Windows 10 will ban Spectrum slowdowns with Google's Retpoline patch



[ad_1]

Microsoft is integrating into the next version of Windows 10, currently referred to as code 19H1, mitigating the indirect attack by the speculative runtime channels in Specter Variant 2.

One of the big concerns about Meltdown and Specter processor failures – aside from the attackers who exploit them – is that mitigating attacks could have serious performance implications, ranging from 5 to 30 percent.

This concern was greater for Intel's microcode mitigation measures for Spectrum Variant 2, CVE-2017-5715, a "branch target injection" flaw.

Intel's mitigation measures directly change the way the hardware is executed speculatively. These are the Indirect Branch Restricted Specification (IBRS) and the Indirect Branch Predictor Barrier (IBPB), which could affect processor performance.

Google has developed a software-based mitigation solution for variant 2 of the spectrum, called Retpoline, that sufficiently limits the speculative execution behavior to mitigate an attack. Google's tests revealed that its fix had a negligible effect on performance.

SEE: Cybersecurity in an IoT and mobile world (ZDNet Special Report) | Download the report in PDF format (TechRepublic)

Retpoline has been implemented by Linux distributions such as Red Hat and SUSE, as well as by Oracle for Oracle Linux 6 and 7.

And now, as MSPoweruser has seen, Microsoft's core engineers have confirmed that Retpoline would be part of the next version of Windows 10, 19H1, which should be released next year.

Core changes by Google's Retpoline and Microsoft software have reduced the impact on "noise level" performance, according to Mehmet Iyigun of the Microsoft and Microsoft Azure Kernel team.

"Yes, we enabled Retpoline by default on our 19H1 flights with what we call" import optimization "to further reduce the impact on indirect kernel-based call performance. reduce the impact of Spectrum v2 attenuations on noise-level for most scenarios, " wrote Iyigun.

The bad news is that Microsoft has not included the Retpoline patch in the latest version of Redstone 5, or RS5, of Windows 10 October 2018, although, according to Alex Ionescu, a researcher at CrowdStrike, he would have could.

Ionescu discovered the presence of Retpoline in 19H1 with the help of a tool that he developed, SpecuCheck, a Windows utility that IT administrators can use to check the status of hardware mitigations. and Meltdown software, Specter and other speculative runway secondary failures, such as speculative store bypass. , and attacks L1TF or & # 39; Foreshadow & # 39 ;.

Iyigun's confirmation followed a tweet from Ionescu pointing out that Windows 10 did not completely mitigate Specter Variant 2 attacks.

"If you have not corrected the Intel microcode with IBRS support, or if you are using AMD Zen processors, Windows will not fully mitigate the Specter v2 before 19H1, even if RS5 has everything needed to activate it, " wrote Ionescu.

SEE: A winning strategy for cybersecurity (ZDNet Special Report) | Download the report in PDF format (TechRepublic)

As he notes, on systems without IBRS, Windows does not empty the BIOS parameter block, or BPB, from kernel mode to user mode transitions.

"On systems without IBRS, Windows does not empty the BPB during kernel> user transitions, which poses a potential security problem for CPUs without microcode implementing IBRS," he explains in a thread.

"This is probably due to the fact that IBPB (the other mitigation solution) is two to three times slower than IBRS.Therefore, the impact on performance would make a lot of scenarios current user unacceptable and would be even worse on server scenarios, "wrote Ionescu in a series. tweets.

Ionescu also ran a file system test on a Surface Pro 4 with Windows 19H1 installed and found a "big improvement" in transfer speeds. The addition of Retpoline will benefit systems with IBRS or IBPB.

"Retpoline is enabled even on systems with only IBPB, which means that these systems are finally protected against Spectrum v2, even during kernel-> user transitions to the current (unprotected) situation." researcher noted.

But Ionescu also asked Microsoft to support Retpoline mitigation, because machines without IBRS "are basically sitting ducks".

Previous and related coverage

Intel abandons Linux patch "gag" and offers new "harmless" license

Intel's license for its firmware security patches no longer prevents developers from publishing benchmark results.

Linux "gags" Intel distributions unveiling performance of Spectrum patches

You can test the performance after using our patches, but do not publish the results, specify the new Intel license terms.

New variant 4 of Spectrum: our patches generate up to 8% performance loss, warns Intel

Intel's Specter variant 4 patch is disabled by default, but users who activate it may see performance slow down.

Linux performance before and after the Meltdown and Spectrum resolution

As expected, fixes have reduced Linux performance, but their impact has not been as severe as expected.

Oracle's latest Linux patches: new Spectrum and Lazy FPU patches strengthen defenses

Oracle offers new patches for spectrum flaws affecting Linux systems on Intel and AMD chips.

The security vulnerability of the Spectrum chip strikes again; Incoming fixes

A Google developer has discovered a new way to use a "Spectrum" type check to attack any computer running an operating system.

Are 8 new "Specter class" flaws in Intel processors on the verge of being exposed?

Reports emerge from eight new security CPU vulnerabilities of the "Spectrum" class.

Ex-Intel security expert: this new specter attack may even reveal some firmware secrets

A new variant of Specter can expose the contents of the memory to which the kernel of the operating system does not normally have access.

Microsoft to Windows users: here are new Intel security updates for Specter v2

Microsoft releases new Windows updates to solve the problem of variant 2 of the Spectrum that affects Intel chips.

Windows 10 on AMD? This new update plus Microsoft Spectrum Patch Block attacks

AMD has released firmware updates for variant 2 of the spectrum that require the latest Microsoft Windows 10 hotfix.

Intel: We will never correct the flaw of variant 2 of Spectrum in these chips

A handful of processor families that Intel had to fix should now remain vulnerable.

The Windows 7 Meltdown Patch Opens an Even More Serious Vulnerability: Now Install March Updates

The Microsoft Meltdown patch has opened a gaping hole in the security of Windows 7, warns the researcher.

New Intel Specter Patch: Skylake, Kaby Lake and Coffee Lake Chips Get Stable Microcode

Intel is progressing in the reissue of stable microcode updates against Spectrum attack.

Do you have an old PC? Find out if you will get the latest Intel Spectrum Patch TechRepublic

Intel has listed a range of processors released between 2007 and 2011 that will not receive firmware updates to protect against Spectrum-related exploits.

Class Actions on Intel Specter and Stay of Merger CNET

Since the beginning of 2018, the number of cases has increased from three to 32.

[ad_2]
Source link