HWBOT Community Forums

Intel's XTU analyzed (and it's not looking good)


_mat_


Now that XTU will have its global points removed soon, I am officially publishing my findings on this benchmark. I tried to give full insight on how to dissect and uncover the security issues of XTU but also some tweaks and the possibility to run the inner benchmark executable on its own for quick performance testing and points calculation.


https://www.overclockers.at/articles/intels-xtu-analyzed

This is not some kind of personal vendetta against Intel; far from it. The article's purpose is purely educational to raise awareness for benchmark security and timer reliability. This is not only about cheating, it's about the credibility of benchmarks and result databases like the bot as well. Security vulnerabilities are not taken seriously enough by benchmark developers and HWBOT in my opinion. Yes, I am going the hard way with XTU in my article of course and that's not for everyone. But there are already tools available for download that will get you ahead without any effort.

So I'd like to start a discussion here on how we can improve the situation permanently. It goes without saying that any serious initiative would require cooperation from all sides involved.

Edited by _mat_
by staff's request
  • Like 6
  • Thanks 7

... and the last one can turn off the server and switch the lights off. :P

//edit... but similar analysis of x265 would be interesting of course. On the other hand it holds a risk of finding some kind of a security hole which may not be possible to fix at all... or would take too much time to be worth it. The fact the benchmark developer is still here doesn't guarantee unlimited maintenance and support. ;)

Edited by havli
  • Like 1
  • Thanks 1

Yes, every benchmark is breakable and nothing is 100% bulletproof. But that's not necessary, we only need to increase the cost for cheating to a level where it's easier/cheaper to just overclock and make the damn score. Overclocking has no 100,000 USD competitions, so it's not an impossible task.

Regarding your benchmark and its current state of security:


It took ~2 hours to break HWBOT Prime 1.0 and your bench and I've never written a single Java desktop application. No debugging or code changing involved, only static analysis of your executable. If you need details on how to reproduce this, just let me know and we'll chat.

  • Haha 1
  • Confused 1

XTU actually is fun to bench, only if it supported AMD and not only 2 seconds counted for scoring. There is still no successor for SuperPi 32m for new platforms, proper multithreaded & memory scales a lot! I think 3DMark11 Physics is the only option for now to replace SuperPi 32m.

And please don't do this unless you submit this to their developer only, so xoc is not dead. We don't know this if someone is not publicizing this. I respect your good job still!

Edited by speed.fastest
  • Like 2

1 hour ago, speed.fastest said:

XTU actually is fun to bench, only if it supported AMD and not only 2 seconds counted for scoring. There is still no successor for SuperPi 32m for new platforms, proper multithreaded & memory scales a lot! I think 3DMark11 Physics is the only option for now to replace SuperPi 32m.

And please don't do this unless you submit this to their developer only, so xoc is not dead. We don't know this if someone is not publicizing this. I respect your good job still!

What about GPUPI (even though it's a royal pain to get everything working)? Hopefully v4.0 will be out soon and the woes of installing OpenCL support will be at an end.

  • Like 1

9 hours ago, speed.fastest said:

XTU actually is fun to bench, only if it supported AMD and not only 2 seconds counted for scoring. There is still no successor for SuperPi 32m for new platforms, proper multithreaded & memory scales a lot! I think 3DMark11 Physics is the only option for now to replace SuperPi 32m.

I already have a Prime95 benchmark ready that scales pretty much perfectly and is very hungry for memory bandwidth. It is using the latest Prime95 version (29.4) and includes a few fixes like NUMA awareness, improved thread synchronization and error checking. It's also faster than the XTU version. :D

It seamlessly integrates into XTU so you can start XTU with an AMD CPU and just run the benchmark. It won't be far off to create a WIN32 application that runs the bench and uploads the score to HWBOT. Is this something the community would be interested in?

  • Like 1
  • Thanks 4

  • Crew

we need wrappers, everywhere just to keep OC alive, you can make those Matt... However due to our own self destructive community attitude it might not be enough... sigh

Honestly beats me why people always have to go the extra mile for some bragging rights on the internet...

Edited by Leeghoofd
  • Like 1
  • Thanks 3

Newsflash, pretty much every benchmark can be hacked given enough time and skill. Question is is it worth spending dev time actively combatting hackers when the only gain is temporary internet fame?

Benchmark makers should prevent easy cheating (like adjusting the windows clock), but injecting dll's/modifying code?

  • Like 3
  • Thanks 1
  • Confused 1

2 minutes ago, Splave said:

no offense but why did you not then with hwbotprime?

No offense taken. My focus was not hwbotprime the past years, and I hate shifting focus between projects. Should have done the clock cheat fix earlier, I know.

Byte code alteration or adjusting memory is a whole other story though. As long as you allow your app to work offline, it can be hacked.

  • Like 2
  • Thanks 1