Just How Screwed is Intel without Hyper-Threading?

[treetops]

A bitter sweet victory for my old 4690k...

Articles like this are almost clickbait because of how hard this exploit would be to actually use. People are worried this cat pictures, anime collection, pirate movies, etc will be stolen because of clickbait articles trying to get attention.

You had one JOB INTEL!
This is sad.

It's not a theory... The home user

Will Intel ever build a Processor that isn't flawed or vulnerable to attack?

You two are either an AMD fanboys or know absolutely nothing about this "exploit" and hwo it works.

This is a theoretical exploit. There is no practical way to use this exploit according to the researchers who discovered it and those who verified it. To use this exploit you need direct physical access to the computer when its running the software you want to obtain information from. In addition to that you have to be monitoring it the microsecond that the data passes through the processor. Also setting something up to obtain the data using this exploit is very difficult according to the researchers.

Basically you have to be using the computer running the program and using the data you want to access to obtain it through the exploit. In other words you would have to be trying to steal the data you already have access to from yourself.

The only people who have to worry about exploits like this are large companies such as Amazon, Alphabet, Apple, Microsoft, Facebook, Oracle, etc....

Interesting can you link us some proof?

" To use this exploit you need direct physical access to the computer when its running the software you want to obtain information from. "

Because I declare shenanigans on this.

 

[Bullwinkle M]

"We believe we can test a worst case scenario by disabling Hyper-Threading and for older platforms that won’t get updated this might end up being the only solution."
---------------------------------------------------------------------------
There are obviously "other" solutions...


My personal software is heavily vetted, online scripts and cloud services are "NOT ALLOWED" and everything is blocked from Internet access except the browser

If you were Windows Security Experts, you too could secure your box against these threats without disabling hyper-threading

Yeah, I may be an A-hole, but I'm also correct!

 

[Badelhas]

Can we get some results for older CPUs, some of us have yet to upgrade from Sandybridge.

This! I am still rocking the 2500k overclocked to 4.8ghz. It doesn't have HT but many are still using the also good old 2600k, which does have Hyper Threading

 

[Badelhas]

So basically Intel is going to downgrade my $350 CPU to absolute sh*t, than sell me a new one, and do the same thing again?

This is why my upgrade from the i5 2500k @4.7 will most likely be the AMD Ryzen 3700x @5ghz. Just waiting for the first reviews to arrive...

 

[Teknoman117]

What I find very interesting is that disabling HT has minimum impact on power draw, especially on newer, more refined design.

TL;DR - SMT was an optimization to make use of CPU logic that was consuming power but unutilized.

It's really not all that surprising given how SMT works. Modern CPUs are all what are known as "out of order" processors. Basically, they read in the instructions of a program, stick them in a giant buffer called the "reorder buffer", and as data dependencies are satisfied, "issue" them to functional units. If you had a program like "1: read memory location x into a, 2: set b to a + 5, 3: set d to 4 * c, 4: set e = b / d", the order it's executed could be 1,2,3,4, or 1,3,2,4, or 3,1,2,4 and give the same result. The CPU will do it whichever way is quickest.

SMT is a very clever modification of this. First, the core's working space is increased to make room for the architectural registers of each thread. Then, the reorder buffer is modified to track the hardware thread it came from. That's basically it. Note that instructions from different threads don't depend on each other, so you've effective doubled the amount of instructions which are available to execute. This creates an opportunity for the CPU to more effectively utilize it's functional units. If one thread isn't currently using, say, a multiplier, a multiplication from the other thread can be executed.

The reason the power consumption is more or less the same is because the majority of the power a functional unit consumes is merely by being powered up, even if it's not doing useful work. By lowering the combined throughput of the core, you are therefore lowering its power efficency, because the majority of the power consumption comes from merely being on.

 

[hk2000]

How Screwed? Come on, who writes these titles? You're becoming like C-Net, whom I abandoned because of their excessive use of inappropriate slang. You couldn't find a more appropriate word in the English language?

 

[DelJo63]

This should be obvious, while clearly from the above it isn't:

• Hyper-Treads requires the application to be coded using Threading.

We need to understand that not every application lends itself to being threaded in the first place. So what kind of applications can be segregated into threaded tasks?

