Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 05-02-2021, 03:44
chants chants is offline
VIP
 
Join Date: Jul 2016
Posts: 615
Rept. Given: 16
Rept. Rcvd 40 Times in 24 Posts
Thanks Given: 564
Thanks Rcvd at 905 Times in 419 Posts
chants Reputation: 40
New speculative execution micro op vulnerability PoC

Anyone know where we can get a Proof of Concept for the new vulnerability?

The 2018 one is here in C:
https://github.com/crozone/SpectrePoC
Javascript:
https://github.com/google/security-research-pocs/tree/master/spectre.js and demo https://leaky.page

Press release from University: https://engineering.virginia.edu/news/2021/04/defenseless

Would be really interesting to see the technical details...

My suspicion is they pretend to jump to and execute the protected memory region to load it rather than doing indirect addressing. Which makes it surprising it took 3 years more to figure this out.
Reply With Quote
The Following User Says Thank You to chants For This Useful Post:
niculaita (05-02-2021)
  #2  
Old 05-02-2021, 04:32
chants chants is offline
VIP
 
Join Date: Jul 2016
Posts: 615
Rept. Given: 16
Rept. Rcvd 40 Times in 24 Posts
Thanks Given: 564
Thanks Rcvd at 905 Times in 419 Posts
chants Reputation: 40
The paper is here: https://www.cs.virginia.edu/venkat/papers/isca2021a.pdf

It's actually a more efficient way of doing Spectre. And lfence instructions wont STOP it as like I said it uses fetch and jumping to the target instead of indirect reading.

The key is how they precisely determine the micro op cache lines and monitor them. It's much more powerful than the old technique that trains the branch predictor and fools stride prediction and such with sequential reads and writes. This is next level attack, gets really into the more general details of how the processor architecture achieves good performance.

I suspect mitigation will involve isolating kernel or secured memory in a more general stronger manner. I dont think there are many tricks left now besides killing processor performance. But such isolation might require hardware changes and not micro code updates or software mitigation.
Reply With Quote
The Following User Says Thank You to chants For This Useful Post:
niculaita (05-02-2021)
  #3  
Old 05-02-2021, 22:15
deepzero's Avatar
deepzero deepzero is online now
VIP
 
Join Date: Mar 2010
Location: Germany
Posts: 281
Rept. Given: 104
Rept. Rcvd 62 Times in 40 Posts
Thanks Given: 132
Thanks Rcvd at 169 Times in 81 Posts
deepzero Reputation: 63
Looks more and more like we will be simply undoing the past decades of performance tweaking in CPUs.
Reply With Quote
The Following User Says Thank You to deepzero For This Useful Post:
chants (05-03-2021)
  #4  
Old 05-03-2021, 08:21
chants chants is offline
VIP
 
Join Date: Jul 2016
Posts: 615
Rept. Given: 16
Rept. Rcvd 40 Times in 24 Posts
Thanks Given: 564
Thanks Rcvd at 905 Times in 419 Posts
chants Reputation: 40
Performance often comes at the cost of providing side channels and security headaches.

Even when it's a bad password, if you return the result in a consistent amount of time based on how many characters are wrong, its trivial to get the password.

How about having dedicated cores for privileged and unpriviledged code, it comes with a cost for sure, hard to imagine an easy solutions to these issues though.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 16:40.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2021 )