Joe Fitz
Jan 5, 2018, 15 tweets
Thread time! Why can't they just quickly patch #meltdown or #spectre and push out another cpu? Why could it possibly take years? Why don't they use AGILE or x/y/z? Lots of reasons:
(note: my goal is not to criticize chip manufacturers - it's to defend the constraints they have)
Let's start with a standard software product many are familiar with and work off that. First, every time you hit 'build' it's called a 'stepping', costs millions of dollars & takes several months. If you want a profitable product, you may only get 10 chances to press 'build'.
On top of that, half those 'builds' are not 'full layer steppings' meaning you can't change any logic gates, just how they're connected. Even with a full layer stepping you can't shuffle stuff around anywhere like you can with library files and whatnot.
One way to think of it - imagine an ISA that only supports 8 bit jumps/calls. You can only go back or forth +- 128 bytes from your current address. You can't just plug in an extra 256 bytes of code between two existing blocks without lots of rework and significant timing impact.
So what's an easy fix on silicon? 1 bit to a couple bytes. Equivalent of inverting a test, changing an immediate value in code, nopping out a bad instruction, or adjusting a branch destination. Maybe reordering a simple if/else.
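The 8-bit-jump analogy above, worked through as an added example that is not part of the original thread: a toy layout checker that shows which relative branches break when code is inserted between two blocks, and how much headroom a patch really has. The block names, sizes and branch targets are constructed for illustration.

```python
from dataclasses import dataclass

REL8_MIN, REL8_MAX = -128, 127        # reach of a signed 8-bit displacement

@dataclass(frozen=True)
class Block:
    name: str
    size: int                         # bytes of code in the block
    target: str = ""                  # block its closing branch jumps to, if any

# Constructed layout: four blocks placed back to back, three rel8 branches.
PROGRAM = [Block("entry", 40, "handler"), Block("check", 60, "entry"),
           Block("handler", 50, "check"), Block("exit", 20)]

def layout(blocks):
    """Map each block name to its (start, end) address."""
    addr, pos = 0, {}
    for b in blocks:
        pos[b.name] = (addr, addr + b.size)
        addr += b.size
    return pos

def broken_branches(blocks):
    """Return (source, target, displacement) for branches that no longer fit."""
    pos, bad = layout(blocks), []
    for b in blocks:
        if b.target:
            disp = pos[b.target][0] - pos[b.name][1]   # from the next instruction
            if not REL8_MIN <= disp <= REL8_MAX:
                bad.append((b.name, b.target, disp))
    return bad

def insert_after(blocks, name, new_block):
    """Return a new layout with new_block placed right after block `name`."""
    out = []
    for b in blocks:
        out.append(b)
        if b.name == name:
            out.append(new_block)
    return out

def max_insert(blocks, name, limit=512):
    """Largest insertion (bytes) after `name` that keeps every branch in range."""
    n = 0
    while n < limit and not broken_branches(
            insert_after(blocks, name, Block("fix", n + 1))):
        n += 1
    return n

if __name__ == "__main__":
    print(broken_branches(insert_after(PROGRAM, "check", Block("fix", 256))))
    print(max_insert(PROGRAM, "check"))
```

In this constructed layout the 256-byte insertion pushes two of the three branches out of range, while anything up to 18 bytes still fits, which is the software counterpart of a fix that has to stay within a couple of bytes.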
Any more than that, and you impact everything around you. Your extra power draw might heat up another gate that makes a latch work slower and causes every CPU to be speed rated 100 MHz slower. The extra space you need might introduce propagation delays that can't be worked around.
So, the easiest possible fix means a couple months to 'build', a few months for you to test your fix, plus regression testing against 50 years of code that your CPU must support. Followed by ramping up high volume manufacturing. Let's say 6 months from fix to on the shelf.
But really, even a small fix means building, testing, fine tuning, building, testing, characterizing, and then releasing. So count on 2-3 steppings and we quickly get to 6 months to a year.
What about a minor new feature? If you've already got the architectural and specification stuff done, you need to implement it in HDL, simulate and verify it, and then put it through the build/test/production path. 2 years.
The reality is that new features are risky when you only get a few revisions. LOTS of features exist in silicon for generations before they're fully vetted and 'enabled'. So most features end up being more like 5 years to availability on a product with software supporting it.
But we're still not there. #meltdown and #spectre attack fundamental architecture features that have been built on for decades. We may need to go back to the drawing board. (old Intel product lifecycle slide). Everything so far has been in the yellow 'development' phase.
Assuming we don't need too much new research, we amend the architecture, write new specifications, implement the architecture in HDL, fabricate the chip, and go through validation before selling it. Once again, we're talking 4 to 5 years.
What's it all mean? My guess is there might be a few hardware 'quick fixes' that we could see as soon as this summer (one year after first rumblings). These would probably have a performance impact, but would be a smaller impact than the current software fixes.
Come 2019 and 2020, other products in the pipeline will have more involved fixes that again improve performance over the software and quick fixes.
The solution everyone wants is a full fix with no performance impact. I can't imagine that coming any sooner than 2021.
I left Intel over 5 years ago - I know nothing that isn't public about current or upcoming products. This is all speculation based on general knowledge of CPU and silicon manufacturing. Thanks to @savagejen for asking me questions and encouraging me to post.

More from @securelyfitz

Oct 8, 2018
Do I Have a Hardware Implant?

I’ve gotten lots of inquiries if I could analyze some hardware for or could recommend someone who might.

I’ll be blunt - most of you don’t need this. Here are some things you should consider before seeking out services like this:
1. It’s unlikely you’re affected. Really. Even assuming every claim is true, and even if there is a secret device on every single X brand motherboard, it’s unlikely you’re targeted by whatever payload the implant carries.
2. There are no published hardware indicators of compromise (IOCs). The device and placement referenced in the article are only representative and not actual devices. Having experienced hardware eyes on your board might pick out something odd, but won’t be conclusive.
Oct 5, 2018
Hector and others have identified the component used in the Bloomberg article to represent the hardware implant. I'd like to share my perspective on whether it's realistically possible:
If someone said that the implant was found inside a coupler, first I'd check component suppliers for couplers that might fit the bill. And the one displayed is pretty much the smallest one you can find with 'coupler' in the name.
A coupler is a filter - you'd normally have signals coming in & filtered signals going out the other side.
If you see a piece of alumina or ceramic and it has markings on top with a coupler's model number you'll assume that's what it is.
Perfect man-in-the-middle opportunity
Oct 4, 2018
At one point in time I had a conversation about how I would put a hardware implant into a system. I'm delighted to see @qrs had a very similar assessment:
Given a photo of a server motherboard, this was my response after a few minutes. You'll have to take my word I wrote this 4 Sept 2017.

"Well, you picked an easy one, it already has a backdoor :)"
"The ASPEED chip (1) is the BMC or Board Management Controller. It's an extra CPU on the system that is supposed to 'manage' the actual server that does all the work, like negotiating power supplies and storage connections with the rest of the servers in the rack."
Oct 4, 2018
There’s recent news about some really interesting hardware implants. I wanted to take a bit to share more technical thoughts and details that can’t be reduced to a mainstream article on the topic.
threaded: securinghardware.com/articles/hardw…
The core of the claim is that someone implanted extra components on some server motherboards that would do malicious stuff, subvert the system and possibly allow it to ‘phone home’. I looked at the claims through a technical and feasibility lens.
I’ve studied hardware implants for a few years now. I’ve done multiple reviews of server hardware looking for backdoors. I profit, via @securinghw and @SecureHardware, from people being more interested in hardware security.
Jul 24, 2018
Remember the USB fans from Singapore that were in the news? @HackingThings and I took some more of them apart and there's plenty of potential for foul play.
This is an older lightning port fan that @HackingThings had. No surprise there's a chip in there to speak SDQ to tell the iPhone to supply power
We hooked up a @saleae logic analyser and tried @stacksmashing's protocol decoder:
Jun 4, 2018
Congratulations, your talk has been declined! Many of us have been disappointed or relieved by a rejection in the past few days. As a follow-on to my previous post about the CFP process and writing an abstract, I figured it would be fitting to write a bit about what to do now.
Long form posted and will be updated here: securinghardware.com/articles/congr…

Don’t worry, a post about what to do if you’re *accepted* should come right on time, about a week before Black Hat and Defcon.
It’s okay to be disappointed. You put lots of work into your research, and more into making it look good for the cfp. If you’re smart, you’ve been scrambling to deliver on the things you promised in case they asked for more info. It might feel like all that was a waste of time.
