Exetools  

#1  05-02-2021, 03:44  chants (VIP)
New speculative execution micro op vulnerability PoC

Anyone know where we can get a Proof of Concept for the new vulnerability?

The 2018 one is here in C:
https://github.com/crozone/SpectrePoC
Javascript:
https://github.com/google/security-research-pocs/tree/master/spectre.js and demo https://leaky.page

Press release from University: https://engineering.virginia.edu/news/2021/04/defenseless

Would be really interesting to see the technical details...

My suspicion is they pretend to jump to and execute the protected memory region to load it rather than doing indirect addressing. Which makes it surprising it took 3 years more to figure this out.
#2  05-02-2021, 04:32  chants (VIP)
The paper is here: https://www.cs.virginia.edu/venkat/papers/isca2021a.pdf

It's actually a more efficient way of doing Spectre. And lfence instructions won't STOP it as, like I said, it uses fetch and jumping to the target instead of indirect reading.

The key is how they precisely determine the micro op cache lines and monitor them. It's much more powerful than the old technique that trains the branch predictor and fools stride prediction and such with sequential reads and writes. This is next level attack, gets really into the more general details of how the processor architecture achieves good performance.

I suspect mitigation will involve isolating kernel or secured memory in a more general, stronger manner. I don't think there are many tricks left now besides killing processor performance. But such isolation might require hardware changes and not microcode updates or software mitigation.
#3  05-02-2021, 22:15  deepzero (VIP, Germany)
Looks more and more like we will be simply undoing the past decades of performance tweaking in CPUs.
#4  05-03-2021, 08:21  chants (VIP)
Performance often comes at the cost of providing side channels and security headaches.

Even when it's a bad password, if you return the result in a consistent amount of time based on how many characters are wrong, it's trivial to get the password.

How about having dedicated cores for privileged and unprivileged code? It comes with a cost for sure; hard to imagine easy solutions to these issues though.
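The password timing leak described in post #4, as an added example that is not code from this thread. A tick counter stands in for the cycle counter an attacker would really read around each login attempt (averaged over many samples); the secret, the assumption that its length is already known, and the printable-ASCII alphabet are all constructed for the demonstration. The same attacker routine is run against the early-exit compare and against a constant-time compare, so the difference in what it recovers is the whole point.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed secret for the demonstration (assumption: the attacker already
 * knows its length; only the bytes are unknown). */
static const char SECRET[] = "s3cret!";
#define SECRET_LEN (sizeof(SECRET) - 1)

/* Counter standing in for wall-clock time: each byte comparison costs one tick.
 * On real hardware the attacker would read a cycle counter around the request
 * and average over many samples; the attack logic below is the same. */
static unsigned long g_ticks;

/* Vulnerable check: bails out at the first mismatching byte, so the amount of
 * work it does (and therefore its running time) tells the caller how many
 * leading characters of the guess were correct. */
static bool check_early_exit(const char *guess, size_t len)
{
    if (len != SECRET_LEN)
        return false;
    for (size_t i = 0; i < len; i++) {
        g_ticks++;
        if (guess[i] != SECRET[i])
            return false;
    }
    return true;
}

/* Hardened check: always walks every byte and folds the differences together
 * with OR, so the work done is independent of where (or whether) the guess
 * diverges from the secret. The volatile keeps the compiler from turning the
 * loop back into an early exit. */
static bool check_constant_time(const char *guess, size_t len)
{
    if (len != SECRET_LEN)
        return false;
    volatile unsigned char diff = 0;
    for (size_t i = 0; i < len; i++) {
        g_ticks++;
        diff |= (unsigned char)(guess[i] ^ SECRET[i]);
    }
    return diff == 0;
}

/* Buffer the attacker builds the password in, one position at a time. */
static char g_guess[SECRET_LEN + 1];

/* Attacker: at each position try every printable ASCII byte and keep the one
 * whose check ran strictly longest. If several candidates tie for the longest
 * time, the oracle is not leaking and the attack stops. Returns the number of
 * positions recovered (SECRET_LEN means the whole secret is in g_guess). */
static size_t attack(bool (*oracle)(const char *, size_t))
{
    memset(g_guess, 'a', SECRET_LEN);
    g_guess[SECRET_LEN] = '\0';

    for (size_t pos = 0; pos < SECRET_LEN; pos++) {
        unsigned long best_ticks = 0;
        int best = -1, ties = 0;

        for (int c = 0x20; c < 0x7f; c++) {
            g_guess[pos] = (char)c;
            g_ticks = 0;
            if (oracle(g_guess, SECRET_LEN))
                return SECRET_LEN;          /* login succeeded: fully recovered */
            if (g_ticks > best_ticks) {
                best_ticks = g_ticks;
                best = c;
                ties = 0;
            } else if (g_ticks == best_ticks) {
                ties++;
            }
        }
        if (ties)                            /* flat timing: no byte stood out */
            return pos;
        g_guess[pos] = (char)best;
    }
    return SECRET_LEN;
}

int main(void)
{
    size_t n = attack(check_early_exit);
    printf("early-exit compare: recovered %zu/%zu bytes -> \"%s\"\n",
           n, (size_t)SECRET_LEN, g_guess);
    n = attack(check_constant_time);
    printf("constant-time compare: recovered %zu/%zu bytes\n", n, (size_t)SECRET_LEN);
    return 0;
}
```

Against the early-exit compare the attacker needs at most 95 guesses per position instead of 95^7 overall, and the last byte falls to the success result itself. Against the constant-time compare every candidate costs the same, so the attacker gets nothing past position 0. In real code use the platform's constant-time comparison (OpenSSL's CRYPTO_memcmp, for instance) rather than hand-rolling one, and remember that the length check above still leaks the length.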