in disabling KPTI on a gaming rig. All performance tests say that the effect on the gaming performance is negligible.
              The reason why the OP wants to turn off PTI is really irrelevant. It's up to a user to determine if the performance impact of the security fixes outweigh the potential security risks. Security is always a trade off between performance, user convenience, and risk assessment. It's unfounded to say ALL games are going to have negligible impact because not all games are created equal. We've only seen benchmarks on the most popular games on the market, it's conceivable there's some out there that are heavier on I/O which would be at least somewhat impacted. Basically anything not running untrusted code isn't really that vulnerable to the exploits PTI is supposed to mitigate. While the likes of Google, Facebook, and other high profile targets are correct to be concerned, and patch appropriately, small fry like myself are more free to weigh the likelihood of security impacts versus performance impact versus our bank balance. My house file server never does anything but serve files inside the house LAN, and that's one of the most severe impacts of Meltdown performance mitigation. I can't afford new hardware nor would it particularly benefit me to do so, so yes, PTI will be switched off on the server. Luckily my desktop uses an AMD CPU which won't see the severe I/O impacts to begin with.

              Comment


              • #27
                Well put stormcrow.

                Comment


                • #28
                  With the System V message passing micro-benchmark with Thinkpad W510 was dragged down to 32% performance.

                  Dragonfly BSD is an attempt to produce a kernel that relies more on message passing. This probably explains why the Retpoline patch hammered Dragonfly so badly.

                  I wonder how Dragonfly would fare on the Thinkpad W510.

                  Comment


                  • #29
                    Originally posted by Luke View Post

                    I would never bank online both because of the security arms race (no guarantees for anyone) and because banks would probably have to block my machines due to my refusal to ever unblock fingerprinting code and sites. As for buying games online etc, I do not pay for content at all and do not handle paid files at all. Thus, a banking and financial exploit that always worked and could never be blocked would not be a factor. It is attempts to log browsing history, verify authorship of controversial anonymous postings, and steal encryption keys that I worry about-and guess what, the basic exploits are probably the same no matter what the payload. A banking trojan and an FBI CIPAV can probably both be installed using the exact same vulnerabilities.

                    This was enough that I had to replace all browsers as soon as they have been rebuilt to mitigate SPECTRE, and thankfully do not use any Intel boxes with branch prediction (vulnerable to Meltdown) online at all. Since Spectre is about using timing to export data, FF devs have modified FF to greatly reduce the resolution of any timing information exported by the browser. This both blocks the obvious ways to use JS on it with Spectre and probably (not sure if this is always through the new code) also weakens clock skew as a fingerprinting tool.

                    Another defense is always blocking a website from using JS (code run on your machine!) at intial lode and never letting unknown or untrusted sites use it at all. A random porn site carrying keyloggers and trojans (haha...) can't get you if you don't allow it to run scripts and just treat it as broken when it doesn't load images or video as a result. A malicious ad with a ransomware payload probably won't be seen at all.

                    One advantage most Linux user will get is this: even the best of cross-platform exploits are usually used by cops and criminals alike to install Window malware unless a known Linux user is individually targettted. For instance, the whole Freedom Hosting mess was the use by the FBI of a vulnerablity in certain versions of Firefox to install FBI spyware in Tor user's computers if they visited certain .onion (Tor-only) sites on Freedom Hosting. I do not know if the server-side malware was only on the targetted kiddie porn sites or all sites on Freedom Hosting. Here's the kicker: the server side code leveraged a cross-platform exploit, but the code it installed (the CIPAV) only ran on Windows! On top of all else, the installer also required javascript. Thus, the only vulnerable users were those who ran an obsolete version of Torbrowser on Windows and enabled JS on the offending site.

                    The FF vulnerability was a memory issue, so I suspect that use of SPECTRE or Meltdown by the FBI or even the NSA would also follow this model. Not a guarantee though, as if you are known to use Linux and are individually targetted they won't waste their time on Windows payloads. Fortunately for most readers here, the FBI is reluctant to deploy CIPAVs or other spyware against anyone considered a hacker, for fear it will be detected and captured rather than do its job. Once it gets decompiled and the resulting source published, they both both the ability to hide it (virus scan authors etc will target it) and to keep it from being re-used the way the NSA's Eternal Blue exploit was re-used by ransomware creeps.
                    My bank's online banking works fine with fingerprinting disabled (date/fonts/canvas/media APIs etc) in ScriptSafe, and only scripts from the bank website allowed. Cookies, yes I let them use cookies. They have my card number, lol, they know its me. I'm not trying to pretend I'm not me. The reason to disable fingerprinting and cookies when accessing a business website that you trust your identity with, is to prevent leaking that identity to other sites. Disabling 3rd party scripts and content effectively prevents that, so I could even enable the other fingerprinting methods, if my bank required them.

                    Comment


                    • #30
                      Originally posted by linuxgeex View Post

                      My bank's online banking works fine with fingerprinting disabled (date/fonts/canvas/media APIs etc) in ScriptSafe, and only scripts from the bank website allowed. Cookies, yes I let them use cookies. They have my card number, lol, they know its me. I'm not trying to pretend I'm not me. The reason to disable fingerprinting and cookies when accessing a business website that you trust your identity with, is to prevent leaking that identity to other sites. Disabling 3rd party scripts and content effectively prevents that, so I could even enable the other fingerprinting methods, if my bank required them.
                      I actually regard all online banking as too dangerous even if you could guarantee the security of your computers, because it increases the attack surface against your bank account. If a merchant's computer is compromised or a skimmer gets attached to your bank's own ATM, you will get much less argument about reversing fraudulent transactions. I also recommend withdrawing your money in the form of cash as you use it, buying with cash and not debit cards to deny merchants that information, and never registering products or participating in mail in rebate programs, surveys, warrenty registrations, etc. You want the product, not the telemarketing calls, spam, junk mail (and maybe subpeonas and search warrants) generated by your personal information being bought and sold.

                      If you doubt what I said about subpeonas and warrants, one argument raised against noncash (EZ-Pass only) toll roads has been that divorce lawyers can subpeona travel records generated by them to track the whereabouts of a spouse suspected of having some action on the side. Counter to that one of course is not to use the offending roads or own an EZ-pass.

                      Privacy is a way of life, and its not just what you do with computers.

                      EDIT: if you never bank online and never give your bank your email address, you also know that ALL emails claiming to come from your bank are "something phishy" and not do do anything they ask you to do.
                      Luke
                      Senior Member
                      Last edited by Luke; 17 January 2018, 10:28 PM.

                      Comment

                      Working...
                      X