
The Brutal Performance Impact From Mitigating The LVI Vulnerability


  • #61
    btw... all these security issues are not only a concern for personal data. I think those DRM people might also be... let's say not amused. This makes all the PSP and Intel secure-code efforts look like a joke. I hope Netflix etc. will not restrict their service on x86 more... at the moment 4K or proper full HD is not available in the classic browser... I really start to hate what happens to the PC world... restrictions, strange bugs, strange Intel ME and PSP crap, trojan browsers, DRM...



    • #62
      Originally posted by dweigert:
      Ugh... I can't afford Epyc-based servers at the moment. I will be building out a Threadripper box though. I'm done with Intel for a while.
      I mean, they are a lot less expensive than Intel's, at a given performance target.



      • #63
        Originally posted by areilly:
        Sucks to be trying to sell "hostless lambdas" or whatever the cloud geeks think is cool at the moment, and it seems that running contemporary JavaScript on the same machine that handles your secrets and does your real work might not be such a good idea, but I don't think that this is the end of the world. The problem, such as it is, arises from letting malicious code share hardware that has lots of hidden (non-architectural) state, (because it turns out not to be very well hidden). Seems obvious that rather than slowing the machine down by orders of magnitude, by preventing any of that hidden state from doing its job, the much better approach would be to just keep the malicious code somewhere more isolated, where it can't see the hidden state of other code. That may require operating system changes, so that task switches don't just swap visible register state, but do some more work to flush that hidden state, at least when switching between different "trust" domains. That is: you can separate in time, and you can separate in space. Modern processors are growing cores like rabbits (those new Amazon Graviton2, for example: 64 single-threaded cores) so much more often threads will not have to time-slice at all, they'll just spin up another core and own it for the duration.

        Oh, and the good old rule of not running malicious code in the first place seems like a keeper, too. Besides sticking with open source, and being careful around the trust of your sources when you can't. Surely it's not beyond the wit of man to detect code that spends a lot of cycles doing nothing obviously useful while looking at the high-res clock, and just knocking it on the head? Perhaps deciding that an advertising-sponsored browser plugin or mobile app might not be a great idea after all?
        I don't know anything about hostvoid lambdas, but I can assure you if you are going to try to sandbox using VMs on a quad-core Intel that would be annoyingly slow; I would not use Intel at all for VMs personally. As far as JS goes, yeah, no! I knew it was just a matter of time before someone cleverly engineered some JS that could simply latch on to an average Joe's machine and install a botnet or jack their bank login credentials.

        It's only going to get much worse for Intel users. I would get off Intel as soon as possible, to whoever is reading this. My opinion of JavaScript is that it should be completely removed from the web; it's really bad stuff in my opinion. Java = code slop + data integrity risk + who knows what the hell is in there.

        Personally I am not going to use VMs until I have at least a dodeca-core, 'cause I am a resource and latency snob.

        Lynx anyone?
        Last edited by creative; 14 March 2020, 04:29 PM.



        • #64
          Originally posted by CochainComplex:
          btw... all these security issues are not only a concern for personal data. I think those DRM people might also be... let's say not amused. This makes all the PSP and Intel secure-code efforts look like a joke. I hope Netflix etc. will not restrict their service on x86 more... at the moment 4K or proper full HD is not available in the classic browser... I really start to hate what happens to the PC world... restrictions, strange bugs, strange Intel ME and PSP crap, trojan browsers, DRM...
          AMD's PSP is at the moment, from what I understand, a complete 100% enigma. Very few people know what's going on in there. Now UEFI is another story; it's pretty well documented as a way in on all machines post-2011, and maybe before that with pre-UEFI system bare-metal wet code.
          Last edited by creative; 14 March 2020, 11:02 AM.



          • #65
            Originally posted by creative:

            I don't know anything about hostvoid lambdas, but I can assure you if you are going to try to sandbox using VMs on a quad-core Intel that would be annoyingly slow; I would not use Intel at all for VMs personally. As far as JS goes, yeah, no! I knew it was just a matter of time before someone cleverly engineered some JS that could simply latch on to an average Joe's machine and install a botnet or jack their bank login credentials.

            It's only going to get much worse for Intel users. I would get off Intel as soon as possible, to whoever is reading this. My opinion of JavaScript is that it should be completely removed from the web; it's really bad stuff in my opinion. Java = code slop + data integrity risk + who knows what the hell is in there.

            Personally I am not going to use VMs until I have at least a dodeca-core, 'cause I am a resource and latency snob.

            Lynx anyone?
            I was fixing to ask this question. Since the attack vector, for me, would come from a web browser, wouldn't spinning up a single-core *BSD virtual machine to use only for surfing be the best mitigation?

            Or would, say, Kodi running natively on the Linux install be a possible vector?



            • #66
              Originally posted by dave_boo:

              I was fixing to ask this question. Since the attack vector, for me, would come from a web browser, wouldn't spinning up a single-core *BSD virtual machine to use only for surfing be the best mitigation?

              Or would, say, Kodi running natively on the Linux install be a possible vector?
              I am not an expert on the subject; I just enjoy reading about and studying security stuff at times. YouTube actually has a lot of interesting stuff I listen to when I am bored at work.

              Even through a virtual machine the processor could be accessed through a script, I would think. I would just block as much JavaScript as you can. I know it breaks how a site displays in your browser, but the cool thing is, most of the time if you're just wanting to read text it's a plus. Also, text web browsers like Lynx can be nice to use at times and will not run any JScript.

              Not sure about Kodi; guessing it's some type of cross-platform media player?

              Also, taking care of some basics like making sure you are using a more secure DNS that is less likely to be compromised and that offers phishing protection, among other security things that protect you from dregs that want to steal stuff from you.

              I am still learning; I am sure there are many people on here way, way smarter than me on the subject. I do find the stuff fascinating though.

              My desire to use VMs is more for things like Linux From Scratch and maybe some security stuff.
              Last edited by creative; 14 March 2020, 11:09 PM.



              • #67
                Originally posted by dave_boo:

                I was fixing to ask this question. Since the attack vector, for me, would come from a web browser, wouldn't spinning up a single-core *BSD virtual machine to use only for surfing be the best mitigation?

                Or would, say, Kodi running natively on the Linux install be a possible vector?
                But lots of the Intel vulnerabilities are of a kind where code in a VM can get access to information outside of the VM, so a VM only mitigates some vulnerabilities. This really is a big problem, because cloud servers like to use VMs, Docker, ... to share the machine among multiple customers, while JS is an example where home users are sharing their computer with unknown others.



                • #68
                  Originally posted by TemplarGR:

                  Bulldozer has always been an elegant design. I am frustrated that AMD had to scrap it and go copy Intel's SMT design. Now Zen is just a me-too Core architecture with slightly worse IPC but more cores per dollar.
                  Zen is a very different design to Core, Zen 2 even more so.

                  And Zen 2 has a higher IPC than Intel.



                  • #69
                    That's disgusting. And yes, I will be the tin-foil conspiracy theorist right now: I believe Intel knew about all of these recent vulnerabilities that have been slowing us down for the past year and kept it secret but revealed it to the highest bidder, a.k.a. governments.



                    • #70
                      When will Linux distributions and Windows 10 provide those mitigations?