1. server programs, where the frontend listens for inputs and the backend can be working on results.
2. database requests segregated from processing their results.
3. user management (such as Active Directory requests), login/logout
4. direct local file management (open, close, read, write, update, delete)

How about gaming?
Most games are not threaded either, because the path from user-action to visible-change is reasonably short. Team games with many concurrent players may get reworked into threaded code to reduce screen lag time however.

 

[kingdom9214]

Yes lets all lose our minds over a hardware level attack that will never/couldn't effect 99% of consumers. Also lets give it a really scary name like Zombie-Load. Might as well automatically assume Intel purposely ignored this security flaw to increase performance on chips that already beat their competitors. Just hurry up with the .5-1% performance loss patch and move on the next click bait tech scandal.

 

[Danny101]

Intel chips losing half of their value.

 

[bluetooth fairy]

Clickbaity title on the edge of offensive language. And even besides this for every tech reader it is obvious that i7 w/o HT is ~ i5, yes less cache and less boost, but HT was known as the main reason to differentiate an Intel midrange product from a top-end part. Not to mention real-world security risks for those consumers and probably prosumers, who will read the article.

 

[Bp968]

Can we get some results for older CPUs, some of us have yet to upgrade from Sandybridge.

Very little simply because there are no hardware mitigations happening on a sandy bridge machine. Have you updated your bios/uefi? Is there even a recent update at all for your board? Probably not. You'll only have whatever mitigations get put into windows or you do yourself (like disabling HT).

That said, its time to upgrade my wifes small business workstation (a ivy bridge i5). Its going to be a AMD ryzen 3000 series. I have an 8700k which I like, but these nearly constant security disasters have ended up slicing the "premium" off the top of intel CPUs imo, but Intel hasn't seemed to realize it themselves yet.

I mean, if you need a secure system the i9 9900k just got turned into a i7 9700k overnight. Since its been made clear Intel has no intention of offering me any sort of performance protection or warranty why would I want to pay that huge premium for a CPU that could lose all of its performance advantage a month from now?

Sure it could happen to AMD too but so far it seems to be effecting them far far less frequently so statistics seems to be on AMDs side.

 

[Bp968]

I've wrote this before in my comment on spectre and meltdown attack.

I sincerely believe that the drive to beat AMD 64 X2 had lead Intel to choose the path of leveraging insecure cache and branch predictions.

Costly move.

That was such a great CPU. It was my last AMD (well until ryzen 2 3000 in my wifes build later this year)

 

[James Igou]

So basically Intel is going to downgrade my $350 CPU to absolute sh*t, than sell me a new one, and do the same thing again?

This is why my upgrade from the i5 2500k @4.7 will most likely be the AMD Ryzen 3700x @5ghz. Just waiting for the first reviews to arrive...

Same here. Intel has made critical errors since the development of the P4, now it turns to bite them in the ***.
I'll be running a similar Ryzen cpu myself within a few months.

 

[JaredTheDragon]

I'm curious why nobody has mentioned the very minor gains when utilizing SMT in the first place, here. 33%? For 100% more threads?!? That's just terrible. It should be linear, to say the least.

On the old 8-core FX-8350s I'm using, turning off half the threads (either way, by disabling every other thread or just two cores) yields almost perfectly linear performance results, at least in content-creation and rendering. If my render (Vray, Maya) takes an hour with all 4 cores / 8 threads, it'll always take close to two hours with half disabled. It's predictable.

I don't know how the Ryzens stack up in this department, they may be just as bad. But 33% is garbage gains. I had no idea it was that bad for these newer chips.

 

[HelllRazorX]

This security flaw is how Facebook will be taken down.

 

[akamateau]

Will Intel ever build a Processor that isn't flawed or vulnerable to attack?

Now that Jim Keller is a Senior VP at Intel the outlook is good.

 

[misor]

So basically Intel is going to downgrade my $350 CPU to absolute sh*t, than sell me a new one, and do the same thing again?

only if you allow the installation of microcode update to fix the vulnerabilities.

