Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   New speculative execution micro op vulnerability PoC (https://forum.exetools.com/showthread.php?t=19850)

chants 05-02-2021 03:44

New speculative execution micro op vulnerability PoC
Anyone know where we can get a Proof of Concept for the new vulnerability?

The 2018 one is here in C:
https://github.com/google/security-research-pocs/tree/master/spectre.js and demo https://leaky.page

Press release from University: https://engineering.virginia.edu/news/2021/04/defenseless

Would be really interesting to see the technical details...

My suspicion is they pretend to jump to and execute the protected memory region to load it rather than doing indirect addressing. Which makes it surprising it took 3 years more to figure this out.

chants 05-02-2021 04:32

The paper is here: https://www.cs.virginia.edu/venkat/papers/isca2021a.pdf

It's actually a more efficient way of doing Spectre. And lfence instructions wont STOP it as like I said it uses fetch and jumping to the target instead of indirect reading.

The key is how they precisely determine the micro op cache lines and monitor them. It's much more powerful than the old technique that trains the branch predictor and fools stride prediction and such with sequential reads and writes. This is next level attack, gets really into the more general details of how the processor architecture achieves good performance.

I suspect mitigation will involve isolating kernel or secured memory in a more general stronger manner. I dont think there are many tricks left now besides killing processor performance. But such isolation might require hardware changes and not micro code updates or software mitigation.

deepzero 05-02-2021 22:15

Looks more and more like we will be simply undoing the past decades of performance tweaking in CPUs.

chants 05-03-2021 08:21

Performance often comes at the cost of providing side channels and security headaches.

Even when it's a bad password, if you return the result in a consistent amount of time based on how many characters are wrong, its trivial to get the password.

How about having dedicated cores for privileged and unpriviledged code, it comes with a cost for sure, hard to imagine an easy solutions to these issues though.

All times are GMT +8. The time now is 02:16.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2021, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX