# Where did Specter originate?



## Phishfry (Dec 10, 2018)

I am researching the Specter vulnerabilities and I can find no good "Post Mortem". AKA whodunnit.
Nearly all the processors we have used for the last 15 years have had these problems. Yet no real culpability..
With these vulnerabilities spanning several companies it would seem this was a design philosophy problem?
Intel and AMD designers couldn't have both designed the same flaws. So is this a deeper learned problem?
These flawed designs appear to date back to the early 2000's at least.

Meltdown seems to boil down to CPU not respecting kernel-space/ user-space isolation.
Spectrer seems to be the same issue but adds speculative execution to further deepen the problem.
https://hackernoon.com/spectre-melt...ilities-a-technical-introduction-e3d09d6699a6

So where do these bad design decisions originate from.
Is this academia or is this industry competing for speed advantages throwing out sound design decisions?
Maybe this is not considering rigid security in the design?


----------



## rigoletto@ (Dec 10, 2018)

All of this come with the introduction of a particular "feature" in CPU design which make them become more performant. Unfortunately, I don't remember the name of that right now, but I may answer in another moment.

Also, it is not just about AMD/Intel. *Generally* talking, no ISA is free of Spectre. This "feature" is present in almost all modern processors, and so it also affect Cavium ThunderxV2, POWER8,9 etc.

RaspPi (IIRC just a few models), Cavium ThunderX(v1), Risc-V, and Sparc are the few that seems not affected for some reason. Some of those, as I heard, seems more like for being  lucky.


----------



## ralphbsz (Dec 10, 2018)

Spectre is a side effect of speculative execution.  If you don't know what speculative execution is, read a computer architecture textbook.  It has been in use since ... I'm not sure I know 100%, but I think the IBM 360-91 (which was built in the mid 1960's as a high-performance supercomputer) had speculative execution.  So that part has been around for over 50 years.

The problem with Spectre is an interaction between speculative execution and caches: While the not-taken part of speculative execution should have no effect on the ISA (in a nutshell, on the state of the computer as observable through a valid program), it has a tiny side effect: the speculative execution could have loaded data into the cache, and the effect of that is visible by studying the timing of future accesses.  This is a classic side-channel attack.  It's like the old joke: to measure whether there is international tension or not, just measure the number of late-night pizza deliveries to the pentagon.

CPU cache have been around since ... forever too.  The first cache I'm aware of is in the IBM 360-67, which was built also in the mid-60s as a timesharing machine with virtual memory.  Again over 50 years.  I'm going to bet that if a real expert worked through it, they could find vulnerabilities that are like Meltdown and Spectre even in machines of the 1970s, when big mainframe computers had technologies that very much resemble what is available in microprocessors now.  Unfortunately, that's going to be hard ... to my knowledge, there are no functioning 360, 370 or Cyber machines left in the world (there are lots of older and smaller machines, like IBM 1401, or PDP-9, -10 and -15, and even a lot of VAXes, I have two myself, but no mainframes based on discrete transistors or vacuum tubes).

So, you want to know why there is no "post mortem"?  There are, dozens of them.  Look at the wikipedia article for Spectre, and you will find links to the announcements and analysis (those typically have names that start with "CVE").  Read them carefully.

Whodunnit?  Who found them?  Security researchers, at academia and in industry.  Who created the vulnerability?  Whoever designed the CPUs.  Given that nearly all modern CPU chips (those that have speculative execution and caches) have this problem, it's really hard to assign blame to one particular party.  Sure, the typical Wintel-Haters will immediately claim that this is Microsoft's and Intel's fault.  And to some extent they will be right: Given that Intel has 90% market share in CPUs used in computers (for some definition of "computer"), 90% of the machines with these vulnerabilities will be made by Intel (duh), so let's get mad at Intel.  Obviously, this is very stupid.  But there are lots of stupid people around (observe, as an example, the current President of the USA).

Where does the decision come from?  The wish of the people who have been building CPUs for the last 50 years to give their customers machines that are (a) fast, (b) inexpensive, (c) power-efficient.  With today's silicon, that requires techniques such as parallelism (meaning speculative execution as one way to have parallelism), and multiple layers in the memory hierarchy (meaning caches).  It seems that CPU designers didn't think about a very low-bandwidth information leakage side channel that happens when you have both.  The general concept of interaction of caches with side-channels has been known for at least a decade; I discussed it with colleagues in the context of storage subsystems (disks and RAID controllers) a long time ago, but I was not involved in CPU design.  We decided that the risk and bandwidth were so ludicrously low for storage that it wasn't worth thinking about.  Maybe people involved in CPU design also thought about it and rejected it being a significant risk; or maybe they didn't think about it.  The important thing to remember is: those people are not evil, nor stupid.  They are trying really hard to give CPU customers that what CPU customers have been clamoring for: chips that are "good, cheap, fast".

Really, if you want to get upset about something, and demand inquisition-like punishment (like reviewing design decisions), please (a) become an expert in CPU design first, and (b) look in other places where are much larger dangers. Really, the current political tendencies in most western countries are a much larger danger to human happiness than an obscure and difficult to exploit security bug in a chip.  I worry much more about Bolsenaro, Urban, Brexit, Trump, and Kaczynski than about Spectre and Meltdown.


----------



## Phishfry (Dec 10, 2018)

This seems to be what I was looking for:
https://en.wikipedia.org/wiki/Branch_predictor#Two-level_predictor

This is what ended up in most all processors after 1998.


----------



## Phishfry (Dec 10, 2018)

ralphbsz said:


> CPU designers didn't think about a very low-bandwidth information leakage side channel


That is what I was looking for.
I understand that even the best machine can be broken when used inappropriately.


----------

