Intel Publishes Microcode Security Patches, No Benchmarking Or Comparison Allowed!

UPDATE: Intel has resolved their microcode licensing issue which I complained about in this blog post. The new license text is here.

This was my complaint:

Intel is updating its loadable CPU microcode to handle various side-channel and timing attacks. There is a new license term applied to the new microcode:

You will not, and will not allow any third party to (i) use, copy, distribute, sell or offer to sell the Software or associated documentation; (ii) modify, adapt, enhance, disassemble, decompile, reverse engineer, change or create derivative works from the Software except and only to the extent as specifically required by mandatory applicable laws or any applicable third party license terms accompanying the Software; (iii) use or make the Software available for the use or benefit of third parties; or (iv) use the Software on Your products other than those that include the Intel hardware product(s), platform(s), or software identified in the Software; or (v) publish or provide any Software benchmark or comparison test results.

Since the microcode is running for every instruction, this seems to be a use restriction on the entire processor. Don’t run your benchmarker at all, not even on your own software, if you “provide” or publish the results.

The security fixes are known to significantly slow down Intel processors, which won’t just disappoint customers and reduce the public regard of Intel, it will probably lead to lawsuits (if it hasn’t already). Suddenly having processors that are perhaps 5% to 10% slower, if they are to be secure, is a significant damage to many companies that run server farms or provide cloud services. I’m not blaming Intel for this; I don’t know if Intel could have foreseen the problem. Since some similar exploits have been discovered for AMD and ARM CPUs, the answer is probably “no”. But certainly customers are upset.

Another issue is whether the customer should install the fix at all. Many computer users don’t allow outside or unprivileged users to run on their CPUs the way a cloud or hosting company does. For them, these side-channel and timing attacks are mostly irrelevant, and the slowdown incurred by installing the fix is unnecessary.

So, lots of people are interested in the speed penalty incurred in the microcode fixes, and Intel has now attempted to gag anyone who would collect information for reporting about those penalties, through a restriction in their license. Bad move. The correct way to handle security problems is to own up to the damage, publish mitigations, and make it possible for your customers to get along. Hiding how they are damaged is unacceptable. Silencing free speech by those who would merely publish benchmarks? Bad business. Customers can’t trust your components when you do that.

In writing this story, I used news in this article in The Register and this copy of the license. That’s all the information I have on this issue, at this writing.

Status of Open Source Security Inc. / Bradley Spengler v. Bruce Perens lawsuit

Last year, Open Source Security and its CEO, Bradley Spengler, brought suit against me for defamation and related torts regarding this blog post and this Slashdot discussion. After the lower court ruled against them, I asked for my defense costs and was awarded about $260K for them by the court. The plaintiffs brought two appeals, one on the merits of the lower court’s ruling and one on the fees charged to them for my defense. In order to bring these appeals without first paying for my defense, the plaintiffs purchased a supersedeas bond for $300,000, for the cost awarded to me plus possible interest, which will be paid to my attorneys if I win the appeals. The Electronic Frontier Foundation took on the merits appeal, pro-bono (for free, for the public good), with the pro-bono assistance of my attorneys at O’Melveny who handled the lower court case. EFF has now filed an answering brief and supplemental excerpts of the record in the merits appeal. Please join EFF and support them. You can follow the court proceedings here. I will continue to publish what’s happened in the court, but can’t comment upon the case at this time.

My Dinner With Trump Supporters – Their Degree of Denial Was Astonishing

I attended a ham radio conference over the weekend, and sat at dinner with a couple from that usually-liberal encampment, Palo Alto. But this couple were clearly conservative and Republican. I had identified myself as coming from Berkeley, so I would imagine they understood I was liberal.

At ham radio conferences, I generally talk about ham radio and its issues. I don’t usually get into politics, because I’m lobbying for some changes in ham radio policy, and it simply isn’t productive to confuse issues. Just as I wouldn’t talk about those things when appearing at an Open Source event – it’s more important to lobby people on Open Source policy issues.

But what interested me was the degree of denial I heard. The woman’s husband probably understood that I wasn’t the person to discuss his politics with, and limited his conversation to issues of attracting young people to ham radio, an issue we both felt was important.

His wife had a comment about living in Palo Alto, and this is an exact quote: “My friends say the most absurd things about President Trump. I just ignore it and let them talk.”

She also mentioned that her husband listened to conservative talk shows that “kept her honest”.

Now, the last time I checked, it was pretty clear that President Trump had cheated on his wife with a porn star and a “Playboy bunny” whom he had – as taped by his own lawyer – discussed paying for her silence during the election in possible contravention of national election funding law. He chummed with Vladimir Putin, publicly dismissing a vast pile of evidence from our nation’s security professionals that Putin had authorized interference with U.S. elections, and even high officials of his own party felt a need to contradict Trump about that. And I guess I could write about 100 more things we’ve learned about Mr. Trump that would be equally disturbing.

I didn’t engage her about this. It wouldn’t have been productive.

Somewhere in Palo Alto is a lady who listens only to Fox News, some internet sites, and conservative talk shows. And – I guess like very many people – news that concerns the rest of us that the president is unsavory, various sorts of criminal, and possibly even a Russian agent goes right over her head.

Now I understand how the people of Germany let all of the evil of the Nazis go on with their full acceptance. They had a great capacity for denial, one that we are now seeing in our own nation.

It is difficult to have hope in the face of this.

Change in my conference policy

Unfortunately, I will no longer be able to allow conferences to purchase my airline tickets. I must purchase them myself and be reimbursed. I will purchase the lowest price un-refundable coach-class tickets available for flights of a reasonable duration. These will be insured with cancel-for-any-reason travel insurance which the conference must pay for, and which will protect them from having to pay if I am not able to appear.

The reason for this is that I’ve had a number of bad experiences when I’m not the one who books my travel. The worst was when my wife was hospitalized, and I was not able to change my flight to get back to her quickly. But there have been others, including calling the booking travel agency for help only to find we didn’t have any language in common, not being able to buy my own ticket for my wife because the conference took too long to secure my ticket, and the time a conference stuck me in a city I didn’t want to be in for a long weekend, with no regard to my own plans.

I will usually buy tickets less expensive than are available through a conference’s travel agency. Part of this is because they are un-refundable, but in general I’ve not found institutional travel agencies to be able to access better bargains than available online, if one books far enough in advance.

Note also that when I am traveling for your conference, I am not running my consulting business, and will have no billable time. So, I go through quite a lot of expense to appear there.

Tiny Crystal Language Programs

Crystal, as currently deployed on Linux, creates rather large executables. On my system, a zero-length source file results in an executable of 1087016 bytes in size, with an instruction size of 726121 bytes, 2856 bytes of initialized data, and 1263736 bytes of filled-with-zero-on-demand data (“bss”). This is a problem for embedded use. For example, if I could cross-compile to my ESP32 (ignoring that LLVM doesn’t have its instruction set implemented) I would already be using all of the available memory.

If I were to write an operating system kernel in Crystal, I’d want to have a specially-tweaked support library, as Linux has for common C APIs.

Fortunately, it is pretty easy to build Crystal programs without their support library. This will give you a program with no garbage collection, no exception handling, and no support libraries for Crystal’s built-in classes. It is now your job to fill these in to the extent that you want or need to.

Having stripped out the support library, a minimal Crystal program will compile to an executable only a few kilobytes in size.

Before you get too deep into this, be warned: objects won’t work the way you expect, and are probably pretty broken until they get some library support. The program as I show it below leaks memory, and may not allocate memory properly. There is no garbage collection and no exception handling. I may have written bugs. All of this is left as an exercise for the reader; this is Open Source at work 🙂

Here is a simple Hello World program in Crystal, creating and using a class, and printing a message. Compile this with the command:

crystal build minimal.cr --prelude="empty" -p --release --no-debug

minimal.cr

require "lib_c"
require "lib_c/i686-linux-gnu/c/stdlib"
require "lib_c/i686-linux-gnu/c/stdio"

# With the empty prelude there is no GC and no Crystal allocator, so the
# compiler falls back to libc malloc for object allocation. Objects must
# therefore be released by hand. A class instance is itself the heap
# pointer, so cast it to Void*; pointerof(object) would instead hand
# free() the address of the local variable holding that pointer.
def free(object)
  LibC.free(object.as(Void*))
end

# String is a compiler-defined type whose character data starts at @c.
# Lib funs call to_unsafe on their arguments, so defining it lets a String
# literal be passed where printf expects a char*.
class String
  def to_unsafe
    pointerof(@c)
  end
end

class Foo
  def bar
    LibC.printf "Hello, World!\n"
  end
end

f = Foo.new
f.bar
free(f)

The executable emitted by compiling this is only 6304 bytes in size after the symbol table has been stripped. Instructions are 2179 bytes and initialized data 600 bytes; fill-with-zero-on-demand data is only 16 bytes. It loads with three shared libraries: linux-vdso.so.1, libc.so.6, ld-linux-x86-64.so.2. These are of course much larger than the program. Doing without these libraries is left as another exercise for the reader.

Obviously the above program is meant to build on i686. Modify “i686-linux-gnu” to be your architecture, and if you are on a different OS, the libraries required above may be different.
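To reproduce the size comparison above, here is an added helper script (not part of the original post) that builds minimal.cr once with the normal prelude and once with --prelude=empty, strips both, and reports the text/data/bss figures from size and the shared libraries from ldd. It assumes crystal, strip, size and ldd are on PATH, that minimal.cr is in the current directory, and that the script is saved as measure.sh.

```shell
#!/bin/sh
# Added example: measure the effect of --prelude=empty on a Crystal binary.
# Assumes GNU binutils `size` (Berkeley format) and `ldd` are available.
set -eu

SRC=${1:-minimal.cr}

# Read Berkeley-format `size` output ("text data bss dec hex filename") and
# print two numbers: bytes that occupy the file image (text+data) and bytes
# that occupy memory at run time (text+data+bss). bss is zero-filled on
# demand, so it costs memory but not disk space, which is why the
# zero-length-source executable is smaller than its runtime footprint.
size_footprint() {
  awk 'NR > 1 { printf "file_image=%d runtime=%d\n", $1 + $2, $1 + $2 + $3 }'
}

# Build one variant, strip the symbol table, and report its numbers.
# Extra arguments are passed straight to `crystal build`.
build_variant() {
  out=$1; shift
  crystal build "$SRC" -o "$out" --release --no-debug "$@"
  strip "$out"
  printf '%s: %s bytes on disk\n' "$out" "$(wc -c < "$out")"
  size "$out" | size_footprint
  ldd "$out" | awk '/=>/ { print "  needs " $1 }'
}

main() {
  build_variant minimal_default
  build_variant minimal_empty --prelude=empty
}

# Only run the builds when invoked directly as measure.sh, so the helper
# functions can be sourced and reused without a Crystal toolchain present.
if [ "${0##*/}" = "measure.sh" ]; then
  main
fi
```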

How should you ground your shielded Ethernet cable?

The advent of Category 7 cable, which includes four individually shielded twisted pairs, has introduced grounding to the concerns of the network engineer. The general advice of wire manufacturers, and the general configuration of pre-manufactured cables, is for both ends to be grounded. This is contrary to common knowledge in electrical engineering regarding ground loops and the potential for lightning-induced current.

Some purported electrical engineers assert that a shield grounded at only one end is “not a shield at all”, but an RF filter resonant to RF frequencies at its quarter wavelength, and will induce voltage to internal conductors at that frequency. They neglect to mention that a shield grounded at both ends also has resonant frequencies and can induce voltage to its internal conductors.

No configuration of grounding results in a shield always being a low-impedance path to ground across its entire length, for anything but DC and low frequencies. There will always be high-voltage points and null points across its length, for any frequency with a wavelength approaching or smaller than 4 times the circuit length, where the circuit includes the ground path between both ends of the shield if the shield is connected at both ends.

Grounding both ends of the shield simply increases the circuit length, creating a loop with external conductors, including conductive soil. This makes the circuit more vulnerable to lower frequencies than it would be otherwise, and admits additional possibilities for lightning currents to be introduced onto the shield. And you can’t count on the conductors being balanced such that induced currents oppose each other across the length of the circuit.

You must also consider that conductive soil is not a perfect sink to RF currents. Radio Amateurs learn that soil, unaugmented by radial wires, generally makes a poor counterpoise. The ground system in your building is anything but a theoretically perfect ground plane, and will in general present a high impedance at RF. Induced lightning voltage across the soil is a possibility with nearby strikes.

This is one reason for use of optical fiber, especially in areas where lightning-induced currents or RF interference (emitted or received) is a problem. No problems with electrostatic or magnetic induction when you use optical fiber. But we eventually transition to copper or aluminum at the ends of fiber runs. We must then consider lightning-induced currents and how to shield them.

Lightning frequencies are generally low, and energy is generally distributed across frequencies with a 1/f characteristic: more energy at lower frequencies. In this case, grounding the shield at both ends can indeed cause a shield that would be unresonant if single-point grounded to conduct significant energy. Ferrite chokes and other inductive means of increasing the external shield impedance are ineffective at blocking lightning-induced current, because they saturate.

So, I’ll be using single-ended grounding for my application, if for no other reason than that it removes so many unknowns from the equation. I suggest that those who wish to do otherwise actually attempt to model the circuit for its RF resonance and potential for induction of lightning current, using NEC or similar software.