OT: Evidence of A Intel Virtual Memory Vulnerability
H. S. Teoh
hsteoh at quickfur.ath.cx
Fri Jan 5 02:04:42 UTC 2018
On Thu, Jan 04, 2018 at 12:55:45AM +0000, Jack Stouffer via Digitalmars-d wrote:
[...]
> Attack details published by Google Project Zero with official names
> https://meltdownattack.com
On Wed, Jan 03, 2018 at 06:06:04PM -0800, Brad Roberts via Digitalmars-d wrote:
[...]
> Calling it a vendor or architecture specific issue is a bit
> misleading, based on the reading I did today. There's a couple
> different vulnerabilities here and they tie back to speculative (ie
> out of order) execution, timing of branch prediction, and timing of
> various conditions. These techniques are _widely_ used among high
> speed processors and any that use them are likely to be vulnerable
> when an adversary can control and time execution of code and data in
> caches. The same basic techniques have shown up in a number of recent
> exploits, for example some of those in SSL and TLS over the last few
> years.
>
> It's very interesting research and I fully expect more of this sort of
> issue as more and more research is done.
I just read both the Meltdown paper and the Spectre paper. This is
indeed extremely interesting research! To quote from the Spectre paper:
"While physical side channel attacks can be used to extract
secret information from complex devices such as PCs and mobile
phones, these devices face additional threats that do not
require external measurement equipment because they execute code
from potentially unknown origins."
This resonates with my continued reservation about remote code execution
technologies like Javascript, or anything, really, that involves
automatically executing Turing-complete code from an unknown source.
Unfortunately, it seems that this is the direction modern software has
been moving in, and it seems that the general populace has become
dependent on this kind of technology. It will be very interesting, to
say the least, to see where all this leads.
My tl;dr summary of Meltdown and Spectre:
- Meltdown: out-of-order instruction execution enables the results of an
illegal memory access to affect a side-channel (the concrete example
is the CPU cache) in a measurable way before the CPU raises an error,
sucht that memory contents that the code doesn't have permission to
read are leaked out.
- Spectre: speculative execution of mispredicted branches, induced by an
attacker, enables the results of code that isn't actually branched to,
to produce a measurable effect on a side-channel (again, the concrete
example is the CPU cache, but could be any other measurable
side-channel), thus allowing an attacker to read data accessed by
instructions that supposedly aren't even supposed to execute.
My code summary of Meltdown:
ulong addr = kernelAddressMappedIntoUserSpace;
ubyte b = *addr; // causes segfault
auto tmp = buf[b * 4096]; // produces cache effect before segfault happens
...
// In another process: extract the value of b, i.e., read from
// kernel memory bypassing read permissions.
auto b = measureCacheTimings();
My code summary of Spectre:
/*
* Victim process:
*/
int i = userParameter;
ubyte[] buf;
if (i < buf.length) {
// If branch was mispredicted, causes transient
// out-of-bounds access that has measurable cache effect
// before code effects are reverted by CPU
auto r = result[buf[i] * 4096];
...
}
/*
* Attacker process (assumed to be able to influence value of
* userParameter in victim process):
*/
// Mistrain CPU branch predictor to expect i < buf.length.
foreach (_; 0 .. 1_000_000) {
// induce victim process to run with userParameter == 1
induceUserParameter(1);
}
// Force eviction of buf.length from CPU cache to ensure branch
// misprediction in the victim process.
accessManyMemoryLocations();
// Induce victim process to run with out of bounds userParameter
// == 10000.
induceUserParameter(10000);
// Extract value of out-of-bounds buf[10000], i.e., read from
// arbitrary memory location.
auto b = measureCacheTimings();
And best of all, both attacks target modern CPU hardware, and do not
need any exploitable flaws in the software.
T
--
When solving a problem, take care that you do not become part of the problem.
More information about the Digitalmars-d
mailing list