Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[kitz]

Thats quite a nice little tool.   

Same as you guys I got

System is Meltdown protected: YES
System is Spectre protected: NO!
Performance: GOOD

Then it goes on to give a nice explanation and even the option to disable Meltdown protection if you want.


You can also run it in Advanced Tech Mode.   This isn't obvious, but try clicking on the little spectre icon 

This 64-bit OS on Intel Processor:

   OS is Meltdown aware:      Yes
   OS is Spectre aware:      Yes
   OS Meltdown data:      0x000D
   OS Spectre data:      0x0084
   PCID/INVPCID support:      Yes / Yes
   CPU microcode updated:   No
   CPU is meltdown vulnerable:   Yes

This system's processor identification:
 Intel Core i7-6700K CPU @ 4.00GHz

Documentation of Meltdown (KVA) and Spectre (branch control speculation) bit flags returned by the NtQuerySystemInformation call which, when supported by updated versions of Windows as shown above, provides detailed information about Windows' management of these vulnerabilities:

   KVA (Meltdown Vulnerability) flags:
   ==================================
   0x01   KVA_SHADOW_ENABLED
   0x02   KVA_SHADOW_USER_GLOBAL
   0x04   KVA_SHADOW_PCID
   0x08   KVA_SHADOW_INVPCID

   Branch Prediction Speculation (Spectre) flags:
   ==================================
   0x01   BPB_ENABLED
   0x02   BPB_DISABLED_SYSTEM_POLICY
   0x04   BPB_DISABLED_NO_HW_SUPPORT
   0x08   SPEC_CTRL_ENUMERATED
   0x10   PRED_CMD_ENUMERATED
   0x20   IBRS_PRESENT
   0x40   STIBP_PRESENT
   0x80   SMEP_PRESENT

The presence of the relatively recent PCID and INVPCID support allows Windows (when it chooses to take advantage of this) to protect against the Meltdown vulnerability without significant system performance impact.

AMD processors do not require, do not offer, and do not need the PCID and INVPCID support since they are inherently invulnerable to Meltdown attack.

"CPU microcode updated" indicates that this system is using recently updated Intel or AMD microcode which provides the control over branch prediction speculation required to allow an aware operating system to protect the system from the Spectre vulnerabilities.

This application will run under WINE and can therefore be used on non-Windows systems. Although its operating system data may not be meaningful under WINE, its display of the underlying processor capabilities will be accurate.

 For more information see GRC's InSpectre web page

Copyright © 2018 by Gibson Research Corporation

Copied the full thing as it says it will run on other O/S with WINE.

[broadstairs]

I ran it under wine on my AMD PC running openSUSE  Tumbleweed and it said I was Meltdown protected but Spectre vulnerable which is rather what I suspected anyway.

Stuart

[Weaver]

I can't possibly even see any point until there is any chance of actual threat is the wild. And even then just don't let evil software run on your box. But browsers will have to be fixed tho, unless you turn javascript off everywhere, which is hard going, especially as they don't make it easy to do so selectively.

The later you leave it, the more time there will be to actually get patches sorted out properly as in some cases I feel sure that a rethink will be needed. (Thinking about what I myself would have to get up to, a high chance of don't a poor job and then a much better job second time round, which is so often a pattern with me if not others. [Once wrote an RS232 driver, subsystem and API for an o/s did a really feeble job of it and then luckily had the chance to oversee a total redesign with stunningly better results. It was about adding background-processing i/o into a completely non-multitasking o/s, so apps could do background printing and completely overlapped i/o and computation where it made sense, all without apps having to change at all. Like in DOS 2.0 iirc.])

[Chrysalis]

Been some VPS performance issues, here is an email received.

This message is to clients on NYCSKVMS7. In our email regarding the recent Intel CPU vulnerabilities, we noted that performance issues would be a likely side effect of the patches. We have since determined that a different patched kernel may alleviate some of those problems. Due to the significant reduction in performance this node is currently experiencing, we are scheduling a reboot for tomorrow (February 7) at 8 PM eastern (GMT -5). Downtime should not be more than a few minutes. If your VPS does not reboot, please make sure you do not have a CDROM / ISO mounted in the SolusVM CP.

I got no idea what patch they originally rolled out. But it seems the performance impact was higher than anticipated.

Misformed quote corrected - Roseway

[banger]

https://www.techarp.com/guides/complete-meltdown-spectre-cpu-list/6/

Above is a complete (subject to updates) list of CPU's affected by Meltdown and Spectre. Both my current CPUs have now appeared on the list, the Pentium Dual E2180 and Core 2 Duo E8400. No software mitigation as yet for Spectre on Windows but Meltdown has been pushed out on most Windows current platforms.

[Bowdon]

I'm kinda 50/50 on this in my thoughts.

Yes the security gap was there for many years and it needed to be fixed.

But on the other hand nobody in the real world actually used it, and wasn't the demonstration done on a linux system?

This all feels over hyped and rushed. I'm not sure if the fix that Microsoft was rolling out is currently being deployed. The last I heard they had to stop the rollout to at least AMD based computers because it was causing massive problems.

This as been a bad marketing disaster especially for Intel. Patch the cpu and take a performance hit. Does the performance hit become mitigated if the bios was updated? But then again, how many people will update their bios? I bet very few.

[Chrysalis]

some technical info here by the dragonflybsd dev who says its not viable on his OS.

http://lists.dragonflybsd.org/pipermail/users/2018-January/335633.html
also here some info here https://arstechnica.com/gadgets/2018/01/heres-how-and-why-the-spectre-and-meltdown-patches-will-hurt-performance/

Meltdown patch is effective, but adds new system calls to kernel operations, in lame speak it means userland processing has zero performance impact, but kernel processing has heavy performance impact (halving of performance).  Generally in laymens terms i/o and networking overheads will double.  You can see a graph posted on the arstechnica page from a admin of a server showing his cpu utilisation doubled on a patched system.   The reason desktop's (on average) are seeing much lower visible performance hit's is because much more of their processing is userland, but its not entirely userland.

Spectre has 2 variants as has already been mentioned here.  One can be patched in software, on Windows I believe the patch will only be applied if a certian registry key exists to indicate a/v software is compatible, otherwise the patch wont be installed.  The second patch requires a updated cpu microcode.  The spectre patch effectiveness and performance implications are noted in the first link I posted.  Basically there is a choice between hardening spectre mitigation just on kernel calls (so limited impact on most desktops but still heavy on servers), or hardening on all cpu instructions (massive performance hit to everything).  Microsoft has done the former else there would be meltdown on the internet about performance, but its noted that the former will allow things like browser exploits to still work.  The latter is also not even a complete mitigation. Also to avoid a meltdown about windows server performance, when the patch is installed its by default disabled.

On my PfSense unit I have decided to mitigate neither, it has no web browser, it has no public services, its pointless.
On my desktop at least for now I have also decided to not mitigate either, the OS is hardened, the browser is hardened and I have common sense.  My laptop I will probably mitigate meltdown but not spectre.

Family members is a different story, hardening their OS and browsers is difficult as it compromises ease of use, so they get confused etc.  Hardening gets undone on automated Windows 10 feature updates, and they dont have the IT savvyness to know what sort of things to avoid doing that puts them at risk, so I will make sure they mitigated as much as possible.

Thats my current take on it, for home equipment, servers is a different story.

Much of intel's IPC improvements in the past decade or so have come from branch prediction, full spectre mitigation disabling all of that sets CPU's back a decade or so in performance hence the heavy performance hit.