 

[Evernessince]

I don't see the point of testing this on consumer gaming rigs. If it's serious enough that HT is going to be disabled anywhere it'll be "outward facing" web / database servers which is where 99.9999% of data leaks actually occur (why go to the effort of hacking PC's one at a time when you can swipe 700 million at once). The mere concept of going to the extreme of disabling HT on consumer rigs to "make them more secure" when by default 99% of the same rigs will have W10's default firewall "security" of blacklist-only (allows literally every single background process to talk out without restriction) vs a proper whitelisted one, haven't changed their default router's username / password, etc, seems adorably naive.

No one said hackers had to target single machines. They could embed code in an ad that exploits the vulnerabilities. There are a lot of ways to deliver a malware payload to a target.

There are a ton of Intel CPUs out there, they've by far been the most popular for a long period of time which makes them a good target for hackers. Getting something past windows firewall is one thing, getting permissions is another. These Intel vulnerabilities allow hardware level access, much worse then anything that gets past your firewall that you accidentally grant UAC permissions to.

 

[Hacksaw888]

Just want to know when Intel is going to refund me or buy back this 7700k I have. Since all the vulnerabilities my CPU has lost about 40% of it's performance. I did run benchmarks myself with hyper threading turned off and I get anywhere between 16% to 30% performance loss in the 10 games I tested. Add that to the already 12% to 25% performance loss from the other vulnerabilities. That is a lot of loss of CPU performance in a year or so time.
If the leaks are true on Ryzen 7 3700X that will be my next upgrade.
Only week till we find out.

 

[GTvon]

It sounds like the perfect time to update your computer system.

 

[gamerk2]

What I find very interesting is that disabling HT has minimum impact on power draw, especially on newer, more refined design. Now that's not good. I know disabling HT is not like disabling physical cores. Still, without HT you lost 50% of compute power, but suck nearly as much juice (minimal drop that's in margin of error ~5%) as at full capacity.

From a die perspective, HTT is a *very* minimal implementation of SMT. It's really just duplicating the Registers and scheduling resources and very little else. It's something like 5% of the die for a ~15% performance benefit.

And ironically, because it doesn't have any of those cute x86 performance optimizations, the Itanium architecture is immune to all these problems. Funny how the massively parallel and focused on security CPU architecture we now all want is the one that lost in the market. Thanks AMD!

 

[VRaverna]

I wonder about the point of this article though? How many people are running 8700K and 7700K on motherboards unlikely to get patched via BIOS updates? Of course, GETTING users to download and install a BIOS patch is a whole other story, but of folks who DON'T ever patch their BIOS, how many would ever even go into the BIOS to turn off HT? Let's be real here, unless Microsoft puts out a MANDATORY Windows Update that pops up a big red warning on the screen at reboot that tells people their Windows will not launch until the BIOS is updated or HT is disabled, I'd lay odds 99%+ of Intel CPU users will never even know about these flaws (let alone care).

OS can disable HT. You don't need users knowing how to disable HT in BIOS. If Microsoft decides the risk is too high, they can release a security update that disable HT.

In linux you can disable HT using script (run under root account). Probably the same for Windows.

 

[vertigogo]

The mere concept of going to the extreme of disabling HT on consumer rigs to "make them more secure" when by default 99% of the same rigs will have W10's default firewall "security" of blacklist-only (allows literally every single background process to talk out without restriction) vs a proper whitelisted one, haven't changed their default router's username / password, etc, seems adorably naive.

I think you should read the MDS attack articles again. When a javascript running on some website or malicious ad can access your passwords, then you really do need to take action even if you are "just" a gamer running a windows machine with a regular firewall.

 

[BSim500]

I think you should read the MDS attack articles again. When a javascript running on some website or malicious ad can access your passwords, then you really do need to take action even if you are "just" a gamer running a windows machine with a regular firewall.

I read it again. If the threat is from JavaScript, then which sounds the more common sense fix to you : 1. Cripple your PC's performance even for unrelated tasks (gaming, video compression, etc), whilst still continuing to let your browser execute those (and other) hostile scripts that target hundreds of other vectors or browser weaknesses in addition, or 2. Use uBlock Origin / NoScript, and block thousands of them at the source from running in the first place, speeding up web page load times 5x, reducing web-page clutter, etc?

I totally agree that vulnerabilities need fixing ideally on a hardware level, in the mean-time however for existing owners common sense is also a wonderful thing...

 

[meric]

So if we are to read this in reverse order, it won't be false to say "intel got the performance advantage by not implementing the mentioned fixes"